mayday-conf 2019-oct cluj...osquery–endpoint visibility incident management & response...

Post on 26-Feb-2021


TRANSCRIPT

Cybersecurity Platform: Open Source Security Tools and Know-how

Ovidiu Cical – ovidiu.cical@cyscale.com

It’s all about Open Source.

Who am I – Ovidiu – Founder Cyscale

- Cloud Security enthusiast

- 10+ years in Cybersecurity (7 in DLP and Endpoint Protection)

- 2 products in Gartner Magic Quadrant (Enterprise DLP and IIoT)

- OWASP Chapter Leader for Cluj-Napoca

- Chief Information Security Officer as a Service – multiple companies

What should my Cybersecurity Platform contain? (Blue Team perspective)

- Detection and Response: Endpoint Protection, Endpoint Detection and Response, DLP, SOAR, OpenC2

- Network Protection: Firewall, IDS, IPS, Traffic Analysis

- Malware Analysis: Sandboxes for file/email detonation and inspection

- Threat Intelligence: Collaborate, Collect, Evaluate, Analyze

- Cloud Security: Public, Private and Hybrid Cloud Security tools

- Centralized Logs & Management: Compliance, Policies, Logs, Analysis

Network Security – great OSS options

pfSense – Firewall

pfSense is one of the leading network firewalls with a commercial level of features.

Features:

- Great Firewall & Router

- High Performance

- Load Balancing

- IDS/IPS with Snort

- VPN

- Proxy & Content filtering

Zeek – Network Security Monitor

Powerful network analysis framework.

Features:

- Anomaly and signature detection

- IDS / IPS API

- High Performance

- Automatic protocol detection

- Industry standard outputs

- MIME Type Statistics

Snort – IPS

IPS offered by Cisco. Capable of real-time traffic analysis and packet logging on IP networks.

Features:

- Most widely deployed IDS in the world

- 600,000+ Registered users

- Real-time traffic analysis

- Protocol analysis

- Content searching/matching

Other great tools:

Firewalls: NG Firewall (Untangle), Smoothwall (free), OPNsense, IPFire

WAF: ModSecurity (and the WAF-FLE UI)

IDS/IPS: Suricata, OSSEC, Samhain Labs

Wireshark – network traffic inspection

osquery – Endpoint Visibility

Incident Management & Response

TheHive – Security Incident Response Platform

Cyphon.io – Incident Response Platform

Offers:

• Collect & Store – SIEM, DLP, EPP, Firewall

• Elaborate – investigate cases

• Analyze/Investigate – collaborate & assign

• Respond – ticketing, process, contain incidents, API calls, automatic actions

Cybersecurity Threat Intelligence

OTX – Open Threat Exchange: AlienVault Open Threat Exchange

ThreatConnect Open - Access to 100+ open source intelligence feeds (OSINT)

https://threatfeeds.io – List of open-source threat feeds

github.com/hslatman/awesome-threat-intelligence

Cybersecurity Threat Intelligence

YETI - Your Everyday Threat Intelligence

Open, distributed, machine- and analyst-friendly threat intelligence repository.
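The two slides above list where to collect indicators, and the Zeek slide earlier lists "industry standard outputs" among its features; what neither shows is the Evaluate and Analyze steps, i.e. what you do once a feed and Zeek's conn.log are both on disk. The following is an added example, not code from the slides or from Zeek, OTX, ThreatConnect or YETI: it parses Zeek's tab-separated conn.log format, loads an IP/CIDR feed, drops feed entries that could never be a meaningful hit (RFC1918, loopback, link-local: open feeds do contain such junk, and one such entry would alert on every internal connection), and then matches both ends of each connection against the feed. The conn.log excerpt and the feed are constructed samples; the feed's CSV columns (indicator, type, source, confidence) are an assumed layout, not any real feed's export format.

```python
"""Match Zeek conn.log records against an open threat-intelligence feed.

Added example; the log excerpt and the feed below are constructed samples and
the feed's CSV layout is assumed for illustration, not a real feed's format.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt of Zeek's conn.log (a subset of its columns). Zeek's ASCII
# logs are tab-separated; '#fields' names the columns, other '#' lines are metadata.
ZEEK_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "1570000001.10\tC1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\tSF",
    "1570000002.20\tC2\t10.0.0.7\t51235\t198.51.100.23\t4444\ttcp\t-\tSF",
    "1570000003.30\tC3\t10.0.0.5\t51236\t203.0.113.77\t80\ttcp\thttp\tS0",
    "1570000004.40\tC4\t10.0.0.9\t51237\t192.0.2.50\t25\ttcp\tsmtp\tSF",
    "1570000005.50\tC5\t198.51.100.23\t40000\t10.0.0.7\t22\ttcp\tssh\tREJ",
])

# Constructed IOC feed in an assumed CSV layout: indicator,type,source,confidence.
IOC_FEED_CSV = "\n".join([
    "indicator,type,source,confidence",
    "198.51.100.23,ip,constructed-feed-a,90",
    "203.0.113.0/24,cidr,constructed-feed-b,60",
    "192.0.2.50,ip,constructed-feed-b,30",
    "10.0.0.0/8,cidr,constructed-feed-c,80",      # junk: would match every internal host
    "evil.example,domain,constructed-feed-a,90",  # needs dns.log, not conn.log; skipped here
    "not-an-ip,ip,constructed-feed-c,50",
])

# Feed entries inside these ranges say more about the feed than about the host,
# so the Evaluate step drops them before any matching happens.
NEVER_MATCH = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class Ioc:
    indicator: str
    source: str
    confidence: int


@dataclass(frozen=True)
class Alert:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: str
    ioc: Ioc


@dataclass
class IocSet:
    exact: dict = field(default_factory=dict)     # single address -> Ioc, O(1) lookup
    networks: list = field(default_factory=list)  # (network, Ioc), scanned linearly
    dropped: list = field(default_factory=list)   # indicators rejected by Evaluate


def parse_zeek_log(text: str) -> list:
    """Parse Zeek's TSV log format into one dict per row, keyed by the #fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            records.append(dict(zip(fields, values)))
    return records


def load_ioc_feed(csv_text: str) -> IocSet:
    """Collect IP/CIDR indicators and drop unparsable or never-matchable ones."""
    iocs = IocSet()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] not in ("ip", "cidr"):
            continue
        try:
            net = ipaddress.ip_network(row["indicator"], strict=False)
        except ValueError:
            iocs.dropped.append(row["indicator"])
            continue
        if any(net.version == bad.version and net.overlaps(bad) for bad in NEVER_MATCH):
            iocs.dropped.append(row["indicator"])
            continue
        ioc = Ioc(row["indicator"], row["source"], int(row["confidence"]))
        if net.num_addresses == 1:
            iocs.exact[net.network_address] = ioc
        else:
            iocs.networks.append((net, ioc))
    return iocs


def match_connections(records: list, iocs: IocSet, min_confidence: int = 50) -> list:
    """One alert per connection whose responder or originator is a sufficiently confident IOC."""
    alerts = []
    for rec in records:
        for column in ("id.resp_h", "id.orig_h"):  # orig_h hit = inbound from a known-bad source
            addr = ipaddress.ip_address(rec[column])
            hit = iocs.exact.get(addr) or next((i for n, i in iocs.networks if addr in n), None)
            if hit is not None and hit.confidence >= min_confidence:
                alerts.append(Alert(rec["uid"], rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"], hit))
                break
    return alerts


if __name__ == "__main__":
    feed = load_ioc_feed(IOC_FEED_CSV)
    print("dropped from feed:", feed.dropped)
    for a in match_connections(parse_zeek_log(ZEEK_CONN_LOG), feed):
        print(f"{a.uid}: {a.orig_h} -> {a.resp_h}:{a.resp_p} matched {a.ioc.indicator} "
              f"({a.ioc.source}, confidence {a.ioc.confidence})")
```

On the constructed data this raises alerts for C2, C3 and C5 and stays quiet on C4, whose indicator has confidence 30: the threshold is the knob you turn per feed rather than per rule, and lowering it to 0 in the call adds C4. The dropped list is worth logging in a real pipeline; a feed that repeatedly ships 10.0.0.0/8 or 127.0.0.1 is a feed whose other entries deserve a lower confidence too.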

Malware Analysis

YARA - pattern matching swiss knife for malware researchers

Used in:

• Airbnb BinaryAlert (free)

• CrowdStrike

• FireEye

• Kaspersky

• Raytheon

• Websense

• Symantec

Malware Analysis

Cuckoo Sandbox

automated malware analysis system

Cloud Security

Github – AWS security tools

Forseti Security – GCP

Cloud Discovery – Twistlock – AWS, Azure and GCP

They offer:

• Inventory of VMs, Kubernetes, Container Registries, Serverless

• Security Scanning for weak settings and authentication

• Compliance (some)

Big Data Security Analytics Framework

OpenSOC & Apache Metron

Features:

• Monitor any telemetry source

• Anomaly detection and real-time rules-based alerts

• Hadoop-backed storage for telemetry stream

• Automated real-time indexing backed by Elasticsearch

Centralized Logs & Analysis

HELK – Hunting ELK

Features:

• ELK stack for log analysis

• ES-Hadoop + Spark -> interact with the ELK Stack to analyze data

• GraphFrames - DataFrame-based Graphs for Spark

• Jupyter Notebooks – Team collaboration on ML and AI algorithms

Upcoming features:

• osquery Data Ingestion

• MITRE ATT&CK mapping to logs or dashboards

• Terraform integration (AWS, Azure, GCP)

Open Source Security - Tools

Ovidiu Cical – ovidiu.cical@cyscale.com

Vulnerability Scanning

• OWASP Vulnerability Scanning Tools List

• OWASP Zed Attack Proxy (ZAP) - Free

• https://pentest-tools.com - Freemium

• Burp Suite

• Acunetix Free

• Qualys FreeScan

• SUCURI Free

• UpGuard Web Scan, Tenable, Rapid7 ...

IAM APIs

• OpenIAM – Community Edition

• Keycloak – Open Source

• Soffid – Open Source

• OneLogin, Okta

• Amazon AWS IAM

• Google IAM

• Microsoft AD ...

Infrastructure/Cloud/Server Security

• Let's Encrypt free TLS certificates - Free

• Qualys SSL Labs (server, browser tests) - Free

• CloudStack - Free

• Kali Linux

• Metasploit

• HPE ConvergedSystem

• ...

Threat detection/prevention

• AlienVault Open Source SIEM (OSSIM)

• Suricata Intrusion Detection/Prevention

• OSSEC

• OPSWAT

• Snort IPS

• Security Onion

• Fail2ban ...

Web Apps/Code Security

• OWASP – Follow the Top 10 lists

• SonarQube – 20+ languages

• OWASP Orizon – Mostly Java

• Bandit – Python code analysis - Free

• w3af.org, Kali Linux + Nikto

• Contrast Security, Kiuwan, Puma Security

• Fortify (HP) ...

Container Security

• Peekr from Aqua Security

• Platform9

• Twistlock

• Red Hat Atomic Scan

• Clair from CoreOS

• Anchore

Thank you!

Ovidiu Cical – ovidiu.cical@cyscale.com

Connect: scan the QR code with the LinkedIn app