Time
1 hour 18 minutes
Difficulty
Beginner
CEU/CPE
2

Video Description

In this lesson, participants meet the subject matter expert (SME) for this course and also learn which prerequisites are needed for this course. This course covers Log Security Incident and Event Management (SIEM), which consists of:

- Log aggregation and retention: a SIEM can securely store logs from all networking systems in one centralized location.
- Correlation engine: looks for patterns and trends in logs, seeking any suspicious activity.
- Alerting and analysis: these allow network engineers to take appropriate action as needed.
- Reporting and dashboards: provide visibility into which machines are most targeted.
- Compliance: these can provide audit reports.

Course objectives are:

- Develop an understanding of SIEM technology
- Plan and architect OSSIM installations
- Perform OSSIM installations
- Send logs to OSSIM sensors
- Install the OSSEC local agents
- Configure the OSSIM server

In order to get the most out of this course, participants are encouraged to have the following tools:

- Powerful PC or multiple-PC lab setup with 12 or more gigs of RAM
- Virtualization software (VirtualBox or VMware)
- OSSIM image
- Additional virtual machines

Upon successful completion of this course, participants will be able to install, configure and tune a SIEM installation from the ground up. Regardless of which SIEM one decides to specialize in, having experience with one SIEM lays the groundwork for learning another. In addition, participants will also be able to set up an OSSIM system by looking at a diagram and then determining the best placement and utilization for an OSSIM structure. This course offers step-by-step instructions on installation and configuration, how to send logs to a SIEM, the installation of host intrusion detection agents, and how to adjust settings to customize them to an organization's specific needs. This course assumes no prior knowledge and teaches participants basic skills and deployments.
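As an added example (not code from the course or from OSSIM itself), the three SIEM stages listed above, log aggregation, correlation and alarming, reduced to a few lines of Python run over constructed log lines: normalized SSH events are collected, and a correlation rule raises an alarm when a source produces a threshold of failed logins and then a successful one inside a short window. The log lines, the rule name and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources a SIEM sensor would aggregate:
# a Linux SSH server (auth.log style) and a firewall. Not real data.
RAW_LOGS = [
    "2024-03-01T10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 5122 ssh2",
    "2024-03-01T10:00:03 web01 sshd[2212]: Failed password for admin from 203.0.113.7 port 5123 ssh2",
    "2024-03-01T10:00:04 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 5124 ssh2",
    "2024-03-01T10:00:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 5125 ssh2",
    "2024-03-01T10:00:07 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 5126 ssh2",
    "2024-03-01T10:00:09 web01 sshd[2216]: Accepted password for root from 203.0.113.7 port 5127 ssh2",
    "2024-03-01T10:00:20 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=445",
    "2024-03-01T10:05:00 web01 sshd[2300]: Failed password for bob from 10.0.0.8 port 6000 ssh2",
]

SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(line):
    """Aggregation step: turn one raw line into a normalized event dict.
    Lines this (deliberately narrow) parser does not understand yield None."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
            "user": user, "event": "ssh_" + outcome.lower()}

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Correlation step: `threshold` failed logins from one source inside
    `window`, followed by a success from that same source, raises an alarm."""
    alarms = []
    failures = defaultdict(list)  # source address -> timestamps of failures
    for ev in filter(None, map(normalize, lines)):
        if ev["event"] == "ssh_failed":
            failures[ev["src"]].append(ev["ts"])
        elif ev["event"] == "ssh_accepted":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alarms.append({"rule": "brute_force_then_success", "src": ev["src"],
                               "host": ev["host"], "user": ev["user"],
                               "failures": len(recent)})
    return alarms

if __name__ == "__main__":
    for alarm in correlate(RAW_LOGS):
        print("ALARM:", alarm)
```

The firewall line is silently skipped because only the SSH parser is present; a real sensor would carry one normalizer per log source feeding the same correlation engine.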

Video Transcription

00:01
Welcome to OSSIM Part One: Installation and Configuration.
00:06
In this presentation we'll be going over the course objectives, prerequisites, the tools you'll need to follow along, and a brief background on my professional work.
00:16
I've worked for a couple of years as both a security analyst and incident responder,
00:21
and in my latest role I've been working with AlienVault USM for close to a year.
00:26
USM is a paid premium version of OSSIM, which we'll be covering in this course.
00:32
Throughout the past year, I've installed, configured, managed and tuned a SIEM installation from the ground up.
00:38
I'm going to break down what I've learned into the bare essentials to help you get started.
00:44
Now you may be asking, what even is a SIEM?
00:47
Well, SIEM is an acronym that stands for Security Incident and Event Management,
00:53
and this course will be focusing on AlienVault's Open Source Security Incident Management System, or OSSIM for short.
01:02
SIEMs are crucial for businesses to ensure they're protected and have active alerting for security incidents on their network.
01:08
SIEMs have many features and uses. However, most of them boil down into these main points.
01:17
SIEMs ingest logs from everything they possibly can.
01:19
Domain controllers, workstations, web servers, firewalls, routers, hypervisors, and other networking equipment
01:27
all need to have their logs sent.
01:30
A SIEM can take these logs and store them securely in one centralized location.
01:36
A SIEM can take the centralized logs and run them through a correlation engine.
01:41
This engine looks for trends and indicators in the logs for malicious activity.
01:46
When a SIEM detects malicious activity, it creates events and alarms.
01:51
These alarms notify SOC analysts to investigate.
01:53
A SOC analyst can utilize the SIEM to perform in-depth analysis and react to the alarms accordingly.
02:00
These alarms, events and logs can all be used for in-depth reporting and trending dashboards.
02:07
These dashboards could help provide visibility into which machines are most often targeted,
02:12
which offenders are most frequent, common attack types and much more.
02:15
Taking reporting a step further, some SIEMs feature compliance reporting.
02:21
These audit reports could be run and given to the auditor.
02:23
If you ever went through an audit without automated reporting, you know how much time and headaches this can save.
02:31
By the end of this course, you'll have a full understanding of what a SIEM system is.
02:37
Whether you go with AlienVault's OSSIM or another vendor, the main concepts are very similar.
02:44
Just having experience working with one SIEM translates very well into learning another.
02:49
You will also have a solid grasp on what it takes to set up an OSSIM installation.
02:53
You will be able to look at a network diagram and know exactly where the OSSIM infrastructure will be best utilized and placed.
03:02
Taking this a step forward, you will be able to perform the server and sensor installations.
03:08
I'll be walking through the entire process from start to finish in my own virtual lab.
03:14
You can follow along in the lab or create your own setup entirely.
03:19
You'll learn how to send logs to OSSIM sensors.
03:23
Logs are the lifeblood of a SIEM, and you want all the logs you can possibly get.
03:28
Additionally, you'll learn how to install host intrusion detection agents onto a machine through the use of OSSEC.
03:35
Once you get the servers installed, you'll be able to go into the configuration settings and know how to set everything exactly to your liking.
03:45
While this course is designed around setting up a lab environment to gain familiarity with the SIEM,
03:50
these skills will be a great addition to your resume.
03:53
And if you're more interested in offensive security, understanding how a SIEM and other security appliances work will help you become a much better penetration tester.
04:03
This course is centered around free software and tools.
04:10
I'd recommend using a PC with a quad core or higher and 12 or more gigs of RAM.
04:15
While you can make do with less, you'll find the appliances run quite a bit slower.
04:19
This course will work just as well using a lab of multiple computers. However, the networking and lab setup is out of this course's scope.
04:28
I'd recommend using one computer and virtualization software.
04:31
VirtualBox and VMware are both great options.
04:34
Personally, I like to use VirtualBox, and we'll be using it for all of the examples in this course.
04:41
If you want to follow along exactly click by click, I'd recommend using VirtualBox.
04:46
You'll also have to download the OSSIM image.
04:49
If you haven't downloaded it already, I'll be providing a link in the course materials tab.
04:55
For my lab, I'm going to be setting up a Linux web server.
04:59
Going into the web server setup and configuration is out of this course's scope.
05:02
However, I'll provide a link in the course materials tab for reference.
05:08
You should feel free to also create any other virtual machines and send those logs over as well.
05:14
The more logs you have being sent to OSSIM, the easier it is to really dig into the SIEM and grasp how it works.
05:20
This course assumes no prior knowledge. By the end of this course, you'll be able to create and develop your own OSSIM installation,
05:30
and the next presentation will be answering several questions, such as what exactly is OSSIM, and how does OSSIM work?
05:39
We'll also discuss the eligible infrastructure and how to best plan for your use case.
05:44
I'll also be giving a couple of examples of basic deployments and go over my lab configuration.
05:49
In closing, I'd like to thank you for your time. I hope to see you in my next presentation.

Up Next

AlienVault OSSIM

This course will use AlienVault OSSIM to showcase a Security Information and Event Management (SIEM) system. A SIEM is used to aggregate logs from all sources in a network, analyze the logs through a correlation engine, and generate alarms on malicious indicators and activity.

Instructed By

Anthony Isherwood
Instructor