7 open source cloud security monitoring tools worth knowing

The widespread adoption of cloud computing is helping companies scale their businesses, but new platforms also bring new threats. Running an in-house team responsible for monitoring the security of cloud services is not an easy task: existing monitoring tools are slow and, to some extent, hard to manage when you need to secure large-scale cloud infrastructure. To keep their cloud security at a high level, companies need powerful, flexible and understandable tools whose capabilities exceed what was available before. This is where open source technologies come in handy: they help save security budgets and are created by specialists who know their field well.



The article we are publishing in translation today gives an overview of seven open source tools for monitoring the security of cloud systems. These tools are designed to protect against hackers and cybercriminals by detecting anomalies and unsafe actions.

1. Osquery


Osquery is a system for low-level monitoring and analysis of operating systems that lets security professionals run complex queries over system data using SQL. The Osquery framework runs on Linux, macOS, Windows, and FreeBSD. It exposes the operating system (OS) as a high-performance relational database, so security professionals can explore the OS by executing SQL queries. For example, a query can return running processes, loaded kernel modules, open network connections, installed browser extensions, hardware events, and file hashes.

Osquery was created by Facebook. Its code was opened in 2014, after the company realized that it was not the only one that needed tools for monitoring the low-level mechanisms of operating systems. Since then, experts from companies such as Dactiv, Google, Kolide, Trail of Bits, Uptycs, and many others have been using Osquery. It was recently announced that the Linux Foundation and Facebook are going to form the Osquery Support Fund.

The Osquery host monitoring daemon, osqueryd, lets you schedule queries that collect data from across your organization's infrastructure. The daemon gathers the query results and writes logs that reflect changes in the state of the infrastructure. This helps security professionals keep abreast of the state of their systems and is especially useful for detecting anomalies. Osquery's ability to aggregate logs can be used to hunt for known and unknown malware, to identify the places where intruders entered a system, and to find the programs they installed. Details on detecting anomalies with Osquery can be found in a separate article.
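The scheduled-query and differential-log workflow described above, as an added example that is not part of the article or the osquery project. The SQL uses the real osquery tables `listening_ports` and `processes`; the log lines, the baseline of expected services and the host name are constructed for the illustration.

```python
# Added example (not from the article or the osquery project): flag unexpected
# listeners from osqueryd differential results. The SQL targets the real osquery
# tables `listening_ports` and `processes`; the log lines are constructed in the
# shape osqueryd writes to osqueryd.results.log (one JSON object per line, with
# "action" set to "added" or "removed" as the result set changes between runs).
import json

# Schedule entry of the kind placed in the "schedule" section of osquery.conf.
SCHEDULE = {"listening_ports": {"interval": 60, "query": (
    "SELECT p.name, p.path, lp.port, lp.protocol, lp.address "
    "FROM listening_ports lp JOIN processes p ON lp.pid = p.pid "
    "WHERE lp.address NOT IN ('127.0.0.1', '::1');")}}

# Services expected to listen on this host class; anything else is reported.
BASELINE = {("sshd", "22"), ("nginx", "443")}

# Constructed differential log lines from three osqueryd runs on one host.
SAMPLE_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","action":"added","unixTime":1700000000,"columns":{"name":"sshd","path":"/usr/sbin/sshd","port":"22","protocol":"6","address":"0.0.0.0"}}
{"name":"listening_ports","hostIdentifier":"web-01","action":"added","unixTime":1700000060,"columns":{"name":"python3","path":"/usr/bin/python3","port":"8888","protocol":"6","address":"0.0.0.0"}}
{"name":"listening_ports","hostIdentifier":"web-01","action":"removed","unixTime":1700000120,"columns":{"name":"nginx","path":"/usr/sbin/nginx","port":"443","protocol":"6","address":"0.0.0.0"}}
"""

def parse_results(text):
    """Yield one dict per non-empty line; lines that are not JSON are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def find_anomalies(text, baseline=BASELINE, query_name="listening_ports"):
    """Return (host, process, port, reason) for each deviation from the baseline:
    an added listener outside the baseline, or a baseline service that vanished."""
    findings = []
    for ev in parse_results(text):
        if ev.get("name") != query_name:
            continue
        cols = ev.get("columns", {})
        key = (cols.get("name"), cols.get("port"))
        host = ev.get("hostIdentifier", "?")
        if ev.get("action") == "added" and key not in baseline:
            findings.append((host, key[0], key[1], "unexpected listener"))
        elif ev.get("action") == "removed" and key in baseline:
            findings.append((host, key[0], key[1], "baseline service stopped"))
    return findings
```

Because osqueryd only logs rows that changed since the previous run, the detection can run over the log stream without re-querying every host.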

2. GoAudit


The Linux auditing system consists of two main components. The first is kernel-level code that intercepts and monitors system calls. The second is a user-space daemon called auditd, which is responsible for writing the audit results to disk. GoAudit, a system created by Slack and released in 2016, is intended to replace auditd. It improves logging by converting the multi-line event messages generated by the Linux auditing system into single JSON blobs, which simplifies analysis. With GoAudit, you can access the kernel-level audit mechanism directly over the network. In addition, you can enable minimal event filtering on the host itself, or disable filtering entirely. At the same time, GoAudit is not designed for security alone: it is intended as a general-purpose tool for people involved in system support or development, and it helps to troubleshoot problems in large-scale infrastructures.
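The multi-line-to-JSON conversion described above, as an added example modelled on what the article says GoAudit does; this is not GoAudit's code, the output layout is an assumption, and the audit records are constructed in the standard `type=... msg=audit(ts:seq): k=v` format.

```python
# Added example, modelled on what the article says GoAudit does: collapse the
# several lines the Linux audit subsystem emits per event into one JSON blob.
# Not GoAudit's code; the output layout is an assumption. Input lines use the
# standard audit record format `type=<T> msg=audit(<ts>:<seq>): k=v ...`.
import json
import re
import shlex

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

# Constructed sample: event 42 spans four records, event 43 has no EOE marker.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=3538 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="sshd-config"
type=CWD msg=audit(1700000000.123:42): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:42): item=0 name="/etc/ssh/sshd_config" inode=1234 mode=0100600 ouid=0 ogid=0
type=EOE msg=audit(1700000000.123:42):
type=USER_LOGIN msg=audit(1700000001.500:43): pid=900 uid=0 auid=1000 res=success
"""

def parse_fields(body):
    """Turn `k=v k2="quoted v"` into a dict; shlex takes care of the quoting."""
    fields = {}
    for token in shlex.split(body):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def collapse_events(text):
    """Group audit records by sequence number; return one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record: skip instead of failing
        rtype, ts, seq, body = m.groups()
        seq = int(seq)
        if current is None or current["sequence"] != seq:
            if current is not None:
                events.append(current)  # a new sequence closes the previous event
            current = {"sequence": seq, "timestamp": float(ts), "records": {}}
        if rtype == "EOE":  # explicit end-of-event marker
            events.append(current)
            current = None
            continue
        current["records"].setdefault(rtype, []).append(parse_fields(body))
    if current is not None:  # flush a trailing event that had no EOE
        events.append(current)
    return events

def to_json_lines(text):  # one-line-per-event form that a collector can ship
    return [json.dumps(ev, separators=(",", ":")) for ev in collapse_events(text)]
```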

GoAudit is written in Go (Golang), a type-safe and high-performance language. Before installing GoAudit, verify that your version of Go is above 1.7.

3. Grapl


The Grapl project (Graph Analytics Platform) was open-sourced in March last year. It is a relatively new platform for detecting security problems, conducting digital forensics, and generating incident reports. Attackers often work along something like a graph model: gaining control over a particular system and then exploring other systems on the network starting from it. It is therefore natural for defenders to use a mechanism based on the same graph of connections between network systems, one that takes into account the nature of the relationships between them. Grapl is an attempt to identify and respond to incidents based on a graph model rather than a log model.

Grapl ingests security-related logs (Sysmon logs or logs in plain JSON format) and converts them into subgraphs, determining an "identity" for each node. It then merges the subgraphs into a common Master Graph that represents the actions performed in the analyzed environments. Grapl then runs Analyzers over the graph, using "attacker signatures" to identify anomalies and suspicious patterns. When an analyzer detects a suspicious subgraph, Grapl generates an Engagement construct for investigation. An Engagement is a Python class that can be loaded, for example, into a Jupyter Notebook deployed in an AWS environment. Grapl is moreover able to expand the information collected for an incident investigation by extending the graph.
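The log-to-subgraph, merge and analyzer pipeline described above, as an added example in the spirit of Grapl's approach; this is not Grapl's code, and the node identity scheme, the process-creation events and the analyzer signature are all constructed simplifications.

```python
# Added example of the graph-model approach the article attributes to Grapl; it
# is not Grapl's code, and the node identity scheme and the "analyzer" are
# simplifications. Process-creation events (constructed, loosely modelled on
# Sysmon Event ID 1 fields) become process nodes and parent -> child edges;
# several log batches are merged into one graph, and an analyzer matches a
# signature as a subgraph rather than as a single log line.
from collections import defaultdict

# Constructed events: two batches from the same host, so the merge matters.
BATCH_A = [
    {"host": "ws-07", "pid": 1200, "ppid": 800, "image": "explorer.exe", "ts": 100},
    {"host": "ws-07", "pid": 1300, "ppid": 1200, "image": "winword.exe", "ts": 110},
]
BATCH_B = [
    {"host": "ws-07", "pid": 1450, "ppid": 1300, "image": "powershell.exe", "ts": 130},
    {"host": "ws-07", "pid": 1500, "ppid": 1450, "image": "curl.exe", "ts": 131},
]

def node_id(host, pid):
    """Node identity; a real system would add the start time to survive pid reuse."""
    return f"{host}:{pid}"

def build_graph(batches):
    """Merge batches into one graph: image per node id, and parent -> children edges."""
    nodes, children = {}, defaultdict(list)
    for batch in batches:
        for ev in batch:
            nid = node_id(ev["host"], ev["pid"])
            nodes[nid] = ev["image"].lower()
            children[node_id(ev["host"], ev["ppid"])].append(nid)
    return nodes, children

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def analyzer_office_spawns_shell(nodes, children):
    """Signature: office app -> shell -> any further child; returns matched paths."""
    hits = []
    for parent, kids in children.items():
        if nodes.get(parent) not in OFFICE:
            continue
        for kid in kids:
            if nodes.get(kid) in SHELLS:
                for grandchild in children.get(kid, []):
                    hits.append((parent, kid, grandchild))  # seed for an engagement
    return hits
```

Neither batch on its own matches the signature; only the merged graph does, which is the point of the graph model over per-line log analysis.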

If you want to understand Grapl better, watch this interesting recording of a talk from BSides Las Vegas 2019.

4. OSSEC


OSSEC is a project founded in 2004. In general, it can be described as an open source security monitoring platform designed for host analysis and intrusion detection. OSSEC is downloaded over 500,000 times a year. The platform is used mainly for detecting intrusions on servers, both on-premises and in the cloud. OSSEC is also often used as a tool for studying logs: for monitoring and analyzing firewalls, intrusion detection systems and web servers, and for examining authentication logs.

OSSEC combines the capabilities of a Host-Based Intrusion Detection System (HIDS) with those of Security Incident Management (SIM) and SIEM (Security Information and Event Management) systems. OSSEC can also monitor file integrity in real time; it can, for example, monitor the Windows registry and detect rootkits. OSSEC notifies interested parties about detected problems in real time and helps respond quickly to detected threats. The platform supports Microsoft Windows and most modern Unix-like systems, including Linux, FreeBSD, OpenBSD, and Solaris.

The OSSEC platform consists of a central managing entity, the manager, which receives and monitors information from agents (small programs installed on the systems to be monitored). The manager is installed on a Linux system and stores the database used to verify file integrity, as well as logs, event records and system audit results.

OSSEC is currently maintained by Atomicorp. The company oversees the free open source version and also offers an extended commercial version of the product. There is a podcast in which the OSSEC project manager talks about the latest version of the system, OSSEC 3.0, and also discusses the history of the project and how it differs from modern commercial systems used in computer security.

5. Suricata


Suricata is an open source project focused on solving the main tasks of computer security. In particular, it includes an intrusion detection system, an intrusion prevention system, and a network security monitoring tool.

The product appeared in 2009. It is rule-based: its users describe particular characteristics of network traffic in rules. When a rule is triggered, Suricata generates an alert, blocks the traffic or drops the suspicious connection, again depending on what the rules specify. The project also supports multi-threaded operation, which makes it possible to quickly process a large number of rules on networks carrying large volumes of traffic. Thanks to multithreading, an entirely ordinary server can analyze traffic at 10 Gb/s without the administrator having to restrict the set of rules used for analysis. Suricata also supports file hashing and file extraction.

Suricata can be configured to run on regular servers or on virtual machines, such as those in AWS, using the traffic-monitoring feature that recently appeared in the product.

The project supports Lua scripts, with which you can create complex and detailed logic for analyzing threat signatures.

The Suricata project is handled by the Open Information Security Foundation (OISF).

6. Zeek (Bro)


Like Suricata, Zeek (formerly called Bro, and renamed Zeek at the BroCon 2018 event) is an intrusion detection system and network security monitoring tool that can detect anomalies such as suspicious or dangerous activity. Zeek differs from traditional IDS in that, unlike rule-based systems that detect exceptions, Zeek also captures metadata about what is happening on the network, in order to better understand the context of unusual network behavior. This makes it possible, for example, when analyzing an HTTP request or a certificate exchange, to look at the protocol, the packet headers and the domain names involved.

Considered as a network security tool, Zeek gives the specialist the opportunity to investigate an incident by learning what happened before or during it. Zeek also converts network traffic data into high-level events and makes it possible to work with a script interpreter. The interpreter supports a programming language used to interact with events and to find out what exactly those events mean in terms of network security. The Zeek language can be used to customize the interpretation of metadata to the needs of a particular organization; it allows you to build complex logical conditions using the operators AND, OR and NOT. This gives users the ability to tailor the analysis to their environments. That said, compared with Suricata, Zeek may seem like a fairly sophisticated tool when investigating security threats.

If you are interested in Zeek details, check out this video.

7. Panther


Panther is a powerful platform for continuous security monitoring, built for the cloud from the outset. It was open-sourced recently. The project was designed by the lead architect of StreamAlert, an automated log analysis solution whose code was opened by Airbnb. Panther gives the user a single system for centrally detecting threats across all environments and for organizing the response to them. The system is able to grow with the size of the infrastructure it serves. Threat detection is organized using transparent, deterministic rules, which reduces the rate of false positives and the unnecessary load on security specialists.

Among the main features of Panther are the following:

  • Detection of unauthorized access to resources by analyzing logs.
  • Threat hunting, implemented as a search through the logs for indicators of security problems; searches use Panther's standardized data fields.
  • Checking the system for compliance with SOC / PCI / HIPAA standards using Panther's built-in mechanisms.
  • Protecting cloud resources by automatically correcting configuration errors that, if exploited, could lead to serious problems.

Panther is deployed into the organization's own AWS cloud using AWS CloudFormation, which means the user always remains in control of their data.
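A transparent, deterministic detection rule of the kind the section describes, as an added example that is not from the article or the Panther project. The `rule(event)` / `title(event)` / `severity(event)` module contract is Panther's real one and the field names are standard AWS CloudTrail; the `nested()` helper, the `ALLOWED_REGIONS` policy and the two sample records are constructed.

```python
# Added example, not from the article or the Panther project. Panther loads a
# detection as a Python module exposing rule(event) (True means alert) and,
# optionally, title(event) and severity(event); that contract and the CloudTrail
# field names are real. nested(), ALLOWED_REGIONS and the records are constructed.

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}  # hypothetical organization policy

def nested(event, *path, default=None):
    """Safe nested lookup: nested(e, "userIdentity", "type")."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur

def rule(event):
    """Alert on a successful console login that is risky by policy: the root
    account, any login without MFA, or a login from an unapproved region."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if nested(event, "responseElements", "ConsoleLogin") != "Success":
        return False  # failed logins belong to a separate rule
    is_root = nested(event, "userIdentity", "type") == "Root"
    no_mfa = nested(event, "additionalEventData", "MFAUsed") == "No"
    bad_region = event.get("awsRegion") not in ALLOWED_REGIONS
    return is_root or no_mfa or bad_region

def title(event):
    who = nested(event, "userIdentity", "arn", default="unknown principal")
    return f"Risky console login by {who} from {event.get('sourceIPAddress')}"

def severity(event):
    """Deterministic severity: root is always CRITICAL, anything else HIGH."""
    return "CRITICAL" if nested(event, "userIdentity", "type") == "Root" else "HIGH"

# Constructed CloudTrail records for a local check of the rule.
ROOT_NO_MFA = {
    "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MFAUsed": "No"},
}
IAM_USER_MFA = {
    "eventName": "ConsoleLogin", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MFAUsed": "Yes"},
}
```

Because every condition is an explicit comparison on named fields, a reviewer can read off exactly when the rule fires, which is what keeps the false-positive rate predictable.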

Summary


Monitoring system security is today a task of the highest importance. Open-source tools can help companies of all sizes solve it. They offer a great deal of capability and cost almost nothing or are free.

Dear readers! What security monitoring tools do you use?
