Open Source Security Tools You Should Know

Our pick of some of the best Open Source Cloud Security tools that will keep your organization safe from any malicious activity.

The widespread adoption of cloud computing has helped companies scale their businesses, but it has also led cloud-based breaches becoming a regular occurrence. Hosting a security monitoring team in-house is challenging, and the tools available today are cost-restricting, slow, and somewhat unmanageable at scale. To stay safeguarded in the cloud, security teams need more power, flexibility, and visibility than ever. Here is where open-source tools come into play - the benefits of open source technology are centered on lower costs and in the control of a dedicated community.

In this post, we have highlighted 7 open source cloud security tools and how they help security teams keep their organization safe from hackers and cyber-criminals by detecting anomalies and malicious activity.

Note: The GitHub snapshot stats are based on what they were at the time of writing. Subject to change.

#1 Osquery

Osquery is a low-level operating system analytics and monitoring tool that enables security engineers to perform sophisticated analysis with SQL. Available for Linux, macOS, Windows, and FreeBSD, this framework exposes an operating system as a high-performance relational database. This exposition allows engineers to write SQL-based queries to explore operating system attributes such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

Created by Facebook, the framework was open-sourced in 2014 after the company realized that the issue of maintaining insight into the low-level behavior of operating systems is not a problem that is unique to Facebook. Since then, it has been used and appreciated by engineers and developers from Dactiv, Google, Kolide, Trail of Bits, Uptycs, and other companies. Recently, the osquery Foundation was also welcomed into the Linux Foundation.

Osquery’s host monitoring daemon, osqueryd lets you schedule queries to be executed across your entire infrastructure. The daemon aggregates queries and generates logs that indicate state changes in your infrastructure which can help you maintain insight into security especially useful for anomaly detection. You can use osquery's log aggregation capabilities to easily catch known and unknown malware as well as pinpoint when the attack occurred and what was installed. Read more about anomaly detection using Osquery here .

#2 GoAudit

The Linux Audit system consists of two major components. The first component is some kernel code to hook and monitor syscalls. The second component is a userspace daemon, auditd responsible for writing audit records to the disk. GoAudit, written by Slack and released in 2016, is a replacement for auditd which provides better logging by converting auditd’s multiline events into a single JSON blob for easy analysis. With GoAudit, you can directly speak to the kernel via netlink. You can also do minimal (or zero) filtering of events on the hosts themselves. Not just for security, GoAudit developers designed it as a general-purpose tool - for operations or development teams to help debug problems at scale.

Go-audit is written in Golang that is type-safe and performant. When installing, make sure your golang version is above 1.7

#3 Grapl

Open-sourced last year in March, Grapl is a, relatively new, Gr aph A nalytics Pl atform for detection, forensics, and incident response. Attackers often work with graphs - they land on a box and start traversing the network. This makes it natural for defenders to also adopt a graph-based mechanism that understands the scope of the trust relationships within their network. Grapl is an attempt to explore Detection and Response given a graph primitive instead of a log primitive.

Grapl consumes security-relevant logs (Sysmon logs or a generic JSON log format), converts them into subgraphs (determining the ‘identity’ for each node), and then merges these subgraphs into a Master Graph that represents the actions across your environments. Grapl then executes Analyzers, the ‘attacker signatures’ for Grapl, against the graph to find anomalies and suspicious patterns. When analyzers detect a scary subgraph, Grapl will generate an Engagement construct for performing investigations. Engagement is a Python class that you can load up in an AWS hosted Jupyter Notebook. Grapl can also scope engagement through graph expansion.

Watch this interesting talk at BSides Las Vegas 2019 for an in-depth understanding of Grapl.

#4 OSSEC

Founded in 2004, OSSEC is an open-source, host-based intrusion detection software that is basically a security monitoring platform. With more than 500,000 downloads a year, it is primarily used as a server intrusion detection system — both on-premise and in the cloud. It is also commonly used as a log analysis tool for monitoring and analyzing firewalls, IDSs, web servers, and authentication logs.

It combines HIDS monitoring features with Security Incident Management (SIM)/Security Information and Event Management (SIEM). OSSEC can also perform real-time file integrity monitoring, Windows registry monitoring, rootkit detection, real-time alerting, and active response. OSSEC is multi-platform, running on Microsoft Windows, and most modern Unix-like systems including Linux, FreeBSD, OpenBSD, and Solaris.

The software consists of a central manager for monitoring and receiving information from agents (a small program installed on the systems to be monitored). The OSSEC manager is installed on the Linux system which stores the file integrity checking databases, logs, events, and system auditing entries.

The OSSEC project is currently maintained by Atomicorp who oversees the free and open-source version and also offers an enhanced commercial version . Listen to this Linux Security Podcast where Scott Shinn, OSSEC project manager discusses the latest update - OSSEC 3.0, history of the project, and how it differs from commercial security software currently in use.

#5 Suricata

Suricata is an essential open-source security project that acts as an intrusion detection system, intrusion prevention system, and network security monitoring tool.

First introduced in 2009, Suricata is rules-based, meaning you can specify a simple definition to specify unique characteristics of network traffic. When these conditions are met, it triggers an alert and the communication is blocked or dropped based on the rule requirements. Suricata also has multithreading so more rules could be processed on the same hardware for networks that have large traffic volumes. With multithreading, commodity hardware can achieve 10-gigabit speeds without sacrificing ruleset coverage. It also supports hashing and file extraction.

Suricata can be configured to run both on bare metal and virtual machines within AWS using the newly introduced traffic-mirroring feature. More on this in a later blog post!

Suricata provides Lua scripting support using which you can create complex and detailed signature detection logic for detecting complex threats.

The Suricata project and code are owned and supported by the Open Information Security Foundation (OISF).

#6 Zeek/Bro

Like Suricata, Zeek or Bro (Bro was renamed Zeek at BroCon 2018) is also an intrusion detection system and a network monitoring tool that can identify behavior anomalies, such as suspicious or threat activity. Zeek is different from traditional IDS in the sense that unlike rules-based engines that detect exceptions, Zeek also captures metadata about activity on a network to better understand the context of the network behavior. You can, for example, look at protocols, at headers and domain names in an HTTP call or in certificates.

As a networking monitoring tool, Zeek provides forensic examination which means it lets you look back at what happened before or during an incident. It also converts data about network traffic into higher-level events and provides a script interpreter. This interpreter is essentially a programming language used to interact with events and understand what those events mean in terms of network security. The Zeek programming language can be used to customize the interpretation of metadata to the specific needs of an organization. It can build out complex logical conditions using AND, OR and NOT operators, which allow the users to customize the analysis to their environment. Although, compared to Suricata, Zeek can be fairly complex when it comes to threat intelligence.

You can learn more about Zeek in this primer by Adam Pumphrey.

#7 Panther

Panther is a powerful, cloud-native, continuous security monitoring platform, recently open-sourced. It was founded by the core architect of StreamAlert , a solution for automated log analysis open-sourced by Airbnb. Panther provides a single pane for centralizing detection and response in all environments that scales with the business. Detections are transparent and deterministic rules in order to reduce false positives and alert fatigue.

Panther's core features include:

• Unauthorized Access detection: Analyze logs to identify unauthorized access into systems
• Threat Hunting: Quickly search logs for matches against indicators of compromise with Panther's standardized data fields
• Compliance: Use built-in detections as controls for SOC/PCI/HIPAA compliance
• Secure Your Cloud Resources: Automatically fix misconfigurations that could cause severe damage if exploited

Panther is deployed within your  own AWS Cloud with AWS CloudFormation. This ensures that data is always within your control

Conclusion

Enabling security monitoring is paramount today and open source tools can help with organizations of any scale, providing great benefits at negligible or zero costs.

We hope you enjoyed our pick of open source cloud security tools. Thank you for reading!Subscribe here to receive a notification whenever we publish a new post.