Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others. We created and maintain Security
2. Security Onion: A Linux Distribution for Threat Hunting, Enterprise Security Monitoring, and Log Management
Name of Our Thesis
3. Agenda
- Introduction
- Background study
- Literature review
- Network security monitoring
- Why we use Security Onion
- Tools and technologies
- Virtualization
- Methodology
- Network traffic analysis and monitoring
- Malware analysis with Security Onion
- Accomplished work
- Future work
- Student motivation (for those who study Security Onion)
- Conclusion
- References
4. Presented By
Name                        ID
Boni Yeamin                 173462012
Nahnudul Hasan Nir Rahim    173462098
Supervised By: Mashihoor Rahman, Cyber Security Analyst
Co-Supervised By: Sahabuddin, Lecturer, Department of CSE, City University
5. Introduction of Security Onion
- This work takes a closer look at the functionality and efficiency of a prebuilt, open-source security tool known as Security Onion. Security Onion was selected as the system of choice for this experiment because of the many different kinds of tools that are integrated into its design. Most security systems do not integrate this many tools, which makes it a distinctive system to analyze.
Introduction
6. Statement of the Problem
- Many organizations fail to give security the necessary budget, guidance, or resources.
- Before adopting a tool, organizations rarely understand fully how effective or ineffective it is.
- Protecting a network means utilizing a variety of software, such as a firewall, rather than a single product.
- Monitoring and securing a network is a daunting task.
7. Objective
- The objective of this research is to provide a comparative analysis of a device with Security Onion installed and one without it, giving users greater insight into how effective or ineffective a security tool actually is. This can help them understand the pros and cons of the tool and how secure their network truly is.
8. Limitation of the Research
- This study is limited to a comparative analysis of Security Onion, although other open-source security tools are available for enterprises to use. Moreover, this work launches attacks against each computer to analyze their effects; however, the complexity of the attacks is restricted and does not cover all variations of potential threats or vulnerabilities.
9. Background Related to the Problem
- The area of cybersecurity has become a growing commodity for companies over the last decades. According to Jeff, there will be a "3.5 million global shortage of cybersecurity professionals by 2022"; Cybersecurity Ventures reported that the number of unfilled cybersecurity jobs grew by 350%. Security Onion allows enterprises to automate and control the security process, which can help a department that lacks sufficient staff. In addition, it is a cost-effective solution, since the software is prebuilt and free. On the surface, Security Onion looks like a promising tool that could solve all of an organization's security problems.
professionals need to be
Background study
10. Literature Study
- This section provides additional content relating to the background of the problem, including the primary use of Security Onion to protect an enterprise's network. It introduces the common problems and challenges that exist in the security world and the ways in which they affect a professional's decision to use an open-source system such as Security Onion. It reviews the literature to indicate the current understanding of the system and to identify what is missing. Finally, it introduces the concept of a private network and different types of attacks.
Literature review
11. Literature Related to the Problem
- Security Onion is a relatively new concept in the cybersecurity world. When reading through different articles, books, and journals, there seems to be a lack of information about the effectiveness or ineffectiveness of the software. There were many pieces of literature about setting up the system and configuring it in different ways to help prevent certain types of attacks.
12. Why We Use Security Onion
- For developers, Security Onion offers a universal panacea for security, but the administrator still needs to work with the system to get the maximum result. Likewise, a professional needs the experience and knowledge to analyze each alert completely and to take action based on that information.
- Moreover, most security professionals prefer to "roll their own": a mix-and-match security toolset that works for them. Since different networks call for different solutions, you need to select a well-reviewed open-source network security tool.
- Depending on the distro, you need to choose the security tools, and a professional has to take up the task. If you want a testing platform for ethical hacking, then Kali Linux is the best choice for you. If you need to monitor a variety of network traffic and events, then Security
14. What is Security Onion
- Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors.
- It is designed to make deploying complex open-source tools simple via a single package.
- The ability to pivot seamlessly from one tool to the next makes it the most effective collection of network security tools available in a single package.
- It allows a choice of IDS engines, analyst consoles, and web interfaces.
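Pivoting from one tool to the next, as the slide above describes, works because Zeek and Suricata both tag a flow with the same Community ID computed from its 5-tuple, and Security Onion enables that field in both. The following Python is an added example, not code from the presentation or from Security Onion itself: it implements Community ID version 1 for TCP/UDP and joins a Suricata eve.json alert to the matching Zeek conn.log record on that key. The log records are constructed to resemble both tools' JSON output and are not real captures; the Zeek uids, addresses and signature ids are made up. Verify the hash against the test vectors published with the Community ID specification before relying on it.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers. Community ID v1 also covers ICMP and SCTP, which need
# extra port mapping that this example leaves out.
PROTO_NUM = {"tcp": 6, "udp": 17}


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID flow hash, version 1, for TCP/UDP flows.

    Zeek and Suricata compute this key independently from the 5-tuple, so
    records about the same flow can be joined without relying on timestamps.
    """
    pnum = PROTO_NUM[proto.lower()]
    a = ipaddress.ip_address(src_ip)
    b = ipaddress.ip_address(dst_ip)
    # Canonical ordering: the lower address (then lower port) comes first, so a
    # client->server packet and the server->client reply hash to the same ID.
    if (a.packed, src_port) > (b.packed, dst_port):
        a, b = b, a
        src_port, dst_port = dst_port, src_port
    data = (struct.pack("!H", seed) + a.packed + b.packed
            + struct.pack("!BBHH", pnum, 0, src_port, dst_port))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def pivot_alerts_to_conns(alerts, conns):
    """Join each Suricata alert to the Zeek conn.log record with the same community_id.

    Computes the ID from the alert's own 5-tuple when the field is absent.
    Returns one summary dict per alert; unmatched alerts carry zeek_uid=None.
    """
    by_cid = {c["community_id"]: c for c in conns}
    joined = []
    for a in alerts:
        if a.get("event_type") != "alert":
            continue  # eve.json also carries flow, dns, http... records; pivot from alerts only
        cid = a.get("community_id") or community_id_v1(
            a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], a["proto"])
        c = by_cid.get(cid)
        joined.append({
            "sid": a["alert"]["signature_id"],
            "signature": a["alert"]["signature"],
            "community_id": cid,
            "zeek_uid": c["uid"] if c else None,
            "conn_state": c["conn_state"] if c else None,
            "total_bytes": (c["orig_bytes"] + c["resp_bytes"]) if c else None,
        })
    return joined


# Constructed sample data shaped like Suricata eve.json alerts and Zeek conn.log JSON
# records (not real captures). The flow of interest: 10.0.0.5:49152 -> 203.0.113.7:80/tcp.
FLOW_ID = community_id_v1("10.0.0.5", 49152, "203.0.113.7", 80, "tcp")

ZEEK_CONN = [
    {"ts": 1.0, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.5", "id.orig_p": 49152,
     "id.resp_h": "203.0.113.7", "id.resp_p": 80, "proto": "tcp", "conn_state": "SF",
     "orig_bytes": 312, "resp_bytes": 4096, "community_id": FLOW_ID},
    {"ts": 2.0, "uid": "CpQ4Rk2iYgVZzXg7F", "id.orig_h": "10.0.0.9", "id.orig_p": 53211,
     "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp", "conn_state": "S0",
     "orig_bytes": 0, "resp_bytes": 0,
     "community_id": community_id_v1("10.0.0.9", 53211, "203.0.113.7", 443, "tcp")},
]

SURICATA_EVE = [
    # Alert raised on the server's response: src/dest are reversed relative to Zeek's
    # originator/responder, and no community_id field is present, so the fallback runs.
    {"event_type": "alert", "src_ip": "203.0.113.7", "src_port": 80,
     "dest_ip": "10.0.0.5", "dest_port": 49152, "proto": "TCP",
     "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED Suspicious HTTP response"}},
    # Alert on a flow that Zeek never logged.
    {"event_type": "alert", "src_ip": "10.0.0.77", "src_port": 40000,
     "dest_ip": "198.51.100.3", "dest_port": 22, "proto": "TCP",
     "community_id": community_id_v1("10.0.0.77", 40000, "198.51.100.3", 22, "tcp"),
     "alert": {"signature_id": 1000002, "signature": "CONSTRUCTED SSH scan"}},
    # A non-alert record, skipped by the pivot.
    {"event_type": "flow", "src_ip": "10.0.0.5", "src_port": 49152,
     "dest_ip": "203.0.113.7", "dest_port": 80, "proto": "TCP"},
]


if __name__ == "__main__":
    for row in pivot_alerts_to_conns(SURICATA_EVE, ZEEK_CONN):
        print(row)
```

The first alert was raised on the server's reply, so its src/dest are swapped relative to Zeek's originator/responder; the canonical ordering inside community_id_v1 is what makes the two records meet anyway. An alert whose flow Zeek never logged comes back with zeek_uid None, which is itself worth a look (a one-sided capture, or a sensor that sees only part of the path).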
15. What are SOC, NMS, and SIEM Solutions
- (SOC) A security operations center is a centralized unit that deals with security issues on an organizational and technical level.
- (NMS) Network monitoring systems include software and hardware tools that can track various aspects of a network and its operation, such as traffic, bandwidth utilization, and uptime. These systems can detect devices and other elements that comprise or touch the network, as well as provide status updates.
- (SIEM) Security information and event management technology supports threat detection, compliance, and security incident management through the collection and analysis (both near-real-time and historical) of security events, as well as a wide variety of other event and contextual data sources.
16. Why Open Source
- Every company has a unique process for creating, reviewing, and approving or denying business cases. The path of creating and improving a SOC is challenging and costly.
- Annual operating costs: we assume the company already has its own management team, operators, office supplies, and computers, so we consider only the software maintenance cost, which is $25,000; further recurring costs can be added.
- For a mid-level company this amount is very large, so it will not try to build a SOC.
17. Why IDS/IPS if I Have a Firewall
- In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet. A conventional firewall decides on packet headers (addresses, ports, protocol), so it does not notice an attack carried inside a connection it allows; that is the gap an IDS or IPS fills.
- Intrusion Detection System: an IDS is designed to detect a potential incident, generate an alert, and do nothing to prevent the incident from occurring.
- Intrusion Prevention System: an IPS, on the other hand, is designed to take action to block anything that it believes to be a threat to the protected system.
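To make the difference concrete, the following Python is an added example, not from the presentation or from any real product. It models a stateless firewall ACL that matches only on protocol and destination port, and a sensor that evaluates a small subset of Suricata rule syntax (action, proto, destination port, msg, content, sid) against the payload, once as a passive IDS and once inline as an IPS. The ACL, the rule and the packets are constructed; the sid is from the local 1000000+ range and the signature is not taken from any ruleset.

```python
import re
from dataclasses import dataclass

# Minimal subset of Suricata rule syntax:
#   action proto src sport -> dst dport (key:"value"; key:value; ...)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+'
    r'(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    opts: dict


def parse_rule(text):
    """Parse one rule line into a Rule; raises ValueError for syntax this subset lacks."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule: {text}")
    return Rule(m["action"], m["proto"].lower(), m["dport"], dict(OPT_RE.findall(m["opts"])))


def rule_matches(rule, pkt):
    """A rule matches on proto and destination port and, unlike a firewall, on payload content."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if rule.dport != "any" and int(rule.dport) != pkt["dport"]:
        return False
    content = rule.opts.get("content")
    return content is None or content.encode() in pkt["payload"]


def firewall(pkt, acl):
    """Stateless packet filter: first matching (proto, dport, verdict) entry wins, default deny.

    It never looks at the payload, which is why an attack inside allowed HTTP gets through.
    """
    for proto, dport, verdict in acl:
        if proto in ("any", pkt["proto"]) and dport in ("any", pkt["dport"]):
            return verdict
    return "deny"


def sensor_inspect(pkt, rules, mode):
    """mode='ids': passive sensor, alerts only, traffic is never touched.
    mode='ips': inline sensor, a matching 'drop' rule blocks the packet.
    In IDS mode a 'drop' rule behaves like 'alert', as Suricata does when not inline.
    """
    alerts = []
    verdict = "forward"
    for r in rules:
        if rule_matches(r, pkt):
            alerts.append(r.opts.get("msg", f"sid:{r.opts.get('sid')}"))
            if mode == "ips" and r.action == "drop":
                verdict = "drop"
    return verdict, alerts


def process(pkt, acl, rules, mode):
    """Perimeter firewall first, then the sensor behind it. Returns a decision summary."""
    fw = firewall(pkt, acl)
    if fw != "allow":
        return {"firewall": fw, "sensor": None, "alerts": []}
    sensor, alerts = sensor_inspect(pkt, rules, mode)
    return {"firewall": fw, "sensor": sensor, "alerts": alerts}


# Constructed lab policy: allow web traffic in, nothing else.
ACL = [("tcp", 80, "allow"), ("tcp", 443, "allow")]

# Constructed rule; the sid is in the local range and the signature is not from any real ruleset.
RULES = [parse_rule(
    'drop tcp any any -> any 80 (msg:"LOCAL Path traversal in HTTP request"; '
    'content:"../../etc/passwd"; sid:1000001; rev:1;)')]

# Constructed packets, not captured traffic.
PACKETS = {
    "telnet": {"proto": "tcp", "dport": 23, "payload": b"\xff\xfd\x18"},
    "http_ok": {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    "http_evil": {"proto": "tcp", "dport": 80,
                  "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"},
}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        for mode in ("ids", "ips"):
            print(name, mode, process(pkt, ACL, RULES, mode))
```

Running the script prints the verdicts: telnet is stopped by the firewall before any sensor sees it; the traversal request on port 80 is allowed by the firewall in both modes, the IDS only alerts and forwards it, and the IPS drops it. The same drop rule is loaded in both modes, so the only thing that changes the outcome is whether the sensor sits inline.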
20. Virtualization
- In computing, virtualization is the act of creating a virtual version of something, including virtual computer hardware platforms, storage devices, and computer network resources.
- We use two virtualization products in this project:
  1. VMware Workstation Pro
  2. VMware ESXi 7
- In a VMware Workstation Pro machine with the sniffing interface in bridged mode, you will be able to see all traffic to and from the host machine's physical NIC (network interface controller). If we would like to see ALL the traffic on our network, we need a way to forward that traffic to the interface to which the virtual adapter is bridged. This can be achieved with a network tap or a SPAN (mirror) port on the switch.
21. System Requirements
- Hardware requirements: Security Onion only supports the x86-64 architecture (standard Intel/AMD 64-bit processors).
- For all other configurations, the minimum specs for running Security Onion 2 are:
  16 GB RAM
  4 CPU cores
  200 GB storage
23. Networking Configuration
- The following table shows how we configured the network in our test lab.
Name                          Network type    IP
External internet protocol    Public IP       103.102.133.14
Router IP                     Static IP       192.168.0.1
VMware machine                Host only       192.168.143.0
VMware machine                NAT             192.168.24.0
ESXi 7                        IP              192.168.24.128
24. Networking Configuration (continued)
Name                  Network type    IP
Security Onion        NAT             192.168.24.255
Security Onion        Bridge          192.168.24.130
Windows 7             NAT             192.168.137.1
Windows 7             Bridge          192.168.24.135
Windows Server 2012   NAT             192.186.137.80
Windows Server 2012   Bridge          192.168.24.132
Kali Linux            NAT             192.186.137.48
Kali Linux            Bridge          192.168.24.135.129
Ubuntu                NAT             192.186.137.17
Ubuntu                Bridge          192.168.24.136
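A lab address plan like the two tables above is easy to get wrong, so an added Python check, not part of the presentation, is given here. It validates each entry with the standard ipaddress module: the address must parse, lie inside the stated subnet, not be the network or broadcast address, and not collide with another host on the same network. The plan is constructed and loosely modelled on the tables; the tables list no prefix length, so a /24 on 192.168.24.0 is assumed for both the NAT and bridged networks, and the "Analyst laptop" entry is hypothetical, added only to exercise the duplicate check.

```python
import ipaddress


def check_plan(plan):
    """Validate a lab address plan.

    plan: iterable of (host, network_name, cidr, ip) tuples.
    Returns a list of (host, network_name, ip, problem) for each failed check:
    the address parses, lies inside the stated subnet, is neither the network
    nor the broadcast address, and is not used twice on the same network.
    """
    problems = []
    seen = {}  # (network_name, address) -> first host that claimed it
    for host, net_name, cidr, ip in plan:
        net = ipaddress.ip_network(cidr, strict=False)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append((host, net_name, ip, "not a valid IP address"))
            continue
        if addr not in net:
            problems.append((host, net_name, ip, f"outside {net}"))
            continue
        if addr == net.network_address:
            problems.append((host, net_name, ip, "network address, not assignable"))
        elif addr == net.broadcast_address:
            problems.append((host, net_name, ip, "broadcast address, not assignable"))
        first = seen.setdefault((net_name, addr), host)
        if first != host:
            problems.append((host, net_name, ip, f"already used by {first}"))
    return problems


# Constructed plan, loosely modelled on the lab tables. The /24 prefix is an assumption
# (the tables give 192.168.24.0 with no mask); the analyst laptop is hypothetical.
NAT = "192.168.24.0/24"
BRIDGE = "192.168.24.0/24"
PLAN = [
    ("Security Onion", "nat", NAT, "192.168.24.255"),
    ("Security Onion", "bridge", BRIDGE, "192.168.24.130"),
    ("Windows 7", "bridge", BRIDGE, "192.168.24.135"),
    ("Windows Server 2012", "bridge", BRIDGE, "192.168.24.132"),
    ("Kali Linux", "nat", NAT, "192.186.137.48"),
    ("Kali Linux", "bridge", BRIDGE, "192.168.24.135.129"),
    ("Ubuntu", "bridge", BRIDGE, "192.168.24.136"),
    ("ESXi 7", "bridge", BRIDGE, "192.168.24.128"),
    ("Analyst laptop (hypothetical)", "bridge", BRIDGE, "192.168.24.130"),
]


if __name__ == "__main__":
    for host, net_name, ip, problem in check_plan(PLAN):
        print(f"{host:30} {net_name:7} {ip:20} {problem}")
```

Against this plan four entries are reported: a NAT address ending in .255, which is the broadcast address of a /24; a five-octet address that does not parse; an address in 192.186.x.x that falls outside the assumed 192.168.24.0/24; and the hypothetical duplicate. Whether each one is a typo in the table or a different subnet than assumed is for the lab owner to decide; the point is that the check is cheap and should run before any sensor placement is trusted.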
25. Installing Security Onion
- We installed Security Onion from the ISO image in VMware Workstation Pro:
1. First, configure the VMware virtual machine settings for Security Onion according to its requirements.
2. Then set up the NAT and bridged network adapters.
3. Start the virtual machine and boot from the ISO file.
4. Install Security Onion in graphical mode.
5. For more information, we recorded a video in which we describe all the steps in detail.
26. Security Onion Architecture
32. Accomplished Work
- Virtualization
- Network configuration
- Setting up the network lab
- Setting up the virtual lab
- Setting up Security Onion and the other operating systems
- Monitoring with IDS and IPS
33. Future Work
- Implementation of an AWS cloud AMI
- Implementation of an Azure cloud image
34. Student Motivation (those who study Security Onion)
In this section we discuss what someone needs in order to practice or learn about Security Onion. The basic needs are described below:
• A clear understanding of virtualization.
• Knowledge of networking configuration and architecture.
• Knowledge of IDS and IPS.
• Knowledge of NIDS, HIDS, OS detection, and NSM.
• Knowledge of SOC and SIEM.
35. Conclusion
Security Onion is a free, open-source intrusion detection system that is not difficult to stand up. It is an extraordinary educational tool for both students and staff. It is potentially appropriate for enterprises with the resources and the inclination to deploy and maintain their own monitoring solution and intrusion detection system. If nothing else, standing up a Security Onion test deployment is an excellent way to have something to benchmark against.
36. References
Security Onion documentation: https://docs.securityonion.net/en/2.3/
Introduction to Security Onion: https://www.researchgate.net/publication/304200311_Introduction_to_Security_Onion
Bugs in Security Onion: https://www.researchgate.net/publication/355978629_Bugs_in_Security_Onion