5. Proof of Concept
5.5. Framework PoC Testing
5.5.2. AlienVault USM
EC‐6 Network Security: It is not possible to make Tenable SecurityCenter CV aware about the network policy, but on the other hand it is capable of seeing all the traffic on the network if configured correctly. Also, if firewall logs are forwarded to LCE, alarms can be created for any types of events that appear on the firewall log. This applies to any type of log coming from any device. The tool is also able to detect network and service reconnaissance activity.
5.5.2. AlienVault USM
Alienvault Unified Security Management (USM) is a tool that integrates several open source security tools to a single platform and management console. The most im‐
portant tools to mention are PRADS (Passive Real‐time Asset Detection System), OpenVAS (Open Vulnerability Assessment System), NMAP (Network Mapper) used for active asset detection, network IDS’es Suricata and Snort, and OSSEC (Open Source Security). There are several other components as well, as visible in Figure 10 below.
Alienvault USM provides asset discovery (using active scanning and passive monitor‐
ing), behavioural monitoring, vulnerability assessment, SIEM event correlation and threat detection using a network Intrusion Detection System (IDS), a host based IDS and file integrity monitoring (Alienvault USM, 2014). Host based intrusion detection and file integrity monitoring is achieved using OSSEC, Open Source Security. OSSEC includes also capabilities for rootkit detection and active response. Protected assets can be monitored using either agentless mode (where a centralized server performs login to the monitored system and scans it periodically) or using OSSEC agents which are installed to the monitored system. USM provides OSSEC agent management functionality and centralized log collection for OSSEC agents. It stores the file integri‐
ty checking databases and log events. All the rules, log decoders and major configu‐
ration options are stored centrally in the management interface, which simplifies administration. The OSSEC agent is a small program installed on the monitored sys‐
tem. It will collect information in real time and forward it to the OSSEC manager for analysis and correlation. The agent runs with a low privilege user (created during the installation) and inside a chroot jail isolated from the system. Most of the agent con‐
figuration is pushed from the manager, while just some of them are stored locally on each agent. In case these local options are changed, the manager will receive the information and will generate an alert. The OSSEC agent will push the logs to the server where they will be analysed based on pre‐defined rules. Logs are pushed using a OSSEC proprietary protocol, which uses UDP (User Datagram Protocol) port 1514 (OSSEC, How it works, 2015).
Figure 10. Alienvault USM open source components (Leveraging Open Source Security Tools: The Essential Guide, 2014)
Installation and Observations
Alienvault provides the USM as an virtual image (i.e. virtual appliance) which has all features enabled (called Alienvault USM‐All‐in‐one). The installation procedure was
straightforward using a text based menu and by following the installation instruc‐
tions. Figures 7 and 8 in chapter 5.2 present the environment. Alienvault USM has 6 network interfaces on the virtual appliance and these were configured so that it has capability to do scanning and has visibility to all the networks in the test environ‐
ment. During the initial set‐up, networks were scanned to detect the assets. OSSEC‐
agent was installed to the servers that are the main assets (NS1 and SUSE1) and logs were pushed to USM using OSSEC‐agent. DNS and proxy server logs were sent using syslog. File integrity monitoring was configured to run every 2 hours for the main configuration directory (/etc). In addition, a detection mechanism to see new opened ports (using netstat ‐tan |grep LISTEN |grep ‐v 127.0.0.1 | sort) was taken into use.
This will detect if a new port is opened on the server and create an event for this which can be used as a basis to create an alarm. The firewall was configured to send the Netflow data to USM.
Results
The results are analysed here for Alienvault Unified Security Management for each evaluated domain. Detailed results are visible in Appendix B.
EC‐1 Asset Management: Alienvault USM is able to detect hosts that are added into the environment and it is possible to create an alarm for this if wanted. By default, Alienvault USM does not maintain a software asset lists and therefore does not pro‐
vide mechanisms to see any new software modules on the hosts nor compare the current installed software base to the baseline. Still it may be possible to do this us‐
ing an external script or software. It would require that an event related to installa‐
tion of new software is first received (triggered for example by OSSEC file integrity monitoring which can also detect addition of new files) and that event triggers an external tool to do software scanning, enumeration and comparison to a pre‐defined baseline. External software may then trigger another event for USM which could be used to create an alarm.
EC‐2 Vul assessm bilities b ment. W ticketing system w send an host, it i ing tool.
presente work, it similar w on secur addition writing t correlate
Figure 11.
lnerability M ent tool wh based on CV When new v
g section of will not be a email when s possible t It is possib ed in Figure is possible t way as abov
rity configu nal logging ( this thesis t
ed yet.
Alienvault US
Managemen hich is capab VSS. Figure 1 ulnerabilitie the Alienva able to noti n the scan is
o detect th le to config e 12. In case to make a b ve for EC‐1.
ration files, for example here were n
SM vulnerabili
nt: Alienvau ble of provi 11 shows th es are found ault USM. If
fy on that, s complete is using eith gure the sys e it is known baseline com
File integrit but in orde e BSM audi not plugins
ity overview
ult USM use iding a critic he overview d, a system f a scan fails
however it d. If new lis her OSSEC‐a
tem so that n what port mparison us
ty monitori er to see wh
t logging) w for BSM au
es OpenVAS cality scorin w page of vu also opens s, for a reas is possible t tening port agent or wit
t this will al s are gener sing an exte ng can effec hat was cha would be req
udit logs so t
S as a vulner ng for found ulnerability s up a ticket son or anoth
to make the ts are opene th a passive
so trigger a rally used in ernal tool o
ctively dete anged and b quired. At t that they co
rability d vulnera‐
manage‐
t in the her, the e system to ed on a e monitor‐
an alarm as n the net‐
r script in a ect changes by whom,
he time of ould be
o
Figure 12.
EC‐3 Sof security monitor against k possible bring so EC‐4 Acc USM as deactiva agent. It using a c number ures 13 a do scann users an
Figure 13.
Alarm created
ftware and S configurati ing via OSS known base
to run the me addition cess Contro
well as faile ated user ac t is possible correlation of times w and 14. The ning against nd privileges
Correlation d
d on opened po
Security Co on integrity EC. It is not elines. SCAP
scans using nal value co l: Creation o ed and succ ccounts. The
to configur directive, w ithin certain ere is no use t baseline (u s there are
directive for fiv ort
onfiguration y, Alienvaul t possible to P and CIS au g Nessus an onsidering r or deletion cessful auth e logs can b re threshold where it can
n time perio er managem unless using
on each sys
ve consecutive
Integrity m t USM prov o perform co udit baseline d import re reporting an
of users ca entication e be sent eith
d limits for f n be describ
od, an alarm ment featur
g external t stem.
OSSEC authen
managemen vides just ba
onfiguration es are not s esults to Alie
nd ticket ha n be detect events and
er via syslog failed authe ed that if a m is raised a res on USM;
ools) or to d
ntication failur
nt: For softw asically file
n check sca supported e envault, wh
ndling.
ted with Ali access atte g or using O entication a certain eve as presente
; it is not po detect wha
res within 1 m
ware and integrity
nning either. It is hich may
envault empts using OSSEC‐
attempts ent occurs
d on Fig‐
ossible to t type of
minute
Figure 14.
EC‐5 Log sequenc Alienvau to those There is the log f sented i integrity sources syslog.
Alarm created
gging and M ce where un ult USM doe e actions by a mechanis file hashes.
n Figures 15 y. Alarm for
can be raise
d based on dir
Monitoring: W nauthorized es not have default. Th sm to prese The integrit 5 and 16. H
use of sudo ed when ev
ective correlat
When BSM d and autho capabilities his is mainly
erve log inte ty can be ch owever, the o or su and vents for tha
tion rule
Audit loggi rized users s to receive y due to a m egrity within
hecked usin ere is no bu for the cha at are recei
ing is config (try to) acc e and correla missing BSM
n Alienvault ng the mana uilt‐in mech
nge of syste ved, either
gured and t cess and mo
ate the eve audit log p t USM using agement GU anism to ch em time or using OSSE
he test odify files, ents related
lugin.
g signing of UI, as pre‐
heck log time EC‐agent or
Figure 15.
Figure 16.
EC‐6 Net USM, bu by event be used ists to co
Log validation
Log validation
twork Secu ut it could b t. For exam to detect p orrelate the
n successful.
n failed.
rity: It is no e possible t ple firewall possible viol e events. Sy
ot possible t to do Netflo
log events lations of ne ystem is cap
o configure ow analysis could be us etwork poli pable of det
e network p using exter sed as a trig cy consider ecting and m
policy to Alie rnal tools if gger. Firewa ring that a p making alar
envault triggered all logs can plugin ex‐
rm for un‐
authorized hosts that are not known by the tool beforehand. Netflow data is collect‐
ed and can be used to do more detailed analysis of the traffic. Using in‐built network IDS (which is Suricata on default set‐up but also Snort is available) it is possible to detect network scans. The threat intelligence may also be based on honeypots, DNS, proxy, mail server or firewall logs. There are available USM plugins for a number of different types of honeypots, also BIND (DNS‐server) and Squid (Proxy‐server) log plugins exist.