Photo by Mick Haupt on Unsplash
Security analysis with Security Onion
Collector
Many different tools on the market help enterprise security teams monitor security-related log and network data, with a view to detecting and analyzing acute threats and attacks on their infrastructures. Back in 2008, the open source Security Onion [1] project was launched with the aim of bundling open and free software to analyze threats, establish security monitoring in the sense of an intrusion detection system (IDS), and support central log management on the corporate network.
The idea behind Security Onion was to provide a Linux-based operating system that would include a full set of useful tools and give users a suitable environment for their daily work. Security Onion was initially based on Ubuntu. In version 2, though, the installation of the individual tools was shifted to containers so that Security Onion now runs on basically any distribution that supports Docker. That said, it officially only supports the Ubuntu and CentOS distributions. For this article, I use the downloadable ISO file, but you can always try out one of the other variants, such as one of the prebuilt images available for AWS or Azure.
Intrusion Detection
The motivation for using Security Onion is intrusion detection. You need to distinguish between host-based IDS (HIDS) and network-based IDS (NIDS). Both methods have their advantages and disadvantages in terms of possible monitoring points. On a host, you will mainly check the running processes, settings, registry entries, files, and users, whereas checks on the network let you monitor communications, communication partners, content, and metadata.
Although you can access the data on the network centrally (e.g., at the monitoring or mirror port of a switch) without having to configure the monitored computers yourself, you need to find a manageable way of transporting the data for analysis from the
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Centralized monitoring and intrusion detection
Security Onion bundles numerous individual Linux tools that help you monitor networks or fend off attacks to create a standardized platform for securing IT environments. -
Network monitoring with Zeek
Zeek offers an arsenal of scripts for monitoring popular network protocols and comes with its own policy scripting language for customization. -
Successful protocol analysis in modern network structures
Virtual networks and server structures require additional mechanisms to ensure visibility of data streams. We show how to monitor and analyze network functions, even when virtualization is involved. -
Advanced monitoring techniques for Azure VMs on Linux
We delve into advanced monitoring methods for enhancing the performance and security of Linux-based Azure virtual machines. -
Detecting security threats with Apache Spot
Security vulnerabilities often remain unknown when the data they reveal is buried in the depths of logfiles. Apache Spot uses big data and machine learning technologies to sniff out known and unknown IT security threats.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
