I’ve Never Monitored my Network, How Do I Start?



Congratulations on taking the first step to securing your network: admitting that it is not secure!  That can be a tough pill to swallow.  It can be even tougher if you realize it’s insecure but you still have to present that information to your boss!  Let’s assume your boss understands your point of view and agrees that you DO need to start monitoring your network.  What do you do now?  That is the question I aim to answer in this post.

Now that you have permission to start monitoring your network, you need to design your Security Operations Center (SOC) and decide how it will be staffed.  The first step in designing a SOC is understanding your budget.

Are you part of a large company with extra money just lying around waiting to be spent?  Or are you a 1-person IT shop supporting a small office?  The difference between the two extremes can cause some confusion about the right path to take.  I’m going to assume you are a part of a small company, maybe 10 – 50 employees, and that you have no budget to get the SOC up and running.

Is it difficult to set up a SOC?  No.  Not if you have decent hardware lying around.  Several open-source pieces of software will get your SOC up and running with your only cost being the initial training of your security analysts.

The Security Information and Event Management (SIEM) kit that I most recommend is the ELK stack.  ELK stands for Elasticsearch, Logstash, and Kibana.  Elasticsearch is a NoSQL database that is used for big-data analysis… oh, and it’s free.  Logstash is the ingest pipeline that collects, parses, and ships data into Elasticsearch… oh, and it’s free.  Kibana is a visualization tool that lets you see, interact with, and query your data… and guess what?  It’s free!  You can even find Linux distros that already have the full ELK stack installed and ready to operate.  My favorite is Security Onion.
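To make the three roles concrete, here is a small Python model of the ELK data flow, added as an example for this post rather than code from the original article, from Elastic, or from Security Onion. It parses constructed syslog lines into structured documents (the job Logstash does with its grok and date filters), keeps them in an in-memory list standing in for an Elasticsearch index, and then runs the kind of aggregation an analyst would build as a Kibana visualization: failed SSH logins per source address, with a simple threshold to flag sources worth reviewing. The log lines, host names, and IP addresses are all constructed sample data; no real Elasticsearch instance is involved.

```python
"""Miniature model of the ELK data flow: Logstash-style parsing, an
in-memory stand-in for an Elasticsearch index, and a Kibana-style
aggregation over the indexed documents. All sample data is constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed syslog lines in the classic "Mon dd HH:MM:SS host program[pid]: message" form.
SAMPLE_LOG = """\
Mar 11 08:15:02 fileserver sshd[4122]: Failed password for invalid user admin from 203.0.113.45 port 51232 ssh2
Mar 11 08:15:04 fileserver sshd[4122]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar 11 08:15:06 fileserver sshd[4122]: Failed password for root from 203.0.113.45 port 51251 ssh2
Mar 11 08:16:10 fileserver sshd[4130]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar 11 08:17:33 fileserver CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Equivalent of a Logstash grok pattern: split the syslog header from the message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# Second-stage pattern for the sshd authentication messages we care about.
SSHD_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)


def parse_line(line, year=2024):
    """Turn one raw syslog line into a flat document, as a Logstash filter stage would.

    Syslog lines carry no year, so one is supplied (the same way the Logstash
    date filter assumes the current year). Returns None for lines that do not
    match, which Logstash would instead tag with _grokparsefailure."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    doc = {
        "@timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").isoformat(),
        "host": m["host"],
        "program": m["program"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["message"],
    }
    # Enrich sshd events with the fields an analyst actually pivots on.
    if doc["program"] == "sshd":
        a = SSHD_AUTH_RE.match(doc["message"])
        if a:
            doc.update({
                "event.outcome": "failure" if a["outcome"] == "Failed" else "success",
                "user.name": a["user"],
                "source.ip": a["src_ip"],
                "source.port": int(a["src_port"]),
            })
    return doc


def build_index(raw_text):
    """Ingest every line; the resulting list stands in for an Elasticsearch index."""
    return [d for d in (parse_line(l) for l in raw_text.splitlines()) if d]


def failed_logins_by_source(index):
    """The aggregation an analyst would build in Kibana: failed SSH logins per source IP."""
    return Counter(d["source.ip"] for d in index if d.get("event.outcome") == "failure")


def brute_force_candidates(index, threshold=3):
    """Simple review rule: source addresses with at least `threshold` failed logins."""
    return sorted(ip for ip, n in failed_logins_by_source(index).items() if n >= threshold)


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    print(f"indexed {len(idx)} documents")
    for ip, n in failed_logins_by_source(idx).items():
        print(f"{ip}: {n} failed logins")
    print("sources to review:", brute_force_candidates(idx))
```

In a real deployment each of these stages is a separate component: Logstash (or a Beats agent) does the parsing, Elasticsearch stores the documents and answers the aggregation, and Kibana renders the result as a chart you can drill into. The threshold rule at the end is the part that eventually becomes an alert once your analysts have tuned it against your own traffic.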

Straight from the Security Onion website, “Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!”

Security Onion is based on Ubuntu Linux so you know it is a solid base that is constantly updated to keep up with the latest security threats.  Security Onion is a series of tools installed on top of Ubuntu to provide network monitoring.  One of the best things about Security Onion is that it can be spun up as a VM in evaluation mode, which means it is completely self-contained.  It even comes with PCAPs you can run through the sensor to see how it responds to data and to allow you to do a full evaluation.

If you decide to use Security Onion, it can be installed in production mode.  Production mode lets you configure things that evaluation mode does not, like IP addresses, choosing Snort vs. Suricata, or setting up the network monitoring architecture as a distributed system.  Can Security Onion handle that network traffic?  I’ve met the guy with the second largest deployment of Security Onion, with just over 800 distributed sensors, and there was no problem coordinating and querying all of that data!

Security Onion in evaluation mode will let you and your security analysts get familiar with the system.  I highly recommend SIEM training for the analysts.  So far the best course that I have ever taken for understanding the ELK stack is SANS SEC555, SIEM with Tactical Analytics.  Now this is the part where your boss may balk.  The course is EXPENSIVE.  As of today, it costs $6,210 for the course and another $729 if you want to take the certification test.  I recommend that if you are taking the class you take the certification test as well.  This class completely explained how to set up, manage, tune, and find evil with the ELK stack.  It was amazing!  If that ends up not being an option, Security Onion offers some training as well.  I have not taken that training myself, but with how prolific the SIEM is, the training must be pretty decent.

The bottom line is that the initial setup of a SOC does not need to be costly.  You can learn to secure your network and protect your intellectual property and customer data.  If you need help getting up and running you can always reach out to us here at Bailey and Associates Consulting on our Contact page.

In this post, I have mentioned some resources.  They can be found at the following links:

Elasticsearch, Logstash, and Kibana can be found on the Elastic website.

Security Onion can be found on its website.

SANS SEC555 can be found here on the SANS website.