I’m in Washington, waiting for my flight back to Belgium. I just attended the 2019 edition of the OSSEC Conference, well more precisely, close to Washington in Herndon, VA. This was my first one and I’ve been honoured to be invited to speak at the event. OSSEC is a very nice project that I’m using for a long time. I also contributed to it and I’m giving training on this topic. The conference was already organized for a few years and attracted more people every year. They doubled the number of attendees for the 2019 edition.
The opening session was performed by Scott Shinn, OSSEC Project Manager, who came with some recap. The project started in 2003 and was first released in 2005. It supports a lot of different environments and, basically, if you can compile C code on your device, it can run OSSEC! Some interesting facts were presented by Scott. What is the state of the project? OSSEC is alive with 500K downloads in 2018 and trending up. A survey is still ongoing but already demonstrates that many users are long-term users (31% are using OSSEC for >5y). If the top user profile remains based on infosec people, the second profile is IT operations and devops. There is now an OSSEC foundation (503c – a non-profit organization) which has multiple goals: to promote OSSEC, a bug bounty will probably be started, to attract more developers and to enforce the project. There is an ongoing effort to make the tool more secure with an external audit of the code.
Then, Daniel Cid presented his keynote. Daniel is the OSSEC founder and reviewed the story of his baby. Like many of us, he was facing problems in his daily job and did not find the proper tool. So he started to develop OSSEC. There was already some tools here and there like Owl, Syscheck or OSHIDS. Daniel integrated them and added a network layer and the agent/server model. He reviewed the very first versions from the 0.1 until 0.7. Funny story, some people asked him to stop flooding the mailing where he announced all the versions and suggested him to contribute to the project ’Tripwire’.
Then, Scott came back on stage to talk about the Future of OSSEC. Some times, when I mention OSSEC, people’ first reaction is to argue that OSSEC does not improve or does not have clear roadmap. Really? Scott give a nice overview of what’s coming soon. Here is a quick list:
- Dynamic decoders – OSSEC will implement user defined variable names. They will be configured via a KV store represented in JSON. The next step will be to implement the output transport to other format to replace tools like Filebeat, ArcSight, Splunk agents, etc.
- Real-time threat intelligence – Instead of using CDB lists (that must be re-generated at regular interval, OSSEC will be able to query threat intelligence lists on the flight, in the same way as the GeoIP lookups are working.
- GOSSEC – Golang OSSEC. agent-auth has already been ported to Golang.
- Noisesocket – To replace the existing encryption mechanism between the OSSEC server and agents.
- A new web managment console
Most of these new features should be available in OSSEC 3.3.
The next presentation was about “Protecting Workloads in Google Kubernetes with OSSEC and Google Cloud Armor” by Ben Auch and Joe Miller, Gannett working at USA Today. This media company operates a huge network with 140M unique visitors monthly, 120 markets in the US and a worldwide presence. As a media company, there are often targeted (defacement, information change, fake news, etc). Ben & Joe explained how they successfully deployed OSSEC in their cloud infrastructure to automatically block attackers with a bunch of Active-Response scripts. The biggest challenge was to be able to remain independent of the cloud provider and to access logs in a simple but effective way.Detect malicious requests to GKE containers
Mike Shinn, from Atomicorp, came to speak about “Real Time Threat Intelligence for Advanced Detection“. Atomicorp, the organizer of the conference, is providing OSSEC professional services and is also working on extensions. Mike demonstrated what he called “the next-generation Active-Response”. Today, this OSSEC feature accesses data from CDB but it’s not real-time. The idea is to collect data from OSSEC agents installed in multiple locations, multiple organizations (similar to what dshield.org is doing) and to apply some machine-learning magic. The idea is also to replace the CDB lookup mechanism by something more powerful and in real time: via DNS lookups. Really interesting approach!
Ben Brooks, from Beryllium Infosec, presented “A Person Behind Every Event“. This talk was not directly related to OSSEC but interesting anyway. Tools like OSSEC are working with rules and technical information – IP addressds, files, URLs, but what about the people behind those alerts? Are we facing real attackers or rogue insides? Who’s the most critical? The presentation was focussed on the threat intelligencecycle:
Direction > Collection > Processing > Analysis > DesseminationBof
The next two talks had the same topic: automation. Ken Moini from Fierce Software Automation, presented “Automating Security Across the Enterprise with Ansible and OSSEC“. The idea behind the talk was to solve the problems that most organizations are facing: people problems (skills gaps), point tools (proliferation of tools and vendors solutions), pace of innovation. Mike Waite, from RedHat, spoke about “Containerized software for a modern world, The good, the bad and the ugly“. A few years ago, the ecosystem was based on many Linux flavors. Today, we have the same issue but with many flavours of Kubernetes. It’s all about applications. If applications can be easily deployed, software vendors are becoming also Linux maintainers!
The next presentation was performed by Andrew Hay, from LEO Cybersecurity: “Managing Multi-Cloud OSSEC Deployments“. Andrew is a long OSSEC advocate and co-wrote the book “OSSEC HIDS Host Based Intrusion Detection Guide” with Daniel Cid. He presented tips & tricks to deploy OSSEC in cloud services, how to generate configuration files with automation tools like Chef, Puppet or Ansible.
Mike Shinn came back with “Atomic Workload Protection“. Yesterday, organizations’ business was based on a secure network of servers. Tomorrow, we’ll have to use a network of secure workloads. Workloads must be security and cloud providers can’t do everything for us. Cloud providers take care of the cloud security but the security IN the cloud relies on their customers! Gartner said that, by 2023, 99% of the cloud security failures will be customer’s fault. Mike explained how Atomicorp developed extra layers on top of OSSEC to secure workloads: Hardening, Vulnerability shielding, Memory protection, Application control, Behavioral Monitoring, Micro segmentation, Deception and AV/Antimalware.
The next slot was assigned to myself, I presented “Threat Hunting with OSSEC“.
Finally, the last presentation was the one of Dmitry Dain who presented the NoiseSocket that will be implemented in the next OSSEC release. The day ended with a quick OSSEC Users panel and a nice social event.
The second day was mainly a workshop. Scott prepared some exercises to demonstrate how to use some existing features of OSSEC (FIM, Active-Response) but also the new feature called “Dynamic Decoder” (see above). I met a lot of new people who are all OSSEC users or contributors.