Topics In Demand
Notification
New

No notification found.

Leveraging Open Source Tools in Information Security Operations
Leveraging Open Source Tools in Information Security Operations

March 13, 2023

628

1

 

Information Security operations is a critical part of every organization operating in cyber space and refers to the ongoing processes and procedures for detecting, responding to, and mitigating cyber security incidents. In the prevailing times, with the rise in the incident landscape (phishing attacks  increased by 48%, cyber threats on supply chain increased by 40% & ransomware attacks increased by 41% *), there exists a greater need for automation and consistent fine tuning of the available repertoire of security products handling the cyber operational facet. In the COTS arena there are multiple players to meet this requirement, however, the high cost involved might be a hindrance to smaller and medium scale organisations to invest in this important function.

Thankfully, there are multiple open source products that can be utilised to fill this void. Due to the availability and transparency of open-source code, these products can be engineered to achieve superior level of quality, reliability, and security over an extended time periods.

The use of open source tools in security operations has several other advantages that may make them a valuable part of any security program. 

Flexibility and agility – Open source enables technology agility, typically offering multiple ways to solve problems. It’s vendor agnostic, instead of waiting for the vendor to deliver the capability organisations can create solutions on their own. An organization can add or modify features or integrate the tool with other solutions to enhance its capabilities based on their specific needs. This level of customization can lead to improved efficiency and better security outcomes. 

Speed – A great advantage of open source is the ability to adopt the community versions, get started, understand whether they can solve the business problems and deliver value right away. This allows one to get the best of both worlds – flexibility, agility, and the ability to get started quickly with minimal budgetary constraints. With the ability to mature to a large scale, fully supported, enterprise-grade implementation is an advantage for sure over the proprietary licensing model.

Cost- effectiveness – Open source is generally more cost-effective than a proprietary solution if adopted and steered correctly. It gives an enterprise the ability to start small and scale rapidly with equivalent or superior capabilities as needed.

Attract better talent – Most professional technologists are aware of open source and believe its where the industry is headed, and thus finding competent and eager professions is never a challenge.

There are numerous open source tools available for cyber security operations, each with its own strengths and weaknesses. Some of the most popular open source tools include the following:

  • Nmap - A free network discovery and security auditing tool
  • OpenVAS – A service and tool framework that provides extensive vulnerability scanning as well as management solutions.
  • Snort- An open-source computer network security software used for scanning networks and preventing network intrusion.
  • Suricata - An open-source detection engine that can act as an intrusion detection tool.
  • ClamAV- An excellent antivirus system for scanning data from many sources. It detects malware, viruses, and dangerous Trojans that aim to steal information.
  • Elasticsearch- It is a distributed, free, and open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured.
  • Phish Report- Works with providers to fight phishing sites from multiple vectors, Shares threat intelligence with security companies to track larger patterns.
  • Yara- A tool aimed at, but not limited to, helping malware researchers to identify and classify malware samples.
  • Wazuh- Tool used to collect, aggregate, index and analyze security data, helping organizations to detect intrusions, threats, and behavioral anomalies.
  • PFSense- A firewall/ router computer software distribution based on FreeBSD
  • The Hive - A scalable Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
  • Wireshark - Formerly known as Ethereal, Wireshark is an open-source network software that can efficiently analyze network protocols and enhance security in real time

Managing Open-Source Risk  

Notwithstanding, the advantages listed above, there exists an inherent risk that is associated with the use of open-source technologies. Some of these considerations are:

  1. Policies – Create and enforce open-source risk policies and processes. Policies would require consideration of an open-source components history, such as the density of known issues, version release frequency, and latency between issue identification and patch.
  2. Identification: It’s critical for organizations to identify & monitor the open source inventory, related dependencies & map those to the components used in the projects and environments.        
  3. Analyze: Track open-source vulnerabilities and licenses including signed artifact manifests.
  4. Remediate: An essential part of effective open-source risk management program is the ability to deliver within the quickest possible turnaround for resolving issues once they emerge. Hence, one  needs to continue focus on patch, upgrade and environment isolation. Organisations can leverage runtime protection & runtime usage analysis. 
  5. Audit/Monitoring: Even if an application is released without any known risks, new vulnerabilities are disclosed every day. Automation tools can help one create a vulnerability inventory, keep track of the vulnerabilities, prioritize remediation, approval workflow of the pull request based on the defined policies.

Any organization adopting open source in its business workflows would need to invest in management of the risk function to reap the actual benefits of the open source ecosystem.

*https://connect.comptia.org/blog/cyber-security-stats-facts#:~:text=Cybercrime%20Statistics%20by%20Attack%20Type&text=Phishing%20attacks%20increased%20by%2048,directly%20through%20the%20supply%20chain.

 

About the author:

Biplab Mukherjee, Director, Information Security, Lowe's

 

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


© Copyright nasscom. All Rights Reserved.