OSSIM

Last updated
LevelBlue OSSIM (Retired)
Original author(s) Dominique Karg, Julio Casal, Ignacio Cabrera and Alberto Román
Developer(s) LevelBlue
Stable release
5.8.11 / May 10, 2022
Operating system Linux
Type Security / SIEM
License GNU General Public License
Website levelblue.com

https://en.wikipedia.org/wiki/Software_release_life_cycle

Contents

OSSIM (Open Source Security Information Management) was formerly an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

In December, 2024, LevelBlue announced OSSIM is being retired. [1]

The project began in 2003 as a collaboration between Dominique Karg, [2] Julio Casal [3] and later Alberto Román. [4] In 2008 it became the basis for their company AlienVault. [5] Following the acquisition of the Eureka project label and completion of R&D, AlienVault began selling a commercial derivative of OSSIM ('AlienVault Unified Security Management'). AlienVault was acquired by AT&T Communications and renamed AT&T Cybersecurity in 2018. [6] In 2024, cybersecurity investor WillJam Ventures officially launched LevelBlue, a joint venture with AT&T, to form a new, standalone managed cybersecurity services business. [7]

OSSIM had four major-version releases [8] since its creation. An information visualization of the contributions to the source code for OSSIM was published at 8 years of OSSIM. The project has approximately 7.4 million lines of code. [9] The current version of OSSIM is 5.7.5 and was released on September 16, 2019. Information about this release and past versions can be found here

As a SIEM system, OSSIM was intended to give security analysts and administrators a more complete view of all the security-related aspects of their system, by combining log management which can be extended with plugins and asset management and discovery with information from dedicated information security controls and detection systems. This information was then correlated together to create contexts to the information not visible from one piece alone. Alarm and availability views along with reporting capabilities are provided to enhance the capabilities of the tool and its utility to the security and systems engineers.

OSSIM performed these functions using other well-known [10] open-source software security components, unifying them under a single browser-based user interface. The interface provided graphical analysis tools for information collected from the underlying open source software component (many of which are command line only tools that otherwise log only to a plain text file) and allowed centralized management of configuration options.

The software was distributed freely under the GNU General Public License. Unlike the individual components which may be installed onto an existing system, OSSIM was distributed as an installable ISO image designed to be deployed to a physical or virtual host as the core operating system of the host. OSSIM was built using Debian as its underlying operating system. Due to this core platform being open additional components abilities could be added and extended by the security administrators using standard packages and scripting as needed.

Components

OSSIM featured the following software components:

Deprecated Components

LevelBlue Labs Open Threat Exchange

LevelBlue maintains a crowd-sourced service for IP reputation information. It was launched in 2012 [14]

The LevelBlue Open Threat Exchange (OTX) is one of the largest open threat intelligence sharing communities in the world. With a global community of over 450,000 participants from 140 countries contributing threat indicators daily, OTX enables you to detect and respond to evolving threats faster and more effectively.

It enables collaborative research and can integrate with a security stack to strengthen defenses with enriched threat intelligence, including millions of enriched indicators of compromise (IoCs) and details on threat groups, their infrastructure, and TTPs they are using.

Related Research Articles

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

<span class="mw-page-title-main">Snort (software)</span> Open-source intrusion prevention system

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013.

A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. HIDS focuses on more granular and internal attacks through focusing monitoring host activities instead of overall network traffic. HIDS was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.

Sguil is a collection of free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts. The sguil client is written in Tcl/Tk and can be run on any operating system that supports these. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode.

<span class="mw-page-title-main">Argus – Audit Record Generation and Utilization System</span>

Argus – the Audit Record Generation and Utilization System is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years..

Intrusion detection system evasion techniques are modifications made to attacks in order to prevent detection by an intrusion detection system (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection popularized IDS evasion, and discussed both evasion techniques and areas where the correct interpretation was ambiguous depending on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.

Prelude SIEM is a Security information and event management (SIEM).

<span class="mw-page-title-main">Sourcefire</span> American computer security company

Sourcefire, Inc was a technology company that developed network security hardware and software. The company's Firepower network security appliances were based on Snort, an open-source intrusion detection system (IDS). Sourcefire was acquired by Cisco for $2.7 billion in July 2013.

Computer security software or cybersecurity software is any computer program designed to influence information security. This is often taken in the context of defending computer systems or data, yet can incorporate programs designed specifically for subverting computer systems due to their significant overlap, and the adage that the best defense is a good offense.

Cisco Security Monitoring, Analysis, and Response System (MARS) was a security monitoring tool for network devices. Together with the Cisco Security Manager (CSM) product, MARS made up the two primary components of the Cisco Security Management Suite.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

<span class="mw-page-title-main">Icinga</span> Monitoring software

Icinga is an open-source computer system and network monitoring application. It was created as a fork of the Nagios system monitoring application in 2009.

Aanval is a commercial SIEM product designed specifically for use with Snort, Suricata, and Syslog data. Aanval has been in active development since 2003 and remains one of the longest running Snort capable SIEM products in the industry. Aanval is Dutch for "attack".

Homeland Open Security Technology (HOST) is a five-year, $10 million program by the Department of Homeland Security's Science and Technology Directorate to promote the creation and use of open security and open-source software in the United States government and military, especially in areas pertaining to computer security.

Used as part of computer security, IDMEF is a data format used to exchange information between software enabling intrusion detection, intrusion prevention, security information collection and management systems that may need to interact with them. IDMEF messages are designed to be processed automatically. The details of the format are described in the RFC 4765. This RFC presents an implementation of the XML data model and the associated DTD. The requirements for this format are described in RFC 4766, and the recommended transport protocol (IDXP) is documented in RFC 4767

The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.

Open Threat Exchange (OTX) is a crowd-sourced computer-security platform. It has more than 180,000 participants in 140 countries who share more than 19 million potential threats daily. It is free to use.

A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain all security measures will continue to be effective after implementation.

Cybersecurity engineering is a tech discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.

References

  1. "LevelBlue OSSIM Announcement". Dec 2024.
  2. "Dkarg / Profile".
  3. "Jcasal / Profile".
  4. "Alberto_r / Profile".
  5. "AT&T Cybersecurity Blog". 3 May 2024.
  6. "AT&T Story". 22 August 2018.
  7. "Forbes". 8 May 2024.
  8. "AlienVault OSSIM - Browse Files at SourceForge.net".
  9. https://www.ohloh.net/p/alienvault-ossim/analyses/latest/languages_summary
  10. "Home". sectools.org.
  11. AlienVault, "AlienVault OSSIM v4.0 Enhancement Summary", AlienVault OSSIM v4.0 Enhancement Summary, July 2012
  12. David Josephsen (27 March 2013). Nagios: Building Enterprise-Grade Monitoring Infrastructures for Systems and Networks. Prentice Hall. ISBN   978-0-13-313568-8.
  13. AlienVault, "AlienVault v5.0.3 Patch Release", AlienVault v5.0.3 Patch Release, June 2, 2015
  14. "Open Threat Exchange (OTX) | AT&T Cybersecurity". 10 May 2023.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.