Top 10 Open Source Cloud Security Tools of 2023

Data shows that 83% of enterprises and organizations save costs and improve efficiency by moving their “business to the cloud,” but cloud security issues follow closely behind. This issue recommends open source tools for cloud security that are suitable for various cloud service models such as SaaS, PaaS, and IaaS. (The tools recommended in this article represent the original author’s views only.)

1. Wazuh

Wazuh is a security protection platform that integrates SIEM, HIDS, and XDR. Upholding the spirit of open source, the Wazuh community is developing rapidly, allowing users to obtain technical support, submit suggestions, and provide feedback in the community. It is reported that Wazuh has over 200,000 enterprise users, including some Fortune 100 companies. In addition to supporting local deployment, Wazuh is also suitable for cloud environments, with flexible infrastructure and strong scalability.

Link: https://wazuh.com/

2. Osquery

Osquery is an open source monitoring and analysis tool for operating systems that supports querying various system metrics with SQL-like statements, including running processes, open network connections, hardware events, and browser plugins. It is suitable for Windows, macOS, Linux, and FreeBSD, helping to improve system performance.

Osquery was created and put into use by Facebook in 2014, and engineers have reported benefits from it. Osquery logs can capture unknown malware, but additional deployment is required, along with human intervention for threat response.

Link: https://github.com/osquery/osquery

3. GoAudit

GoAudit works with the Linux audit system, which consists of kernel code that monitors system calls and a user-space daemon responsible for writing audit records. The tool was released in 2016 and features multi-line logging and JSON blob analysis capabilities. Users can communicate directly with the kernel through Netlink and implement threat filtering based on specific business needs.

Link: https://github.com/slackhq/go-audit

4. Grapl

Grapl was released in March 2022 and is a graphical analysis platform with security detection, incident response, and forensics capabilities. It excels at collecting security logs and converting them into subgraphs, which are then merged into the Master Graph to restore attack actions within the entire environment. Thus, Grapl can respond defensively based on the attacker’s intent, similar to human defense. Once suspicious patterns appear, Grapl activates the analyzer and initiates an investigation.

Link: https://github.com/grapl-security/grapl

5. OSSEC

OSSEC is a security detection and monitoring platform released in 2004. It is also used for log analysis and for web server and firewall analysis, and is capable of real-time monitoring of the integrity of SIEM platforms. It is compatible with Microsoft Windows, Linux, OpenBSD, FreeBSD, Solaris, and more. OSSEC has a centralized manager responsible for monitoring and receiving information from agents. It can also store files after performing integrity checks on databases, logs, system audits, events, etc.

Link: https://github.com/ossec/ossec-hids

6. Suricata

Suricata combines intrusion detection, intrusion prevention, and network monitoring functions. When released in 2009, it already had traffic monitoring capabilities, and now it can monitor high traffic at speeds of 10G. Additionally, it supports file extraction and can configure bare metal and virtual machine servers in AWS to achieve traffic monitoring and discover advanced threats.

Link: https://github.com/OISF/suricata

7. Zeek/Bro

Similar to Suricata, this is also a traffic monitoring tool that can identify abnormal behaviors and suspicious activities, thus differing from traditional rule-based IDS. Zeek allows users to view pre-attack and in-progress attack activities and has certain intelligent interactive functions. The programming language of Zeek can be customized according to user needs, allowing complex logical conditions to be constructed using operators (such as AND, OR, NOT, etc.).

Link: https://zeek.org/

8. Panther

Panther is an automated solution open-sourced by Airbnb, mainly designed to address the shortcomings of traditional SIEM. It can set up a centralized detection environment that matches actual security detection needs and scale. Each detection is transparent, establishing detection rules while reducing false positives.

Panther can automatically fix misconfigurations and allows users to store data that they do not want to be compromised. Panther has always used its own AWS cloud and AWS CloudFormation for deployment, ensuring that data is controlled by the users themselves.

Link: https://github.com/panther-labs/panther-analysis

9. Kali Linux

Kali Linux is an open-source system that provides network security utilities and penetration testing tools. It is one of the few Linux distributions focusing on hacking. On Kali Linux, users can run Linux executable files, which can also be executed in Windows 10. Kali Linux supports installation on most devices, such as Raspberry Pi, Odroid, HP and Samsung Chromebooks, Beaglebone, and more.

Link: https://www.kali.org

10. PacBot

PacBot is a compliance monitoring and cloud security automation tool. PacBot (Policy as Code Bot) scans and evaluates target resources based on policies. It includes an automated remediation framework that can automatically respond to and handle violations through predefined behaviors. This tool also has visualization capabilities, making it easier for users to view compliance status and simplifying the analysis and handling of policy violations.

Link: https://github.com/tmobile/pacbot

References

https://cybersecuritynews.com/opensource-cloud-security-tools/
