Can Security Onion replace your commercial IDS?

Back in the early oughts, a common complaint about Linux was that while it was free/libre, it came with no support and you had to pay expensive senior sysadmins to run Linux systems. Fast forward to today, and Linux has conquered basically every field except for the desktop market.

The same dynamic may be developing in the enterprise intrusion detection, network security monitoring and log management space, where VC-backed security offerings with eye-watering price tags go head to head with the free/libre Security Onion Linux distribution. Does Security Onion do exactly what you want it to do? Probably not. Will you have to tweak it to fit your enterprise? Probably yes. Will you need skilled security people to run it? Definitely yes.

Security Onion is looking more and more polished with every year that passes, and it may be worth considering if you’ve got a deep enough security bench to customize, deploy and maintain Security Onion for your enterprise.

What is Security Onion?

Security Onion is a free and open source intrusion detection system (IDS), security monitoring, and log management solution. With its witty slogan, “Peel back the layers of security in your enterprise,” it offers full packet capture, both network-based and host-based intrusion detection systems (NIDS and HIDS, respectively), but also includes powerful indexing, search, visualization and analysis tools to make sense of those mountains of data.

How does Security Onion work?

Buzzword warning: ELK stack. Security Onion is at its core an Elasticsearch, Logstash and Kibana (ELK) stack, plus a ton of other bells and whistles, including the Wazuh fork of the OSSEC HIDS, both the Snort and Suricata rule-based NIDS, as well as the analysis-driven NIDS Zeek (formerly known as Bro).

Logstash collects all the logs, Elasticsearch indexes them to make them easily searchable, and Kibana lets you visualize and analyze what’s going on from the safety of your security operation center (SOC). Kibana includes the ability to pivot to full packet capture and dig into the specifics of a suspected security incident.

That’s still a lot of data to dig through for indicators of compromise (IoCs), so Security Onion also comes with Sguil (and its browser-based cousin Squert), which lets SOC analysts view all Snort, Suricata and Wazuh alerts in one place, and also allows pivoting from alert into the relevant packet capture.

If all those options create decision paralysis, the website boasts that the “easy-to-use setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!” Your mileage may vary, of course. (The creators of Security Onion naturally also offer a paid consultancy service for those who want to stick to auditable free software and avoid vendor lock-in or recurring annual fees.)

The big challenge in SOCs today, though, is an avalanche of false positives. Sniffing all the things on your networks and devices is feasible using Security Onion. So is visualization and analysis. Will your SOC be able to survive the false positive rate? That’s a question that enterprise security teams will have to consider carefully before deciding to deploy Security Onion in a busy and alert-noisy production environment.

In their defense, Security Onion rightly points out in their documentation that security monitoring is a process, not a product, and spending a bunch of money on a product is not going to make your security woes magically disappear. “While automation and correlation can enhance intelligence and assist in the process of sorting through false positives and malicious indicators,” the Security Onion documentation states, “there is no replacement for human intelligence and awareness…. Security Onion isn’t a silver bullet that you can set up, walk away from and feel safe. Nothing is. And if that’s what you’re looking for you’ll never find it.”

What’s next for Security Onion?

Security Onion is under active development, and their public roadmap includes a move away from Debian package deployment to using Docker to support RHEL/CentOS systems more easily. What made us perk up, however, was the alpha release of their new Hybrid Hunter software, which includes The Hive, an open-source incident response platform.

Integration of The Hive, once Security Onion’s Hybrid Hunter code becomes production-ready, will make it possible for SOC analysts to escalate events in Kibana to active incident response cases. The Hive, of course, already boasts integration with the MISP project, the open-source threat intel sharing platform, essentially a free version of Virus Total that any organization can set up to share IoCs.

From raw packet capture to indexing, searching, visualization, analysis, incident response, and ultimately sharing threat intel, the open-source replacements for expensive commercial security products boasting artificial intelligence — well, we’re almost there, aren’t we? Security Onion lacks the fancy marketing, doesn’t call “All aboard!” on the hype train, most surely has some bugs, and probably requires tweaking to make it work in your enterprise. But hiring more security staffers to deploy and maintain Security Onion might well turn out to be cheaper — and more effective — in the long run.

Security Onion is a free and open-source IDS that’s easy to spin up, is a great educational tool for both staff and students, and may be right for enterprises with the inclination and resources to deploy and maintain their own IDS and monitoring solution. If nothing else, spinning up a test deployment of Security Onion is a great way to have something to benchmark against when evaluating those six-figure-per-seat-per-year solutions.

Do you deploy Security Onion in production? Or did you evaluate it within the last twelve months and decide it wasn’t right for you? We’d love to hear your thoughts. Send the author an email: jm_porup@idg.com