Security Onion 2: Unravel Adversary Actions with Frighteningly Good Detection and Shocking Visibility

Security Onion is a completely free and open source platform for threat hunting, enterprise security monitoring, and log management. First developed in 2008 by Doug Burks, Security Onion has since grown through several distributions and has been downloaded over 1 million times. Continuing that growth comes Security Onion 2, the next major iteration of the platform. In every iteration, the platform has woven together many different open source applications in an attempt to make life easier for blue teamers, but this presentation will focus primarily on the additions and improvements the new version brings, and on how security professionals will be better prepared to peel back the layers of their computer networks and make their adversaries cry.

To continue tipping the scales in favor of network defenders, attendees will learn how they can leverage Security Onion 2 in a variety of ways. This includes the monitoring of network traffic — we’ll discuss the types of data that are collected, and the relative value of each. This data may include NIDS alerts from Suricata, protocol-specific metadata from Zeek, or even full PCAP from Google Stenographer.

Ingestion of endpoint telemetry (e.g. Wazuh, Osquery, Winlogbeat) and other data sources will be discussed, as well as how this data can be scoured and hunting actions performed (using Kibana, or the new Hunt interface).

While there are some great hunters out there, at scale it can be much more efficient to have pre-built detections assist us in identifying anomalous behavior (paired with regular hunting). A defined detection engineering process, and criteria for creating detections, can really help us achieve success with our overall detection strategy — as a result, we’ll discuss detection development and the management of detection playbooks using Playbook.

Last, we’ll cover how we can enrich events with additional information, and even perform response actions, using TheHive and Cortex, also touching on how additional integrations might be achieved with Security Onion 2.

With all this context and capability, we’ll have bad guys shaking in their boots, for free!


Wes Lambert

Wes Lambert is the Director of Support and Professional Services at Security Onion Solutions, where he helps companies implement enterprise security monitoring solutions and better understand their computer networks. He is a huge fan of open source software projects, and loves to solve problems and enhance organizational security using completely free and easily deployable tools.

Friday Oct 30, 2020 - 03:45 PM CDT

Level 0, Blue Team Village