AlienVault: the Future of Security Information Management
Security Information Management (SIM) systems have made many security administrators' lives easier over the years. SIMs organize an enterprise's security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault's Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate.
In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition to the OSSIM server, I have placed a CentOS-based Apache Web server and a Windows XP workstation into the test network to observe OSSIM's interoperation with different systems and other third-party agents.
To keep deployment time to a minimum, I deployed OSSIM on a VMware-based virtual machine (VM). OSSIM is built on Debian, so you can deploy it to any hardware that Debian supports. I used the downloadable installation media from the AlienVault site in .iso form (version 2.1 at the time of this writing) and booted my VM from the media.
On bootup, you will see a rather busy and slightly difficult-to-read install screen (Figure 1). The default option is the text-based install, but by pressing the down arrow, you will see a graphical install option. Select the Text option and press Enter. If you've seen Debian install screens, the OSSIM installer will look very familiar. Set your language preferences and partition your hard drive(s). Configure your settings for Postfix if desired. Finally, set your root password, and enter a static IP address for the server when prompted. The installer will restart the machine to complete the configuration.
Open a browser from a machine on the same network and enter the IP address of the OSSIM server in the URL field (Figure 2). Enter “admin” as the user and password to log in to the management site. Change your password under the Configuration→Users section. After logging in, the main dashboard view loads (Figure 3).
The next step is to add systems for the OSSIM server to monitor. Start by defining your local network and performing a cursory scan. On the Networks tab under Policy, click Insert New Network. Enter your LAN information in the fields provided. If you don't see a sensor listed, insert a new one using the hostname and IP address of your all-in-one OSSIM server. Leave the Nagios check box enabled, but the Nessus box unchecked (Figure 4) to reduce the time needed for the first scan. After the scan completes, several hosts should appear on the Hosts tab of the Policies section. OSSIM installs and auto-configures Nagios and ntop during installation, so you also can see basic network information by visiting the Monitors section of the management page (Figure 5). Once all hosts are found, find the CentOS Web server in the Hosts section under Policies, and modify its priority from 1 to 5 (Figure 6). You will use this later in the article when I discuss correlation.
You now have an active OSSIM server using passive network monitors like snort, Nagios and ntop to report on your test network's activity. Next, let's add some client-based agents that feed data into the OSSIM server.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Peppermint 7 Released
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Sony Settles in Linux Battle
- Libarchive Security Flaw Discovered
- Maru OS Brings Debian to Your Phone
- Snappy Moves to New Platforms
- Profiles and RC Files
- Understanding Ceph and Its Place in the Market
- Git 2.9 Released
- The Giant Zero, Part 0.x
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide