Open Source Security Information Management

Open source security information management is an open source system of tools to help network administrators with intrusion detection and prevention.

A common problem faced by IT security professionals is how to efficiently analyze data from a wide variety of sources, such as operating systems, applications, firewalls, routers, and cloud resources to identify potential vulnerabilities and threats. With so much information contained in logs and many security events to investigate and respond to, security information management can be incredibly time-consuming and, if a serious security event or vulnerability fails to be identified and mitigated, the consequences can be severe.

Security information management (SIM) and security information and event management (SIEM) systems are software solutions that automate the collection, monitoring, and analysis of security-related data. They draw data from disparate sources including intrusion prevention systems (IPS), intrusion detection systems (IDS), firewalls, routers, antivirus software, servers, file systems, and cloud resources, and monitor events in real-time and help security professionals make sense of the data.

SIM and SIEM systems translate data into a common format, aggregate and correlate data from multiple sources, and can generate alerts and automate incident responses. However, despite the level of automation, IT security professionals must invest time and effort into the analysis of data, and strict policies and procedures must often be implemented to support SIM/SIEM systems.

A wide range of commercial SIM/SIEM solutions are available such as Cisco Security MARS, ArcSight ESM, and Snare, and there is also the Open Source Security Information Management (OSSIM) solution for IT professionals who feel more comfortable having an open source security solution.

Open Source Security Information Management is a project that was started in 2003 by AlientVault founders Dominique Karg and Julio Casal, along with Alberto Román. AlienVault then developed a commercial SIEM system based on open source security information management code.

Open Source Security Information Management incorporates a variety of powerful open source software components, including intrusion detection systems (Suricata/Snort), network monitoring and real-time asset detection (PRADS), traffic analysis (Munin), local system monitoring (Nagios), a passive fingerprinting tool (P0f), vulnerability assessment (OpenVAS), and a variety of self-developed tools. The solution also draws data from the crowd-sourced threat intelligence service AlienVault Open Threat Exchange (AV-OTX).

OSSIM consists of four main components: Sensor – which connects to security devices and management servers; Management Server – the OSSIM server and framework daemon used to control the components; Front End – the web-based management interface; and Database – a MySQL database that stores configurations and event data.

OSSIM gives IT security teams a comprehensive view of all security-related aspects of their systems, correlates data from different sources, and adds context. The output is visible in one place – a single browser-based interface. While many of the tools used by OSSIM are command line only, OSSIM also includes graphical analysis tools.

What are the Benefits of Open Source Security Information Management?

OSSIM has an impressive range of features and provides complete visibility without the complexity of using a wide variety of single-use tools. By combining such a wide range of different tools, and making them accessible through a single interface, the benefits of OSSIM are far greater than the sum of its parts.

OSSIM has Debian as its underlying operating system and is available as an installable ISO image that can be implemented on physical or virtual hosts as the core operating system, which means it is simple to install and also has a powerful and user-friendly interface.

Large organizations may want enhanced features and support – such as those provided through AlienVault’s Unified Security Management (USM) solution – but, for many companies, OSSIM will provide all the features they need to increase security visibility, gain greater control of their networks, and cut down the time that needs to be committed to security information management.