Thursday, February 2, 2023

Security Onion in 2022 and 2023

Here's a quick review of some of the major improvements we made to Security Onion 2.3 in the past year!

Security Onion 2.3.100 added SOC Cases for Case Management and a new Receiver Node option for pipeline redundancy:
https://blog.securityonion.net/2022/01/security-onion-23100-now-available.html

Security Onion 2.3.110 added SOC Multi-Factor Authentication (MFA) and Intrusion Detection Honeypot (IDH) functionality:
https://blog.securityonion.net/2022/03/security-onion-23110-now-available.html

Security Onion 2.3.120 added Analyst Desktop improvements:
https://blog.securityonion.net/2022/04/security-onion-23120-now-available.html

Security Onion 2.3.130 added SOC Dashboards, Analyzers, and much more:
https://blog.securityonion.net/2022/06/security-onion-23130-now-available.html

Security Onion 2.3.140 improved SOC Dashboards and Cases:
https://blog.securityonion.net/2022/07/security-onion-23140-now-available.html

Security Onion 2.3.150 updated the TLP options in SOC Cases to align with TLP 2.0:
https://blog.securityonion.net/2022/08/security-onion-23150-now-available.html

Security Onion 2.3.160 added an Advanced toggle for SOC Alerts and Cases:
https://blog.securityonion.net/2022/08/security-onion-23160-now-available.html

Security Onion 2.3.170 improved Windows log parsing:
https://blog.securityonion.net/2022/09/security-onion-23170-now-available.html

Security Onion 2.3.180 added more SOC dashboards for sysmon logs:
https://blog.securityonion.net/2022/10/security-onion-23180-now-available.html

Security Onion 2.3.190 added coverage for lots of ICS/SCADA protocols:
https://blog.securityonion.net/2022/12/security-onion-23190-now-available.html

Security Onion 2.3.200 added more improvements for SOC dashboards and sysmon support:
https://blog.securityonion.net/2023/01/security-onion-23200-now-available.html

New Features in 2023

In 2023, we plan to release Security Onion 2.4 and it will bring some exciting new features!

  • Configuration Interface
  • Enhanced Grid Status Interface
  • Simplified Setup
  • Elastic Agent and Elastic Fleet
  • Security Onion Virtual Appliance based on Rocky Linux 9
  • Simplified Updates
  • Improved Health Metric Visualizations

Configuration Interface

This feature has us really excited! With the introduction of the configuration interface, we hope to reduce the overall time spent to manage and administer the grid. The goal is to make editing files at the command line a thing of the past. The configuration interface will help lower the barrier of entry for new users to the platform as well as be a nice convenience for our more seasoned users.

Enhanced Grid Status Interface

In addition to the configuration interface, we’ve also enhanced the SOC Grid page to give you more information about the status of your grid.

Simplified Setup

The installer has been greatly simplified and configuring new members of the grid will take place in the configuration interface. This removes the need for the soremote account and ssh access to the manager. 

Elastic Agent and Elastic Fleet

Our primary endpoint agent will be Elastic Agent. It replaces osquery, beats, and Wazuh and is easily managed in Elastic Fleet, giving more control over upgrades. Users will also be able to deploy agents in standalone (unmanaged) mode if they choose to do so.

Security Onion Virtual Appliance based on Rocky Linux 9

When we were laying out features for Security Onion 2.4, we really wanted to shift the focus away from the OS and more into features that help our users find evil. Users should be able to image a system or run a script to easily provision their grid. We felt that we needed to shift to more of a virtual appliance model to allow us to continue to grow and scale to the needs of the future. We are basing this new appliance model on Rocky Linux 9. This change will allow us to deliver features faster and simplify support of the platform. Rocky Linux 9 has an EOL date of March 2032 allowing us to continue to innovate on the platform for years to come. Users will be able to install Security Onion either from our ISO image or on top of a minimal installation of Rocky Linux 9. Below we explain how this will impact Ubuntu-based deployments.

Simplified Updates

For this new virtual appliance model, all packages will be distributed from the manager similar to the current Airgap mode. You can optionally override the package source to some other source which hosts specific signed packages. In non-Airgap deployments, the manager or repo will sync daily with the upstream Security Onion repo to ensure updates are downloaded from the Internet. Airgap deployments will continue to pull their updates from the latest ISO image as they do in 2.3.

Improved Health Metric Visualizations

Security Onion 2.4 will include InfluxDB 2 and some improved health metric visualizations.

Component Changes in Security Onion 2.4

Security Onion 2.4 will have some major changes, including components that will be removed. If you are running Security Onion today and planning to run 2.4, you will want to ensure you are prepared. The following technologies will be retired or phased out:

  • Ubuntu support
  • Wazuh
  • FleetDM 
  • Dedicated osquery agents
  • Filebeat for SO components

Phasing Out Support for Ubuntu

Back in 2009, the first release of Security Onion was based on Ubuntu 9.04 and we have continued to support Ubuntu through Security Onion 2.3. Since Security Onion 2.4 is shifting to more of an appliance model based on Rocky Linux 9 (as described above), we are phasing out support for Ubuntu. Users running a large distributed grid of Ubuntu 20.04 nodes will be able to gradually migrate those nodes to the new appliance structure as long as the manager runs Rocky Linux 9. We will release more details on this as we finalize the process.

Endpoint Agent Changes

As mentioned above, our primary endpoint agent will be Elastic Agent. Since Elastic Agent has osquery built in, it will be taking the place of the current osquery agent. Security Onion 2.4 will also use the Elastic Agent to send alerts and metadata from the sensors to the back end, replacing the current Filebeat agent. Users will be able to manage all of their Elastic Agents using Elastic Fleet in Kibana. Since Elastic Agent covers most of the Wazuh use cases used in Security Onion, Wazuh is being removed as well. This single agent architecture will save resources, streamline administrative processes, and ease the upgrade process in Security Onion.

Post 2.4 Release

After releasing Security Onion 2.4, we plan to launch some additional projects that will change some core elements of the platform. Notably, we intend to add more features to the SOC Grid interface. We also want to integrate the functions of Playbook directly into SOC. There are no release dates for these improvements, so please continue to monitor our social media for updates on these and other changes.

No comments:

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

In October, we released version 2.4.110: https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html Last week, Surica...

Popular Posts

Blog Archive