open source defense for edge 2017
TRANSCRIPT
![Page 1: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/1.jpg)
Open Source Defense: Building a Security Program with Zero Budget
![Page 2: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/2.jpg)
NOTE: Special awkward standalone edition
I use a lot of humor in my talks and I often try to avoid throwing too much text or explanation on slides. The resulting slides aren’t very useful without my voice overlaying them.
Since many people ask for my slides following my talks, I do my best to modify the slide deck so that the bulk of the information is still useful, even without me.
I still highly recommend the live edition. You can’t ask this one any questions ;)
![Page 3: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/3.jpg)
Agenda
• Budget challenges beyond CapEx/OpEx
• Foundations: The big picture and where to start
• Specific free & open-source tools to help at each step
• Real-World Experiences and Fun Stories*
*Randomly dispersed throughout
![Page 4: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/4.jpg)
whoami – Adrian Sanabria
IT Practitioner
Security Practitioner
Security Consultant
Industry Analyst
Business Owner
$
![Page 5: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/5.jpg)
Savage Security
Applied Research
Community Projects
Market Research
and Services
Enterprise Services
https://savagesec.com
(also, we’re good listeners)
![Page 6: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/6.jpg)
![Page 7: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/7.jpg)
What do we mean when we say “zero budget”?
We’re talking about having little to no CapEx budget. There’s no getting around needing people. The smarter and more creative your people are, the more likely you will be to succeed with what we’re talking about today.
![Page 8: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/8.jpg)
Security: What’s the “True Cost”?
• Security = People + Processes + Products
People
• Salary
• Training
• Personal Dev
• Management
Processes
• Plan (policy)
• Build (controls)
• Test (controls)
• Improvement
Products
• CapEx/OpEx
• Support
• Time to Value
• Labor:Value
![Page 9: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/9.jpg)
Why FOSS?
Because Richard Stallman, of course!
Ha…
No, that was a joke.
I’m sorry.
There are better reasons.
![Page 10: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/10.jpg)
Why FOSS?
Not just for people with budget constraints!
It’s about time and control.
![Page 11: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/11.jpg)
Why FOSS?
Commercial
1. Google search
2. Choose three
3. Contact vendors
4. Proof of concept
5. Wine & dine
6. Procurement
7. Implementation
Elapsed time: weeks/months
FOSS
1. Google search
2. Download
3. Configure
Elapsed time: minutes/hours
![Page 12: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/12.jpg)
Shelfware
Products that are purchased, but never get used or never fully achieve their intended value
![Page 13: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/13.jpg)
What ends up on the Shelf?
What would keep them off the shelf?
![Page 14: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/14.jpg)
Build versus Buy?
![Page 15: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/15.jpg)
Start with a solid foundation.
![Page 16: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/16.jpg)
Foundational Blueprints and Frameworks
• NIST Standards and Frameworks
• CIS Critical Security Controls
• ISO 27000
• MITRE ATT&CK
![Page 17: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/17.jpg)
![Page 18: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/18.jpg)
Document everything!
A core documentation repository is critical
• Policy, procedure, how-tos, etc.: MediaWiki; Atlassian Confluence ($10 for up to 10 users)
• Incident Response Ticketing/Documentation: RTIR (https://bestpractical.com/download-page); TheHive (https://thehive-project.org/)
![Page 19: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/19.jpg)
Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
![Page 20: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/20.jpg)
Map your network
![Page 21: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/21.jpg)
The Asset Discovery Dilemma
Active Scanning? Nmap? Vuln Scanner? No. Ask your network!
NetDB https://netdbtracking.sourceforge.net/
.ova available at https://www.kylebubp.com/files/netdb.ova
![Page 22: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/22.jpg)
Other network mapping approaches
• nmap + ndiff/yandiff: not just for red teams. Export results, diff for changes, and alert if something changed.
• Netdisco (https://sourceforge.net/projects/netdisco): uses SNMP to inventory your network devices
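The export/diff/alert loop above, written out as an added example (this is not code from the talk or from ndiff). It reads two constructed scans in nmap's -oX XML format, a baseline and a current run, and reports ports that appeared or disappeared; in production the XML would come from `nmap -oX` and the alert lines would go to your ticketing or chat channel.

```python
import xml.etree.ElementTree as ET

# Two constructed scans in nmap's -oX format (trimmed to the elements we read):
# the baseline taken last week and today's run of the same targets.
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/></port>
 <port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/></port>
 <port protocol="tcp" portid="443"><state state="open"/></port>
 <port protocol="tcp" portid="3389"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.23" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>"""

def open_ports(xml_text):
    """Return the set of (ip, proto, port) tuples that are open on hosts that are up."""
    found = set()
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue   # a host that went down shows up as 'now closed' ports below
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                found.add((ip, port.get("protocol"), int(port.get("portid"))))
    return found

def diff_scans(baseline_xml, current_xml):
    """Return (newly_open, no_longer_open), each sorted, relative to the baseline."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    return sorted(after - before), sorted(before - after)

def alert_lines(baseline_xml, current_xml):
    """One alert per change; an empty list means the network looks as it did before."""
    opened, closed = diff_scans(baseline_xml, current_xml)
    return ([f"NEW OPEN:   {ip} {proto}/{port}" for ip, proto, port in opened] +
            [f"NOW CLOSED: {ip} {proto}/{port}" for ip, proto, port in closed])

if __name__ == "__main__":
    print("\n".join(alert_lines(BASELINE_XML, CURRENT_XML)) or "no changes")
```

Run on a schedule and keep yesterday's XML as the baseline; a new RDP listener or a host that vanished from the scan is then a ticket rather than a surprise.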
![Page 23: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/23.jpg)
Data Discovery
• Users are good at putting sensitive data on the network.
• Find it with OpenDLP
![Page 24: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/24.jpg)
OpenVAS
• Fork of Nessus
• Still maintained
• Default vuln scanner in AlienVault
• Does a great job in comparison w/ commercial products
![Page 25: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/25.jpg)
Web Apps too!
• Arachni Framework (arachni-scanner.com)
• OWASP ZAP (Zed Attack Proxy)
• Nikto2 (more of a server config scanner)
• Portswigger Burp Suite (not free - $350)
• For a comparison – sectoolmarket.com
![Page 26: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/26.jpg)
In addition to fixing vulnerabilities…
• Build in some additional security on your web servers (also part of a secure configuration)
• Fail2ban: Python-based IPS that runs off of Apache logs
• ModSecurity: open source WAF for Apache & IIS
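To make the Fail2ban bullet concrete, here is an added example (not Fail2ban's own code) that reduces its filter-plus-jail mechanism to its core: parse Apache combined-format log lines, count authentication failures per client IP inside a sliding window, and decide who gets banned. The log lines are constructed samples; `maxretry` and `findtime` mirror the names of the corresponding Fail2ban settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: client IP, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client failing auth five times in seven seconds,
# another failing twice an hour apart (a normal user mistyping a password).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2017:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Oct/2017:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.2 - - [12/Oct/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096
203.0.113.7 - - [12/Oct/2017:10:00:05 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Oct/2017:10:00:06 +0000] "GET /admin/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Oct/2017:10:00:08 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.2 - - [12/Oct/2017:10:30:00 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.2 - - [12/Oct/2017:11:30:00 +0000] "GET /admin/ HTTP/1.1" 401 381
"""

def failures(log_text, statuses=("401", "403")):
    """The 'filter' half: yield (ip, timestamp) for every line that counts as a failure."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") in statuses:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """The 'jail' half: {ip: time_banned} for IPs with maxretry failures inside findtime."""
    recent = defaultdict(list)
    banned = {}
    for ip, ts in failures(log_text):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts   # Fail2ban would now insert the firewall rule for ip
    return banned

if __name__ == "__main__":
    for ip, when in bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```

The window logic is what keeps the slow, legitimate failures of the second client from tripping the ban; tune `findtime` and `maxretry` against your own logs before enforcing.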
![Page 27: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/27.jpg)
Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
![Page 28: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/28.jpg)
Protect
![Page 29: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/29.jpg)
Intrusion Detection/Prevention
![Page 30: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/30.jpg)
Host-based IDS
• Monitor Critical and Sensitive Files via Integrity Checks
• Detects Rootkits
• Can monitor Windows Registry
• Alert on Changes
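The integrity-check core of a host IDS, as an added example (not code from OSSEC, AIDE or any product the talk mentions): hash every watched file into a baseline, re-hash later, and report what was added, removed or modified. The watched tree here is constructed in a temporary directory so the script runs anywhere; on a real host you would point `snapshot()` at /etc or the web root and keep the baseline off the monitored machine.

```python
import hashlib, json, os, tempfile

def file_digest(path):
    """SHA-256 of one file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (path relative to root) to its digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return snap

def compare(baseline, current):
    """Report paths that were added, removed or whose content changed since baseline."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)

def demo():
    """Baseline a constructed config tree, tamper with it, return the change report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/cron.d"))
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write(root, "etc/sshd_config", "PermitRootLogin no\n")
        baseline = snapshot(root)
        # In practice the baseline is stored off-host (or signed) so an intruder
        # cannot rewrite it; the JSON round trip stands in for that persistence.
        baseline = json.loads(json.dumps(baseline))
        write(root, "etc/sshd_config", "PermitRootLogin yes\n")          # content changed
        write(root, "etc/cron.d/nightly", "0 3 * * * root /opt/sync\n")  # new file
        os.remove(os.path.join(root, "etc/passwd"))                      # file removed
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```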
![Page 31: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/31.jpg)
Windows 10 – Out of the box – CIS Benchmark
22%
The goal shouldn’t be 100%, but we can do better than 22%! Also, you should probably try some basic Windows hardening best practices before spending $75 per endpoint on the latest next gen AI super-APT defenderer anti-badware silver bullet.
![Page 32: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/32.jpg)
Secure Configuration
• CIS Benchmarks / DISA STIGs
• Configuration Management, while not exciting, is important
• Deploy configs across your enterprise using tools like GPO, Chef, Puppet, or Ansible
• Change Management is also important
• Use git repo for tracking changes to your config scripts
![Page 33: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/33.jpg)
Explaining the next slide: Patch it all! (kinda)
The general idea here is that whenever someone gets breached, we hear the industry’s brightest, loudest stars lob criticisms at the victims about ‘patching’ and ‘doing the basics’. In most cases, the critics have never had to install a patch across 35,000 endpoints running 27 distinct gold images across three major operating system versions. They’ve never had to deal with a vendor that had to ‘certify’ a patch before it is allowed to be installed.
They don’t appreciate the fact that patching is single-handedly the most disruptive thing that happens to an IT environment… on purpose.
![Page 34: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/34.jpg)
PATCH IT ALL (kinda)
![Page 35: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/35.jpg)
Patching Windows
![Page 36: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/36.jpg)
Patching Linux
![Page 37: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/37.jpg)
Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
![Page 38: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/38.jpg)
What’s happening on the endpoint?
• Facebook-developed osquery is effectively free EDR
• Agents for MacOS, Windows, Linux
• Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM
• Do fun things like searching for IoCs (hashes, processes, etc.)
• Pipe the data into the Elastic Stack for visibility & searchability
• If you only need Windows, check out Microsoft Sysinternals Sysmon
![Page 39: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/39.jpg)
What’s happening on the network?
• ELK Stack
• Suricata
• Bro
• Snort
• Security Onion: puts it all together
![Page 40: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/40.jpg)
Logging and Monitoring
• Central logging makes detection and analysis easier
• Many options here, such as Windows Event Subscription, rsyslog
• Can also pipe to one central location with dashboards, such as the Elastic Stack
• Good idea to include DNS logs!
![Page 41: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/41.jpg)
Education
![Page 42: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/42.jpg)
Phishing Education
• Phishing Frenzy
• Social Engineering Toolkit (SET)
• GoPhish
![Page 43: Open Source Defense for Edge 2017](https://reader033.vdocuments.net/reader033/viewer/2022051710/5a6603487f8b9a04148b467d/html5/thumbnails/43.jpg)
Parting thoughts…
• Build versus Buy
• Security Requirements don’t change, regardless of budget.
• Build a strong foundation and branch out.
• Consider scenarios – solve one scenario at a time, NOT all at once!
• Stay curious and contribute to projects you like.
• Community! Share ideas – learn from others
• DOCUMENT EVERYTHING