Security Onion (SIEM)

What is Security Onion?
Security Onion is a free and open-source Security Information and Event Management (SIEM) platform designed for threat hunting, network monitoring, and intrusion detection. It integrates a wide array of tools to monitor, manage, and analyze network and endpoint security events. Created by Doug Burks, Security Onion simplifies the deployment and configuration of several open-source tools, making it accessible for organizations of all sizes to build a powerful security operations platform.
What Does Security Onion Do?
Security Onion provides a centralized platform to collect, analyze, and visualize security data from networks and endpoints. By combining various tools, it allows security teams to detect and respond to threats effectively. Here’s a breakdown of its core features:
- Network-Based Intrusion Detection: Security Onion uses tools like Suricata and Zeek (formerly Bro) to monitor network traffic for suspicious activity. Suricata provides signature-based detection, while Zeek offers protocol analysis and anomaly detection.
- Endpoint Detection and Response (EDR): Using tools like Osquery and Elastic Agent, Security Onion can track endpoint activities and detect signs of compromise.
- Centralized Log Management: Security Onion integrates with Elasticsearch, Logstash, and Kibana (commonly known as the ELK stack) to store, process, and visualize log data, offering powerful search and reporting capabilities.
- Threat Hunting: With tools like TheHive and Cortex, Security Onion supports incident response, forensic analysis, and threat hunting, allowing teams to investigate and respond to potential threats.
- Alerting and Reporting: Security Onion provides a unified interface for managing alerts, generating reports, and creating dashboards, simplifying incident management.
Getting Started with Security Onion: A Step-by-Step Tutorial
This tutorial will guide you through setting up Security Onion, from installation to basic usage.
Step 1️⃣: Install Security Onion
Download Security Onion:
Go to the official Security Onion website and download the latest Security Onion ISO image. You can deploy it as a standalone machine or in a virtualized environment like VMware or VirtualBox.
Install Security Onion:
🔸Create a virtual machine and load the Security Onion ISO as a boot disk.
🔸Follow the on-screen installation prompts. Choose between evaluation mode (for testing purposes) or enterprise mode (for production setups).
🔸Configure the network interface(s). Security Onion requires a management interface and can support additional interfaces for monitoring.
Initial Setup: Choose a Deployment Type:
🔸Security Onion provides several deployment options, including Evaluation, Standalone, Distributed, and Hybrid.
🔸Standalone is suitable for small setups.
🔸Distributed is ideal for larger environments requiring multiple servers.
Step 2️⃣: Configure Network and Data Collection
Enable Network Monitoring
During the setup, assign network interfaces for management and monitoring. The monitoring interface should be configured to capture traffic in promiscuous mode, which allows it to capture all network packets for analysis.
Select Detection Engines
Choose from a variety of detection engines:
Suricata: for signature-based network intrusion detection.
Zeek: for protocol-based detection and anomaly detection.
Configure Data Sources
Security Onion supports collecting data from various sources, such as endpoint logs, network traffic, and external log sources.
Add devices and configure them to send logs to Security Onion’s log management system, where Logstash will handle ingestion.
Step 3️⃣: Use Security Onion for Security Monitoring
Access the Web Interface
Once Security Onion is fully installed, access the web interface by navigating to the management IP address in a web browser. You will use the admin credentials you set up during installation.
Explore Kibana for Log Analysis
🔸 Kibana is part of the ELK stack and provides a powerful dashboard to search, visualize, and analyze data.
🔸 Go to Kibana, and in the Discover tab, use queries to explore indexed log data. For example:
event.action: "network connection"
🔸 Use filters and time ranges to narrow down results for specific events, such as login attempts, file access, or network connections.
View Alerts and Events in SOC (Security Operations Center) Dashboard
🔸Security Onion’s SOC dashboard consolidates alerts from all integrated tools (e.g., Suricata, Zeek, Osquery).
🔸Use the dashboard to view alerts in real time, investigate unusual patterns, and monitor threat trends.
Step 4️⃣: Threat Detection and Incident Response
Monitor for Intrusions Using Suricata
🔸Suricata, as a signature-based IDS, triggers alerts based on pre-defined rules. Check the Suricata Events tab in the dashboard to view triggered alerts.
🔸Investigate alerts by drilling down into event details, such as source IP, destination IP, and payload content.
Analyze Network Protocols with Zeek
🔸Zeek logs can be found in the Zeek Logs section, where you can view protocol-level details for traffic, such as HTTP, DNS, and SSL.
🔸Use these logs to look for unusual behavior, such as unknown file downloads, DNS tunneling, or other suspicious network activity.
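The DNS tunneling hunt mentioned above, as an added example (not part of the original article or of Security Onion itself): a small script that reads Zeek dns.log records in JSON-lines form and flags clients that repeatedly query long, high-entropy subdomains under one registered domain. The log records, hosts and domains are constructed sample data, and "registered domain = last two labels" is a deliberate simplification.

```python
import json
import math
from collections import defaultdict

# Constructed Zeek dns.log records in JSON-lines form (Zeek's own JSON field names).
# Hosts, domains and timestamps are hypothetical sample data; the labels under
# "exfil-example.test" mimic the long, random-looking subdomains that appear when
# data is encoded into DNS queries.
SAMPLE_DNS_LOG = """\
{"ts": 1700000001.1, "id.orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A"}
{"ts": 1700000002.3, "id.orig_h": "10.0.0.5", "query": "mail.example.com", "qtype_name": "A"}
{"ts": 1700000003.0, "id.orig_h": "10.0.0.7", "query": "a3f9k2q8zx1v7b4n.exfil-example.test", "qtype_name": "TXT"}
{"ts": 1700000003.4, "id.orig_h": "10.0.0.7", "query": "9q1zv8c3m2x7k4pl.exfil-example.test", "qtype_name": "TXT"}
{"ts": 1700000003.9, "id.orig_h": "10.0.0.7", "query": "zk7m3p9v2x1q8n4a.exfil-example.test", "qtype_name": "TXT"}
{"ts": 1700000004.2, "id.orig_h": "10.0.0.7", "query": "cdn.example.com", "qtype_name": "A"}
"""

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_query(query: str):
    """Return (subdomain, registered_domain). Simplification: the registered domain
    is taken as the last two labels, which is wrong for suffixes such as co.uk."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_candidates(log_text, min_sub_len=12, min_entropy=3.0, min_hits=3):
    """Group queries by (client, registered domain) and return the pairs that issued
    at least min_hits queries whose subdomain part is both long and high-entropy."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sub, domain = split_query(rec["query"])
        if len(sub) >= min_sub_len and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            hits[(rec["id.orig_h"], domain)].append(rec["query"])
    return {key: queries for key, queries in hits.items() if len(queries) >= min_hits}

if __name__ == "__main__":
    for (client, domain), queries in find_tunneling_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {len(queries)} high-entropy subdomain queries")
```

Thresholds are starting points to tune against your own baseline; legitimate CDNs and anti-virus lookup services also generate long subdomains, so review flagged pairs in the Zeek logs before raising an alert.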
Perform Endpoint Monitoring with Osquery
🔸Osquery allows you to execute SQL-like queries on endpoints, making it possible to monitor processes, file changes, and user activity.
🔸Use the Osquery module to track endpoint changes and detect anomalies, like unauthorized software installations or privilege escalation attempts.
Threat Hunting with TheHive and Cortex
🔸TheHive is a Security Incident Response Platform (SIRP) that supports managing incidents, case creation, and tracking.
🔸Cortex enables automated analysis by running analyzers on indicators (such as IP addresses and file hashes) and cross-referencing them with threat intelligence databases.
Step 5️⃣: Set Up Alerts and Reporting
Configure Alerts
🔸In Kibana, create custom alerts to monitor for specific events. For example, set an alert for a high number of failed login attempts:
event.action: "login" AND result: "failure"
🔸You can automate alerts to send notifications via email or integrate with other alerting systems.
Set Up Dashboards for Reporting
🔸Create dashboards for various metrics such as Intrusion Events, User Activity, and System Health.
🔸Use graphs and charts to visualize trends and create reports that summarize security incidents over specific time frames.
Step 6️⃣: Troubleshoot and Fine-Tune Security Onion
Tune Suricata Rules:
Suricata’s rules can be customized to reduce false positives or add specific detection capabilities. Edit rule files in /etc/nsm/rules/ to adjust rule severity or disable noisy rules.
Adjust Zeek Scripts:
Zeek scripts can be customized to collect additional information. Modify Zeek’s configuration to include custom scripts for monitoring specific protocols or actions.
Monitor System Health:
Security Onion includes system health monitoring tools. Regularly check the System Status dashboard to ensure all components are running smoothly, and troubleshoot any issues as they arise.
Security Onion is a comprehensive and flexible SIEM solution, combining tools for network monitoring, endpoint detection, and threat hunting in a single platform. With its robust integration of the ELK stack, Suricata, Zeek, and other open-source security tools, Security Onion is a valuable asset for any organization looking to enhance its security operations.