The security department relies completely on tools to get the job done. And for most tasks, there are plenty of solutions to choose from. But what if you can’t invest in tools for the security department? Is open-source an alternative? Let’s build a security department purely on open-source tools.

Security Operation Center

Typical functions for a Security Operation Center are to detect and to respond.

To detect a security incident you need to have a monitoring (SIEM) solution. AlienVault OSSIM, ElasticSIEM, and SIEMonster are some major open-source players. Most of the time these are limited versions of the commercial version. For example…

Artificial Intelligence, or AI for short. The marketing buzzword at the moment. AI is really hyped right now. But can it meet the expectations? I don’t think so. It is still an emerging technology and still very immature. However, this does not mean it is worthless.

Applying data science to security has the potential to revolutionize the industry. But it has an extensive road ahead of it.

Britannica describes artificial intelligence as the ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings. The trouble in this definition is the term intelligent. How do you define intelligence? How do you measure intelligence?

You can say something is intelligent if it can…

Sysmon can be extremely powerful if applied correctly. If not, it will produce a data avalanche and/or a massive, continuous burst of network traffic, one that can easily cripple your monitoring solution and/or overload your network connections. The question is, therefore, how can you unleash the power of Sysmon?

Sysmon can monitor everything it sees, but should it?

Architecture

Although the installation of the Sysmon program is rather simple (see this Microsoft article), you need to think first about the event ingestion into your monitoring solution. Sysmon can generate a high number of events, and this can choke your event ingestion pipelines quite quickly.

Sysmon will save the output…

User authentication can be done in a variety of ways. Each method has its pros and cons. Do you go for SSO? Or do you go for local authentication? Or something else? And what about user authorization? But above all, how do you monitor user authentication?

In a previous article, I spoke about the different user account types (normal, service, privileged, etc.). In this article, I will talk about how to create a strategy to monitor user authentication. User authentication and user authorization go hand in hand together. Although it doesn’t mean both should be done…

Yes, correct. Working in security means pressure, stress, deadlines, incidents, etc. And I almost forgot: it also means continuous learning. That sounds like all work and no fun. Well, the last part is not entirely correct. We also love playing games. Let’s talk about Capture the Flag, or CTF for short. With CTF you can sharpen your skills and discover your weaknesses. Yes, we gamified our skills.

But don’t be fooled that it is purely for the red side. It is for both sides. Blue and Red. And even if you are completely focused on the blue side (the defensive side), understanding and having some experience on the red side (the offensive side) is super beneficial because…

As a security professional, you want to protect your company/client as much as possible. However, budgets are not unlimited. And that fuels the discussion on likelihood and impact. These two terms are the key elements in a risk register. But how can you quantify them? And what is their role in the risk acceptance process?

When you look at the risk matrix below, the axes are divided into three values. Low, Medium, and High. But these are vague and above all biased terms. What I perceive as high, you might perceive as low.

Daily, yes daily, new vulnerabilities are being discovered and/or disclosed. One can say it is an avalanche. And that is essentially correct, but we haven’t seen the peak just yet. All the more reason why your security department should have a team of vulnerability specialists. But what do they do exactly?

A vulnerability specialist is also a master in reporting accurate information as he is dealing on a daily basis with an avalanche of data.

The primary role of a vulnerability specialist is to discover all vulnerabilities within the environment he/she is responsible for. And no, this does not include remediating them. Just discover and report. And depending on the size of the environment this is more than enough work for one full-time person.

But…

What do you do when the alarm bells ring and an alert shows up on your monitor screen? NIST devotes an entire bulletin to it. It is great for reference, but will it help in designing the perfect incident response playbook?

NIST SP800–61 — Computer Security Incident Handling Guide

NIST describes in publication SP800–61 the four phases of incident response: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. But how does this relate to the five functions also described by NIST?

If you read and compare these two, you will see there is overlap in both Response…

Richard de Vries

A passionate security professional who shares his knowledge, wisdom, and experiences to ensure we can make the world a little bit safer one step at a time.
