OSM: Open Security Monitoring

Introduction

I’ve spent most of my career defending environments of all sizes.  What I’ve found is that the job of a defender is much less flashier and thankless as compared to an “ethical hacker.”  While there are volumes of articles, guides, and talks on penetration testing and the latest attacks, there isn’t much on defending or security monitoring.  With plenty of free tools and exploits for attackers (such as the venerable Kali Linux), there doesn’t seem to be as much excitement for building similar tools for defenders.  In fact, there’s a notion that in order to properly defend a network, you must spend thousands or even millions of dollars.

Enter “Open Security Monitoring”, or “OSM”, which I refer to as a system of integrated open source security tools working together to secure networks of all sizes and all budgets.  Why open source?  There are three specific advantages:

  • Cost: Open source security tools are freely available for anyone to download and install.  This makes the barrier to entry much lower for convincing management to implement these tools.
  • Transparency: The source code can be viewed and edited by anyone, making it clear how it works.  If it doesn’t do something you want it to do, you’re free to modify the code to fit your needs.  I’ve always found the best way to learn and understand something is to take it apart and look at how all the pieces work together.  It’s no different with security tools.
  • Quality: Just because it’s open source and “free”, doesn’t mean it’s a lesser tool than something costing thousands of dollars.  In fact, many are better than anything commercially available because they’re built and supported by a passionate community that isn’t looking to simply make the next big sale.

In this series, I will walk through key OSM components and the relevant tools I’ve used to defend real-world environments:

  • Intrusion Detection/Prevention System
  • Network Security Monitoring
  • Host Intelligence
  • Security Analytics

You could certainly achieve this without using open source tools, but the point here is that you can build a robust security monitoring architecture with limited financial resources.  And if you have some money to spend, open source security tools complement commercial systems well.  Each environment is unique and you’ll likely have a mix of open source and commercial products.

What’s Next

We’ve defined the concept of Open Security Monitoring and why there is a need for open source security tools.  Next, we’ll explore the first of four OSM components, intrusion detection/prevention systems.

Related Posts

Elastic Explained: How To Create a Cluster with Docker Compose

Elastic Explained: How To Create a Cluster with Docker Compose

Overview In this guide we'll walkthrough setting up and running an externally accessible three-node Elastic cluster using Docker Compose on Ubuntu Linux 22.04 that's suitable for a home lab or developer / test environment. Our Elastic deployment will include the...

Zeekurity Zen – Part IX: How To Update Zeek

Zeekurity Zen – Part IX: How To Update Zeek

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor. Overview In our Zeek journey thus far, we've: Set up Zeek to monitor some network traffic. Used Zeek Package Manager to install packages. Configured Zeek to send logs to Splunk...

Elastic Explained: How To Guides For The Elastic Stack

Elastic Explained: How To Guides For The Elastic Stack

Elastic develops the popular log analytics platform, the Elastic Stack, which supports a variety of search, observability, and security use cases through its many out of the box integrations.  It's a great platform for collecting, analyzing, and visualizing data from...

Transform Your Business & Operate at Peak Efficiency