Tuesday, March 28, 2023

Security Onion 2.4 Beta 1 Release Now Available!

At Security Onion Conference 2022, we showed a sneak peek of Security Onion 2.4: https://blog.securityonion.net/2022/10/sneak-peek-at-security-onion-24.html

We have been overwhelmed by the excitement from our community and customers about Security Onion 2.4!


Today, we are excited to release the first Beta version of Security Onion 2.4. This release builds on the success of 2.3 but is easier to install, configure, and maintain. In addition, it's more powerful yet more streamlined!


New Features


Let’s start by talking about some of the many new features in Security Onion 2.4!


Configuration Interface


With the introduction of the configuration interface, we hope to reduce the overall time spent to manage and administer the grid. The goal is to make editing files at the command line a thing of the past. The configuration interface will help lower the barrier of entry for new users to the platform as well as be a nice convenience for our more seasoned users.



Enhanced Grid Status Interface


In addition to the configuration interface, we’ve also enhanced the SOC Grid page to give you more information about the status of your grid.



New Grid Members Interface


There is a new Grid Members interface used to review and accept new nodes that attempt to join the grid.



Simplified Setup


The installer has been greatly simplified and configuring new members of the grid will take place in the configuration interface. This removes the need for the soremote account and ssh access to the manager. 


Elastic Agent and Elastic Fleet


Our primary endpoint agent will be Elastic Agent. It replaces osquery, Beats, and Wazuh and is easily managed in Elastic Fleet, giving more control over upgrades. Users will also be able to deploy agents in standalone (unmanaged) mode if they choose to do so.


Security Onion Virtual Appliance based on Rocky Linux 9


When we were laying out features for Security Onion 2.4, we really wanted to shift the focus away from the OS and more into features that help our users find evil. We felt that we needed to shift to more of a virtual appliance model to allow us to continue to grow and scale to the needs of the future. We are basing this new appliance model on Rocky Linux 9. This change will allow us to deliver features faster and simplify support of the platform. Rocky Linux 9 has an EOL date of March 2032 allowing us to continue to innovate on the platform for years to come. Users will be able to install Security Onion either from our ISO image or on top of a minimal installation of Rocky Linux 9. Below we explain how this will impact Ubuntu-based deployments.


Simplified Updates


For this new virtual appliance model, all packages will be distributed from the manager similar to the current Airgap mode. You can optionally override the package source to some other source which hosts specific signed packages. In non-Airgap deployments, the manager or repo will sync daily with the upstream Security Onion repo to ensure updates are downloaded from the Internet. Airgap deployments will continue to pull their updates from the latest ISO image as they do in 2.3.


Improved Health Metric Visualizations


Security Onion 2.4 includes InfluxDB 2 and some improved health metric visualizations.



Component Changes in Security Onion 2.4


Security Onion 2.4 has some major changes, including components that have been retired or are being phased out:


  • Ubuntu support

  • Wazuh

  • FleetDM 

  • Dedicated osquery agents

  • Filebeat for SO components


Phasing Out Support for Ubuntu


Back in 2009, the first release of Security Onion was based on Ubuntu 9.04 and we have continued to support Ubuntu through Security Onion 2.3. Since Security Onion 2.4 is shifting to more of an appliance model based on Rocky Linux 9 (as described above), we are phasing out support for Ubuntu. Users running a large distributed grid of Ubuntu 20.04 nodes will be able to gradually migrate those nodes to the new appliance structure as long as the manager runs Rocky Linux 9. We will release more details on this as we finalize the process.


Endpoint Agent Changes


As mentioned above, our primary endpoint agent will be Elastic Agent:

  • Since Elastic Agent has osquery built in, it will be taking the place of the current osquery agent.
  • Security Onion 2.4 will also use the Elastic Agent to send alerts and metadata from the sensors to the back end, replacing the current Filebeat agent.
  • Users will be able to manage all of their Elastic Agents using Elastic Fleet in Kibana.
  • Since Elastic Agent covers most of the Wazuh use cases used in Security Onion, Wazuh is being removed as well.
This single agent architecture will save resources, streamline administrative processes, and ease the upgrade process in Security Onion.


Known Issues


Here are some known issues that should be resolved in later releases:


  • You cannot do an in-place upgrade from 2.3 to 2.4. We are still investigating the feasibility of migrating data.

  • You must perform a new installation of Rocky Linux 9 Minimal and have full Internet access. We hope to have a 2.4 ISO image in a future release.

  • Upgrades from this 2.4 Beta release to anything else will not be supported. Starting in RC2 we will support soup to upgrade 2.4 grids.

  • Airgap mode is not supported at this time. This is due to a 3rd party dependency but will be supported in RC1. 

  • Ubuntu 20.04 support is not available until RC1. This has to do with a 3rd party dependency. 

  • Elastic agents will connect directly to the Elasticsearch cluster. Future releases will have the Elastic agents sending their data to Logstash similar to how the data pipeline works in version 2.3.

  • ATT&CK Navigator doesn’t work correctly yet.

  • so-import-evtx imports logs but they don't get parsed correctly.

  • The following installation modes are NOT supported at this time:

    • Heavy Node

    • Receiver Node

    • Analyst Workstation

    • Dedicated Elastic Fleet Node


Transition from 2.3 to 2.4


When we release the final version of Security Onion 2.4, we will announce an End Of Life (EOL) date for Security Onion 2.3. Security Onion 2.3 will continue to receive security patches and priority bug fixes until it reaches EOL.


Documentation


You can find 2.4 documentation at:

https://docs.securityonion.net/en/2.4/


Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.


Warnings and Disclaimers


  • This is Beta software. It is not a finished product.

  • Beta software is not officially supported for production usage.

  • Ask your doctor if Beta software is right for you.

  • Using Beta software can cause a disruption in the space time continuum.
  • If it breaks, you get to keep both pieces!


Enough warnings and disclaimers? Let’s go!


Installation


Our Security Onion 2.4 ISO image is not quite ready yet so for now you'll need to download Rocky Linux 9 Minimal: https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.1-x86_64-minimal.iso


Then check the checksum: https://download.rockylinux.org/pub/rocky/9/isos/x86_64/CHECKSUM


Next, install Rocky Linux 9 and start our Security Onion installation as shown here:

https://docs.securityonion.net/en/2.4/installation.html#installation-on-rocky-linux-or-ubuntu


Once you've installed Rocky Linux 9 Minimal and started our Setup wizard, we highly recommend that you start with a simple IMPORT installation as shown here:

https://docs.securityonion.net/en/2.4/first-time-users.html


Once you have verified proper IMPORT installation, you can then try EVAL, STANDALONE, and DISTRIBUTED deployments as described here:

https://docs.securityonion.net/en/2.4/configuration.html


Questions, Problems, and Feedback


If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:

https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4


We welcome your detailed feedback!


Screenshot Tour



























Monday, March 27, 2023

Final Reminder about Ubuntu 18.04

We recently posted about Ubuntu 18.04 support:
https://blog.securityonion.net/2023/02/ubuntu-1804-reaches-end-of-ubuntu.html

This is one final reminder that if you're still running Security Onion on Ubuntu 18.04, you'll need to upgrade or replace it:
https://docs.securityonion.net/en/2.3/appendix-b.html

Friday, March 3, 2023

Save the Date for 10th Annual Security Onion Conference 2023 with Dave Kennedy as Keynote Speaker

Our 10th annual Security Onion Conference is currently scheduled to be held in person in beautiful Augusta, GA on Friday, October 6, 2023 (please mark your calendar!). Our keynote speaker will be Dave Kennedy!

If you use, or are considering using, Security Onion then you should attend Security Onion Conference! Find out what's new with Security Onion, learn best practices and exchange ideas with other users. Even if you're not a Security Onion user, you should consider attending if you're generally interested in things like intrusion detection, network security monitoring, enterprise security monitoring, log management, hunting, and blue teaming.

Registration and CFP will open in the coming months, so stay tuned for further details. In the meantime, check out the recordings from previous Security Onion Conferences!

https://securityonion.net/conf



Wednesday, March 1, 2023

Security Onion 2.3.220 Hotfix 20230301 Now Available!

We recently released Security Onion 2.3.220:
https://blog.securityonion.net/2023/02/security-onion-23220-now-available.html

Today, we are releasing a hotfix which resolves an issue with Curator:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20230301-changes

New Installations

If you want to perform a new installation, please review the documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.3/download.html

Existing 2.3 Installations

If you haven't yet updated to 2.3.220, then you should review all links at the top of this post so that you are aware of all recent changes.

WARNING! If you have an existing Security Onion 2.3 installation and update to Security Onion 2.3.140 or higher, the Elastic components will undergo a major version upgrade to version 8. Please review and follow the steps at the link below. Failure to do so could result in loss of access to all data stored inside of Elastic and a non-functioning Security Onion installation.

https://docs.securityonion.net/en/2.3/soup.html#elastic-8

Please be aware that custom settings in Kibana may be overwritten during upgrade. We recommend that you test the upgrade process on a test deployment before deploying to production. If you have a distributed deployment, then we recommend monitoring SOC Grid while your update is running to verify that all nodes update properly. If there are issues, you can review logs, services, and containers for any additional clues. If you need help, please see our support information below.

If you have custom Elasticsearch templates, please see:
https://docs.securityonion.net/en/2.3/elasticsearch.html#custom-templates

For more information about the update process, please see:
https://docs.securityonion.net/en/2.3/soup.html

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our support options:
https://docs.securityonion.net/en/2.3/support.html