BSIDESLV PREVIEW: THE OBJECT MONITOR FOR ENHANCED NETWORK SECURITY (OMENS)
MAY 22, 2013 9:00 PM PUBLISHED BY ANTHONY M FREED
Security BSides Las Vegas – which this year will be held at the Tuscany Suites & Casino on July 31st & August 1st – is just around the corner, so we decided to run a short series highlighting some of the fantastic presentations that are slated for the event.
First up is a session by security researcher D0n Quix0te (@OMENScan) who – with more than 25 years of experience in architecting, installing, maintaining, and defending high value targets – will nonetheless be making his debut as a BSides presenter with a session in the “Proving Grounds” track titled The Little Dutch Boy.
D0n Quix0te framed the topic of his session with an arch-typical scenario: A compromised web server was used as a pivot point to compromise an entire network despite the fact that the administrators hardened the systems, implemented a firewall, application and vulnerability scanners, network intrusion detection mechanisms, and deployed a comprehensive patch management strategy.
“Like the Little Dutch Boy in that famous story, you discover a tiny hole in your network defenses that the bad guys were able to sneak through undetected, and you realize that the clues were there all along. If you had seen those simple clues, you could have plugged the vulnerability before it was exploited and prevented the whole mess,” D0n Quix0te wrote in his abstract for the session.
This common scenario was the genesis for the creation of a continuous monitoring tool that D0n Quix0te calls OMENS (Object Monitor for Enhanced Network Security), which is a free Windows web server sentry designed to monitor, detect, and block the attacks that traditional Network Monitoring tools often miss.
In D0n Quix0te’s presentation, he will examine the typical blind spots that other Network Monitoring systems can suffer from, and how these holes can be plugged by a distributed, host-based monitoring system.
He will also discuss how OMENS is currently being used to monitor networks for hostile actors in order to better understand their actions and remediate any vulnerabilities they are probing before they can be actively exploited.
“There are some unique problems that defenders encounter, that no one is really talking about. I ran into these problems while doing intrusion analysis, and OMENS was the way I addressed some of these issues,” D0n Quix0te said.
“This talk exposes and addresses some of the problems with existing detection tools, and provides a free tool to the security community to address those problems.”
Anyone who has worked on a major (or even a minor) breach understands that most security systems have small holes in them that the bad guys can and do use to bypass defenses, and even though the holes are considered to be insignificant, the attacks that they let pass through are definitely not.
“Invariably, once an attacker is inside they can slowly and methodically undermine system defenses and gain access to system after system. My talk is about those holes, and about how I decided to write a tool to plug some of them by thinking a little differently about the problem,” D0n Quix0te explained.
While the talk will be primarily aimed at Windows web server defenders, the weaknesses the session will explore are not unique to either Windows itself or web servers. “Even though my talk and my security tool is/are geared towards Windows web servers – the fundamental issues are systemic,” D0n Quix0te noted.
He is also convinced that the industry needs to start looking at security from a different perspective, and the talk is designed to communicate that.
“Right now attacks are very scalable but existing defenses often are not,” D0n Quix0te said. “I hope to show how OMENS has implemented a simple distributed method to enable defenders to quickly address evolving and emerging threats, and how this model could be used in many other security tools.”
The researcher hopes that the audience will come away with a realization that it might be a good idea for them to go back and look at the inherent weaknesses in their defenses and to strengthen them with complimentary tools, and he wishes to advance the notion that we really need inexpensive, near-real-time, distributed, actionable intelligence.
“Too many small but important vendors in the supply chain cannot afford expensive security systems,” he stated. “I believe that a set of free and inexpensive tools coupled with crowd-sourced, automated intelligence helps everyone in the supply chain be more secure.”
Both host-based protections and network-based protections have weaknesses, and D0n Quix0te stressed that it is important to note that he is merely adding to the available tool sets, and that he is definitely not saying that we should get rid of anything.
“We have to recognize that our current architectures are vulnerable at many inflection points, and no single tool or paradigm can be 100% effective,” he continued.
D0n Quix0te also made a point of mentioning that there was no doubt in his mind that we as an industry cannot solve the spectrum of security problems we face today without moving from a vertical paradigm to a horizontal one, making the case for more shared threat intelligence.
“Eventually we will have to have a standardized, machine readable format for near-real-time sharing of actionable intelligence,” he argued.
“Our security systems must talk to each other and must be able to share intelligence if we are going to address the issues of fast moving threats and adversaries that can hide deep inside our systems to establish a long term, stealthy presence.”
Tags: BSidesLV, continuous monitoring, information sharing, intrusion detection, Network Security, OMENS, Security BSides, Security Intelligence, training
Categories: Incident Detection
THIS POST WAS WRITTEN BY…
Anthony M Freed has contributed 45 posts to The State of Security.
Twitter @AnthonyMFreed
Google+ Anthony M Freed
Anthony M. Freed is Tripwire’s Community Engagement & Social Media Coordinator, and has a passion for translating security techno-babble into the language of enterprise risk abatement for the business class. Prior to joining the Tripwire team, Anthony was an infosec journalist and editor who authored numerous feature articles, interviews, and investigative reports which were sourced and cited by dozens of major media outlets. Born and bred in the greater Portland area, Anthony is an avid outdoorsman, foodie and music aficionado.
