For a SOC (Security Operations Center) it is vital to be continuously informed about the events of the monitored network on a centralized platform. The SIEM (Security Information and Event Management) system performs this task. It harvests information from various log sources and, in accordance with its configuration, generates security events. The SIEM alerts the security specialists about events that have already happened. The question arises: what should we do if we want to secure our system beyond monitoring and reacting to events? The answer is to broaden the security system with additional tools, which, for cost-effectiveness, may be open source tools. These tools are:
- Proactive security tools, such as IPS, vulnerability scanner, honeynet.
- Forensic tools.
The IPS (Intrusion Prevention System) performs real-time inspection of every packet that travels across the network. If malicious or suspicious packets are detected, the IPS carries out defensive actions, such as dropping the traffic. By scanning network traffic, an IPS can prevent different threats, such as:
- Denial of Service (DoS)
- Distributed Denial of Service (DDoS)
- Known exploits
Tools approved and recommended by Black Cell: Snort, Suricata, Zeek
For a proactive security specialist, it is vital to have a vulnerability scanner. With its help, the specialist can check whether the systems and applications have the latest patches, or whether they have a critical vulnerability that could lead to an attack.
Tools approved and recommended by Black Cell: OpenVAS, CIS Benchmark tool
Nowadays attackers use more sophisticated tools than ever to gain unauthorized access to the victims’ electronic information systems. With deception technologies (honeypots and honeynets), analysts can monitor and analyze attack patterns without exposing the organization’s production network to risk.
Tools approved and recommended by Black Cell: MHN (Modern Honey Network)
Static and dynamic malware analysis tools and malicious code analyzers are forensic tools that give a better understanding of potential vulnerabilities in the network.
Tools approved and recommended by Black Cell: Autopsy, NetworkMiner
Full packet capture
Full packet capture is a technology that records every byte that travels on the network for later inspection. This allows analysts to validate IDS/IPS alerts and to verify the events that NetFlow or log data show against the actual packets.
Tools approved and recommended by Black Cell: Security Onion, SELKS, Moloch
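The validation step described above, as an added example that is not part of the original page or of any of the listed tools: a minimal pcap reader built only on the Python standard library, which pulls out the packets behind an IDS/IPS alert so the analyst can confirm what the alert claims. The pcap content, the alert record and its field names (`ts`, `src`, `sport`, `dst`, `dport`, `proto`) are constructed assumptions; a real SIEM or IDS export will name these fields differently.

```python
"""Pull the full-packet-capture evidence behind an IDS alert.

Added example (not from the page): builds a tiny constructed pcap in memory,
parses it with the standard library only, and returns the packets that match
an alert's 5-tuple within a time window, which is the "validate the alert
against the capture" step the text describes.
"""
import socket
import struct
from typing import Dict, List

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_pcap(frames: List[bytes], times: List[float]) -> bytes:
    """Wrap raw Ethernet frames in a classic little-endian pcap file (link type 1)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for frame, ts in zip(frames, times):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, which is fine for parsing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def parse_pcap(data: bytes) -> List[Dict]:
    """Decode pcap records down to the transport 5-tuple; non-IPv4 frames are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        sport = dport = None
        payload = l4
        if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        if proto == PROTO_TCP and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]  # skip TCP header incl. options
        elif proto == PROTO_UDP and len(l4) >= 8:
            payload = l4[8:]
        packets.append({"ts": sec + usec / 1_000_000, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "proto": proto, "payload": payload})
    return packets


def packets_for_alert(pcap: bytes, alert: Dict, window_s: float = 2.0) -> List[Dict]:
    """Return the packets of the alert's 5-tuple, in both directions, within +/- window_s."""
    key = {(alert["src"], alert["sport"], alert["dst"], alert["dport"]),
           (alert["dst"], alert["dport"], alert["src"], alert["sport"])}
    return [p for p in parse_pcap(pcap)
            if p["proto"] == alert["proto"]
            and (p["src"], p["sport"], p["dst"], p["dport"]) in key
            and abs(p["ts"] - alert["ts"]) <= window_s]


# Constructed sample capture: a request/response pair plus one unrelated flow.
SAMPLE_PCAP = build_pcap(
    [tcp_frame("10.0.0.5", 51000, "192.0.2.10", 80, b"GET /admin HTTP/1.1\r\n"),
     tcp_frame("192.0.2.10", 80, "10.0.0.5", 51000, b"HTTP/1.1 403 Forbidden\r\n"),
     tcp_frame("10.0.0.7", 40000, "192.0.2.20", 443)],
    [1700000000.10, 1700000000.35, 1700000005.00],
)
# Constructed alert record as a SIEM might hand it over; field names are assumptions.
SAMPLE_ALERT = {"ts": 1700000000.0, "src": "10.0.0.5", "sport": 51000,
                "dst": "192.0.2.10", "dport": 80, "proto": PROTO_TCP}

if __name__ == "__main__":
    for p in packets_for_alert(SAMPLE_PCAP, SAMPLE_ALERT):
        print(f'{p["ts"]:.2f} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} {p["payload"]!r}')
```

The matching deliberately includes the reverse direction, because the server's reply is what usually tells the analyst whether the alert was a real compromise or a blocked attempt; in practice the same lookup is done with a capture tool's query API instead of a hand-written parser, but the 5-tuple plus time window is the key in either case.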