7 Open Source Cloud Security Monitoring Tools You Should Know About

The widespread adoption of cloud computing helps companies scale their business, but new platforms also bring new threats. Building an in-house team responsible for monitoring the security of cloud services is not easy. Existing commercial monitoring tools are expensive and slow, and they become hard to manage when you need to secure a large-scale cloud infrastructure. Companies that want to keep their cloud security at a high level need tools that are more powerful, flexible, and understandable than what has been available so far. This is where open source technologies come in very handy: they save security budgets and are created by specialists who know their field well.


The article we are publishing in translation today gives an overview of 7 open source tools for monitoring the security of cloud systems. They are designed to protect against hackers and cybercriminals by detecting anomalies and unsafe activity.

1. Osquery

osquery is a framework for low-level operating system monitoring and analysis that lets security professionals investigate hosts with SQL. It runs on Linux, macOS, Windows, and FreeBSD and exposes the operating system as a high-performance relational database, so the OS can be explored by executing SQL queries. A single query can, for example, list running processes, loaded kernel modules, open network connections, installed browser extensions, hardware events, or file hashes.

osquery was created by Facebook. Its code was open-sourced in 2014, after the company realized it was not the only one that needed tools for monitoring low-level operating system mechanisms. Since then osquery has been used by experts at companies such as Dactiv, Google, Kolide, Trail of Bits, Uptycs, and many others. Recently it was announced that the Linux Foundation and Facebook are forming a foundation to support osquery.

osquery's host monitoring daemon, osqueryd, lets you schedule queries that collect data from across your organization's infrastructure. The daemon runs the scheduled queries and writes logs that reflect changes in the state of the hosts, which helps security professionals stay on top of what is happening in the fleet and is especially useful for anomaly detection. Its log aggregation capabilities can be used to hunt for known and unknown malware, to determine where intruders got into a system, and to find the programs they installed. Details on anomaly detection with osquery can be found in this material.
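As an added example (not code from the article or from the osquery project), the following Python defines a small scheduled-query pack of the kind osqueryd loads, and then triages the differential result records that osqueryd writes for those queries. The pack contents, the expected-port list, and the sample log lines are constructed for this illustration; the record layout (a JSON object per line with `name`, `hostIdentifier`, `action` and `columns`) is a simplified rendering of osqueryd's differential log and should be checked against the version you deploy.

```python
import json

# An osquery "pack": scheduled queries that osqueryd runs on an interval and
# logs as differential results (rows "added" or "removed" since the last run).
# Query names and intervals are this example's own choice, not an official pack.
PACK = {
    "queries": {
        "listening_ports": {
            "query": (
                "SELECT p.pid, p.name, p.path, l.port, l.address "
                "FROM listening_ports l JOIN processes p USING (pid) "
                "WHERE l.port != 0;"
            ),
            "interval": 60,
            "description": "Sockets that started or stopped listening",
        },
        "kernel_modules": {
            "query": "SELECT name, size, used_by, status FROM kernel_modules;",
            "interval": 300,
            "description": "Kernel modules loaded or unloaded",
        },
    }
}

def pack_json() -> str:
    """Serialize the pack the way osqueryd reads it from a pack file."""
    return json.dumps(PACK, indent=2)

# Ports that hosts in this hypothetical fleet are expected to listen on.
EXPECTED_PORTS = {22, 80, 443}

def triage(log_lines):
    """Scan osqueryd differential result records and return alerts.

    Each line is assumed to be one JSON record of the simplified shape
    {"name": "pack_<pack>_<query>", "hostIdentifier": ..., "action":
    "added"|"removed", "columns": {...}}; other keys are ignored.
    Returns a list of (severity, host, message) tuples.
    """
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "action" not in rec or "columns" not in rec:
            continue  # snapshot or status record, not a differential row
        host = rec.get("hostIdentifier", "?")
        query = rec.get("name", "")
        cols = rec["columns"]
        if query.endswith("listening_ports") and rec["action"] == "added":
            port = int(cols.get("port", 0))
            if port not in EXPECTED_PORTS:
                alerts.append(("high", host,
                               f"unexpected listener {cols.get('path')} "
                               f"(pid {cols.get('pid')}) on {cols.get('address')}:{port}"))
        elif query.endswith("kernel_modules"):
            verb = "loaded" if rec["action"] == "added" else "unloaded"
            alerts.append(("medium", host, f"kernel module {cols.get('name')} {verb}"))
    return alerts

# Constructed sample of four differential records from one host: an expected
# web listener, an unexpected listener from /tmp, a newly loaded kernel module,
# and the /tmp listener going away again.
SAMPLE_LOG = """\
{"name":"pack_fleet_listening_ports","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"812","name":"nginx","path":"/usr/sbin/nginx","port":"443","address":"0.0.0.0"}}
{"name":"pack_fleet_listening_ports","hostIdentifier":"web-01","unixTime":1700000060,"action":"added","columns":{"pid":"4021","name":"nc","path":"/tmp/nc","port":"4444","address":"0.0.0.0"}}
{"name":"pack_fleet_kernel_modules","hostIdentifier":"web-01","unixTime":1700000300,"action":"added","columns":{"name":"hidemod","size":"16384","used_by":"","status":"Live"}}
{"name":"pack_fleet_listening_ports","hostIdentifier":"web-01","unixTime":1700000120,"action":"removed","columns":{"pid":"4021","name":"nc","path":"/tmp/nc","port":"4444","address":"0.0.0.0"}}
"""

if __name__ == "__main__":
    print(pack_json())
    for severity, host, msg in triage(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {host}: {msg}")
```

The point of the differential mode is visible in the sample: the "removed" row for the /tmp listener is not an alert by itself, but the earlier "added" row is, and a module appearing in the kernel is reported whether or not it matches a known bad name.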

2. GoAudit

The Linux audit system consists of two main components. The first is kernel-level code that intercepts and monitors system calls; the second is a user-space daemon, auditd, that writes the audit results to disk. GoAudit, created by Slack and released in 2016, is intended to replace auditd. It improves logging by converting the multi-line event messages the Linux audit system produces into single JSON blobs, which are much easier to parse. GoAudit talks to the kernel directly over netlink, and it lets you enable minimal event filtering on the host itself (or disable filtering entirely). At the same time, GoAudit is not only a security project: it is meant to be a general-purpose tool for operations and development staff that helps troubleshoot problems in large-scale infrastructures.

GoAudit is written in Go, a type-safe, high-performance language. Before installing GoAudit, make sure your Go version is 1.7 or higher.
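To make the "one JSON blob per event" point concrete, here is an added Python example (not code from the article or from the go-audit project) that flattens one such event, whose SYSCALL, EXECVE and PATH records auditd would have written as three separate lines, into a single dict and applies a simple detection to it. The event JSON is constructed, and its layout (`sequence`, `timestamp`, a `messages` list of `{type, data}` records, and a `uid_map`) is this example's assumption about go-audit's output, to be checked against the version you run; the `key=value` body of each record is the standard Linux audit format.

```python
import json
import re

# Audit record types from linux/audit.h
AUDIT_SYSCALL, AUDIT_PATH, AUDIT_EXECVE = 1300, 1302, 1309
SYS_EXECVE_X86_64 = 59
AUDIT_NO_LOGINUID = "4294967295"  # auid of processes not tied to a login session

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(data: str) -> dict:
    """Parse the 'key=value key="quoted value"' body of one audit record."""
    return {k: v.strip('"') for k, v in KV_RE.findall(data)}

def parse_go_audit(line: str) -> dict:
    """Flatten one go-audit JSON event into a single dict.

    Assumed layout (verify against your go-audit version):
    {"sequence": int, "timestamp": str,
     "messages": [{"type": int, "data": "key=value ..."}, ...],
     "uid_map": {"<uid>": "<name>"}}
    """
    ev = json.loads(line)
    out = {"sequence": ev["sequence"], "timestamp": ev["timestamp"],
           "argv": [], "paths": []}
    for msg in ev["messages"]:
        fields = parse_kv(msg["data"])
        if msg["type"] == AUDIT_SYSCALL:
            out.update(fields)          # arch, syscall, pid, auid, exe, ...
        elif msg["type"] == AUDIT_EXECVE:
            argc = int(fields.get("argc", 0))
            out["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
        elif msg["type"] == AUDIT_PATH:
            out["paths"].append(fields.get("name"))
    # go-audit resolves numeric uids to names; fall back to the raw auid
    out["user"] = ev.get("uid_map", {}).get(str(out.get("auid")), out.get("auid"))
    return out

def is_suspicious_exec(ev: dict) -> bool:
    """Flag a successful execve() of a binary under /tmp or /dev/shm from a
    logged-in session (daemons carry the 'unset' auid and are skipped)."""
    if ev.get("arch") != "c000003e":    # x86_64; syscall numbers differ per arch
        return False
    if int(ev.get("syscall", -1)) != SYS_EXECVE_X86_64 or ev.get("success") != "yes":
        return False
    if ev.get("auid", AUDIT_NO_LOGINUID) == AUDIT_NO_LOGINUID:
        return False
    return ev.get("exe", "").startswith(("/tmp/", "/dev/shm/"))

def _event(exe: str, comm: str) -> str:
    """Build a constructed go-audit event for a given executable (sample data)."""
    return json.dumps({
        "sequence": 4815,
        "timestamp": "1700000000.123",
        "messages": [
            {"type": AUDIT_SYSCALL, "data":
             f'arch=c000003e syscall=59 success=yes exit=0 a0=7ffd0 a1=7ffd8 '
             f'a2=7ffd9 a3=0 items=2 ppid=4000 pid=4021 auid=1000 uid=1000 '
             f'gid=1000 euid=1000 tty=pts0 ses=3 comm="{comm}" exe="{exe}" key="exec"'},
            {"type": AUDIT_EXECVE, "data": f'argc=2 a0="{exe}" a1="-c"'},
            {"type": AUDIT_PATH, "data":
             f'item=0 name="{exe}" inode=1234 dev=fd:01 mode=0100755 ouid=1000 ogid=1000'},
        ],
        "uid_map": {"1000": "deploy"},
    })

SUSPICIOUS_EVENT = _event("/tmp/x", "x")
BENIGN_EVENT = _event("/usr/bin/ls", "ls")

if __name__ == "__main__":
    for raw in (SUSPICIOUS_EVENT, BENIGN_EVENT):
        ev = parse_go_audit(raw)
        print(ev["user"], ev["exe"], ev["argv"], "SUSPICIOUS" if is_suspicious_exec(ev) else "ok")
```

Because all records of the event arrive together, the detection can look at the executable path (SYSCALL record), the arguments (EXECVE record) and the resolved user name in one pass, instead of first stitching the auditd lines back together by sequence number.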

3. Grapl

Grapl (Graph Analytics Platform) was released as open source in March of last year. It is a relatively new platform for detecting security issues, conducting computer forensics, and generating incident reports. Attackers often work along something like a graph: they gain control of one system and pivot from it to other systems on the network. It is therefore natural for defenders to also use a mechanism built on a graph of connected systems, one that accounts for the relationships between them. Grapl is an attempt to do incident detection and response on a graph model rather than a log model.

Grapl takes security-related logs (Sysmon logs or plain JSON logs) and converts them into subgraphs, assigning an "identity" to each node. It then merges the subgraphs into a Master Graph that represents the actions performed in the analyzed environments. Grapl runs Analyzers over the resulting graph, using "attacker signatures" to detect anomalies and suspicious patterns. When an Analyzer finds a suspicious subgraph, Grapl generates an Engagement construct for investigation. An Engagement is a Python class that can be loaded into, for example, a Jupyter Notebook deployed in an AWS environment. Grapl can also scale up the collection of information for an incident investigation by expanding the graph.
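The difference between matching a log line and matching a subgraph is easiest to see in code. The following is an added Python example written for this article, not Grapl's own code or API: it builds a process graph from constructed Sysmon-style events and runs a small analyzer that looks for an Office application whose descendant shell opens a network connection. The event fields, GUIDs, hosts and addresses are all made up for the illustration.

```python
from collections import deque

# Constructed Sysmon-style events reduced to the fields this example needs:
# EventID 1 = process create, EventID 3 = network connection. Not real telemetry.
EVENTS = [
    {"EventID": 1, "Host": "ws-17", "ProcessGuid": "P1", "ParentProcessGuid": "P0",
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 1, "Host": "ws-17", "ProcessGuid": "P2", "ParentProcessGuid": "P1",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Host": "ws-17", "ProcessGuid": "P3", "ParentProcessGuid": "P2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "Host": "ws-17", "ProcessGuid": "P3",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    # An interactive PowerShell session that also talks to the network: the same
    # two event types, but a different graph context, so no match below.
    {"EventID": 1, "Host": "ws-17", "ProcessGuid": "P5", "ParentProcessGuid": "P4",
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Host": "ws-17", "ProcessGuid": "P6", "ParentProcessGuid": "P5",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "Host": "ws-17", "ProcessGuid": "P6",
     "DestinationIp": "192.0.2.10", "DestinationPort": 5985},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(image):
    return (image or "").rsplit("\\", 1)[-1].lower()

def build_graph(events):
    """Turn flat events into a graph. Each process node records its image,
    its child processes and the outbound connections it made. Node identity
    is (host, ProcessGuid), so equal GUIDs on two hosts never collide."""
    nodes = {}

    def node(host, guid):
        return nodes.setdefault((host, guid),
                                {"image": None, "children": set(), "connections": []})

    for ev in events:
        host = ev["Host"]
        if ev["EventID"] == 1:
            node(host, ev["ProcessGuid"])["image"] = ev["Image"]
            node(host, ev["ParentProcessGuid"])["children"].add((host, ev["ProcessGuid"]))
        elif ev["EventID"] == 3:
            node(host, ev["ProcessGuid"])["connections"].append(
                (ev["DestinationIp"], ev["DestinationPort"]))
    return nodes

def find_office_to_network(nodes):
    """Analyzer: an Office process with a descendant shell that made an
    outbound connection. Returns one 'engagement' dict per match, carrying
    the chain of images from the Office root down to the shell."""
    hits = []
    for root, n in nodes.items():
        if basename(n["image"]) not in OFFICE:
            continue
        queue = deque([(root, [basename(n["image"])])])  # breadth-first over descendants
        seen = {root}
        while queue:
            cur, path = queue.popleft()
            for child in nodes[cur]["children"]:
                if child in seen:
                    continue
                seen.add(child)
                cn = nodes[child]
                chain = path + [basename(cn["image"])]
                if chain[-1] in SHELLS and cn["connections"]:
                    hits.append({"host": child[0], "root_guid": root[1],
                                 "chain": chain, "destinations": list(cn["connections"])})
                queue.append((child, chain))
    return hits

if __name__ == "__main__":
    for hit in find_office_to_network(build_graph(EVENTS)):
        print(hit["host"], " -> ".join(hit["chain"]), hit["destinations"])
```

A log-centric rule on "powershell.exe made a network connection" would fire twice on these events; the graph analyzer fires once, because only one of the two PowerShell processes sits under a Word document. That is the extra context the paragraph above describes, and the returned dict is the kind of starting point an Engagement object gives the investigator.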

If you want to get more familiar with Grapl, a recording of a talk from BSides Las Vegas 2019 is a good introduction.

4. OSSEC

OSSEC is a project founded in 2004. In general terms it is an open source security monitoring platform for host analysis and intrusion detection. OSSEC is downloaded over 500,000 times a year. It is mainly used as a server intrusion detection tool, for both on-premises and cloud systems. OSSEC is also often used for log monitoring and analysis: firewall, intrusion detection system, web server, and authentication logs.

OSSEC combines a host-based intrusion detection system (HIDS) with security incident management (SIM) and security information and event management (SIEM). It can also monitor file integrity in real time, including the Windows registry, and detect rootkits. OSSEC notifies stakeholders about detected problems in real time and helps respond quickly to threats. The platform supports Microsoft Windows and most modern Unix-like systems, including Linux, FreeBSD, OpenBSD, and Solaris.

The OSSEC platform consists of a central control entity, the manager, which receives and monitors information from agents (small programs installed on the monitored systems). The manager is installed on a Linux system and keeps the database used for file integrity checks, as well as the logs, event records, and system audit results.

The OSSEC project is currently maintained by Atomicorp, which curates the free open source version and also offers an expanded commercial version of the product. In this podcast the OSSEC project manager talks about the latest version of the system, OSSEC 3.0, as well as the history of the project and how it differs from modern commercial systems in the computer security field.

5. Suricata

Suricata is an open source project that addresses the core tasks of network security: it includes an intrusion detection system (IDS), an intrusion prevention system (IPS), and a network security monitoring (NSM) engine.

The product was launched in 2009. It is rule-based: the user describes particular features of network traffic, and when a rule matches, Suricata generates an alert or blocks or drops the suspicious connection, depending on what the rule specifies. The project also supports multithreading, which makes it possible to process a large number of rules quickly on networks carrying heavy traffic. Thanks to multithreading, a fairly ordinary server can analyze traffic at 10 Gb/s without the administrator having to trim the rule set used for analysis. Suricata also supports file extraction and hashing.

Suricata can be configured to run on regular servers or on virtual machines, such as AWS instances, using the recently introduced traffic mirroring feature.

The project supports Lua scripts that can be used to create complex and detailed threat signature analysis logic.

The Suricata project is managed by the Open Information Security Foundation (OISF).

6. Zeek (Bro)

Like Suricata, Zeek (formerly called Bro; the project was renamed Zeek at BroCon 2018) is an intrusion detection system and network security monitoring tool that can detect anomalies such as suspicious or dangerous activity. Zeek differs from a traditional IDS in that, unlike rule-based systems that only flag exceptions, it also captures metadata about what is happening on the network, in order to better understand the context of unusual network behavior. For example, when analyzing an HTTP request or a TLS certificate exchange, it can record the protocol, the packet headers, and the domain names involved.

As a network security tool, Zeek gives an analyst the ability to investigate an incident by learning what happened before and during it. Zeek converts network traffic into high-level events and provides a script interpreter with its own programming language for handling those events and working out what they mean in security terms. The Zeek scripting language can be used to customize how metadata is interpreted to suit a particular organization; it supports complex logical conditions built from the AND, OR, and NOT operators, so users can tailor how their environments are analyzed. It should be noted, though, that compared with Suricata, Zeek can seem rather complicated to use for threat hunting.

If you are interested in more details about Zeek, see this video.

7. Panther

Panther is a powerful cloud-native platform for continuous security monitoring that was recently released as open source. The project was founded by the lead architect of StreamAlert, the automated log analysis solution whose code was open-sourced by Airbnb. Panther gives the user a single system for centrally detecting and responding to threats across all environments, and it scales with the size of the infrastructure it serves. Threat detection is built on transparent, deterministic rules to reduce false positives and spare security professionals unnecessary work.

Among the main features of Panther are the following:

  • Detecting unauthorized access to resources by analyzing logs.
  • Threat hunting by searching logs for indicators of compromise, using Panther's standardized data fields.
  • Checking the system for SOC/PCI/HIPAA compliance using Panther's built-in mechanisms.
  • Protecting cloud resources by automatically fixing configuration errors that, if exploited, could cause serious problems.

Panther is deployed in an organization's own AWS account using AWS CloudFormation, so the user always keeps control of their data.
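To show what "transparent, deterministic rules" look like in practice, here is an added Python example in the shape of a Panther detection rule, written for this article rather than taken from the Panther project. Panther calls `rule(event)` for every event of the attached log type and raises an alert when it returns True, with `title()` and `severity()` shaping the alert; the exact module conventions and the `deep_get` helper Panther ships in `panther_base_helpers` should be checked against the version you run, so a local equivalent is included. The CloudTrail records are constructed sample data; the field names follow the CloudTrail ConsoleLogin event format.

```python
def deep_get(event, *keys, default=None):
    """Walk nested dicts without raising (local stand-in for Panther's helper)."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
        if cur is None:
            return default
    return cur

def rule(event):
    """Alert on a successful AWS root console login that did not use MFA.

    Deterministic by design: every branch is a plain field comparison, so an
    analyst can see exactly why an event did or did not fire.
    """
    if event.get("eventName") != "ConsoleLogin":
        return False
    if deep_get(event, "userIdentity", "type") != "Root":
        return False
    if deep_get(event, "responseElements", "ConsoleLogin") != "Success":
        return False  # failed attempts belong to a separate brute-force rule
    # CloudTrail reports MFAUsed as "Yes" or "No"; treat a missing field as "No".
    return deep_get(event, "additionalEventData", "MFAUsed", default="No") != "Yes"

def title(event):
    return (f"AWS root console login without MFA from "
            f"{event.get('sourceIPAddress', 'unknown')} in account "
            f"{deep_get(event, 'userIdentity', 'accountId', default='?')}")

def severity(event):
    return "CRITICAL"

def run_rule(events):
    """Apply the rule to a batch of events and return the alert titles."""
    return [title(e) for e in events if rule(e)]

# Constructed CloudTrail ConsoleLogin records (account id and IPs are sample values).
SAMPLE_EVENTS = [
    {   # root signed in with only a password: alert
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "sourceIPAddress": "198.51.100.23",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # root with MFA: expected behaviour, no alert
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "sourceIPAddress": "198.51.100.23",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # an IAM user without MFA: a different rule's concern
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "userName": "alice"},
        "sourceIPAddress": "203.0.113.44",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # failed root attempt: not this rule
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "sourceIPAddress": "192.0.2.99",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(severity(None), alert)
```

Keeping the IAM-user and failed-login cases out of this rule is deliberate: each gets its own rule with its own severity and deduplication, which is what keeps the alert stream low on false positives instead of one broad rule that fires on everything login-related.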

Conclusion

Monitoring the security of systems is one of the most important tasks today. Open source tools can help companies of any size tackle it, offering a wealth of capabilities at little or no cost.

Dear Readers, What security monitoring tools do you use?


Source: habr.com
