How Do Open Source Technologies Aid Enterprise Security?
Intrusion Detection and Prevention • May 16, 2019
With the increasing cyber risks that can lead to loss of data, intellectual property theft, payment information breach, and user privacy breach, organizations face the challenging task of ensuring the safety of their corporate and user data. In helping organizations face this challenge, Open Source Software (OSS) plays an understated yet crucial role. Let us briefly look at some of the open source technologies that are used in enterprise security.
When it comes to critical security controls, a multitude of open source projects have been created over the years to address various pain points. Here, we will focus on those that are key to building a Cyber Fusion Center for securing all assets belonging to an organization.
The standardized open source formats for sharing threat intel information include CAPEC, CybOX, IODEF, IDMEF, MAEC, OpenC2, STIX 2.0, TAXII, and VERIS. Among these, STIX and TAXII are the two most widely used formats for threat intel sharing, and they have also provided the base on which many proprietary solutions are built.
MITRE’s ATT&CK framework is also one of the most notable names in the list of open source projects centered around cyber threat intelligence and threat response. Moreover, there are numerous open source providers which provide threat indicator data as well such as the Malware Information Sharing Platform (MISP) Project.
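To make the STIX 2.0 format concrete, here is an added example (not code from the original article or from any of the projects it names) that builds a minimal STIX 2.0 bundle containing one indicator, then parses the indicator's pattern and evaluates it against observed objects. It uses only the Python standard library rather than the OASIS `stix2` library, and supports just the subset of the pattern grammar shown (single equality comparisons joined by AND/OR); the IP address, hash and indicator name are constructed placeholders, and the ATT&CK reference points at technique T1071 purely for illustration.

```python
"""Build a STIX 2.0 bundle with one indicator and evaluate its pattern."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed placeholder values: RFC 5737 documentation address and the
# SHA-256 of empty input. Neither is a real indicator of compromise.
BAD_IP = "203.0.113.5"
BAD_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# One STIX comparison expression: [object-type:property.path = 'value']
_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'\s*\]")


def now_iso():
    """STIX 2.0 timestamps are UTC with a trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_bundle():
    """Return a STIX 2.0 bundle holding a single indicator object."""
    ts = now_iso()
    indicator = {
        "type": "indicator",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "labels": ["malicious-activity"],          # required in STIX 2.0
        "name": "Constructed example: C2 address and dropper hash",
        "pattern": (f"[ipv4-addr:value = '{BAD_IP}'] OR "
                    f"[file:hashes.'SHA-256' = '{BAD_SHA256}']"),
        "valid_from": ts,
        # Illustrative ATT&CK cross-reference (T1071, Application Layer Protocol)
        "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": [indicator]}


def serialize(bundle):
    """STIX objects travel as JSON, e.g. inside a TAXII collection."""
    return json.dumps(bundle, indent=2)


def parse_pattern(pattern):
    """Parse a restricted STIX pattern into disjunctive normal form:
    a list of AND-groups, each a list of (object_type, property_path, value).
    AND binds tighter than OR, matching the STIX pattern grammar."""
    tokens = re.findall(r"\[[^\]]*\]|\bAND\b|\bOR\b", pattern)
    groups, current = [], []
    for tok in tokens:
        if tok == "OR":
            groups.append(current)
            current = []
        elif tok == "AND":
            continue
        else:
            m = _COMPARISON.fullmatch(tok)
            if not m:
                raise ValueError(f"unsupported comparison: {tok}")
            obj_type, path, value = m.groups()
            # hashes.'SHA-256' -> hashes.SHA-256 so it can be walked as a dict path
            current.append((obj_type, path.replace("'", ""), value))
    groups.append(current)
    return groups


def lookup(observation, path):
    """Walk a dotted property path inside an observed object; None if absent."""
    node = observation
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(groups, observations):
    """True if some AND-group is fully satisfied by the observed objects.
    Each comparison must hold for at least one observation of the right type
    (a simplification of full STIX observation-expression semantics)."""
    for group in groups:
        if group and all(
            any(o.get("type") == obj_type and lookup(o, path) == value for o in observations)
            for obj_type, path, value in group
        ):
            return True
    return False


def evaluate_bundle(bundle, observations):
    """Return the names of indicators in the bundle whose pattern matches."""
    return [obj["name"] for obj in bundle["objects"]
            if obj["type"] == "indicator"
            and matches(parse_pattern(obj["pattern"]), observations)]


if __name__ == "__main__":
    b = make_bundle()
    print(serialize(b))
    seen = [{"type": "file", "hashes": {"SHA-256": BAD_SHA256}}]
    print("matched:", evaluate_bundle(b, seen))
```

The parser deliberately rejects anything outside the subset it understands instead of silently ignoring it, which is the safer failure mode when an indicator feed is driving automated blocking; a production deployment would use the `stix2` library and its pattern validator rather than this hand-rolled grammar.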
There are several projects that provide an open source alternative for implementing security orchestration and automation capabilities for comprehensive cyber defense. These include:
Patrowl - An open source solution for orchestrating security operations.
TheHive project - An all-in-one solution providing incident response and security orchestration capabilities.
There are also open source projects whose capabilities range from digital forensics to incident management. These include the likes of Mozilla MozDef, Mozilla MIG and Mozilla Investigator, Sleuth Kit, Open Computer Forensics Architecture, and Digital Forensics Framework, among others.
Threat Hunting is a key defensive activity conducted by security teams to identify abnormal activity on their network which can point to the potential compromise of any of the assets operated by them.
To conduct threat hunting operations, security teams can rely on a diverse set of tools, ranging from powerful frameworks such as Wireshark to packages built for specific objectives such as HELK, osquery, Sysmon, NOAH, PSHunt, Flare, JA3, HASSH, and many more. Moreover, MITRE’s ATT&CK provides a solid framework for hunting specific adversary behavior.
Once analysts recover a potentially malicious sample, it is subjected to various tests to determine its capabilities and further understand the tactics and techniques used by the threat actors. For this purpose, there is a wide range of tools for collecting samples and conducting such tests, including Yara, Cuckoo Sandbox, Remnux, Google Rapid Response (GRR), Bro, and Ghidra, the malware analysis suite recently released by the NSA.
With the increasing number of security vulnerabilities reported every year, it is important for organizations to actively scan their infrastructure and applications for any loopholes that can leave the door open for cybercriminals.
To conduct vulnerability scans and manage the detected vulnerabilities, there are several open source tools including OpenVAS, DefectDojo, Metasploit Framework, Nikto, OWASP Zed Attack Proxy (ZAP), Moloch, and Powerfuzzer.
With the ever-rising number of connected devices in the age of the Internet of Things (IoT), it becomes crucial for organizations to keep watch over all their assets so that no potential attack vector is left unchecked.
Some of the open source tools that aid in this process of documenting all IT assets include Open-AudIT, Snipe-IT, Kuwaiba, and GLPI.
SIEM frameworks perform the task of monitoring, recording, and analyzing security alerts or incidents and generating reports based on information collected from a variety of connected sources such as network logs, firewalls, and antivirus filters.
Some of the open source frameworks for SIEM purposes include OSSIM, Elastic Stack, and Apache Metron.
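To show the kind of work a SIEM does behind the dashboards, here is an added example (not code from the article or from OSSIM, Elastic Stack or Apache Metron) that normalizes constructed sshd and firewall log lines into a common event schema and then runs one correlation rule over them: a burst of authentication failures from one source address followed by a success from the same address inside a short window. The log lines, host addresses and rule thresholds are all constructed for the example.

```python
"""Minimal SIEM-style pipeline: normalize two log sources, then correlate."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2019-05-16T10:00:01Z sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2019-05-16T10:00:03Z sshd[2201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2019-05-16T10:00:04Z fw: DENY TCP 203.0.113.7:51024 -> 10.0.0.5:3389
2019-05-16T10:00:05Z sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2019-05-16T10:00:06Z sshd[2201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2019-05-16T10:00:09Z sshd[2201]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2019-05-16T10:05:00Z sshd[2201]: Failed password for bob from 198.51.100.2 port 40000 ssh2
2019-05-16T10:20:00Z sshd[2201]: Accepted password for bob from 198.51.100.2 port 40001 ssh2
"""

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: (?P<action>ALLOW|DENY) \w+ "
                   r"(?P<ip>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Map a raw line from either source onto one normalized event schema.
    Lines that match no parser are dropped (returned as None)."""
    m = SSH_RE.match(line)
    if m:
        action = "auth_fail" if m["result"] == "Failed" else "auth_success"
        return {"ts": parse_ts(m["ts"]), "source": "sshd", "action": action,
                "user": m["user"], "src_ip": m["ip"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "firewall",
                "action": "fw_" + m["action"].lower(), "user": None,
                "src_ip": m["ip"], "dst": f"{m['dst']}:{m['port']}"}
    return None


def correlate(events, threshold=4, window=timedelta(seconds=60)):
    """Alert when a source IP produces >= threshold auth failures inside a
    sliding window and then an auth success within `window` of the last
    failure. Firewall denies from the same IP are attached as context."""
    by_ip = defaultdict(list)
    denies = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in ("auth_fail", "auth_success"):
            by_ip[e["src_ip"]].append(e)
        elif e["action"] == "fw_deny":
            denies[e["src_ip"]] += 1

    alerts = []
    for ip, evs in by_ip.items():
        fails = []  # timestamps of failures still inside the sliding window
        for e in evs:
            if e["action"] == "auth_fail":
                fails.append(e["ts"])
                fails = [t for t in fails if e["ts"] - t <= window]
            elif len(fails) >= threshold and e["ts"] - fails[-1] <= window:
                alerts.append({"rule": "brute_force_then_success", "src_ip": ip,
                               "user": e["user"], "failures": len(fails),
                               "firewall_denies": denies[ip],
                               "at": e["ts"].isoformat()})
                fails = []  # reset so one burst yields one alert
    return alerts


def run_pipeline(text):
    """Parse raw text from all sources and return the resulting alerts."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

In the sample data only 203.0.113.7 trips the rule (four failures in five seconds, then a success three seconds later); the single failure from 198.51.100.2 followed by a success fifteen minutes later stays below threshold. The normalization step is the part that matters most in practice: once every source lands in the same schema with a parsed timestamp, rules like this one can be written once and applied across sshd, firewall, antivirus and any other feed the SIEM ingests.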
Another important set of tools in the arsenal of security teams is the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Some of the open source tools for detecting network intrusion activity include Snort, OSSEC, OpenDLP, Kismet, and Bro.
OSS provides several benefits including:
Transparency: As the name suggests, right from its source code to its contributors, OSS is built with ample transparency about the decisions and processes behind its development, and often involves engaging community discussions that highlight these factors further. This provides a level of transparency that is unrivaled by any proprietary technology development process.
Reliability: Due to the transparent processes employed in open source development, it is much easier to rely on the capabilities of the software. Any shortcomings of open source software are openly highlighted by its own community and its users.
Innovation: One of the most salient effects of OSS is that it shapes user expectations for various kinds of software. It pushes proprietary developers to innovate and come up with something better in terms of user experience or features to retain their market share. It also often nudges the industry towards implementing solutions that give users more control and insight into the software products they use.
Standardization: Imagine a world where every bank implemented its own proprietary encryption algorithm to secure its transactions. Whom would you trust, and why? Thankfully, today we have the Advanced Encryption Standard (AES) that any organization can rely upon to encrypt sensitive data. Much of our critical infrastructure today leverages open standards for network communication protocols and security protocols.
Despite having several advantages over other modes of development, there are also some downsides to contend with when using OSS.
Accountability: When facing security issues or other operational issues with OSS, organizations using it have to deal with the lack of an accountability structure. This leads to delays in the release of crucial patches, which can be detrimental for organizations relying on the software.
Technical support: Unlike proprietary software that is built with clients’ needs in mind, open source software often serves a broader audience, and therefore lacks the dedicated maintenance and support available to organizations relying on it.
Compatibility: In the case of proprietary software, vendors go the extra mile to provide easy-to-use integrations and compatibility with their clients' existing workflows. This is where open source often lags behind, with much more effort required on the user's side, which adds hidden costs to integrating OSS into their operations.
With technologies like the Internet of Things (IoT), Artificial Intelligence (AI), and Blockchain on the rise, open source technologies and software are expected to play a central role in securing these new frontiers. Even though a lack of resources can often hinder their growth, it is clear that new and existing open source projects will continue to have a lasting impact on the security industry.