As logs never lie, it’s very important to aggregate and analyze internal and external network logs constantly so that companies can prevent a breach or perform incident response in a timely manner. For that security reason, companies deploy a SIEM (Security Information and Event Management) solution within the organization to address threat management, incident response, and compliance. SIEM technology is typically funded mostly because of regulatory compliance reporting requirements. According to Gartner’s Magic Quadrant, more than 80% of initial SIEM deployments are funded to close a compliance gap (Reference 1). That is an unfortunate fact, which shows that most management teams approve budgets for SIEM only because they have to, which is not proactive security.
Luckily, there’s a way to show your management the value of SIEM without spending a penny: deploy AlienVault’s OSSIM (Open Source SIEM). Not having to pay for OSSIM doesn’t necessarily mean there’s no cost. Someone once said that open source tools are free but your time is not. So, although there’s no price tag on OSSIM, there’s definitely a cost for planning, deploying, and supporting the technology. Nevertheless, OSSIM can be a great initiative for companies that need a SIEM but haven’t been able to receive funding for it, or for companies that are considering AlienVault’s professional Unified Security Management but would like to try the basic functionality before buying it.
Having the right expectations and clear requirements is a large part of a SIEM project’s success. Although it is true that most things are automated once the deployment phase is over, there still needs to be human support to monitor the system. So it is vital to have an owner for the SIEM, and the owner would typically be the Information Security team.
AlienVault’s OSSIM has been in the SIEM market since 2003 and it’s the only open-source SIEM platform available today. According to AlienVault’s website, there are about 18,000 OSSIM deployments, which is quite a big number in the SIEM world. The professional edition, called the Unified Security Management Platform, is based on the OSSIM platform. Although OSSIM is a well-known security management product, its creator AlienVault is still fairly new in the security market and is experiencing many changes in terms of funding, organizational structure, and product development. The company recently relocated its headquarters from Europe to North America and reorganized its management team by hiring away 7 HP security executives. Also, at the beginning of this year, AlienVault raised an $8 million series B financing round, which brings its total funding to $12 million (Reference 2). As a result of those major changes, AlienVault is rapidly improving the product by introducing the AlienVault Open Threat Exchange (AV-OTX) for collaborative defense, which further reduces costs and improves visibility for the 18,000 OSSIM deployments and AlienVault customers around the globe (Reference 6).
In its April 2012 edition, SC Magazine reviewed various SIEM technologies in its Product Section and gave four and a half stars (out of five) to AlienVault’s professional edition SIEM. According to SC Magazine’s review, AlienVault’s strength is that it is a highly capable SIEM with a nice feature set, but its weakness is the overall high cost of ownership, with a price of $32,000. The professional edition, Unified Security Management Platform, comes with more advanced features in performance, administration, reporting, and technical support than OSSIM (Reference 3). One key feature OSSIM doesn’t have but the professional edition has is Logger, an additional database for forensic purposes. Logger allows you to store large amounts of logs, digitally signed and time-stamped, for the long term, mostly on NAS/SAN storage systems. Another advantage of choosing the professional edition is that it offers greater coverage against attacks with more than 600 correlation directives. With OSSIM, one needs to rely on the community and one’s own ability to customize for any technical support, just like with any other open-source software.
OSSIM can be used by small organizations, but it’s most effective in large organizations where there are multiple network devices such as firewalls, IDS/IPS, anti-virus, and web servers. OSSIM is already integrated with other open source security tools including, but not limited to, Snort, Ntop, OpenVAS, P0f, Pads, Arpwatch, OSSEC, Osiris, Nagios, OCS, and Kismet. Having well-known open source tools as part of the platform makes it easier for security professionals to work with it.
OSSIM’s basic operations are as follows:
- External applications and devices generate events (External Data Sources)
- Applications shipped with AlienVault generate events (AlienVault Sensors)
- Events are collected and normalized before being sent to a central Server (AlienVault Sensors)
- The AlienVault Server does the risk assessment, correlation and storage of the events in an SQL database (SIEM)
- The AlienVault Server stores the events (digitally signed) in a massive storage system, usually NAS or SAN (Logger) → professional edition only
- A web interface provides reporting, metrics, dashboards, a ticketing system, a vulnerability management system, and real-time information about the network (Web interface) (Reference 4).
Agents / Collection methods
There are multiple ways to collect logs from hosts, using agents like OSSEC and Snare. Alternatives to installing agents on Linux systems are simply configuring rsyslog or setting up snmptrapd. The best way to forward logs from a Windows system is to use Snare.
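As an added example (not from the article and not AlienVault’s documentation), here is the kind of rsyslog fragment a Linux host would carry to forward its syslog stream to the OSSIM sensor over TCP. The sensor hostname, the file name and the work directory are assumptions; the directives are rsyslog’s legacy syntax, which the rsyslog shipped on Debian-era systems accepts.

```conf
# /etc/rsyslog.d/50-ossim.conf  (hypothetical file name; any name under rsyslog.d works)
# Forward every facility and priority to the OSSIM sensor over TCP.
# "@@" means TCP; a single "@" would send over UDP, which silently drops
# messages when the sensor is unreachable.
# Queue settings spool messages to disk while the sensor is down instead of losing them.
$WorkDirectory /var/spool/rsyslog      # only needed if the main config does not set it
$ActionQueueType LinkedList
$ActionQueueFileName fwd_ossim         # spool file prefix inside the work directory
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1             # retry forever rather than discard
*.* @@ossim-sensor.example.net:514     # assumed sensor hostname
```

After restarting rsyslog on the host, a line such as `logger -t fwdcheck "ossim forwarding check"` should appear on the sensor side in the file the matching plug-in reads; if it does not, the queue spool growing under the work directory is the first sign that the TCP connection is not being established.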
Much of the deployment work comes when connecting the desired data sources to the OSSIM server. OSSIM needs a plug-in to connect any data source to the server. A plug-in is an XML based configuration file. According to AlienVault’s website, OSSIM comes with 2395 data source plug-ins (Reference 6). Here are some of the useful plug-ins:
- Anti-virus (McAfee, Symantec, Sophos, Avast)
- CheckPoint Fw1
Based on my experience, although OSSIM has a plug-in for almost anything, that doesn’t mean every plug-in you enable will work. This is because some of the plug-ins were written a long time ago and the associated products and their log formats have been updated since then. So you might need to modify the configuration file, which requires advanced knowledge of regular expressions. It’s also possible, and actually quite simple, to create a new plug-in. The main steps for writing a new plug-in are:
- Add a plugin entry to config.cfg (in /etc/ossim/agent)
- Create the plugin file
- Create the regexp
- Create the plugin_sid SQL file
- Populate the database (Reference 6)
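The regexp step is where most of the effort goes, and it is also why an old plug-in stops matching after a vendor changes its log format. As an added example, not an OSSIM plug-in file and not AlienVault’s code, the following Python normalizer does the same job for a hypothetical anti-virus product: each rule pairs a plugin_sid with a regex, the constructed sample lines cover both the old and the updated log format, and coverage() reports which lines no rule matches so a plug-in can be checked against real logs before it is enabled. The product name, log formats and plugin_sid values are all made up.

```python
import re

# Constructed sample lines from a hypothetical anti-virus daemon ("avd").
# Lines 1-2 use the old format; line 3 is the new format after a product update;
# line 4 is an unrelated informational message.
SAMPLE_LOGS = [
    "Mar 12 10:15:01 av-server avd: VIRUS FOUND name=EICAR-Test-File host=10.0.1.25 action=quarantined",
    "Mar 12 10:15:07 av-server avd: VIRUS FOUND name=Trojan.Generic host=10.0.1.31 action=deleted",
    'Mar 12 10:16:42 av-server avd: event=virus_found threat="EICAR-Test-File" src=10.0.1.25 result=quarantined',
    "Mar 12 10:17:00 av-server avd: scheduled scan completed",
]

# Hypothetical plugin_sid table: one numeric id per event type.
PLUGIN_SIDS = {"virus_found": 1, "scan_completed": 2}

DATE = r"(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Regex an aging plug-in would carry for the old format ...
OLD_VIRUS_RE = re.compile(
    DATE + r" (?P<sensor>\S+) avd: VIRUS FOUND "
    r"name=(?P<threat>\S+) host=(?P<src_ip>" + IP + r") action=(?P<result>\w+)$"
)
# ... and the regex added once the vendor changed the format (the "modify the regex" step).
NEW_VIRUS_RE = re.compile(
    DATE + r" (?P<sensor>\S+) avd: event=virus_found "
    r'threat="(?P<threat>[^"]+)" src=(?P<src_ip>' + IP + r") result=(?P<result>\w+)$"
)
SCAN_RE = re.compile(DATE + r" (?P<sensor>\S+) avd: scheduled scan completed$")

# Rule order matters: the first matching regex wins.
RULES = [
    ("virus_found", OLD_VIRUS_RE),
    ("virus_found", NEW_VIRUS_RE),
    ("scan_completed", SCAN_RE),
]

def normalize(line, rules=RULES):
    """Map one raw line to a normalized event dict, or None if no rule matches."""
    for sid_name, regex in rules:
        m = regex.match(line)
        if m:
            f = m.groupdict()
            return {
                "plugin_sid": PLUGIN_SIDS[sid_name],
                "date": f["date"],
                "sensor": f["sensor"],
                "src_ip": f.get("src_ip"),
                "threat": f.get("threat"),
                "result": f.get("result"),
            }
    return None

def coverage(lines, rules=RULES):
    """Parse every line; return (events, unparsed) so a plug-in can be validated before it is enabled."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line, rules)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed

if __name__ == "__main__":
    old_only = [r for r in RULES if r[1] is not NEW_VIRUS_RE]
    for label, rules in (("old plug-in", old_only), ("updated plug-in", RULES)):
        evs, bad = coverage(SAMPLE_LOGS, rules)
        print(f"{label}: parsed {len(evs)} of {len(SAMPLE_LOGS)} lines; unparsed: {bad}")
```

Run with only the old regex, the new-format line is reported as unparsed, which is exactly the symptom of a stale plug-in: the sensor keeps receiving logs but produces no events for them. Checking coverage this way before enabling a plug-in is cheaper than discovering the gap in the SIEM console later.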
Correlation is one of the core features that defines OSSIM as an intelligent security event management platform and distinguishes it from IDS/IPS. It helps to reduce false positives by transforming multiple input events and alarms into a more reliable output, so that there is a manageable number of events to pay attention to. The correlation feature consists of cross correlation and logical correlation (correlation directives). Cross correlation works only with events that have a defined destination IP, because it has to check the destination host to determine whether it has any of the vulnerabilities in the vulnerability database, and it changes the reliability value of the event accordingly. The event’s reliability value is one of the metrics used to calculate risk in OSSIM.
Another core feature of OSSIM is correlation directives. OSSIM comes with 200 correlation directives, written in an XML based syntax. A directive’s main purpose is to analyze multiple events and decide whether or not to generate an alarm based on the directive’s rules. This feature can prevent zero-day attacks or attacks on unknown vulnerabilities because it generates an alarm by following rules, as opposed to checking the event against the known vulnerabilities list. One simple example of directive usage could be to generate an alarm when someone attempts to SSH into a web server multiple times.
OSSIM data management consists of raw logs, events, alarms, and tickets. Raw logs are received from various data sources by the OSSIM server and normalized. Normalized logs are shown in the web management interface under SIEM as events. Tickets can be opened manually or generated automatically in OSSIM. Typical usage for handling incidents in OSSIM would be to review alarms, create a ticket for relevant incidents, and assign it to the appropriate personnel. Alarms are generated when the risk value of the event is equal to or greater than one. Risk is calculated using the following formula:
RISK OF THE EVENT (0-10) = [ASSET VALUE (0-5) * PRIORITY (0-5) * RELIABILITY (0-10)] / 25
Each asset in OSSIM has an asset value between 0 and 5; the higher the number, the more valuable the asset. An asset can be a host, a host group, a network, or a network group. Priority measures the event’s importance. Reliability measures the probability of an attack; for instance, a high value (9 or 10) means the attack is real.
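To tie the directive example (repeated SSH attempts against a web server) to the risk formula, here is an added Python example, not OSSIM’s directive engine and not AlienVault’s code. A hypothetical directive counts matching events per source/destination pair inside a time window, raises the reliability as the count reaches each level, computes risk with the formula above from the destination asset’s value and the directive’s priority, and raises an alarm only when risk reaches 1. The asset inventory, the event stream, the priority and the level thresholds are all constructed values.

```python
from collections import defaultdict, deque

# Constructed asset inventory: asset value 0-5 per host, plus a role tag used by the directive.
ASSETS = {
    "10.0.2.10": {"value": 4, "roles": {"web-server"}},
    "10.0.2.20": {"value": 1, "roles": {"workstation"}},
}

# Constructed normalized events (timestamps in seconds) as a sensor would hand them to the server.
EVENTS = [
    {"ts": 0,   "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
    {"ts": 5,   "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.20"},
    {"ts": 10,  "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
    {"ts": 15,  "type": "http_request",     "src_ip": "198.51.100.7", "dst_ip": "10.0.2.10"},
    {"ts": 20,  "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
    {"ts": 30,  "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
    {"ts": 40,  "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
    {"ts": 50,  "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
    {"ts": 500, "type": "ssh_login_failed", "src_ip": "203.0.113.5",  "dst_ip": "10.0.2.10"},
]

# Hypothetical directive. levels: (events seen inside the window, reliability 0-10 once reached).
SSH_BRUTE_FORCE = {
    "name": "SSH login failures against web server",
    "priority": 3,            # 0-5, the directive's own importance
    "window_seconds": 60,
    "levels": [(1, 1), (5, 4), (10, 8)],
    "match": lambda ev: ev["type"] == "ssh_login_failed"
             and "web-server" in ASSETS.get(ev["dst_ip"], {}).get("roles", set()),
}

def risk(asset_value, priority, reliability):
    """The page's formula: (asset value * priority * reliability) / 25, on a 0-10 scale."""
    return round(asset_value * priority * reliability / 25, 2)

def reliability_for(count, levels):
    """Highest reliability whose event-count threshold has been reached (0 if none)."""
    return max((rel for needed, rel in levels if count >= needed), default=0)

def correlate(events, directive, assets):
    """Run one directive over an event stream; return the alarms it raises (risk >= 1)."""
    windows = defaultdict(deque)   # (src_ip, dst_ip) -> timestamps still inside the window
    thresholds = {needed for needed, _ in directive["levels"]}
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not directive["match"](ev):
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        q = windows[key]
        while q and ev["ts"] - q[0] > directive["window_seconds"]:
            q.popleft()            # events older than the window no longer count
        q.append(ev["ts"])
        count = len(q)
        rel = reliability_for(count, directive["levels"])
        r = risk(assets[ev["dst_ip"]]["value"], directive["priority"], rel)
        # Alarm only at the moment a level is first reached and the resulting risk is >= 1.
        if count in thresholds and r >= 1:
            alarms.append({"directive": directive["name"], "src_ip": key[0], "dst_ip": key[1],
                           "count": count, "reliability": rel, "risk": r})
    return alarms

if __name__ == "__main__":
    for alarm in correlate(EVENTS, SSH_BRUTE_FORCE, ASSETS):
        print(alarm)
```

With these values a single failure against the web server scores 4 * 3 * 1 / 25 = 0.48 and stays an event; the fifth failure inside the window lifts reliability to 4, giving 1.92, and that is the point at which an alarm (and, per the workflow above, a ticket) is produced. The same five failures against the workstation with asset value 1 would score 0.48, which is the asset value doing its job of focusing attention on what matters. The event at 500 s falls outside the window, so the count restarts and no alarm is raised.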
OSSIM reporting is highly scalable and easy to work with. One thing I found very useful regarding the reporting feature is its ability to create a scheduled report and email it automatically.
Deployment and support
The system requirements are at least 4 GB RAM, a 64-bit processor, and an e1000 network card, which ensures good compatibility with Debian GNU/Linux. Also, note that AlienVault’s installation documentation states that hardware requirements will basically depend on the number of events per second and the throughput of the network that you want to secure. It’s pretty straightforward to install OSSIM, especially if you perform the default automated installation, which is called the all-in-one profile. The all-in-one profile includes the Sensor, Server, Framework, and Database profiles. The Sensor profile sets up the system so that it can receive logs from remote hosts and devices using the syslog protocol. By default, many of the well-known open source tools are enabled as detectors in the Sensor profile, such as Snort, Ntop, OSSEC, Osiris, and Nagios. There can be multiple Sensors in an OSSIM deployment if more than one network is to be monitored. The Server profile’s responsibility is to receive normalized logs from the Sensor. OSSIM is managed through the web management interface once the installation is complete, and the Framework profile is responsible for setting up this web GUI component. The Database profile uses a MySQL database to store the configuration information and SIEM events.
I installed OSSIM on a virtual machine, and it was just a matter of loading the ISO file, configuring the network information, and creating and mounting the partitions. It only took about half an hour to install the software, but most of the work comes after the installation, which is configuring the SIEM.
The very first thing to do upon installation of OSSIM is to add the systems for OSSIM to monitor and assign asset values to the hosts. The next task is to connect the data sources to the sensor in order to forward all the logs to a central place for analysis. I connected the anti-virus system, web server, and some workstations to OSSIM using OSSEC, Snare, and rsyslog. Connecting the sensor to the data source(s) is a fairly time-consuming and complicated task, as you might have to modify the plug-in configuration scripts. For instance, the plug-in script for the Symantec Anti-Virus didn’t work, so I had to modify the configuration file by changing the regex.
The next major task is to customize the correlation directives and their rules so that false positives are reduced and you can set almost any kind of condition for triggering an alarm or ticket.
Getting hacked is bad, but not being aware of it is worse. It’s not possible to fully secure your network, as there is always an unknown factor that allows a breach to happen. So it’s important for organizations to have full visibility over their perimeter, and one way to do this is to have SIEM technology in place. In this article, I reviewed AlienVault’s open source SIEM (OSSIM) solution. The OSSIM platform provides a compilation of many tools that work together to address the need for SIEM, compliance management, file integrity monitoring, vulnerability assessment, and IDS/IPS. Having well-known open source tools as part of the OSSIM platform makes it easier for security professionals to work with it.
- Magic Quadrant for Security Information and Event Management 2011 http://www.gartner.com/
- TechCrunch http://techcrunch.com/2012/01/31/on-the-heels-of-nabbing-7-hp-execs-cyber-security-startup-alienvault-raises-8-million/
- SC Magazine April 2012 edition
- AlienVault OSSIM Installation Guide http://communities.alienvault.com/docs/Installation_Guide.pdf
- AlienVault OSSIM Users Manual http://communities.alienvault.com/docs/Alienvault_Users_Manual_1.0.pdf