5 open-source security event management systems

How does a good IT security worker differ from the usual? No, not by the fact that at any time he will call from memory the number of messages that manager Igor sent yesterday to his colleague Maria. A good bezopasnik tries to identify possible violations in advance and catch them in real time, applying all the forces so that there is no continuation of the incident. Security event management systems (SIEM, from Security information and event management) greatly simplify the task of quickly fixing and blocking any attempted violations.

Traditionally, SIEM-systems combine the information security management system and the security event management system. An important feature of the systems is the analysis of security events in real time, which makes it possible to react to them before the onset of existing damage.

The main tasks of SIEM-systems:
')

• Data collection and normalization
• Data correlation
• Alert
• Render panels
• Data storage organization
• Search and analysis of data
• Reporting

The reasons for the high demand for SIEM-systems

Recently, the complexity and coordination of attacks on information systems have greatly increased. However, the complex of information security tools — network and host intrusion detection systems, DLP systems, anti-virus systems and firewalls, vulnerability scanners, and so on — is becoming more complex. Each security tool generates a stream of events with different details and often you can only see the attack by overlaying events from different systems.

A lot of things have been written about various commercial SIEM systems, but we offer a brief overview of free full-fledged open source SIEM systems that do not have artificial limitations on the number of users or the amount of received / stored data, as well as being easily scaled and supported. We hope this will help assess the potential of such systems and decide whether to integrate such solutions into the company's business processes.

AlienVault OSSIM

AlienVault OSSIM is an open-source version of AlienVault USM, one of the leading commercial SIEM systems. OSSIM is a framework consisting of several open source projects, including the Snort network intrusion detection system, Nagios network monitoring system and nodes, the OSSEC host intrusion detection system, and the OpenVAS vulnerability scanner.

AlienVault Agent is used to monitor the devices, which sends logs from the host in syslog format to the GELF platform or can be used by the plugin to integrate with third-party services, such as Cloudflare's reverse proxying service or Okta multi-factor authentication system.

The USM version differs from OSSIM in its enhanced log management, cloud infrastructure monitoring, automation, and updated threat and visualization information.

Benefits

• Built on proven open-source projects;
• A large community of users and developers.

disadvantages

• Does not support monitoring of cloud platforms (for example, AWS or Azure);
• There is no log management, visualization, automation and integration with third-party services.

Source

MozDef (Mozilla Defense Platform)

Developed by Mozilla, the SIEM-system MozDef is used to automate security incident handling processes. The system is designed from scratch for maximum performance, scalability and fault tolerance, with microservice architecture - each service runs in a Docker container.

Like OSSIM, MozDef is built on time-tested open-source projects, including the indexing and search indexing module Elasticsearch, the Meteor platform for building a flexible web interface, and the Kibana plugin for visualization and graphing.

Event correlation and alerting is performed using the Elasticsearch query, which allows you to write your own event handling and notification rules using Python. According to Mozilla, MozDef can handle more than 300 million events per day. MozDef accepts events only in JSON format, but there is integration with third-party services.

Benefits

• Does not use agents - works with standard JSON logs;
• Easy to scale due to microservice architecture;
• Supports cloud data sources, including AWS CloudTrail and GuardDuty.

disadvantages

• New and less well-established system.

Source

Wazuh

Wazuh began developing as a fork of OSSEC, one of the most popular open source SIEM. And now it’s own unique solution with new functionality, bug fixes and optimized architecture.

The system is built on the ElasticStack stack (Elasticsearch, Logstash, Kibana) and supports both data collection based on agents and receiving system logs. This makes it effective for monitoring devices that generate logs, but do not support agent installation — network devices, printers, and peripherals.

Wazuh supports existing OSSEC agents and even provides guidance on migrating from OSSEC to Wazuh. Although OSSEC is still actively supported, Wazuh is viewed as a continuation of OSSEC due to the addition of a new web interface, REST API, a more complete set of rules and many other improvements.

Benefits

• Based and compatible with the popular SIEM OSSEC;
• It supports various installation options: Docker, Puppet, Chef, Ansible;
• Supports monitoring of cloud services, including AWS and Azure;
• Includes a comprehensive set of rules for detecting multiple types of attacks and allows you to match them in accordance with PCI DSS v3.1 and CIS.
• Integrates with Splunk log storage and analysis system for event visualization and API support.

disadvantages

• Complicated architecture - requires the full deployment of Elastic Stack in addition to the Wazuh server components.

Source

Prelude OSS

Prelude OSS is an open-source commercial version of the Prelude SIEM, developed by the French company CS. The solution is a flexible modular SIEM system that supports multiple log formats, integration with third-party tools such as OSSEC, Snort, and Suricata network detection system.

Each event is normalized to the message according to the IDMEF format, which simplifies data exchange with other systems. But there is also a fly in the ointment - the Prelude OSS is severely limited in performance and functionality compared to the commercial version of the Prelude SIEM, and is intended more for small projects or for studying SIEM solutions and evaluating Prelude SIEM.

Benefits

• Time-tested system developed since 1998;
• Supports many different log formats;
• Normalizes data to IMDEF format, which makes it easy to transfer data to other security systems.

disadvantages

• Significantly limited in functionality and performance compared to other open-source SIEM systems.

Source

Sagan

Sagan is a high-performance SIEM that emphasizes Snort compatibility. In addition to supporting the rules written for Snort, Sagan can write to the Snort database and can even be used with the Shuil interface. In fact, it is an easy multi-threaded solution that offers new features, while remaining friendly to Snort users.

Benefits

• Fully compatible with Snort database, rules, and user interface;
• Multi-threaded architecture provides high performance.

disadvantages

• A relatively young project with a small community;
• Complex installation process, including the assembly of all SIEM from source.

Source

Conclusion

Each of the described SIEM-systems has its own characteristics and limitations, so they cannot be called a universal solution for any organization. However, these solutions have open code that allows you to deploy, test and evaluate them without excessive costs.

What else is interesting you can read in the blog Cloud4Y

→ VNIITE planet of the whole: how in the USSR the “smart home” system was invented
→ How neurointerfaces help humanity
→ Cyber ​​insurance on the Russian market
→ Light, camera ... cloud: how clouds change the movie industry
→ Football in the clouds - fashion or necessity?

Subscribe to our Telegram channel to not miss another article! We write no more than twice a week and only in the case.