Working for a smaller organization inevitably means you end up wearing numerous hats and time to focus on any one project, much less one that management doesn't see any direct benefit from (i.e. network monitoring), can be scarce.
In the past, I've had various installs of Snort, OSSEC, and OCS Inventory setup to monitor the network. But inevitably, these projects got pushed to the back-burner, became outdated, and eventually got mothballed.
A year or so ago I tried Security Onion, but due to some memory issues, was never really able to make it sing. That all changed when I recently got time to try again with Security Onion 12.04. I'm still having to use it on some older hardware, but it is working wonderfully.
You will find tons of information on the Security Onion website, but in summary, it is a customized Linux distro built for network security monitoring. There are tons of tools built in, but so far the ones I use the most are:
- Snort - The de facto standard IDS
- Squil - Swiss army knife for digging into your Snort and OSSEC alerts
- Snorby - Good looking web based dashboard for Snort alerts
- Bro - Logs HTTP session data
- NetworkMiner - Great way to extract files from logged pcaps
- daemonlogger - Logs full packet capture data
Small business security is notoriously poor due to small budgets, low staffing, and lack of knowledge. It should come as no surprise that businesses under 250 employees are getting battered. While I may have the skills and patience to get some of these tools put in place, the time to do so is ever fleeting.
That's why I think the Security Onion project is so good for small business. In under 30 minutes, the typical Windows sysadmin can "Next,Next, Finish" their way to a very powerful NSM.
Check out Doug's talk at last years Derbycon for more details.
No comments:
Post a Comment