That's what the SIEM does, see ones such as IBM QRadar [1]; aggregates all the logs and network flows from across your estate and then uses rules/algorithms to determine threats and security events.
From my limited understanding MozDef is more targeted at ticketing/following through from intelligence gleaned from a SIEM as most times, people then just stick it in Remedy or Jira.
Sorry it's a bit tough to understand. You can think of MozDef as an open source SIEM (taking in logs, parsing, alerting, correlating) plus incident handling workflow with a focus on being open, extensible, visual and realtime. It is early, early days but promising so far!
That's an IDS, a specific security measure, akin to firewalls, AV, IPS, Vuln Scanners.
MozDef seems to be trying to make a relevant/niche ticketing system to run over the top of a SIEM (Security Information and Event Manager), which in turn runs over the top of IDS/IPS/AV/FW etc. This allows a single view and correlation between events, i.e. remote login from a contractor over VPN using a Chinese IP address, escalating privileges on a unix box, new admin account on the DB, increase in data flow outbound from the DB. None of these events is individually significant, but together it's pretty obvious something might be wrong; that's why you pay good money for a SIEM.
The issue most companies face is they have awesome security intelligence platforms or SIEMs but then have to translate it into awful business process ticketing systems (like Remedy or Jira) not designed to handle such critical and quick-moving issues.
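The cross-source correlation scenario described in the comment above (VPN login from an unexpected country, privilege escalation, new DB admin, outbound spike), as an added example that is not MozDef's own code. The event records, indicator weights, time window and alert threshold are all constructed assumptions for illustration:

```python
"""Toy SIEM-style correlation over constructed events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Each is one normalised record of
# the kind a SIEM holds after parsing VPN, auth, DB and netflow sources.
EVENTS = [
    {"ts": "2014-03-20T01:02:00", "user": "contractor1", "type": "vpn_login", "geo": "CN"},
    {"ts": "2014-03-20T01:10:00", "user": "contractor1", "type": "priv_escalation", "host": "unix01"},
    {"ts": "2014-03-20T01:25:00", "user": "contractor1", "type": "db_admin_created", "host": "db01"},
    {"ts": "2014-03-20T01:40:00", "user": "contractor1", "type": "egress_spike", "host": "db01", "mbytes": 900},
    {"ts": "2014-03-20T09:00:00", "user": "alice", "type": "vpn_login", "geo": "GB"},
    {"ts": "2014-03-20T09:30:00", "user": "alice", "type": "priv_escalation", "host": "unix02"},
]

# Assumed weights: each indicator on its own stays below the alert threshold.
WEIGHTS = {"vpn_login_unusual_geo": 2, "priv_escalation": 2,
           "db_admin_created": 3, "egress_spike": 3}
EXPECTED_GEOS = {"GB", "US"}      # assumed "normal" countries for VPN logins
WINDOW = timedelta(hours=1)       # assumed correlation window
ALERT_THRESHOLD = 8               # assumed score needed to raise an alert

def classify(ev):
    """Map a raw event to a weighted indicator name, or None if benign."""
    if ev["type"] == "vpn_login":
        return "vpn_login_unusual_geo" if ev["geo"] not in EXPECTED_GEOS else None
    return ev["type"] if ev["type"] in WEIGHTS else None

def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Return {user: (score, [indicators])} for every user whose indicators
    inside one sliding window sum to at least the threshold."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ind = classify(ev)
        if ind:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ind))
    alerts = {}
    for user, items in per_user.items():
        for i, (start, _) in enumerate(items):
            chain = [ind for ts, ind in items[i:] if ts - start <= window]
            score = sum(WEIGHTS[ind] for ind in chain)
            if score >= threshold and (user not in alerts or score > alerts[user][0]):
                alerts[user] = (score, chain)
    return alerts

if __name__ == "__main__":
    for user, (score, chain) in correlate(EVENTS).items():
        print(f"ALERT user={user} score={score} chain={chain}")
```

Only contractor1 trips the threshold: alice's GB login is benign and her lone privilege escalation scores 2.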
>> The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.
I read this as: attackers are usually one step ahead at least, and "defenders" (sic: developers (?)) do not like pentesting? These tools are available to anyone...
Defenders are usually companies' or consultancies' ERT (emergency response team) or their SOC (Security Operations Center), which monitor real-time security threats to their business and triage, mitigate, investigate, block etc.
Some of the enterprise tools (QRadar, ArcSight, enVision) for these are really advanced but run into the hundreds of thousands in cost, so I think MozDef is an open source initiative for smaller teams who don't have the resources for the above.
And now, there's another public-facing service on your server that can be tried for vulnerabilities :)
Joke aside, I like the initiative; security is still something that seems to me not taken seriously enough by day-to-day sysadmins and developers.
From what I understand, its main use is to report when attacks were attempted. Does it also check for what is probably the biggest security concern in the wild, aka outdated software that has updates available (better safe than sorry)?
one?
"""
MozDef is based on open source technologies including:
Nginx (http(s) based log input)
Rabbit-MQ (message queue)
UWSGI (supervisory control of python-based workers)
bottle.py (simple python interface for web request handling)
Elastic Search (scalable indexing and searching of JSON documents)
Meteor (responsive framework for Node.js enabling real-time data sharing)
Mongo DB (scalable data store, tightly integrated to Meteor)
..
"""
I hope this project will get traction. It's always a nightmare for sysadmins (and developers) to discover on Friday nights that most of their apps will require an upgrade in the next couple of hours because an exploit is out (of nowhere most of the time).
And in any case, the architecture put in place is interesting. I'm eager to see how they made use of Meteor.
One of the ways a proof of concept can become a full blown project is by attracting contributors. A project attracts contributors if the project is talked about.