Best SecOps Tools: 50 Must-Have Tools for Your SecOps Arsenal, Part 1

SecOps is a multi-faceted function tasked with a variety of responsibilities, not the least of which is coming up with secure software and applications while maintaining the development and release cadence users demand. It's no longer enough to just concern yourself with writing code and developing software. 

Fortunately, a number of tools can help SecOps professionals meet these demands and achieve business goals. From dashboards that let SecOps pros view all the essential metrics about their apps in one place, to hunting tools that help users detect patterns and pinpoint potential vulnerabilities, to tools that issue alerts when anomalies arise, to attack modeling tools that create a standardized taxonomy of security threats, and more, there are many types of tools that today's SecOps pros should have in their arsenal.

In this series, we've rounded up 50 of the most useful tools for SecOps teams in the following categories. We'll cover the first three in this article. 

• Dashboards
• Automation
• Hunting
• ChatOps
• Sharing
• Visualization
• Attack Modeling
• Red Team
• Alerting
• Secret Management
• Threat Intelligence
• Testing

Dashboards

1. Grafana

@grafana

Grafana allows you to centralize all the relevant data into one beautiful dashboard. These dashboards are composed of different panels to make it easier to visualize, query, and comprehend the data you have - no matter where data is stored. Grafana is fully customizable so you can fine-tune your dashboard and the information you get to only what you need. What's more, Grafana is completely open source and has an active community to back you up just in case you hit a roadblock or need some technical help. A strong and supportive community also means that you can find plugins and pre-built dashboards in Grafana's official library.

Key Features: 

• See your data the way you want it.
• Choose from graphs, maps, histograms, and heat maps, among others.
• Set up alerts while you are looking at the data, such as setting thresholds on the graph itself.
• Easily share your dashboard with anyone.

2. Kibana

@elastic

Kibana condenses thousands of log entries into a single graphic that is easy to understand. You can use Kibana for operational intelligence, time series analytics, and application monitoring. It integrates with Elasticsearch, so if you have data stored in Elasticsearch, Kibana is a must-have tool.

Key Features:

• Interactive charts.
• Ability to manipulate how you see your data (zoom into a subset or see the big picture).
• Mapping support, allowing you to add location information to your data and see it on a map.
• Built-in filters and aggregations.
• Ability to share your dashboards with other team members.

Automation

3. StackStorm

@Stack_Storm

StackStorm positions itself as the IFTTT for your ops. Like IFTTT, StackStorm can detect when a certain event happens and sets forth different actions that you want it to do, according to the rules you set. Unlike other current automation tools, StackStorm does not rely on human input. Instead, it autonomously gets information from sensors and actions and sets your rules into motion.

Key Features:

• Set up workflows for multiple rules and actions, executed in order (i.e., automated remediation, such as cleaning up logs when the disk runs out of space).
• Escalate issues for human intervention.
• Automate anything with StackStrom, from controlling home appliances to tools, the Internet of Things (IoT), and more.
• Select from more than 450 integrations.
• Choose to write your own rules.

Hunting

4. GRR Rapid Response

@grrresponse

GRR Rapid Response is a tool used for investigations and forensics, allowing you to respond to incidents by getting live forensics remotely. SecOps professionals can assign different levels of urgency to attacks and analyze the situation remotely. You would need to deploy the GRR client on the systems that you want to look into. These clients would poll the users when they run a particular action, such as listing directories or downloading files. You should also get the GRR server deployed because this is what gives you the user interface and API endpoint. You can get GRR Rapid Response at GitHub here.

Key Features: 

• Gathers and processes data from many machines and devices.
• Use GRR to remotely check on machines.
• Analyze one or more machines for vulnerabilities.

5. Mig

@mozilla

Mig stands for Mozilla InvestiGator. It is a tool for investigating remote endpoints. Mig makes use of easy-to-deploy, lightweight, and secure agents that you install on your infrastructure's systems. You can then search for information related to file systems, the memory of the endpoint device, configuration of the endpoint device, and network state. You can get Mig on GitHub here.

Key Features:

• Works with Linux, MacOS, and Windows (with varying feature sets).
• Inspect files and memory (on all platforms); partial network inspection on Windows.
• Vulnerability management and system audits on Linux.

6. Mirador

@fathominfo

Mirador is a tower or turret that gives you a full view of what's around you. It is also the Spanish term for "vantage point," as well as the name of a tool that allows you to visually explore even the most complex datasets - so you can easily understand your data, see trends and patterns, and even get new insights from it.

Key Features:

• Interact with your data; perform open-ended searches.
• See the factors that may predict relevant outcomes.
• Allows for visual representation and measuring of correlations.
• Can be used for statistical modeling, finding and ranking correlations, and other use cases.

7. Moloch

Developed by AOL, Moloch is an open source database system that can complement your existing security infrastructure. It will store and index your network traffic, making it easier and faster to access. Moloch makes use of the PCAP format, but can also handle JSON data. It gives you more visibility into your current Intrusion Detection Systems (IDS), although it's not intended to be a replacement for your IDS. It works with the following operating systems out of the box: CentOS 7, Ubuntu 14.04 and 16.04, and FreeBSD 9 and 10.0, and there are some workarounds for other operating systems, such as CentOS 6 and Ubuntu 12.04. You can get Moloch on GitHub here.

Key Features: 

• High focus on security.
• Intuitive user interface.
• Scalability.
• Easily works with a number of clustered systems.
• Handles several gigabits of traffic per second with ease.
• APIs for downloading PCAP and JSON session data.

8. MozDef

Developed by Mozilla, MozDef is a response to the tools used by hackers to coordinate their attacks, share information, and even tweak their attacks as they happen. On the other hand, IT professionals and those who are trying to ward off these attacks do not have these capabilities. MozDef, or the Mozilla Defense Platform, gives defenders a platform to quickly uncover and then respond to security breaches. MozDef is available on GitHub here, and it is currently handling at least 300 million security events daily.

Key Features: 

• Statistics on security incidents and events.
• Collaborate with fellow security handlers in real time.
• Works with Mig, Bunker, Banhammer, and others.

9. OSQuery

@osquery

OSQuery lets you query your computer, smartphone, and different operating systems as though they are databases. OSQuery is an open source project that can run almost every operating system, including MacOS, FreeBSD, Linux OS, Windows, and CentOS. A very active community supports this tool, and you can find curated projects on the OSQuery website. Additionally, there is also an extensive list of documentation that can help you along.

Key Features:

• Use simple SQL commands to see what’s happening with your OSs.
• Insights such as open network connections, currently loaded kernel modules, and currently running processes.
• Interactive OSQuery for testing new queries and easily exploring your OS.
• Schedule queries throughout your entire infrastructure.

10. OSSEC

@ossecproject

Note: At Threat Stack, we strongly advise against a build-your-own approach to security or centering your strategy on open source security solutions. In the case of build-your-own, there's a large number of hidden issues that will cost time and money and demand expertise that's almost certainly beyond your core competency. And remember this about open source tools: open source is only free if your time is worth nothing. Most open source tools require DIY deployment, which calls for an extensive investment in resources and expertise, and then there's the ongoing issue of upgrades, maintenance, integrations, and so on.

For a thorough discussion of these issues, please take a look at these two posts:

• Calculating TCO: The Real Cost of Cloud Security
• To Build or Buy Your Own Security Platform: That is the Question

OSSEC, an open source tool, helps you know when your system has been breached. OSSEC can watch and analyze everything from FTP servers, to mail servers, databases, web applications and servers, firewalls, antivirus, event logs, remote access logs, NIDS, and security tools, among many others. Like other tools here, this host-based intrusion detection system is backed by a big group of developers, IT personnel, and other tech users. You can get OSSEC on GitHub here.

Key Features:

• Analyze logs, check system integrity, monitor Windows registry, detect root kits, and more.
• Issues threat alerts.
• Compatible with Windows, FreeBSD, Solaris, OS X, and Linux.