DeepSec 2018 Training: Hunting with OSSEC – Xavier Mertens
“OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points”, says Xavier Mertens, who’s giving a training called “Hunting with OSSEC” at this years DeepSec.
“During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. Then I will demonstrate how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk /etc…”
We asked Xavier a few more questions about his course.
Please tell us the top 5 facts about your training.
1. It is mandatory to keep an eye on event logs to catch new threats or suspicious behaviors
2. There are plenty of information available on the Internet that could improve your monitoring process
3. Endpoints are the weakest point of your network, they must be kept under the radar
4. Security controls can be implemented at a low cost
5. Integration / sharing of information is key
How did you come up with it? Was there something like an initial spark that set your mind on creating it?
I’m a big fan of OSSEC for years and already blogged a lot about it. I participated to the project (ex: I wrote the initial GeoIP support). And, of course, I’m using it daily to monitor my infrastructure. Many (small) organizations do not have resources to implement or seem afraid to deploy solutions like OSSEC. I think it was time to wrap-up all this content and propose it as a training.
Why do you think this is an important topic?
Despite the fact that we deploy more and more security controls at our network boundaries, we still see compromized hosts, data leaks, etc. Keeping an eye on events is a key to detect as soon as possible all suspicious activity.
Is there something you want everybody to know – some good advice for our readers maybe?
Sharing and integration of tools are a key point. Each of them has interesting data that could be reused by other tool to improve detection capabilities. The training could be interesting for Blue Team people or system/security engineers. Investing in tools like OSSEC will also raise your overall protection and, in case of incident, you will already have some data to analyze.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
We will be more and more flooded with “security data” that must be analyzed. They challenge is really to find the needle in a hay stack. The key message is not to ask “if” you’ll face a security incident but “when” you will face one. Be prepared!
Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customer’s assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, threat hunting, OSINT). Besides his daily job, Xavier is also a security blogger, a SANS Internet Storm Center Senior Handler, and co-organizer of the BruCON security conference.