Introduction
I’ve spent most of my career defending environments of all sizes. What I’ve found is that the job of a defender is much less flashy and far more thankless than that of an “ethical hacker.” While there are volumes of articles, guides, and talks on penetration testing and the latest attacks, there isn’t much on defending or security monitoring. With plenty of free tools and exploits available to attackers (such as the venerable Kali Linux), there doesn’t seem to be as much excitement for building similar tools for defenders. In fact, there’s a notion that in order to properly defend a network, you must spend thousands or even millions of dollars.
Enter “Open Security Monitoring”, or “OSM”, the term I use for a system of integrated open source security tools working together to secure networks of all sizes and all budgets. Why open source? There are three specific advantages:
- Cost: Open source security tools are freely available for anyone to download and install. This makes the barrier to entry much lower for convincing management to implement these tools.
- Transparency: The source code can be viewed and edited by anyone, making it clear how it works. If it doesn’t do something you want it to do, you’re free to modify the code to fit your needs. I’ve always found the best way to learn and understand something is to take it apart and look at how all the pieces work together. It’s no different with security tools.
- Quality: Just because a tool is open source and “free” doesn’t mean it’s lesser than something costing thousands of dollars. In fact, many are better than anything commercially available because they’re built and supported by a passionate community that isn’t looking to simply make the next big sale.
In this series, I will walk through key OSM components and the relevant tools I’ve used to defend real-world environments:
- Intrusion Detection/Prevention System
- Network Security Monitoring
- Host Intelligence
- Security Analytics
You could certainly achieve this without using open source tools, but the point here is that you can build a robust security monitoring architecture with limited financial resources. And if you have some money to spend, open source security tools complement commercial systems well. Each environment is unique and you’ll likely have a mix of open source and commercial products.
What’s Next
We’ve defined the concept of Open Security Monitoring and why there is a need for open source security tools. Next, we’ll explore the first of four OSM components, intrusion detection/prevention systems.