Centralized monitoring and intrusion detection
Alarm System
Ensuring the security of a company's IT infrastructure becomes increasingly important as new threats and forms of attack continually emerge. Linux already has numerous tools for detecting anomalies in networks across platforms that evaluate logfiles, among other tasks. However, many of the security tools that make life easier for administrators are scattered across the Internet and not easy to find.
The Security Onion [1] project addressed this shortcoming back in 2008. Originally based on Ubuntu, the security suite, which now runs in Docker environments, bundles professional tools for monitoring the IT infrastructure, including logfile analysis and intrusion detection [2]. The various ways of using the system include cloud images, which are intended for use in the Amazon, Google, and Azure clouds, and a downloadable ISO image that you can install on a dedicated host and deploy in virtual environments such as VirtualBox or VMware.
Strategies
When collecting, aggregating, and analyzing data, Security Onion can take both a host-based and network-based approach. The suite uses three tools for host-based intrusion detection: (1) Wazuh [3] is a fork of the OSSEC [4] intrusion detection system; it monitors hosts and sends data to a server in the event of anomalies. A cross-platform agent is installed on the computers for this purpose. By analyzing the log data, Security Onion detects malware and identifies further vulnerabilities that need to be addressed. (2) Osquery [5] is another host-based tool that queries and logs the system status. (3) Beats [6] uses Winlogbeat to
...Buy this article as PDF
(incl. VAT)