Category Archives: SANS

Using Sysmon To Enrich Security Onion’s Host-Level Capabilities

SANS recently accepted my GCFA Gold paper, Using Sysmon To Enrich Security Onion’s Host-Level Capabilities. The abstract is as follows:

With more network traffic being encrypted, as well as the persistence of advanced adversaries, it is becoming increasingly imperative that there is greater visibility at the host-level. With this greater visibility comes the ability to more efficiently detect and respond to threats. This paper highlights the use of Sysmon to enrich existing Windows host visibility capabilities in Security Onion, as well as how to use this increased visibility in detection and incident response. In this paper, the author has developed custom parsers and rulesets for integrating host-based data into Security Onion, something which to date had not yet been done for this project.

You can find the paper here. [pdf]

You can also find the ELSA Parsers, as well as the OSSEC decoder and rulesets that I wrote, on Github.

In the next month, I will be breaking up some key parts of the paper into a number of blog posts.

-Josh

Tagged , , , ,

Security Onion Cloud Client – NSM for the Cloud

As of yesterday, SANS has accepted & published the whitepaper for my GCIA Gold, titled “The Security Onion Cloud Client – Network Security Monitoring for the Cloud.”

Abstract

 With “cloud” servers continuing to become ever more popular, along with typical off-site servers (VPS/Dedicated), Network Security Monitoring (NSM) practitioners struggle to gain insight into these devices, as they usually don’t have the ability to tap the network traffic flowing to and from the servers—To solve this problem, I propose designing a cross platform (Windows, Linux) NSM client that would integrate with Security Onion, a NSM-centric Linux distribution.  Essentially, the NSM client would copy traffic (near real time) to the Security Onion Sensor, which would then process the data as it would any other network tap.  This would allow NSM practitioners the visibility they need into their off-site servers that are not in a setting where a typical NSM setup would suffice.

This was a topic that has direct impact on what I do on a daily basis, as most of the organizations that I do work for have at least a couple Cloud servers. I will be taking the next couple months and integrating the Cloud Client into Security Onion…. Hopefully it will see the light of day on the Stable ppa by the end of the year.

As for the actual paper, until SANS puts it on their Reading Room, you can find a pdf of it here.

-Josh

Tagged , , , ,