I just finished my Cisco CCST Cybersecurity. The whole course of study is pretty much to get you skilled up enough to operate and understand the Security Onion console. The last half of the last class is all about handling the alerts.
Well, the CCST was a pretty cursory introduction to an extremely complicated platform. I checked out the vendor training, and it's alright. It's a set of videos that walk you through setup and usage of a demo install. (See post link.) I've set it up at home, and I'm monitoring my network.
I know we use Security Onion at work, and I asked about it. Well, apparently it's completely broken, and my first task as a newly certified network security guy is to rebuild it.
Yup. I ate the Onion. … err … or I’m in process. Chomp, chomp, chomp.

Ok, I know this is a little lazy, but I did scroll through their site first…
So, is it a linux distro with a load of tools loaded, or is it something custom they’ve created themselves?
I see there’s a hardware unit too - I guess that’s just to connect to SPAN ports somewhere?
Yes, it's a distro with a bunch of tools. The tools are deployed together into a web app suite.
Security Onion is firstly an IDS. Intrusion Detection System.
The base install needs 2 NICs, a management NIC and an operational NIC. It’s a probe.
It also supports an army of Elastic Agents installed at sites or subnets. The package allows you to flag events via Suricata (I think that's what's behind Hunt), escalate Cases to track them, search the data in a surprising amount of ways, and drill right down to the packet level (that's Wireshark). There's a bunch of InfluxDB graphing. A thing called CyberChef that is a fukin badass on-the-fly decoding and decryption tool to open up the packets you gather.
Honestly, I’m just getting started. But if you hired a security analyst to watch your network, you’d want them checking this every day, digging in shit, sending you reports, escalating cases to you.
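Added example, not code from the original posts or from the Security Onion project: the daily "check the alerts, escalate what matters" loop described above, done by hand against the raw Suricata output. It assumes the alerts are in Suricata's EVE JSON format (one JSON object per line, with `event_type`, `src_ip`, `dest_ip` and an `alert` object carrying `signature_id`, `signature` and `severity`), which is what Security Onion's Suricata instance writes. The log lines embedded below are constructed for the demo, including one non-alert flow record and one corrupt line; the `triage`/`report` helper names are mine.

```python
"""Triage Suricata EVE JSON alerts: parse alert records, drop low-priority
noise, and roll the rest up into candidate cases keyed by signature and
source host, the way an analyst scans the Alerts/Hunt views before
escalating anything to a Case.
"""
import json

# Constructed sample EVE log (not real capture data): three alerts, one flow
# record that must be ignored, and one corrupt line that must not crash us.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":3}}
not json at all
"""


def parse_eve(text):
    """Return only the alert records from EVE JSON text.

    Other event types (flow, dns, http, ...) share the same file, and a
    truncated or partially written tail line is normal on a live sensor,
    so both are skipped rather than treated as errors.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def triage(alerts, max_severity=2):
    """Group alerts at or above a severity cut-off into candidate cases.

    Suricata severity runs 1 (high) to 3 (low), so the default keeps high
    and medium. Cases are keyed by (signature_id, src_ip) so repeated hits
    from one host roll up into a single line with a target list, instead of
    one row per packet. Timestamps are compared as strings, which is safe
    because EVE writes them in a fixed ISO-8601 layout.
    """
    cases = {}
    for rec in alerts:
        a = rec["alert"]
        if a.get("severity", 3) > max_severity:
            continue
        key = (a["signature_id"], rec["src_ip"])
        case = cases.get(key)
        if case is None:
            case = cases[key] = {
                "signature": a["signature"],
                "category": a.get("category", ""),
                "severity": a["severity"],
                "count": 0,
                "first_seen": rec["timestamp"],
                "last_seen": rec["timestamp"],
                "dest_ips": set(),
            }
        case["count"] += 1
        case["first_seen"] = min(case["first_seen"], rec["timestamp"])
        case["last_seen"] = max(case["last_seen"], rec["timestamp"])
        case["dest_ips"].add(rec["dest_ip"])
    return cases


def report(cases):
    """One summary line per case, highest severity then most hits first."""
    ordered = sorted(cases.items(),
                     key=lambda kv: (kv[1]["severity"], -kv[1]["count"]))
    lines = []
    for (sid, src), c in ordered:
        lines.append(
            f"sev{c['severity']} sid={sid} src={src} hits={c['count']} "
            f"targets={','.join(sorted(c['dest_ips']))} :: {c['signature']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_eve(SAMPLE_EVE))):
        print(line)
```

Run against the sample, the severity-3 "curl User-Agent" policy hit is dropped and the two severity-1 hits from 10.0.0.5 collapse into one case line; raising `max_severity` to 3 brings the policy alert back as a second line. Point it at a real sensor's `eve.json` and the same two functions give you a first-pass escalation list without touching the web UI.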
Ah, ok. Thanks, that’s a nice summary to get me on the right track… it might be something we need to evaluate for our team at work.
Thanks!