CplBloggins00378

Yes! All below are open source; I have used all in prod environments with success.

Security Onion: SIEM. I call it a "SOC in a box". It is the quickest (free) way to set up monitoring in an environment.

Velociraptor: Digital Forensics and Incident Response tool (indispensable IR tool, Virtual File Systems, VQL).

OPN/PFsense: Firewalls/Routers (I prefer OPNsense).

PiHole: DNS blackhole (it's good to have some upper-layer controls, aside from playing whack-a-mole with IPs). Blocking domains by TLD and fine-tuned regex is very powerful; it even has API integrations for SOAR.

Greenbone OpenVAS: Vulnerability scanner. If you can't afford Nessus, it's half decent.


alkebulanSage

SOC in a box! Has to be the best description of Security Onion I’ve seen so far.


V2KUS6470214B1_96

Any SOAR solutions?


theflyingjets

Look at shuffler.io


CplBloggins00378

Yeah, this is pretty much the only one I came across that is viable. I must say though, when I write that I "implemented SOAR functionality" on my CV, I am really talking about micro-automation with various scripts (python, ps1, bash etc.). In my experience, python scripts can accomplish a lot of what you may look for in a "SOAR platform".


theflyingjets

Yes, but sadly the C-suite likes GUIs and reporting.


CyberNoob-010

You have some community editions of SOAR solutions in the market. They are considerably limited, but they can be an option (Splunk Phantom, Cortex XSOAR, etc.). If you seek less limited tools for SOAR, Shuffle is a good option. You can always adapt any generic automation software for it, but you will end up creating custom scripts. From what I can remember, TheHive Project / Cortex had some interesting integrations. Maybe you'll find something you need there.


Pearl_krabs

[https://www.sans.org/white-papers/33744/](https://www.sans.org/white-papers/33744/) An oldie but a goodie: A Small Business No Budget Implementation of the SANS 20 Security Controls.


wickedvex

Solid white paper. Got me curious if there was something out there a bit more up to date and came across this https://sansorg.egnyte.com/dl/nv5gO9B640


Pearl_krabs

Nice. I'm old, and the original paper's author was an old mentor. I saw him present it back in the day, so it springs quickly to mind. Good to see that people are keeping the fire lit.


Bitter-Inflation5843

Wazuh, Midpoint, etc.


Glum_Competition561

Wazuh XDR, IntelOwl, OpenCTI, PWpush, Malcolm IDS, TheHive/Cortex, OpenBAS (OpenEX Filigran), OpenVas Greenbone CE, Sn1per, Security Onion, Graylog, [OpenCVE.io](http://OpenCVE.io), Technitium DNS.


[deleted]

[deleted]


Glum_Competition561

True & not true. Yes, their premium highest tier is expensive AF. Although TheHive 5 Community Edition version 5.2, which I am running, is the latest. Gives ya 2 free users, 1 Cortex instance, fully functioning API. Share a login with a small team, work within the limitations. I hook to both the TheHive & Cortex API, and also have an automation platform talk directly to both TheHive and Cortex, enabling analyzer runs from other platforms. :)


[deleted]

[deleted]


Glum_Competition561

Sorry, working on multiple things and ripping off responses. Don't be grouchy... lol


Glum_Competition561

Naturally. :) Wazuh XDR is for sure professional, along with the others, except a couple. All of these except TheHive 5 are fully capable and scalable for business use in regards to "open source" solutions as the OP indicated. Even TheHive 5 community can be stretched if you know a lot about APIs.


[deleted]

[deleted]


Glum_Competition561

We are both correct. :) How about that. :) If he knows Linux and self-hosts, TheHive 5 community can work in smaller business environments. Wazuh XDR I cannot recommend enough; I personally have a production instance with just about 2000 endpoints, and an OpenCTI instance set up with 85M entities, the largest one in existence that I am aware of. Both Wazuh and OpenCTI are excellent open source, awesome, FREE tools that would benefit anybody; you just need a little bit of elbow grease and Linux and Docker knowledge, that's about it.


omfg_sysadmin

> open-source (or very low cost) security controls

That would be CIS. https://www.cisecurity.org/controls/v8 You may be asking about software to meet control objectives, but that's too broad a question really without more details on your environment, your risk profile, and what controls you are wanting to meet.


saaggy_peneer

Wazuh is a nice HIDS. Can run it without the search engine/UI for cheap too on the cloud.

AWS Route 53 DNS Firewall is pretty cheap: $0.60/million requests or so, 3 cents/month/instance by my estimate.

AWS Systems Manager Patch Manager will patch your EC2s on a schedule for free.

Prowler is a nice CLI tool that connects to your cloud and tells you about vulnerabilities/misconfigs.


plimccoheights

If you’re very budget constrained then you likely don’t have the budget to hire staff to manage tools like this. You need to think about opportunity cost. There’s probably a better use of limited time and resources that doesn’t involve managing some piece of open source software on your own without any support or help with integration, managing and actioning alerts, etc.


chrono13

Adding to this - I've seen very small environments try to reach high security requirements for little or no money, and few if any staff. A LOT can be done with configuration. Assuming AD/Group Policy/Intune/M365/Google Workspace (or JAMF), some examples:

* Disable Incognito mode. Allow clearing of cookies / cache, but not history. Bam! Poor web logging. Use the Nirsoft Browsing History View application to perform investigations remotely.
* Set Microsoft logging to the recommended levels (the defaults aren't even close!). While there, also increase the default log retention size to maximum. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
* BORROW a policy from a .gov. You paid for it; take it and make it your own. Now you have a good IT policy and acceptable use policy. This can take as little as a few hours!
* Have a policy that if MFA is an option, it must be used, especially for online accounts. Your company Staples login needs MFA.
* Adopt a control framework. CIS is good and free. If you have legally protected data (credit cards, medical data, legal data), take note of them - these are golden for pushing for better security through legal requirements. Add these requirements on top of the adopted framework.
* Review other horrible defaults. By default, all users can join 10 computers to the domain. Yes, the guy who mows the lawn and has no permissions can bring his Acer laptop he bought at Walmart and join it to the domain. So can attackers. This is a default setting! In Microsoft 365, users can by default grant full access to their emails and account to anyone who asks - through your M365 logon prompt/portal. It doesn't just look like a convincing phish - it is your REAL M365 login! Once the attacker gets that permission, they register an OTP. Even if you revoke all login sessions and change the user's password, the attacker still has access, because they never got or needed the password. This is a horrible default setting responsible for almost all M365 account takeovers currently.
* Backup your data. Have at least one "offline" copy that a complete attack on your systems cannot reach. Automate as much of this as possible. As arduous as it is, test these; aim for twice a year.
* Schedule a monthly Cybersecurity Hygiene Audit "meeting" that is just a bullet list of things to do/review. Invite at least one backup person. Keep the bullets and list to things that can be done in an hour or two. These are things like account management (reviewing old users and old devices to ensure they are disabled), checking a few logs (if nothing else you get used to what the normal logs look like), checking that devices are getting updates, etc. The longer and harder this list is, the less likely anything on it will get done - keep it simple and limit it to the most important and effective things.
* So many more cheap and free things. I'm out of time for now.
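Three of the defaults above are checkable from a script, so here is an added PowerShell example (mine, not part of chrono13's comment or any vendor's tooling). It reports, and with `-Apply` corrects, the 10-computer domain join quota (which is the `ms-DS-MachineAccountQuota` attribute on the domain object), a handful of audit-policy subcategories plus command-line logging for process creation, and the maximum size of the main event logs. It assumes an elevated session with the RSAT `ActiveDirectory` module and rights to edit the domain object; the subcategory selection, the 1 GB log size and the `-Apply` switch are my choices. The M365 consent default is a tenant setting and is not covered here.

```powershell
# Added example, not from the thread. Run elevated on a DC or an RSAT workstation.
# Domain audit settings are normally pushed by GPO, which overrides local auditpol
# changes, so treat the auditpol part as a local check and make the lasting change
# under "Advanced Audit Policy Configuration" in your GPO.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- 1. "All users can join 10 computers to the domain" ---------------------------
# The quota is the ms-DS-MachineAccountQuota attribute on the domain naming context.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota  (default 10; 0 limits joins to accounts you delegate)"
if ($Apply -and $quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host '  -> set to 0'
}

# --- 2. "Set Microsoft logging to the recommended levels" --------------------------
# A few subcategories that the default policy leaves off or only half on.
# auditpol /r emits CSV, so the current setting can be parsed instead of eyeballed.
$wanted = 'Logon', 'Process Creation', 'Security Group Management', 'User Account Management'
foreach ($sub in $wanted) {
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    Write-Host ("{0,-28} {1}" -f $sub, $row.'Inclusion Setting')
    if ($Apply -and $row.'Inclusion Setting' -ne 'Success and Failure') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        Write-Host '  -> enabled success and failure'
    }
}

# Event 4688 is far more useful when it carries the command line; that is a
# separate policy value, off by default.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
Write-Host "Process creation events include command line: $([bool]$cmdLine)"
if ($Apply -and -not $cmdLine) {
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    Write-Host '  -> enabled'
}

# --- 3. "Increase the default log retention size to maximum" -----------------------
# The Security log defaults to about 20 MB on clients, which on a busy box is hours
# of retention. Size is per log; 1 GB here is an assumption, adjust to your disk.
foreach ($log in 'Security', 'System', 'Application') {
    $info = Get-WinEvent -ListLog $log
    Write-Host ("{0,-12} max {1,6} MB" -f $log, [int]($info.MaximumSizeInBytes / 1MB))
    if ($Apply -and $info.MaximumSizeInBytes -lt 1GB) {
        wevtutil sl $log /ms:1073741824
        Write-Host '  -> raised to 1 GB'
    }
}
```

Run it once without `-Apply` to see where a given machine stands, then again with `-Apply` on a test system; in a domain, copy the audit subcategories into the GPO so they survive the next policy refresh.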


Negative_Addition846

> Disable Incognito mode. Allow clearing of cookies / cache, but not history. Bam! Poor web logging. Use Nirsoft Browsing History View application to perform investigations remotely.

inb4 just nuking the user profile


crabapplesteam

Thank you for this. Wow. Some really fantastic ideas in there


Number_Four4

Where have you found policies on .gov? I think I’m looking at the wrong thing


CplBloggins00378

I think he was referring to the free publications that many national institutes have available in regards to security controls: NIST, for example, in the US, CSE in Canada...


Number_Four4

Ahhhh that makes more sense. Thank you!


chrono13

"Acceptable Use" site:.gov


chrono13

Works created by US government, county and city governments in the US are public domain. "acceptable use" "city of" site:.gov


SleepLate8808

Can explain about borrowing a policy from .gov with example ?


chrono13

"Acceptable Use" site:.gov Add "county" or "city of" for smaller org examples. Works created by US government, county and city governments in the US are public domain.


thejournalizer

Thanks for calling this out. Open source solutions still need to be hardened/secured.


Waimeh

Louder for those in the back. Free tools aren't free. They require much more time on part of the person setting them up. While you might not wanna pay a vendor $50k for a turn-key solution, an engineer getting $100k/year taking 6 months to setup a tool will be paid exactly the same, and you MIGHT get similar results. Sometimes investing in an entire vendor platform is the way to go.


Due_Bass7191

True, BUT $50k per seat for a license for 1 year for a turnkey solution. Total Cost of Ownership applies to Open Source.


Decent-Dig-7432

This should be the number 1 comment. Good operations of a tool takes time and talent. I


ThePorko

Temu?


[deleted]

[deleted]


DrinkMoreCodeMore

Mao Muses West Taiwan Thumbdrives


Due_Comb_4865

😂😂😂


adamasimo1234

😅😅😂


LumpyStyx

Focus on config or what you've already paid for, not 3rd party products. Do you have Microsoft LAPS deployed? Windows Firewall? Do you have your workstations deployed to at least an L1 level on CIS Benchmarks? Are you utilizing everything you have paid for? (For example, whatever security tools are included in your M365 licenses, but really make sure you are using everything reasonable you are licensed for across all products.) Do you have well designed security policies, plans and playbooks? If you have a PKI environment, has it been checked for the SpecterOps vulnerabilities released in 2021? Are your conditional access policies (or equivalent) as tight as they can be? Do you have a good software/hardware inventory? Are your data flows mapped? Do you have solid controls around your supply chain and vendors? Do you have privileged access well managed (PIM, PAW, etc.)? This list could be huge. There are a ton of things someone can do to improve an environment without an organization spending a penny outside what they are already paying you. It really depends on where you are starting from. You can get some ideas by looking through frameworks like NIST CSF also. But really, in most organizations there is at least a little, and usually a lot, they could do for "free".
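Two of those questions ("LAPS deployed? Windows Firewall?") are answerable from data rather than memory. The following is an added PowerShell example of mine, not from the comment or from Microsoft's LAPS tooling. It assumes the built-in `NetSecurity` module for the firewall part and the RSAT `ActiveDirectory` module plus read access to the schema and computer objects for the LAPS part. `msLAPS-PasswordExpirationTime` and `ms-Mcs-AdmPwdExpirationTime` are the real Windows LAPS and legacy LAPS schema attributes; the function names and the "managed" heuristic (a rotation date in the future) are mine.

```powershell
# Added example, not from the thread. Run as an account that can read the AD schema.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-FirewallPosture {
    # One row per profile: is it on, what happens to unsolicited inbound traffic,
    # and are drops being logged (that log is cheap telemetry if you have nothing else).
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $_.Enabled
            DefaultInbound = $_.DefaultInboundAction
            LogsBlocked    = $_.LogBlocked
            LogFile        = $_.LogFileName
        }
    }
}

function Get-LapsPosture {
    # Windows LAPS extends the schema with msLAPS-* attributes; legacy LAPS used
    # ms-Mcs-AdmPwd*. The attribute existing only proves the schema was extended;
    # a computer with an expiration time in the future is one actually being rotated.
    $schema = (Get-ADRootDSE).schemaNamingContext
    $filter = '(|(lDAPDisplayName=msLAPS-PasswordExpirationTime)(lDAPDisplayName=ms-Mcs-AdmPwdExpirationTime))'
    $attrs  = Get-ADObject -SearchBase $schema -LDAPFilter $filter -Properties lDAPDisplayName

    $result = [ordered]@{
        SchemaExtended = [bool]$attrs
        Attributes     = ($attrs.lDAPDisplayName -join ', ')
        Total          = (Get-ADComputer -Filter * | Measure-Object).Count
        Managed        = 0
    }
    $now = (Get-Date).ToFileTimeUtc()   # both attributes are FILETIME large integers
    foreach ($a in $attrs) {
        # Only query an attribute the schema actually has, so the filter cannot be undefined.
        $result.Managed += (Get-ADComputer -LDAPFilter "($($a.lDAPDisplayName)>=$now)" | Measure-Object).Count
    }
    [pscustomobject]$result
}

Get-FirewallPosture | Format-Table -AutoSize
Get-LapsPosture
```

A `Managed` count well below `Total` usually means the LAPS policy is scoped to a subset of OUs or the agent/CSP is not applying; the firewall table makes a disabled Domain profile or `DefaultInbound = Allow` stand out immediately.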


Inubito

THIS. This is absolutely the answer. Work with what you currently have. Everyone in this thread is getting caught up in recommending tools.


ekitek

Isn’t that what the OP is asking for..? Rather than making an assumption on something we don’t know about.


Inubito

OP said security "controls" which makes me think compliance and things beyond tools. Both are good.


CplBloggins00378

Not mutually exclusive, The tools others recommended are good, and this is very very sound advice.


tentacle_

a bit off topic, but often i find that the reason why i resort to open-source low cost solutions, is because some self-confident idiot blew the budget buying cybersecurity snakeoil that didn’t work, and i was called in to fix the mess.


CplBloggins00378

*"why would he hire an expert full time when this software salesman has got a silver bullet that will do everything we could ever want"* FELT.


1nam2nam

Probably someone has answered or gone down this path. Why can't open source tools be grouped into one platform which makes it easy to set up a basic security program for small businesses or companies which can't afford expensive security teams and tooling?


CplBloggins00378

This is what the Security Onion project aims to do, and does quite well. It's all in a single ISO, setup is very straightforward, and the documentation is there.


Its_me6667

Wazuh, Teleport PAM, MicroMDM for iOS, H-MDM for Android, Squid proxy, OpenCTI, ClamAV, FreeOTP, FreeIPA, rspamd


JamnOne69

CyberGrizzly, What are you trying to accomplish? Is this for learning, home office, or SMB? Depending on your use case, you may want to be careful using an open source or low-cost solution.


villan

With limited resources, you’re better off looking at some configuration and policy changes before you go down the path of open source tools (which others have already listed anyway). In Australia, the government suggests carrying out the “Essential 8” for small businesses they work with, increasing the maturity level of the 8 depending on your needs. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained It’s basically an outline of how best to increase your security with the minimum amount of effort / resources. Then you can build on this plan with the open source tools mentioned in this thread, as your resources allow.


WalkingCriticalRisk

It doesn't sound like you are looking for tools, more governance stuff? NIST is free and has a decent control framework. [https://www.nist.gov/cyberframework](https://www.nist.gov/cyberframework) They have a lot of resources for establishing a control governance framework, policy templates, incident response resources and they are all free.


stevej2021

All of the suggestions and products people have provided are capable products, but products alone don't provide security or solve problems. The first layer of controls is, and always will be, effective policies which your staff are trained in and follow. The next important step is to have a documented security plan. Neither of these has any “purchase” cost involved. Armed with these, then you can effectively implement and operationalize any products you choose. Also remember that the biggest cost is in the care and feeding of your security stack and training your staff to use it, not the purchases. Then implement a minimal security stack that provides the best coverage. Three or four well-implemented products are usually more effective than ten products with superficial deployments, no operationalization or training. Depending on your situation, this is why many organizations find it cheaper to implement a few core commercial products that are ubiquitous in the industry, where there is a rather large pool of potential employees who are already experienced with the tools, rather than having to grow the skills from scratch in house.


brakeb

If you're going cheap (read: free), make sure that whatever open source you're using has an active and stable community. The real cost is going to be the person-hours spent patching, troubleshooting issues, figuring out how it will integrate with log systems, lack of 'real support'. CIS controls are nice, but they don't tell you 'how' to do it, just that you 'should' do it... some of those items are easily a year's worth of work just to get adoption from teams/mgmt, implement, and if you try to do all those things, you'll never finish. Unless you have unilateral approval to do 'everything' on the list and have a group of people, you're gonna be dealing with a bunch of shit... logging = #0 yes, fix your egress = fuck yes. Configuration management = holy hell yes. I'd suggest inventory, but I've never seen any place do a convincing job of inventory at scale... triage the important systems, patch those first, and when you can, implement some sort of passwordless login function. You'll be surprised at how much time is saved. A good MSSP wouldn't go amiss monitoring logs and potential issues while you're configuring everything else to work.


Black_Walls

Really depends on what your organization is using. If you're a Microsoft 365 customer, there's a lot that you can do with just smart configuration of your instance. Also, security controls is a pretty large domain; are you looking for AV, network monitoring, SIEM, vulnerability scanner, etc.?


Vegetable_Mud_5245

CIS


QuickNick123

For CSPM [Fix](https://fix.security/) or [Prowler Pro](https://prowler.com/). Esp. Fix is pretty affordable. Or their self hosted/open source equivalents [Fix Inventory](https://github.com/someengineering/fixinventory) or [Prowler](https://github.com/prowler-cloud/prowler).


Cold_Neighborhood_98

HELK https://thehelk.com/intro.html


PolicyArtistic8545

Worth pointing out that HELK hasn’t seen an update in years. May be worthwhile to consider unsupported FOSS will take more effort to run than supported FOSS.


Cold_Neighborhood_98

ooof, you are correct. I had not noticed that.


ck3llyuk

Not quite controls, but great value phishing simulations over at [PhishDeck](https://phishdeck.com)


Olghon

GoPhish is nice too, and free/open source


pyker42

Tons of them. Can you be more specific in what you are looking for?


milksprouts

File execution control on macos: https://github.com/google/santa Anything by Pat Wardle: https://objective-see.org/tools.html Not open source, but little snitch: https://www.obdev.at/products/littlesnitch-mini/index.html


Remote_Jump_4929

thank you all for the software tips, been going through some of them and Wazuh looks amazing


R1skM4tr1x

This guide from CISA will probably be helpful https://storage.pardot.com/799323/1694810927NC0iZQGR/CIS_Controls__Cost_of_Cyber_Defense__2023_08.pdf


coccca

Are there any good EDR open source tooling too? Looking for that specifically myself (homelab). So besides Wazuh.


89sun

Open EDR isn't too bad


coccca

Thanks, giving that a try. Might be looking into Huntress etc. too, but was wondering if there are any good opensource ones.


peaton28

SIEMonster Community... ties in Wazuh, Praeco alerts, TheHive/Cortex CTI, MISP, Shuffle SOAR, and more.


brakeb

thank you for the content for my next stream... I'm gonna look forward to making comments on the comments...


povlhp

Cloudflare. Free


its_k1llsh0t

If you’re in an enterprise environment you really shouldn’t be skimping on security tools. There are OSS vuln scanners and stuff but you’ll have to do more work to stitch things together for reporting purposes.


QuickNick123

I agree, but there's more than enterprises out there. Not everyone has the budget to make a 3y, 6 figure p.a. contract with [Wiz.io](http://Wiz.io)


PhilipLGriffiths88

OpenZiti (https://github.com/openziti) - it's a very trust network overlay that allows you to embed zero trust networking and SDN/SDWAN principles into (almost) anything including clouds, devices, hosts, IoT, and inside apps with an SDK. Ziti has its own CA/PKI while being able to accept external IdP/JWT systems. We use this as the basis for authenticate-before-connect, mTLS and E2E encryption, outbound tunnelling, private DNS, posture checks, microsegmentation, least-privilege, and more. Ziti also has a smart routing mesh overlay network with massive obfuscation (think MPLS but as SW on any underlay network). When using Ziti, you do not need inbound firewall ports, VPNs, public DNS, SDWAN, and more. I work on the project.


briandemodulated

It's an overgeneralization but I took it to heart when a colleague told me "Linux is free if your time is worthless". It's more a comment on capex versus opex. Just because you bring it into your environment at zero cost, doesn't mean it's going to save you money in the long run.


max1001

It's mostly Docker these days tho


Pomerium_CMo

[Pomerium](https://www.pomerium.com/) is open source and used by even cybersecurity companies like ExtraHop.