Large organizations facing an evolving threat landscape can protect their networks effectively with open-source security tooling. This post walks through a real-world example of how a security operations center (SOC) deployed several open-source tools and platforms to detect and respond to sophisticated threats.

Deployment of Intrusion Detection and Capture Systems

1. Bro IDS:

  • Bro IDS (now Zeek) plays a pivotal role in identifying malicious activity. It captures network traffic and stores it for forensic analysis.
  • Key Features:
    • Customizable for specific network indicators of compromise (IOCs).
    • Capable of storing over six months of traffic logs.
    • Correlates over 2 billion events and 1 billion sessions daily at peak times.
  • Technical Example: The IDS was deployed at the network’s edge to monitor all ingress and egress traffic. After implementing Bro, the SOC saw a marked increase in incident detection, leading to a 200% uptick in internal security tickets related to improper usage and other threats.

Full Packet Capture and Time Machine for Forensics

Full Packet Capture is a critical tool for security investigations and incident response. The SOC uses a Time Machine tool to capture and store approximately 30TB of network traffic per day, retaining the data for 90 days. This allows analysts to go back in time to investigate incidents and reconstruct security events.

  • Technical Details:
    • Time Machine captures up to 50 billion packets per day.
    • This data, stored at a rate of 4TB per day, provides high-fidelity forensic evidence during security incidents.
    • Example: During a data breach investigation, full packet capture allowed analysts to reconstruct a series of malware-infected communications, identifying the exact time and method of infiltration.

Advanced Malware Prevention with Response Policy Zone (RPZ)

The SOC implemented Response Policy Zone (RPZ) to block malicious domains across the enterprise. This open-source, DNS-based control prevents malware infections by blocking requests to known malicious domains; the policy updates automatically, and lookups of listed domains are redirected to a “walled garden,” preventing further damage.

  • Statistics:
    • RPZ blocks over 50 million domains each week, with more than 80,000 unique domains in the blocklist.
    • Integrated with Department of Homeland Security (DHS) feeds for real-time updates on malicious indicators.
  • Technical Example: A malicious domain responsible for distributing ransomware was blocked enterprise-wide, preventing over 10,000 attempted connections from internal machines. The incident was mitigated before any encryption of files occurred.
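As an added example (not the SOC's configuration), the Python below builds the zone records a BIND-style RPZ uses to steer lookups of listed domains to a walled garden: an exact-name and a wildcard trigger per domain, both answered with a CNAME to the sinkhole host. The feed entries, the `walledgarden.example.net` host and the `rpz.local` zone name are constructed placeholders; the zone must still be referenced from the resolver's response-policy configuration.

```python
"""Build a BIND Response Policy Zone (RPZ) that redirects lookups of known
malicious domains to a walled-garden host. Added example: the domains and the
walled-garden name are constructed placeholders, not the SOC's data."""
import re
from typing import Optional

# Constructed blocklist as a feed might deliver it: mixed case, trailing dots, junk, duplicates.
FEED = ["Malware-Dropper.Example.", "c2.example", "c2.example", "not a domain", "ransom.example"]
WALLED_GARDEN = "walledgarden.example.net."  # hypothetical sinkhole host (absolute name)
RPZ_ZONE = "rpz.local"  # policy zone name referenced by the resolver's response-policy option
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name: str) -> Optional[str]:
    """Lower-case, strip the trailing dot and reject anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return name

def rpz_records(feed, target=WALLED_GARDEN):
    """Return (owner, rdata) pairs. Owners are relative to the policy zone, so the
    owner 'c2.example' fires on QNAME c2.example and '*.c2.example' on its subdomains."""
    seen = set()
    records = []
    for raw in feed:
        dom = normalize(raw)
        if dom is None or dom in seen:
            continue
        seen.add(dom)
        # RPZ also defines special targets (e.g. 'CNAME .' returns NXDOMAIN); a walled garden uses a real host.
        records.append((dom, f"CNAME {target}"))
        records.append((f"*.{dom}", f"CNAME {target}"))
    return records

def render_zone(records, serial: int) -> str:
    """Emit zone text; bump `serial` whenever the feed changes so the resolver reloads it."""
    lines = [
        "$TTL 60",
        f"@ SOA {RPZ_ZONE}. hostmaster.{RPZ_ZONE}. {serial} 3600 600 86400 60",
        "@ NS localhost.",
    ]
    lines += [f"{owner} {rdata}" for owner, rdata in records]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_zone(rpz_records(FEED), serial=2024010101))
```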

Enhanced Endpoint Visibility with Google Rapid Response (GRR)

The integration of Google Rapid Response (GRR) gave SOC analysts broad visibility into endpoints running Linux, OS X, and Windows, allowing efficient threat detection at the endpoint level across a large number of systems.

  • Key Metrics:
    • Monitors over 130,000 nodes.
    • Logs over 3 billion network sessions daily.
    • Detects and evaluates more than 700 security alerts every day.
  • Technical Example: Using GRR, analysts quickly identified compromised machines by correlating unusual network sessions and endpoint behavior. This reduced response time for malware-related tickets by 50%.

ELK Stack for Log Management and Big Data Analysis

To handle the massive amount of security data generated daily, the SOC deployed the ELK Stack (Elasticsearch, Logstash, and Kibana). This open-source solution provides robust log management and real-time analytics, handling multiple log types, including intrusion detection logs, firewall logs, and DNS logs.

  • Performance Metrics:
    • Processes over 40 billion records, stored across a 121TB cluster, with data searchable in seconds.
    • Ingests logs from various sources, including IPS, firewalls, honeypots, and Windows systems.
  • Technical Example: ELK allowed security analysts to create custom visualizations for GeoIP tagging and agency-specific logs. During a DDoS attack, real-time dashboards highlighted the attack sources, enabling the SOC to quickly initiate countermeasures.

DARPA Partnership for Advanced Network Defense

Through a collaboration with DARPA, the SOC enhanced its network defense capabilities. The partnership focuses on predictive analysis using Big Data and behavioral detection to identify threats proactively.

  • Data Sets Shared:
    • Full Packet Capture (PCAP).
    • Netflow logs.
    • Bro logs.
  • Technical Example: A custom algorithm analyzed traffic patterns over a 60-day period, identifying anomalous connections between internal machines and suspicious foreign IPs. This flagged an infiltration attempt before it could cause damage.
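The post does not describe the algorithm itself. As an added illustration of a behavioral check of this kind (not the partnership's method), the Python below baselines each internal host's external peers over a 60-day window from Bro/Zeek conn.log-style records and flags hosts that, in the most recent day, contact an address never seen in that baseline. The log lines are constructed, and "external address outside the internal ranges" stands in for "foreign IP" since no GeoIP lookup is assumed.

```python
"""Flag internal hosts that contact external addresses never seen in a baseline
window, from Bro/Zeek conn.log-style records. Added illustration: the method is
an assumption, not the partnership's algorithm, and the log lines are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASELINE_DAYS = 60
# "Foreign" stands in for "not one of our internal ranges" here (no GeoIP lookup).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
NOW = datetime.fromtimestamp(1705320000, tz=timezone.utc)  # end of the evaluation window

# Constructed tab-separated conn.log fields: ts, id.orig_h, id.resp_h, id.resp_p, proto
CONN_LOG = """\
1700500000.000000\t10.1.1.5\t203.0.113.10\t443\ttcp
1702000000.000000\t10.1.1.5\t203.0.113.10\t443\ttcp
1703000000.000000\t10.1.1.9\t198.51.100.7\t80\ttcp
1705300000.000000\t10.1.1.5\t203.0.113.10\t443\ttcp
1705300100.000000\t10.1.1.5\t198.51.100.200\t8443\ttcp
1705300200.000000\t10.1.1.9\t10.1.1.5\t445\ttcp
1705300300.000000\t10.1.1.9\t198.51.100.7\t80\ttcp
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_conn(text):
    """Yield (datetime, orig, resp, port) per record, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, _proto = line.split("\t")
        yield datetime.fromtimestamp(float(ts), tz=timezone.utc), orig, resp, int(port)

def find_new_external_peers(text, now=NOW, baseline_days=BASELINE_DAYS):
    """Return {internal host: sorted external peers first contacted in the last day}.
    Baseline = flows in the baseline_days before `now`, excluding that final day."""
    eval_start = now - timedelta(days=1)
    base_start = now - timedelta(days=baseline_days)
    baseline, recent = defaultdict(set), defaultdict(set)
    for ts, orig, resp, _port in parse_conn(text):
        if not is_internal(orig) or is_internal(resp):
            continue  # only internal -> external flows are of interest here
        if base_start <= ts < eval_start:
            baseline[orig].add(resp)
        elif eval_start <= ts <= now:
            recent[orig].add(resp)
    return {h: sorted(p - baseline[h]) for h, p in recent.items() if p - baseline[h]}

if __name__ == "__main__":
    print(find_new_external_peers(CONN_LOG))  # {'10.1.1.5': ['198.51.100.200']}
```

A host whose recent peers all appear in its own baseline (10.1.1.9 above) produces no alert, which is what keeps this check quiet on routine traffic.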

Conclusion

This case study demonstrates how open-source security tools such as Bro IDS, Time Machine, RPZ, GRR, and the ELK stack can be deployed at scale to improve network visibility, detect intrusions, and prevent malware infections. By integrating these tools with advanced analytics and threat intelligence feeds, SOCs can significantly improve their security posture while minimizing costs.

Stay tuned for more deep dives into the technical implementation of these solutions.
