Log-Based Intrusion Detection, FIM, SIEM, SOAR: Atomic OSSEC

Log-Based Intrusion Detection, File Integrity Monitoring (FIM), Vulnerability Detection, Compliance, and SOAR

By Scott Shinn

Detect, analyze and respond to changes to computing systems and other signs of intruder activity with log-based IDS and XDR, including file integrity monitoring (FIM), from Atomicorp.

Atomic OSSEC is an extended detection and response (XDR) system that addresses six key information security and compliance functional areas: log-based intrusion detection, file integrity monitoring (FIM), compliance, antivirus (AV) management and optimization, vulnerability detection, and SOAR. The latest version of Atomic OSSEC, Atomic OSSEC, v.6.0.61, has been released and is available. Request a demo.

Log-based IDS, FIM, and other features, such as global threat intelligence, malware memory analysis, workload protection, and data loss prevention, enable organizations and federal agencies to extend prevention, detection, response, and recovery for defense-in-depth system and data protection.

Log-Based Intrusion Detection

The foundational function of Atomic OSSEC is as a log-based intrusion detection system (LIDS), and other security and compliance features feed from that. LIDS is the ability to analyze data from many different sources—whether it’s a security tool like an AV scanner, a file integrity monitoring (FIM) system, or logs coming off a third-party system. Atomic OSSEC then analyzes this data for signs of attack and cross references those data against one another. Although Atomic OSSEC provides LIDS and security information and event management (SIEM), the solution is much more than that, providing a proactive, defense-in-depth solution for detecting and thwarting malicious behavior, and resolving vulnerabilities and file and system anomalies. 

Jump right to the solution overview video on the Atomic OSSEC page.

File Integrity Monitoring (FIM)

The second key functional area and one I’m most passionate about is something called file integrity monitoring (FIM), and the term undersells what it can do. This is file-based intrusion detection. Generally where this gets applied is where there are compliance standards like PCI DSS, and also NIST 800-53 SI-7 controls. FIM enables user organizations to detect changes, but much more with Atomic OSSEC; which can be used as the mechanism to effectively revise file systems. Think of FIM as you are putting into place a real-time backup system. With Atomic OSSEC FIM, you have something that can detect changes, tell you who modified something, and even allow you to roll something back if a version changed in error. Organizations can also use Atomic OSSEC file integrity monitoring to detect and capture malware in a system as we demonstrate in the overview video.

Compliance – PCI DSS, NIST 800-53 SI-7, FISMA, and More

The third area is compliance. The Atomic OSSEC compliance engine and UI offers compliance benchmarking, system and data monitoring, built-in automated compliance rules, visualization, auditing, and reporting for CIS, PCI, NIST, JSIG, FISMA, and other compliance requirements such as GDPR. The compliance engine in Atomic OSSEC allows administrators to inspect systems—beyond benchmarking for compliance—and actually look at the way the system is configured (see the video on the Atomic OSSEC page). 

Central Antivirus Management and Load Optimization

The fourth area and this is where we have really leveraged OSSEC into not just looking at logs and FIM but actually being able to instrument and control other tools, in this case a real-time inline antivirus system that employs and optimizes ClamAV. This means you’re not just performing intrusion detection, you’re doing intrusion prevention. The AV and antimalware is implemented inline, in the file system, and in the kernel, where you can block intrusion and malware. Compared with a timer based approach or scheduler approach, this is fraction-of-a-second detection and prevention. It attractively lessens the load with optimized AV management that makes ClamAV and AV deployment more efficient (92 percent reduction in memory usage on Linux and AIX). 

Vulnerability Management – CVE and CWE Scanning and Resolution

The fifth key function is vulnerability detection. The Atomic OSSEC vulnerability detector can run daily and collect what is called a software bill of materials (SBOM) from each individual system it is monitoring. CVE scanning is covered, but the vulnerability detection goes beyond that . . .

Atomic OSSEC performs the analysis of the SBOM, on the hub server itself. This means you’ve got daily vulnerability scanning, and no risk or disruption on the scanned system because analysis occurs on the hub server. This is different from network-based vulnerability scanning where they’re performing the tests on the systems, which can be disruptive. It’s also more accurate because we’re looking at it from the perspective of the host and not the system on the network. In terms of processing impact, Atomic OSSEC lessens the load with optimized AV management that makes ClamAV and AV deployment more efficient (92 percent reduction in memory usage on Linux and AIX). 

SOAR: Doing More With Your Detection

Last, and sixth, is actions, or what we call SOAR (security orchestration, automation, and response) tools and capabilities. Everything we use in Atomic OSSEC generates an alert. The log-based IDS analyzes those alerts and tools such as the AV scanner, vulnerability detection system, and compliance engine, all of those components are feeding information into the IDS, and the IDS is what is categorizing these things on a scale of severity on affected file names and usernames and then pass that to an Action. Orchestrate the action where needed, it can be in a sandbox, or run the Action everywhere and create a shared defense model.

We can also tie into third party programs such as Slack for alerting, or VirusTotal for IoCs, aka indicators of compromise, to run analysis. But whatever Atomic OSSEC is working with, it creates alerts from the AV scanner, vulnerability detection system, FIM, and also the analysis engines we use for global threat intelligence.

Log-Based IDS, FIM, Vulnerability Detection, SIEM, SOAR, and Compliance in an XDR

Atomic OSSEC is not just a SIEM analyst platform, but a proactive, defense-in-depth solution for detecting and thwarting malicious behavior, and resolving vulnerabilities and file and system anomalies. It spans prevention, detection, response, and recovery, through the provisioning of global threat intelligence, AV, real-time FIM, real-time malware memory scanning and detection, CVE and CWE scanning and identification, automated response, air gapping, data loss prevention, and much more.

Visit the Atomic OSSEC page to read more or watch the Atomic OSSEC overview demonstration.

Schedule an Atomic OSSEC demo today.