CHAPTER 7: Network Security Monitoring

Many of the events that we have discussed so far are recorded on endpoints within your network; however, valuable information can also be found on the network itself. Network security monitoring (NSM) techniques are used to monitor network communications for security-relevant events. For maximum effect, we recommend combining full-packet capture with logging of network activity. One of the most robust open-source solutions to address NSM is Security Onion. This Linux distribution combines a multitude of different open-source projects into an expandable solution that rivals any commercial NSM product available. Although this chapter is focused on network activity, we will also explore the Elastic Stack and ways to integrate host-based data to provide enhanced visibility across your network.
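To make the distinction between the two kinds of NSM data concrete, here is an added example (not code from the book or from the Security Onion project) that builds a small full-packet capture in pcap format from constructed Ethernet/IPv4/TCP frames, then derives a connection-level activity log from it. The IP addresses, ports and payload are constructed sample values; the point is that the activity log answers "who talked to whom, how much" while only the full capture can answer "what was said".

```python
"""Added example: full-packet capture (pcap) versus a derived network activity log.
Not from the book; all addresses, ports and payloads are constructed."""
import socket
import struct
from collections import defaultdict

# pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left at zero; constructed data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(frames, ts_start=1_700_000_000):
    """Serialize frames as pcap bytes: this is the full-packet capture."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, included length, original length
        out += struct.pack("<IIII", ts_start + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Yield (ts_sec, frame) from pcap bytes after checking magic and link type."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("unsupported pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return ((src, sport, dst, dport), tcp_flags, payload) for IPv4/TCP, else None."""
    if frame[12:14] != b"\x08\x00":          # EtherType is not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                            # protocol is not TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    thl = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[13], tcp[thl:]


def connection_log(data):
    """Derive an activity log from the capture: per 5-tuple packet count, bytes, flags seen."""
    conns = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flags": set()})
    for _, frame in read_pcap(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        key, flags, _ = parsed
        conns[key]["pkts"] += 1
        conns[key]["bytes"] += len(frame)
        conns[key]["flags"].add(flags)
    return dict(conns)


def payloads(data, key):
    """Return the TCP payloads of one connection; this needs the full capture, not the log."""
    return [p for _, f in read_pcap(data)
            for parsed in [parse_tcp(f)] if parsed and parsed[0] == key
            for p in [parsed[2]]]


# Constructed sample traffic: a SYN followed by a PSH/ACK carrying an HTTP request line.
SAMPLE_KEY = ("10.0.0.5", 40000, "203.0.113.10", 80)
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.10", 40000, 80, 0x02),
    build_frame("10.0.0.5", "203.0.113.10", 40000, 80, 0x18, b"GET / HTTP/1.1\r\n"),
]


def demo():
    """Write the capture, then show what the log alone versus the capture can tell you."""
    cap = write_pcap(SAMPLE_FRAMES)
    return connection_log(cap), payloads(cap, SAMPLE_KEY)


if __name__ == "__main__":
    log, data = demo()
    for key, summary in log.items():
        print(key, summary["pkts"], "pkts", summary["bytes"], "bytes")
    print("payload visible only in full capture:", data)
```

The connection log is what you would keep for months and query at scale; the pcap is larger but is the only source that lets an analyst confirm what a suspicious connection actually carried, which is why the chapter recommends retaining both.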

Security Onion

The Security Onion project, started by Doug Burks in 2008, has evolved into a leading open-source NSM platform. Since 2014, the project has been supported by both community volunteers and the team at Security Onion Solutions, who offer commercial support services and online training courses for the tool. Security Onion integrates several powerful open-source projects to provide visibility into network traffic as well as host-based indicators of compromise. We will examine the architecture for deployment of Security Onion in an enterprise, examine each of the major tools integrated into ...

Get Applied Incident Response now with the O’Reilly learning platform.
