Top 10 Open Source Cloud Security Tools for 2023

Data shows that 83% of enterprises and organizations save costs and improve efficiency by moving their business to the cloud, but cloud security issues follow closely. The open-source tools recommended in this issue are suitable for various cloud service models such as SaaS, PaaS, and IaaS. (The tools recommended in this article represent only the author’s views.)

1. Wazuh

Wazuh is a security protection platform that integrates SIEM, HIDS, and XDR. Adhering to the spirit of open source, the Wazuh community is developing rapidly, and users can obtain technical support in the community, submit suggestions, and provide feedback. It is said that Wazuh has over 200,000 enterprise users, including some Fortune 100 companies. In addition to supporting local deployment, Wazuh is also suitable for cloud environments, with flexible infrastructure and strong scalability.

Portal: https://wazuh.com/

2. Osquery

Osquery is an open-source monitoring and analysis tool for operating systems. It lets users query system information with SQL-like statements, covering items such as running processes, open network connections, hardware events, and browser plugins. It is suitable for Windows, macOS, Linux, and FreeBSD, helping to improve system performance.

Osquery was created and put into use by Facebook in 2014, and engineers have reported benefits from it. Osquery logs can capture unknown malware, but threat response requires additional deployment and human intervention.

Portal: https://github.com/osquery/osquery

3. GoAudit

GoAudit is a Linux auditing tool. The Linux audit system comprises kernel code that monitors system calls and a user-space daemon responsible for writing the audit records. Released in 2016, the tool features multi-line logging and JSON blob analysis. Users can communicate directly with the kernel via Netlink and implement threat filtering based on specific business needs.

Portal: https://github.com/slackhq/go-audit

4. Grapl

Grapl, released in March 2022, is a graphical analysis platform with security detection, incident response, and forensics capabilities, adept at collecting security logs and converting them into subgraphs, which are then merged into the Master Graph to restore the attack actions in the entire environment. Thus, Grapl can respond to attackers’ intentions accordingly, similar to a real defender. Once suspicious patterns emerge, Grapl activates the analyzer and initiates an investigation.

Portal: https://github.com/grapl-security/grapl

5. OSSEC

OSSEC is a security detection and monitoring platform released in 2004, also used for log analysis, web server, firewall analysis, etc., capable of real-time monitoring of the integrity of SIEM platforms, adaptable to environments like Microsoft Windows, Linux, OpenBSD, FreeBSD, Solaris, etc. OSSEC has a centralized manager responsible for monitoring and receiving information from agents. It can also store files after performing integrity checks on databases, logs, system audits, events, etc.

Portal: https://github.com/ossec/ossec-hids

6. Suricata

Suricata combines intrusion detection, intrusion prevention, and network monitoring functions. When released in 2009, it already had traffic monitoring capabilities, and now it can monitor high traffic at speeds of 10G. Additionally, it supports file extraction and can configure bare metal and virtual machine servers in AWS to monitor traffic and detect advanced threats.

Portal: https://github.com/OISF/suricata

7. Zeek/Bro

Similar to Suricata, this is also a traffic monitoring tool that can detect abnormal behaviors and suspicious activities, thus differing from traditional rule-based IDS. Zeek allows users to view pre-attack and in-progress attack activities and has certain intelligent interaction capabilities. The programming language of Zeek can be customized according to user needs, allowing for the construction of complex logical conditions using operators like AND, OR, NOT, etc.

Portal: https://zeek.org/

8. Panther

Panther is an automated solution open-sourced by Airbnb, primarily designed to address the shortcomings of traditional SIEM, capable of matching user-specific security detection environments and scales for centralized detection. Each detection is transparent, determining detection rules while reducing false positives.

Panther can automatically fix misconfigurations and allows users to store data they do not want to be compromised. Panther has always deployed using its own AWS cloud and AWS CloudFormation, ensuring data is controlled by the user.

Portal: https://github.com/panther-labs/panther-analysis

9. Kali Linux

Kali Linux is an open-source system that provides network security utilities and penetration testing tools. It is one of the few Linux distributions focused on hacking. On Kali Linux, users can run Linux executable files, which can also be executed on Windows 10. Kali Linux supports installation on most devices, such as Raspberry Pi, Odroid, HP and Samsung Chromebooks, Beaglebone, etc.

Portal: https://www.kali.org

10. PacBot

PacBot is a compliance monitoring and cloud security automation tool. PacBot (Policy as Code Bot) scans and evaluates target resources based on policies. It includes an automatic remediation framework that can respond to and handle violations automatically through predefined behaviors. The tool also has visualization capabilities, making it easy for users to view compliance status and simplifying the analysis and handling of policy violations.

Portal: https://github.com/tmobile/pacbot

References

https://cybersecuritynews.com/opensource-cloud-security-tools/

Source: freebuf.com
