SESSION ID: OST-R02
Peel Back the Layers of Your Enterprise and Make Your Adversaries Cry
Doug Burks, CEO, Security Onion Solutions, LLC (@dougburks)
RSA Conference 2020 (USA), #RSAC

My Incident Response Horror Story

Incident Response Lessons Learned
- IR is going to be slow and difficult if you don't have the right data at your fingertips
- Traditional security tools can be prohibitively expensive
- It's fundamentally unjust that attackers have amazing free tools but defenders can't afford the tools to defend themselves

Security Onion
- Started in 2008
- Free and open source platform
- IDS, NSM, ESM, DFIR, Threat Hunting
- Network and Endpoint Visibility

Security Onion – Flexible Platform
- Download our ISO image (over 900,000 downloads!), OR
- Install our packages on top of Ubuntu (moving towards container deployment; more on that later)

Best of Breed Open Source Tools for Network Security Monitoring
- NIDS alerts
- Protocol metadata
- Full packet capture

Best of Breed Open Source Tools for Slicing and Dicing Logs
- Elasticsearch
- Logstash
- Kibana

Integrates with Best of Breed Tools for Endpoint Telemetry
- Wazuh HIDS
- Elastic Beats
- Sysmon
- Autoruns
- osquery

Use Cases
- Small Forensics VM: import pcaps and/or logs
- Production Deployment – Standalone
- Production Deployment – Distributed
  - Master Server
  - Multiple Forward Nodes
  - Multiple Storage Nodes
- On-prem or cloud

Case Study: Real World Incident

New! Security Onion Hybrid Hunter
- Ubuntu packages
- Docker containers
- Orchestrated via SaltStack
- Supports both Ubuntu and RedHat/CentOS
- Currently in testing

Security Onion Hybrid Hunter – New Additions
- TheHive
- osquery
- ATT&CK integration
- Sigma integration
- Our custom Playbook workflow

Summary
- Let's give defenders more advantages
- Let's be ready when the next attack comes
- Ready to peel back the layers of your enterprise and make your adversaries cry?
- https://securityonion.net

Apply What You Have Learned Today
Next week you should:
- Download Security Onion from https://securityonion.net, install in a VM, and use so-import-pcap to get a quick feel for the platform
In the first month following this presentation you should:
- Build a production Security Onion box collecting live traffic and logs
- Review alerts and do some threat hunting
- Peel back the layers of your enterprise!
Within two months you should:
- Expand your Security Onion box to a distributed deployment to cover blind spots in your visibility
- Make your adversaries cry!
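As an added example (not from the talk or from the Security Onion project), a small POSIX shell helper for the so-import-pcap step of the "next week" plan: before handing a file to so-import-pcap it checks that the file carries a libpcap or pcapng magic number, so a stray text file or a truncated download is reported instead of silently yielding no events in Kibana. It assumes so-import-pcap is on PATH, accepts one pcap path per invocation, and that the script runs with root privileges.

```shell
#!/bin/sh
# Added example, not Security Onion project code. Assumes so-import-pcap is on
# PATH, takes one pcap path per invocation, and that this runs as root.

# is_pcap FILE: return 0 if FILE starts with a libpcap or pcapng magic number.
#   d4c3b2a1 / a1b2c3d4  libpcap, microsecond timestamps (little / big endian)
#   4d3cb2a1 / a1b23c4d  libpcap, nanosecond timestamps (little / big endian)
#   0a0d0d0a             pcapng Section Header Block
is_pcap() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# import_dir DIR: feed every recognised capture under DIR to so-import-pcap,
# report files that are not captures on stderr, and print
# "<captures seen> <files skipped>" on stdout.
import_dir() {
    dir=$1; imported=0; skipped=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_pcap "$f"; then
            if command -v so-import-pcap >/dev/null 2>&1; then
                so-import-pcap "$f" || echo "import failed: $f" >&2
            else
                echo "so-import-pcap not found; would import $f" >&2
            fi
            imported=$((imported + 1))
        else
            echo "skipped (not a pcap/pcapng file): $f" >&2
            skipped=$((skipped + 1))
        fi
    done
    echo "$imported $skipped"
}

# Usage: import_dir /path/to/pcaps
```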