When an organization cannot afford to hire an external Security Operations Center (SOC), the logical choice is to build its own SOC by deploying a Security Information and Event Management (SIEM) platform. For our client (Living Lab) we implemented two open-source solutions: SELKS and Security Onion. These tools let a security analyst gather granular data while monitoring network traffic: event, alert, session and full packet data. Both solutions are based on ELK (Elasticsearch, Logstash, and Kibana). SELKS uses Scirius for management and Suricata as its Intrusion Detection System (IDS). Security Onion is also based on ELK but offers a choice of Suricata or Snort for the IDS. Security Onion additionally runs Bro alongside the IDS to analyze network traffic transversally, looking for anomalies outside the baseline.

The Scirius tool focuses on Suricata ruleset management, provides many ruleset sources to choose from, and is very simple to use. Evebox is another useful tool in SELKS that provides very detailed information about the alerts and events occurring on the network. One drawback is that there is not much documentation describing solutions to frequently encountered problems or challenges.

After installing both SIEMs and monitoring the network, we conclude that Security Onion is the better alternative because of its modularity (Suricata or Snort for IDS, Bro as the network security monitor) and its extensive community support. Creating rules and reducing the alert threshold is also simpler on Security Onion.
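Reducing the alert threshold, as mentioned above, means telling the IDS to stop logging every repeated match of a noisy signature. Suricata expresses this with its threshold keyword (type `limit`, `threshold` or `both`, tracked by source or destination address over a time window), and the surviving alerts are what Evebox or Kibana then display. The following Python script is an added example, not code from the project or from Suricata itself: it re-implements those three threshold semantics as I understand them from Suricata's documentation and applies them to a handful of constructed EVE JSON alert records, so an analyst can see how many alerts a given threshold would suppress before changing the live rule. The signature id, IPs and timestamps are all made up for the illustration.

```python
"""Simulate Suricata-style alert thresholding over EVE JSON alert records (added example)."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample: six "alert" records for one signature, all from the same source IP.
# Five fall inside one 60-second window; the last one (t=70s) starts a new window.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": f"2019-03-01T10:{mm:02d}:{ss:02d}.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5",
        "dest_ip": "10.0.0.10",
        "alert": {"signature_id": 2100001, "signature": "EXAMPLE scan (constructed)"},
    })
    for mm, ss in ((0, 0), (0, 5), (0, 10), (0, 20), (0, 30), (1, 10))
]


def parse_alerts(lines):
    """Parse EVE JSON lines, keeping only event_type == 'alert' records."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alerts.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "src_ip": rec["src_ip"],
            "dest_ip": rec["dest_ip"],
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
        })
    return alerts


def apply_threshold(alerts, sig_id, ttype, track, count, seconds):
    """Return the alerts that would survive a threshold rule on `sig_id`.

    limit:     log only the first `count` matches per `seconds` window (per tracked host)
    threshold: log every `count`-th match within the window
    both:      log once per window, as soon as `count` matches have been seen
    Alerts for other signatures pass through untouched.
    """
    state = {}  # tracked host -> [window_start, matches_in_window, already_fired]
    kept = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["sid"] != sig_id:
            kept.append(a)
            continue
        key = a["src_ip"] if track == "by_src" else a["dest_ip"]
        st = state.get(key)
        if st is None or (a["ts"] - st[0]).total_seconds() >= seconds:
            st = state[key] = [a["ts"], 0, False]  # open a fresh window
        st[1] += 1
        if ttype == "limit" and st[1] <= count:
            kept.append(a)
        elif ttype == "threshold" and st[1] % count == 0:
            kept.append(a)
        elif ttype == "both" and st[1] >= count and not st[2]:
            st[2] = True
            kept.append(a)
    return kept


def alerts_per_signature(alerts):
    """Count alerts by signature id, the usual first look at a noisy ruleset."""
    return Counter(a["sid"] for a in alerts)


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_EVE_LINES)
    print("before thresholding:", alerts_per_signature(raw))
    for ttype, count in (("limit", 2), ("threshold", 2), ("both", 3)):
        kept = apply_threshold(raw, 2100001, ttype, "by_src", count, 60)
        print(f"type {ttype}, count {count}, 60s: {len(kept)} alerts kept")
```

Running the script shows six raw alerts shrinking to three with `limit 2`, two with `threshold 2` and one with `both 3`; the same counts are what the corresponding threshold line in Suricata would leave in eve.json, which is a useful sanity check before editing the ruleset.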

Project Members: David Moran, Yousef Alzaman
