
Security Onion Set Up Part 1: Planning for Version 16.04

The guidance in the article “Security Onion Set Up Part 1: Planning” no longer applies if you’re using the new Security Onion image, because it uses Elastic Stack instead of ELSA. Elastic Stack might be a resource hog, but its workflow is superior to ELSA’s: you can visualize data in the dashboard and pick from pre-configured searches that cover almost everything you would need to look at out of the box.


Get it right or get out of the way

When a company has a breakdown in its processes, blame is assigned based on who the process owner is and which individual(s) were responsible for completing the missed or improperly executed task. When a low-level process is broken, as was the case with Experian and the missing Apache Struts patch that allowed an attacker to gain a foothold in their information system and steal 152 million records, I see little reason to start chopping off the heads of senior leadership. Processes should be reviewed at a regular interval that is appropriate for the business’s operational environment (annually, semi-annually, quarterly, or monthly). In Experian’s case, I believe there was a systematic breakdown where the process was broken and no one up the chain of command was notified. A CIO and CSO at a company as large as Experian don’t have the time or resources to personally check up on every department, nor should they be required to micromanage. Mid-level and upper-level management should be feeding data to the C-suite at their meetings, and if something was off or missing it should’ve been addressed.


Security Onion Set Up Part 3: Configuration of Version 14.04

Before we begin configuring Security Onion, it’s a good idea to get an Oinkcode from snort.org if you’re going to use Snort.

Snort can also use the Emerging Threats rulesets.

There are three subscription options for obtaining an Oinkcode.

  1. Community Edition – rules are updated every 30 days, no support – FREE
  2. Personal – rules are released daily, you can submit false positives, home network or educational environments only – $29.99 per year
  3. Business – rules are updated daily, priority support for false positives and Talos (the parent company) will work directly with you, for use in businesses, colleges, government, etc. – $399 per sensor per year

Once you have created an account (whether or not you pay for a subscription), you can find the Oinkcode by clicking on the email address in the upper right-hand corner of the page and then selecting Oinkcode.