Good morning everyone, I am Ashok. Today I am going to give a small introduction to SIEM and OSSEC. We will move to the first slide. Basically, Security Information and Event Management is a term used for software and product services which combine security information management and security event management. These are two parts, and the combined part we name Security Information and Event Management. This system basically sits in your network, gets all the logs and all the alerts generated by the systems, does analysis on them, and then creates events and alerts based on those logs.

So this SIEM has some capabilities. These are some of the capabilities, which include data aggregation, correlation, alerting, dashboards, compliance, retention and forensic analysis. First we will see what data aggregation is. Data aggregation is the process of collecting logs from various systems in your network. Basically those systems need not be homogeneous; in real life it is going to be heterogeneous, so logs can be coming from your systems, your servers, your local servers, your switches, routers. All these logs will be collected in a centralized place, these logs will be aggregated, the correlation between these logs will be analyzed, and based on that analysis decisions will be made.

Correlation is the process of relating events between two systems. Let us say you have a router and a server, and traffic goes via the router to the server, so there is going to be a common packet and a relation between these two things. These will be compared, and sometimes in a botnet kind of network so many bots will do a similar kind of process, so in those cases we can detect the botnet. So that is one of the properties.

Alerting: let us say someone started attacking your system, like your server on SSL port 443. In that case you need to know what attack is going on. Those processes will be logged on the server
and the server will send this data to the SIEM, which is basically another system which runs. Those logs will be analyzed, and there might already be some alerts which are written by default; those will create alerts. These alerts will be monitored by the system admin and he will take the necessary actions; sometimes it will be automated.

The dashboard is a kind of web user interface, or you can say a centralized interface, where you can see all the data collection, the analysis, the actions taken, the alerts and a complete view of your security systems. Compliance is the process of creating a report, basically for auditing, like an open standard report. Retention is the process of storing your log data in long-term storage. See, logs are going to be generated every second and it is going to be very huge; terabytes of logs will be generated every day in a huge network, and these logs need to be stored. We are storing them because, say, if an attack happens it is not necessary that you could have immediately spotted the attack. Sometimes it happens that it is a new attack which is unknown, and after the attack has happened, or after the damage is done, you need to know how it happened, so you need to have the logs. Unless you have the logs stored in your system you cannot do that; that is why forensic analysis is done. So basically you store these logs, and then these logs should be searchable, searchable based on our requirements. Say if you want a log which was generated on a particular server from 4 pm to 5 pm, this SIEM system should provide a facility to search the logs of that particular time interval, and in those logs you need to search for a particular protocol like SSL: who made SSL connections, to which HTTPS servers. Those kinds of information it should provide.

As I said, Security Information and Event Management has two parts: the first part is security information management and
the second part is security event management. Security information management is the part where it collects the logs and stores them for later usage: it can create reports, it can analyze the log files and it does the indexing so as to make searching easier. Basically this is for forensics. Security event management is more of a real-time system, where every event will be triggered based on your logs. Let us say someone tries to log into your server; immediately you want to know who is trying to log in, so this system will monitor the logs and it will immediately create an alert. So the system admin will note that someone is trying to log in, and if it is an unauthorized login then he will cut the connection. That can also be automated: if someone unauthorized is logging into your system you can write an automated response so that it will close the port for some time, or it may block that particular IP, based on the logs.

These logs can be normalized, like critical logs and normal logs. A normal user login will be a usual thing which happens every day: employees come into your office, or students come into your labs, and they log in. Those are not critical ones; those are normal logs. But if someone tries to log into your server, particularly remotely from some other IP, it is a critical one, because there is a possibility that an attack can happen. That kind of normalization can be done with security event management. And we have the console view, which is again the dashboard, which gives the complete view of what is happening, what alerts were created and the critical things. We will see the example of OSSEC for this security event management, and as I said, automatic alerting can also be done. So we will go to the next slide.
So this picture shows an overall idea of how the SIEM is placed in your network. As you can see, it sits in the middle and it will be connected to heterogeneous systems: it can be connected to your servers, your Windows servers, Ubuntu servers, and it can be connected to your firewalls, Wi-Fi networks, DHCP. So a lot of different logs will be coming into the SIEM; these logs will be categorized and processed, and the corresponding reports and alerts will also be generated. And for SIEM there are a lot of vendors online which are providing their products, some as applications and some as products like a router kind of thing, a physical product, a physical server they will provide you.

This particular Open Source Security Information Management, OSSIM, is open source software for SIEM, and it is developed by AlienVault. It is one of the widely used pieces of software in the current scenario, and it is still open source, supported by community contributors. OSSIM basically makes use of already existing open source software like OSSEC, OpenVAS and Snort, and those things do the different functionalities of SIEM which I explained in the previous slides. And there is another important thing which is called AlienVault Open Threat Exchange. This is very interesting because this exchange will tell OSSIM the reputation of an IP: whether the IP is good or whether the IP is already involved in some other attacks, things like that will be shown. This basically happens like this: from all the installations of OSSIM the data will be collected in a centralized system. Let us say some attack happens in the USA, in California or somewhere, and those logs will be collected in the centralized system, and if that attack is confirmed then that system's reputation will be decreased.
So if that happens so many times then the IP address reputation will be very low, and the next time, whenever the same connection or some connection goes into some other network where OSSIM is installed, it will alert the admin that the reputation of this IP is low and there is a possibility of attack. It is done by crowdsourcing, collecting information from various sources, and you can visit this website to get to know more about Open Threat Exchange. We will move to the next slide.

This one shows the basic architecture of OSSIM, where you can see a lot of open source software sitting in it, and it does all the requirements for SIEM, to meet the SIEM requirements like data policies; it has the correlation of logs, it will do the risk analysis, taxonomy, things like that. So first, once OSSIM is installed in your system, it needs to detect what the pre-existing systems are: which systems are connected, how many systems you have connected, how many routers you have connected; basically the components of the network have to be detected. So it uses Nmap for asset discovery. Assets are nothing but your systems and routers which are connected in that network where OSSIM is installed, and Nmap is open source and is widely used for asset discovery. The other software is ntop. ntop is network-based software; it listens to the ports and basically sniffs the network connections and the packets in them, and if some kind of unwanted behaviour happens it will alert. There will be a set of rules in it and it matches the rules; if a rule matches it will act according to what the rule says, like sometimes it is to alert, sometimes it is to let it go without an alert, and sometimes it is normal traffic so it will not alert on some kinds of things. So you can also insert new alerts into that. And then the next one is vulnerability assessment.
So for vulnerability assessment this particular software uses OpenVAS, which is again open source software, and after you install OSSIM it does a vulnerability assessment. Vulnerability assessment is nothing but checking each and every component of your network and seeing the possible vulnerabilities. Sometimes your systems may not be up to date, and the previous software, I mean the older software, may have a vulnerability. Let us say OpenSSL 1.0.1, where we have the Heartbleed attack vulnerability; it was found recently, so it has been updated, and still many servers are running this OpenSSL 1.0.1 version which is not updated, so again it is possible, I mean possible, to do an attack on them. So keeping a system updated will reduce a lot of possible attacks. Those details this software will tell you: what are the possible attacks that can happen.

Next is threat detection. So here is where OSSEC comes in. OSSEC does this thing: it will collect all the data, basically the log details from all the systems, and it has a set of rules, and these rules will be compared with the decoded logs, and if something matches it will create an alert. Again, this alert is going to be of different ranges: if some operation is usual, those alerts are going to be usual alerts and it may not generate an alert; if some alerts are so critical, which happens very rarely, those kinds of high alerts will be generated, where the system admin needs to address these alerts.
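The threat-detection loop just described (decoded log events matched against rules, alerts carrying a level, repeated failures from one source escalated, and an active response), worked through as an added example that is not part of the lecture or of OSSEC's own code. It simulates the lab-server use case the lecture goes on to describe (failed root logins over SSH, a checksum change in a monitored file) on constructed log lines; the host name, IPs, rule IDs and levels are made up, and the decoder and rule structure is a simplified analogue of OSSEC's, not its real format.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines for a hypothetical "marks-srv" host; not real traffic.
SAMPLE_LOG = """\
Mar 10 16:10:01 marks-srv sshd[2231]: Accepted password for alice from 10.129.26.43 port 51022 ssh2
Mar 10 16:11:05 marks-srv sshd[2240]: Failed password for root from 10.129.26.77 port 40110 ssh2
Mar 10 16:11:09 marks-srv sshd[2240]: Failed password for root from 10.129.26.77 port 40110 ssh2
Mar 10 16:11:14 marks-srv sshd[2240]: Failed password for root from 10.129.26.77 port 40110 ssh2
Mar 10 16:11:20 marks-srv sshd[2241]: Failed password for root from 10.129.26.77 port 40112 ssh2
Mar 10 16:11:27 marks-srv sshd[2241]: Failed password for root from 10.129.26.77 port 40112 ssh2
Mar 10 16:30:00 marks-srv sshd[2260]: Failed password for root from 10.129.26.90 port 40200 ssh2
"""

# Decoder: pulls out the fields an OSSEC sshd decoder would (time, user, source IP).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<srcip>[\d.]+)"
)

def decode(line, year=2024):
    """Return the decoded fields of one sshd line, or None if this decoder does not apply."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev

# Single-event rules. The IDs and levels are constructed, not OSSEC's own numbering.
RULES = [
    {"id": 100001, "level": 3, "desc": "SSH login accepted",
     "when": lambda e: e["outcome"] == "Accepted"},
    {"id": 100002, "level": 5, "desc": "Failed root login attempt",
     "when": lambda e: e["outcome"] == "Failed" and e["user"] == "root"},
]
# Correlation rule: rule 100002 fired "count" times from the same IP inside "window".
FREQ = {"id": 100003, "level": 10, "trigger": 100002, "count": 5,
        "window": timedelta(minutes=2), "desc": "Repeated root login failures from one IP"}

def analyze(log_text):
    """Run every line through the decoder and the rules; return alerts in order of arrival."""
    alerts, history = [], defaultdict(list)
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None:
            continue
        for rule in RULES:
            if not rule["when"](ev):
                continue
            alerts.append({"rule": rule["id"], "level": rule["level"], "srcip": ev["srcip"],
                           "time": ev["time"], "desc": rule["desc"]})
            if rule["id"] == FREQ["trigger"]:
                hist = history[ev["srcip"]]
                hist.append(ev["time"])
                hist[:] = [t for t in hist if ev["time"] - t <= FREQ["window"]]  # keep window
                if len(hist) >= FREQ["count"]:
                    alerts.append({"rule": FREQ["id"], "level": FREQ["level"], "srcip": ev["srcip"],
                                   "time": ev["time"], "desc": FREQ["desc"]})
                    hist.clear()  # start counting afresh after escalating
    return alerts

def active_response(alerts, min_level=10):
    """Source IPs an active response would block (OSSEC's firewall-drop adds an iptables DROP rule)."""
    return sorted({a["srcip"] for a in alerts if a["level"] >= min_level})

def checksum(data):  # the per-file value a syscheck baseline stores
    return hashlib.sha256(data).hexdigest()

def syscheck(baseline, current):
    """File integrity check: paths whose checksum no longer matches the stored baseline."""
    return [path for path, data in current.items() if checksum(data) != baseline.get(path)]
```

Running `analyze(SAMPLE_LOG)` yields one level-3 alert for the accepted login, a level-5 alert for each failed root attempt, and a level-10 correlation alert on the fifth failure from 10.129.26.77, which is the only IP `active_response` returns.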
And we will see a little bit about OSSEC. It is basically a host-based intrusion detection system which uses the log files of the systems. Every system or router or component which is in the network, like a firewall, everything creates log files, so these log files are very much useful if they are present in a centralized system. You cannot actually relate those logs across two different systems; say in a network we have some 250 systems and it is not easy to relate all the logs. For example, you want to have the logs which were generated from 4:10 to 4:15; it is a huge amount of data and we cannot do that manually. So these systems do these things automatically, and it will give us a proper view of what is happening and what happened in the logs, and if something serious happens it will alert.

As I said, alerting: it does time-based alerts, and you can configure this OSSEC to create an alert for particular events. And it does a file integrity check. Let us say in Ubuntu there is a directory called bin which is used by the system; usually those bin directory files will not be changed, they are used by the system for running services and executable files. So if some attack happens and some virus affects these files, then the virus will start changing the data of those files. This OSSEC will detect those kinds of changes and immediately alert the concerned person to look into it, so that we can prevent a lot of data loss, or even we can secure against possible attacks. After that we can also do an active response, like I mentioned previously: you can also create an automated response, like if someone logs into a system unauthorized, if he enters the wrong password for root 3 or 4 times, then you can block the system automatically by adding a rule in the firewall, iptables, by using OSSEC.

So this OSSEC works like this: there is going to be an OSSEC server; this server can be a single server or it can be multiple servers.
Usually it will be a single server with a high configuration which is capable of doing a lot of computation and with high network bandwidth, and this server will be connected with other systems. All the systems will have an OSSEC agent, irrespective of what type of system it is: if it is Windows we have a separate Windows agent for that; if it is Linux we have a Linux agent for that; if we have iOS it has separate agents; like firewalls, for everything we have separate agents. These agents basically collect the logs from the host wherever they are installed and send them to OSSEC for processing.

And we will see an attack scenario. Let us say someone in IIT Delhi tries to exploit the vulnerability which I mentioned, SSL version 1.0.1, and tries to make a Heartbleed attack on an IIT Bombay server, and let us assume we have a centralized SIEM installation where the Open Threat Exchange information is available and we have OpenVAS, which basically already alerted us what the vulnerabilities are and what the possible attacks are. So let us see how it can happen. Let us say 103.27.9.20 is an IP of IIT Delhi and it connects to IIT Bombay through the firewall. Since the firewall does not block this particular attack, since this is an SSL connection and port 443 should always be open for SSL connections, there will not be any rule for this particular port, so it will allow it, and it will connect to this system which is a server, 103.21.125.131, which can be accessed from anywhere in the world. So when this particular IP address connection is made, OSSIM, which is already installed in the network, will alert that this particular IP has a lower reputation. This information we got from OTX, Open Threat Exchange, which I explained previously, so it means that this particular IP address has already been involved in such kinds of attacks somewhere else and it is known for its attacks and things like that. So the first alert will be created by the SIEM saying this IP can
possibly make an attack. After that, OpenVAS has already alerted that there is a vulnerability in our system, which is basically that we have installed an older version of OpenSSL and it is vulnerable to the Heartbleed attack. So when the attack happens on the server we have an OSSEC agent which is installed; this OSSEC agent will send logs to the OSSEC server; the OSSEC server, which is a part of OSSIM, will send these details to OSSIM; OSSIM will tell that this attack is happening. So in this way you can detect an attack in real time and you can take the necessary steps. This is an example of an attack.

And we will see a use case. Let us say you have a lab of some 200 or 100 systems and you have a server where you have all the mark sheets, the marks of the students, the assignments given to the students, the upcoming assignments and all those things, and you usually log in to the server from a particular machine. Let us say you are set up as the root user to make the changes, and let us say some student tries to exploit this. If he wants to change his marks, let us say he failed in a subject, so he wants to make himself pass, so he tries to log in as root to make changes. So what will happen? Usually he won't be getting access to your system, which is your personal system. So if we had installed OSSEC on that server, the first thing we will get is an alert that someone is trying to log in as the root user from the lab system. It will tell you the IP address, it will tell you the time, it will tell you the root user and how many times he actually tried to log in. And the next thing: even if he successfully logged in, he will try to change the files which have the marks. So when the file is changed the hash value will change. Each file in a system will have a hash value, so the hash value will change; it is actually a checksum value, and the checksum value will change every time there is a change in a file. So this OSSEC will monitor that
value and it will make another alert saying some changes have been made in this file, so that you can come back and see what the changes are, and if you have a backup you can also cross-verify. The next thing: let us say you are not sitting there and you want an email whenever this thing happens; you can configure it so that an email is sent to your email, an alert will be received in your mailbox, so you can take immediate responses. Another thing is you can block the particular IP: when someone tries to log in like 5 times and fails to log in as root, then you can automate it, you can write code to automatically insert a rule in iptables, or you can automatically block the IP address. And with this the introduction part of this presentation comes to an end; we will move on to the demo of OSSEC.

So we will do some exercises from this PDF of OSSEC exercises. We will go to the terminal and we will check whether OSSEC is already installed. ls is the list files command. Usually OSSEC is installed under the /var folder in Ubuntu, so we will check /var. So OSSEC is installed, and we will check what is inside this OSSEC: ls /var/ossec. These are some of the subdirectories, which have active-response, bin, etc, logs. We will see what is inside bin: these are the executables which are used by OSSEC for doing its functionalities. So we will see an example. First we will go into this directory: cd /var/ossec/bin. We will see an example of ossec-control: sudo ./ossec-control status, and the password. As you can see, these are the main daemons run by OSSEC. ossec-monitord usually monitors the log files which are connected from various systems; ossec-logcollector does the analysis of those log files; ossec-syscheckd does the checks, like checking permissions and all other behaviours of a file; ossec-analysisd does the analysis and sees the correlation among the events or alerts generated by them; ossec-maild will be used for sending
emails, and ossec-execd is used for generating active responses. And if you want to know what else these specific executables can do, you can always do sudo ./<command> --help, and you can see we can do start, stop, restart, status, enable and disable. In this demo we are going to use restart more often, to restart the OSSEC services.

We will see how to observe OSSEC activities. So the first method is by observing the localhost web interface, like localhost/ossec, where you can see the events which are generated by OSSEC, and you can see the date and time, the rule ID, the level of the alert and the comment of the alert, the description of the alert. We can also search for a particular alert using this thing, and this integrity check basically shows the files which were recently changed; you can see the date and time and the file name. And Status shows the overall status of the system, like what rule is often used and what level of alerts is often generated. We will go to About and we will go to the OSSEC website; we will go to the getting started with OSSEC page, and this page has the basic details you need for working with OSSEC, and we will go to the Reference Manual. This is the documentation of OSSEC, where you can get all the details of how to manage, how to install, how to change a rule, write a rule. We will go to Main.

Another method is by observing the log file. So the log file is present in one of the directories of OSSEC, like /var/ossec/logs/alerts/alerts.log. So we will use the tail function; usually tail prints the last few lines of the file, and -f will keep it printing, and you can see the alerts generated by OSSEC. Basically these alerts and the alerts which you can observe from the web interface are the same, so you can use any one of these things. Let us see, you can observe this: refresh, and rule number 5501, and here also you will have 5501; the previous one, rule number 5402, 5402. So you can observe any one of
these things and keep the other closed. And the other thing is ossec.log. So ossec.log has all the activities done by OSSEC, like when an alert is generated and what generated it, and what happens when OSSEC is restarted, and if you made some changes and you get some errors, so this file will be very much useful. So again you can use tail -f for knowing the latest errors or latest status of OSSEC.

And we will move to the exercises. The first exercise is doing SSH. For doing SSH we need to install OpenSSH, the OpenSSH server, and press Y. For Ubuntu you can give apt install openssh-server; this is the package which is used for installing the OpenSSH server. We give the password and press yes to continue and complete the installation. For doing SSH we need to make some changes in the VM: we will go to Network, network settings, Adapter, change Attached to from NAT to Bridged Adapter and change it to the Ethernet if you are connected by Ethernet cable, and press OK. We need to disconnect and reconnect: disconnect, reconnect. To know the IP address the simple way is to go to Connection Information; you can see 10.129.26.43 is the IP address of this particular VM. So we will see whether it is connectable; we go to the host command prompt, we will do ping, and it is reachable. So the next thing, we will do the SSH connection. We will use PuTTY; PuTTY is a tool used for creating SSH connections. We will paste the IP, click OK, and here click Yes, and then type the root password.

So I am stopping Ashok here mainly because this is what you will be doing in tomorrow's lab, and the goal of the talk that he gave so far was to get you to understand what it is. Let me just summarize in a minute what he was trying to tell you: that you are going to actually work with an installation of a software called OSSEC, open source security analysis tool or whatever, which is part of the bigger framework called OSSIM, security information management system, and you will be asked to do many exercises. The PDF file, the video that he is
showing you, will be available to you. In the lab we would not have direct interaction with each center, but your coordinators will be able to provide you this video where he has run through some of the steps. The exercises are very well documented in a PDF file and you are told do this, do that, do this, do that, and he was trying to show you how to do that and giving you part of the demonstration. You will have three hours tomorrow afternoon to try it out, and as you try each exercise, it is not necessary that you have to complete all of them, but whatever you can, try to understand; talk to coordinators, talk to your classmates and friends, and try to find out how it has been set up to detect particular types of attacks: that if a student changes a file or somebody logs in as root, you can see the alert actually happening, and you can see the value of setting up this system. When you actually use it in the real world you have to, of course, tailor it for the events that you want. The exercises take you through some scenarios or use cases, toy demonstrations of the value of this tool, and this will be the first step to securing, or security assurance: to set up tools like this, tools that monitor activities on the network on a real-time basis. They do not get tired, they do not go to sleep, they watch, and whenever alerts are needed they will generate them. He was talking about email alerts; you can even have SMS alerts. So on this side, depending on the level of service that you need to give, you can escalate; this is called an escalation matrix: if an alert is not attended to within a certain time then the alert can go to somebody else. You can have an escalation matrix, and then therefore all the people in the organization who are responsible for security will then have to understand what to do, how to respond, and so on, and that is part of the bigger picture of assuring security in your organization. So now I will thank Ashok for doing his part.