Image: a view of a large city at night.

DIY Cybersecurity: Open-Source Cybersecurity for SMEs

30.09.2024

SMEs make up 99% of all businesses operating within the EU and have created 85% of all jobs, accounting for more than two-thirds of employment on the continent.

The Digital Decade project’s strategic roadmaps, which drive the integration of digital services into EU member states’ infrastructure, aim to achieve the digital transformation of SMEs so that 90% of all businesses have AI, cloud, and data analytics as integral parts of their operations by 2030.

As cybersecurity concerns rise, most support for SMEs’ cybersecurity solutions comes from the private sector; the fact remains that cybersecurity services are expensive and, for many SMEs, economically unfeasible, as they do not offer a direct, steady monetary return on investment.

Open-source software could potentially be a solution

The issue with open-source software is that adopting this technology can be difficult without the relevant expertise and experience. However, with the NIS2 directive coming into effect through the national legislation of EU member states in October 2024, and with the goals of the Digital Decade project, cybersecurity implementations are not optional.

We believe that open-source software for cybersecurity needs to be more widely considered by SMEs, and we hope to build more supportive programs for adopting these technologies in the future.

Candidates for DIY open-source cybersecurity

1. Wazuh: Open Source XDR and SIEM

Wazuh is a free security monitoring platform that provides a wide range of features. It integrates with various operating systems and cloud platforms.

Key Features:

Intrusion Detection: Wazuh uses signature-based detection to identify potential threats like unauthorized access attempts or malware activity. It analyzes logs from various sources, such as firewalls, web servers, and antivirus software, to detect suspicious behavior.

File Integrity Monitoring: Tracks changes to critical system files and directories, alerting to unauthorized modifications that could indicate a security breach.

Vulnerability Detection: Wazuh regularly scans your systems for known vulnerabilities, applying necessary patches and updates.

Wazuh works through deployed agents, which collect and analyze data from devices, and it provides alerts and incident reports through a web-based dashboard.

2. Suricata: High-Performance Network Threat Detection

Suricata is a powerful open-source intrusion detection and prevention system (IDS/IPS). It inspects network traffic in real time, detecting and blocking threats before they reach your systems.

Key Features of Suricata:

Deep Packet Inspection: Suricata can analyze the contents of network packets, allowing it to detect complex threats such as advanced persistent threats (APTs) and zero-day exploits.

Protocol Identification: The tool automatically identifies network protocols, even when traffic is obfuscated, which helps detect unauthorized or malicious communication channels.

Integration with Other Tools: Suricata can be integrated with other security tools, such as Wazuh, for comprehensive threat detection and response.

Suricata requires some technical knowledge to set up, but it provides an invaluable layer of protection for your network. The community around Suricata is very active, offering plenty of resources to help you get started.

3. OSSEC: Host-Based Intrusion Detection

OSSEC is a robust, open-source, host-based intrusion detection system (HIDS) that monitors system logs, file integrity, and user activity. It is designed to detect signs of intrusion or malicious behavior on individual hosts.

Key Features of OSSEC:

Log Analysis: OSSEC analyzes logs from a wide variety of sources, including system logs, application logs, and firewall logs, to detect potential security incidents.

File Integrity Monitoring: OSSEC tracks changes to critical files and directories, alerting you to unauthorized modifications.

Rootkit Detection: OSSEC can detect rootkits, which are malicious tools designed to gain unauthorized root access to a system.

Active Response: OSSEC can be configured to automatically respond to certain threats, such as blocking an IP address after multiple failed login attempts.

OSSEC is lightweight and highly customizable, allowing you to tailor it to the specific needs of your environment. It is also suitable for IoT devices.
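The active-response behaviour described above (flag a source address after repeated failed logins) is, in OSSEC, configured through its rules and `active-response` settings. The following is an added, stand-alone Python illustration of that detection logic, not OSSEC's own code: it runs over constructed sshd log lines and reports which source IPs exceeded a failure threshold inside a sliding time window. The threshold (6), window (120 s) and log year (2024) are assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not taken from any real system).
SAMPLE_LOG = """\
Sep 30 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Sep 30 10:00:03 host sshd[1202]: Failed password for root from 198.51.100.7 port 51023 ssh2
Sep 30 10:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Sep 30 10:00:09 host sshd[1204]: Failed password for root from 198.51.100.7 port 51025 ssh2
Sep 30 10:00:12 host sshd[1205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Sep 30 10:00:15 host sshd[1206]: Failed password for root from 198.51.100.7 port 51027 ssh2
Sep 30 10:00:20 host sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Sep 30 10:01:00 host sshd[1208]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Sep 30 10:20:00 host sshd[1209]: Failed password for alice from 192.0.2.10 port 40003 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) "
)


def find_brute_force_sources(log_text, threshold=6, window_seconds=120, year=2024):
    """Return {ip: timestamp} for each IP whose failed logins reached
    `threshold` within any `window_seconds` span; the timestamp is the
    moment the threshold was first crossed (i.e. when a block would fire).
    Syslog lines carry no year, so `year` is an assumed value."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}; candidate for blocking")
```

With the defaults, only 198.51.100.7 is flagged (six failures in 14 seconds); the two failures from 192.0.2.10 are 19 minutes apart and never share a window.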

The Cyber-resilient Kymenlaakso project is co-funded by the European Union via the Regional Council of Kymenlaakso from the Just Transition Fund (JTF) of the European Union. The project duration is 1.9.2023–31.12.2025.

Writer: Krista Pesonen

The writer works as an RDI specialist at South-Eastern Finland University of Applied Sciences.