From the course: Security Onion

What is Security Onion?


- [Instructor] Welcome to Lesson 2 with Intro to Security Onion. I'm your instructor, Carl, and this lesson is all about what Security Onion is. So, for the agenda, first we'll talk about what we're going to talk about in this course. We'll start with a discussion on what Security Onion actually is, including a short history and the functionality. Next, we'll discuss the tools that are included in Security Onion. Then we'll discuss the architecture, and we'll wrap up by discussing deployment types.

So, what is Security Onion? This excerpt here is taken from the Security Onion website. "Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!" To build on that description from the Security Onion website, Security Onion is an open source network security monitoring and network forensics tool. It was built with ease of deployment and tool interoperability in mind. It's not just a bunch of tools on an OS. They are configured to work together. I appreciate this as it makes it much easier to deploy, and the interoperability allows for more fluid investigations, and we'll dig into both of these ideas later on in the course.

So when people ask me what Security Onion is, I like to compare it to Kali Linux. Kali Linux, of course, being a Linux distribution that is largely used for penetration testing. Well, while Kali is used for pen testing, Security Onion is used to monitor for attacks from tools like Kali. They're both similar distributions, but they have very differing ideologies.

The tool itself is the creation of Doug Burks. He began the project in 2008 with the first open release in 2009. Over time, it gained a following and Doug continued to build and rebuild the project. In 2014, he founded Security Onion Solutions, which is the business arm of Security Onion. While the project is free and open source, this comes with the cost of knowing how to maintain a fairly complex piece of software. Using open source technologies in a corporate environment might be attractive because it's free. You'll likely end up paying as much, if not more, in time spent learning to deploy and maintain the tool. Security Onion Solutions offers paid support, training, and other services for corporations that use the tool to help offset the time sink that may come from doing everything on your own. That may be something to check out if you're looking at Security Onion for your business.

There are several websites that are maintained by the Security Onion team. The first two here are securityonion.net and securityonionsolutions.com. These give information on the project as a whole and what services are available through Security Onion Solutions. While they have good info, for this course, we'll spend more time on the documentation site and the Google group. These have more information on deploying and using Security Onion, and they're a good place to look when things are broken.

Security Onion can be used either as a forensics tool or for continuous monitoring as a network security monitoring tool. When using it as a forensics tool, you can configure it as a standalone server, frequently as a VM on your desktop that you can replay PCAPs onto. If you're ever in triage mode after an incident and someone hands you a PCAP that likely contains evidence of a compromise, it can be hard to know where to start. By replaying it onto a standalone instance of Security Onion, you can have the PCAP parsed out into network classifications. So think of DNS, SMTP, FTP, things like that, and run through an IDS such as Snort. And this will give you a very good starting place for your investigation.

When using it as a network security monitoring tool, you deploy multiple servers across your enterprise and gather the traffic in real time via a network tap. The traffic is then run through the same parser used in a standalone instance, but the traffic is coming in continuously. This allows you to see what is coming in and going out of your network. Since all of the traffic is run through an IDS, you can then see what types of attacks are being thrown at you. If you ever want to have some fun at home, set up an instance to monitor what is hitting your home network. You may be surprised what's coming in.

Both types of installations will gather all the network traffic and store it in a searchable format. The amount of data stored will obviously depend on how much storage you have on your server and how much traffic you're throwing at it. For example, a fully saturated one gigabit per second pipe will require you to store seven and a half gigabytes per minute and 450 gigabytes per hour, so it's always good to plan accordingly.
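The storage figure at the end of the lesson (a saturated 1 Gbps link producing 7.5 GB per minute and 450 GB per hour of full packet capture) generalizes to a small planning calculation. The following is an added example written for this page, not code from the course or from the Security Onion project. It assumes decimal gigabytes (1 GB = 10^9 bytes), which is what makes the lesson's numbers come out exactly, and it adds two assumptions of its own: a link utilization factor, since real sensors rarely see a saturated pipe, and a headroom fraction reserved for the indexes, logs and OS that share the disk with the PCAP store.

```python
"""Added example: rough full-packet-capture storage planning for a network
security monitoring sensor. Units are decimal (1 GB = 1e9 bytes) so that a
fully saturated 1 Gbps link works out to 7.5 GB/min and 450 GB/hour, matching
the figures quoted in the lesson.
"""

BITS_PER_BYTE = 8
SECONDS_PER_MINUTE = 60
MINUTES_PER_HOUR = 60
HOURS_PER_DAY = 24
BYTES_PER_GB = 1_000_000_000  # decimal gigabyte (assumption: matches the lesson's arithmetic)


def gb_per_minute(link_mbps: float, utilization: float = 1.0) -> float:
    """Capture volume in GB per minute for a link of link_mbps carrying
    the given fraction of its capacity (1.0 = fully saturated)."""
    if not 0.0 <= utilization <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    bytes_per_second = link_mbps * 1_000_000 / BITS_PER_BYTE * utilization
    return bytes_per_second * SECONDS_PER_MINUTE / BYTES_PER_GB


def gb_per_hour(link_mbps: float, utilization: float = 1.0) -> float:
    return gb_per_minute(link_mbps, utilization) * MINUTES_PER_HOUR


def gb_per_day(link_mbps: float, utilization: float = 1.0) -> float:
    return gb_per_hour(link_mbps, utilization) * HOURS_PER_DAY


def retention_hours(disk_gb: float, link_mbps: float,
                    utilization: float = 1.0, pcap_share: float = 0.8) -> float:
    """Hours of PCAP a disk of disk_gb can hold, giving the capture store only
    pcap_share of the disk (assumption: the rest is left for indexes, logs
    and the OS). Returns infinity for an idle link."""
    hourly = gb_per_hour(link_mbps, utilization)
    if hourly == 0:
        return float("inf")
    return disk_gb * pcap_share / hourly


def plan(disk_gb: float, link_mbps: float, utilization: float = 1.0) -> dict:
    """Summarize the capture volume and how long the given disk will last."""
    return {
        "gb_per_minute": gb_per_minute(link_mbps, utilization),
        "gb_per_hour": gb_per_hour(link_mbps, utilization),
        "gb_per_day": gb_per_day(link_mbps, utilization),
        "retention_hours": retention_hours(disk_gb, link_mbps, utilization),
    }


if __name__ == "__main__":
    # Constructed scenario: a 10 TB (10,000 GB decimal) sensor on a 1 Gbps tap.
    for util in (1.0, 0.3):
        summary = plan(disk_gb=10_000, link_mbps=1_000, utilization=util)
        print(f"1 Gbps at {util:.0%} utilization:")
        for key, value in summary.items():
            print(f"  {key:16} {value:10.2f}")
```

The retention number is the one to act on: at full saturation a 10 TB disk holds under a day of packets, so a sensor sized for a "typical" 30% load can silently lose most of its capture window during a sustained burst, which is exactly when you want the evidence.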