TalaTek attends Open Source SEC 2019 Conference

Security and DevOps professionals gather to discuss best practices, the future of OSSEC

By Joshua Grove, TalaTek CTO

As the CTO of TalaTek, I attended the recent Open Source SECurity Host Based Intrusion Detection System (OSSEC HIDS) Conference, which brought together OSSEC project leaders, power users and investors from around the world to discuss the future of OSSEC and gather practical advice for security and DevOps professionals.

OSSEC, a free, open-source host-based intrusion detection system (HIDS), is the most widely used HIDS in the world. Unlike Advanced Intrusion Detection Environment (AIDE), OSSEC performs log analysis, Windows registry monitoring, rootkit detection, real-time alerting, active response and integrity monitoring; it is available on most platforms, including Linux, Windows and Mac, and comes in seven commercial derivatives. Because of its active response capabilities, OSSEC can also be considered an intrusion prevention system. OSSEC has received several security certifications, is a Department of Defense-approved product, and in the last year received code reviews performed by Apple Security and OVH (https://www.ovh.com/world/vps/).

Featured presenters included OSSEC founder Daniel Cid, who discussed creating OSSEC, the challenges he faced and OSSEC’s future; Xavier Mertens of Xavier Mertens Consulting, on threat hunting with OSSEC; and OSSEC Project Manager Scott Shinn, who spoke about OSSEC’s non-profit foundation and encouraged everyone to contribute to OSSEC, stating that no commit is too small.

Other speakers included USA TODAY’s Director of Cybersecurity Operations and Engineering Ben Auch and Senior Architect Joe Miller, who discussed the use of OSSEC at USA TODAY and its integration with Kubernetes orchestration, Google Kubernetes Engine (GKE) and Cloud Armor IP access control.

New features coming in version 3.3 include:

  • PCRE2
  • Dynamic Decoders
  • JSON expansion
  • Improved agent registration

Roadmap for future development includes:

  • Dynamic decoders
  • Threat intelligence
  • Gossec – Golang
  • Web management

OSSEC can generate daily reports and send alerts to AWS’s CloudWatch agent for review. OSSEC can be configured to write its alerts in JSON format, which the CloudWatch Agent can then ship into CloudWatch Logs. In CloudWatch, metric filters can be set on the alert level, metrics defined from those levels, and alarms set to trigger when a metric breaches a threshold. A CloudWatch alarm can thus notify administrators by email or text message whenever OSSEC alerts exceed a predefined level. With the Maximum statistic selected, the alarm fires as soon as a single alert in the evaluation period reaches the threshold level. The alarm can then publish to an AWS SNS topic to notify the appropriate personnel.
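To make that pipeline concrete, here is an added Python example (not code from this article, from TalaTek or from the OSSEC project). It assumes OSSEC has been set to write JSON alerts with `<jsonout_output>yes</jsonout_output>` in ossec.conf (the resulting file is one JSON object per line), and it emulates locally what a CloudWatch JSON metric filter such as `{ $.rule.level >= 10 }`, aggregated with the Maximum statistic and compared against an alarm threshold, would do. That lets a team tune the threshold against real alert levels before wiring the alarm to SNS. The sample alert lines are constructed: the field names follow OSSEC's JSON output format, but every value, hostname and address is invented.

```python
import json
from collections import defaultdict

# Constructed sample of OSSEC alerts.json content (one JSON object per line,
# as written when <jsonout_output>yes</jsonout_output> is set in ossec.conf).
# Field names mirror OSSEC's jsonout format; values, hosts and addresses are
# invented. The last line is a deliberately truncated record, the kind a
# reader tailing the file can see while OSSEC is still writing it.
SAMPLE_ALERTS_JSON = """\
{"rule":{"level":3,"comment":"Login session opened.","sidid":5501},"hostname":"web-01","TimeStamp":1559304000,"location":"/var/log/auth.log","full_log":"pam_unix(sshd:session): session opened for user deploy"}
{"rule":{"level":5,"comment":"SSHD authentication failed.","sidid":5716},"hostname":"web-01","srcip":"198.51.100.23","TimeStamp":1559304030,"location":"/var/log/auth.log","full_log":"Failed password for invalid user admin from 198.51.100.23 port 4022 ssh2"}
{"rule":{"level":10,"comment":"SSHD brute force trying to get access to the system.","sidid":5712},"hostname":"web-01","srcip":"198.51.100.23","TimeStamp":1559304050,"location":"/var/log/auth.log","full_log":"Failed password for invalid user admin from 198.51.100.23 port 4023 ssh2"}
{"rule":{"level":7,"comment":"Integrity checksum changed.","sidid":550},"hostname":"web-02","TimeStamp":1559304070,"location":"syscheck","full_log":"Integrity checksum changed for: '/etc/passwd'"}
{"rule":{"level":12,"comment":"Host-based anomaly detection event (rootcheck).","sidid":510},"hostname":"web-02","TimeStamp":1559304125,"location":"rootcheck","full_log":"Rootcheck anomaly (constructed sample line)"}
{"rule":{"level":
"""


def parse_alerts(text):
    """Parse alerts.json content into a list of alert dicts.

    Blank and malformed lines are skipped rather than raised on, because a
    partially written record must not stall ingestion of the rest of the file.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Only keep records that carry the fields the filter and metric need.
        if isinstance(alert, dict) and isinstance(alert.get("rule"), dict) \
                and alert.get("TimeStamp") is not None:
            alerts.append(alert)
    return alerts


def metric_filter(alerts, min_level):
    """Local equivalent of the CloudWatch JSON filter pattern
    { $.rule.level >= <min_level> } applied to each ingested line."""
    return [a for a in alerts if a["rule"].get("level", 0) >= min_level]


def max_level_per_period(alerts, period_seconds=60):
    """Aggregate rule levels per evaluation period with the Maximum statistic:
    each period's value is the highest single alert level seen in it.
    Periods are keyed by their start time (epoch seconds)."""
    per_period = defaultdict(int)
    for a in alerts:
        period_start = (int(a["TimeStamp"]) // period_seconds) * period_seconds
        per_period[period_start] = max(per_period[period_start], a["rule"]["level"])
    return dict(per_period)


def evaluate_alarm(per_period, threshold):
    """Return the period start times that would put the alarm into ALARM state
    (Maximum statistic >= threshold), in chronological order."""
    return sorted(start for start, level in per_period.items() if level >= threshold)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_JSON)
    print(f"ingested {len(alerts)} alerts (malformed lines skipped)")
    for a in metric_filter(alerts, 10):
        print("filter match:", a["hostname"], "level", a["rule"]["level"], a["rule"]["comment"])
    per_period = max_level_per_period(alerts)
    for start in evaluate_alarm(per_period, 10):
        print(f"ALARM for period starting {start}: max level {per_period[start]}")
```

Two points worth noting when carrying this over to CloudWatch. OSSEC levels run from 0 to 15, and with the Maximum statistic one level-10 correlation (such as the repeated SSH failures in the sample) is enough to trip the alarm for its period, so the threshold should be chosen against the levels your own rules actually emit rather than against alert volume. And a truncated or non-JSON line is simply skipped here, just as it would fail to match a JSON filter pattern in CloudWatch; if you need to know about such lines, count them separately rather than letting them break the pipeline.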

OSSEC Project Manager Scott Shinn presents at the 2019 OSSEC Conference.

TalaTek is using OSSEC in the implementation of its next-generation Governance, Risk and Compliance (GRC) platform, which is currently under development. TalaTek’s team of business leaders, developers and security professionals is building an advanced GRC platform that will offer a highly intuitive, powerful tool for GRC management that can be used from inception, through assessment and continuous monitoring, to decommissioning. The platform leverages the Amazon Web Services (AWS) US East-1/East-2 infrastructure and its Infrastructure as a Service and Platform as a Service (IaaS/PaaS) offerings, which have been accredited by the FedRAMP PMO since May of 2013.

OSSEC facilitates the FedRAMP and FISMA processes needed to accredit our next-generation GRC software as a service. OSSEC’s syscheck, rootkit detection, and automated log analysis and reporting features aid in the accreditation process by helping to implement, respectively, the SI-7 integrity monitoring, SI-3 malicious code protection, and AU-6 audit review, analysis and reporting controls.