Prof. G. Sivakumar discusses the motivation and goals behind the ongoing Security Operations Centre (SOC) project at IITB Trust Lab. This initiative simplifies complex security operations into a user-friendly, plug-and-play solution using open-source tools, enabling organizations to access top-tier cybersecurity without the hefty price tag. He also shares insights into current activities, with follow-up articles set to explore the technical details and future plans.
Every organization today needs a digital presence, and consequently becomes a target for increasingly sophisticated cyber attacks, including those by state-sponsored actors. Substantial investment, in both effort and resources, is needed to be resilient and to provide trustworthy services in such a hostile environment.
At the heart of all defence is a Security Operations Centre (SOC) hosting a variety of tools to continuously monitor network and system activity. A centralized Security Information and Event Management (SIEM) system reacts intelligently to these events and triggers alerts. Combined with sound incident-response processes, the SOC is a sine qua non for defending and improving any organization’s security posture.
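To make the SIEM idea concrete, here is a small added illustration of what "reacting intelligently to events" means in practice. It is not IITB Trust Lab code and not part of the FOSS-SOC distribution; it runs one stateful correlation rule over constructed sshd-style log lines (the log format, the IPs, and the threshold of three failures within sixty seconds are all assumptions made for the example). A single failed login is noise; several failures from one source followed by a success is the kind of cross-event pattern a SIEM exists to surface.

```python
"""Minimal SIEM-style event correlation over constructed sshd-like log lines.

Added illustration (not IITB Trust Lab code): a SOC's SIEM collects events
from many sources and fires an alert when a rule matches a pattern across
several events, not just a single line.  Rule here: at least `threshold`
failed logins from the same source IP within `window_seconds`, followed by a
successful login from that IP, is flagged as a possible credential
brute-force.  Log format, IPs and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an sshd/syslog-like format (not real data).
SAMPLE_LOGS = """\
2024-06-01T10:00:01 host1 sshd[1]: Failed password for root from 203.0.113.5 port 4000
2024-06-01T10:00:05 host1 sshd[1]: Failed password for root from 203.0.113.5 port 4001
2024-06-01T10:00:09 host1 sshd[1]: Failed password for admin from 203.0.113.5 port 4002
2024-06-01T10:00:12 host1 sshd[1]: Accepted password for admin from 203.0.113.5 port 4003
2024-06-01T10:05:00 host1 sshd[1]: Failed password for bob from 198.51.100.7 port 5000
2024-06-01T10:30:00 host1 sshd[1]: Failed password for bob from 198.51.100.7 port 5001
2024-06-01T10:31:00 host1 sshd[1]: Accepted password for bob from 198.51.100.7 port 5002
2024-06-01T10:31:05 host1 cron[9]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed line shape; a real SIEM would carry one parser per log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_event(line):
    """Normalise one raw line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=3, window_seconds=60):
    """Stateful rule: keep a sliding window of failure timestamps per source
    IP; raise an alert when a success arrives while the window still holds
    at least `threshold` failures.  Returns the list of alerts."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not an auth event for this rule; other rules might want it
        q = failures[ev["ip"]]
        # Evict failures that have aged out of the correlation window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "ip": ev["ip"],
                "user": ev["user"],
                "host": ev["host"],
                "failures_in_window": len(q),
                "at": ev["ts"].isoformat(),
            })
            q.clear()  # one alert per burst; avoid re-firing on the next success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Only the first source trips the rule: its three failures sit within twelve seconds of the success. The second source also fails twice before succeeding, but its failures are twenty-five minutes apart, so the window has already evicted the first one and no alert is raised. That distinction, state kept across events and expired by time, is what separates a SIEM rule from a grep.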
Of course, there is no one-size-fits-all security solution appropriate for all organizations. Commercial banks, exchanges and power plants, which form a nation’s critical information infrastructure, need and can afford proprietary commercial tools and the support provided by leading security product companies. However, there is a vast range of other organizations, including academic institutions, medium-sized industries and government departments, whose security can be immensely enhanced by using Free and Open Source Software (FOSS) tools.
The most significant barrier to building a SOC using FOSS tools is captured well in the old adage “Knowledge is Power!” It takes time, effort and dedicated human resources to install, customize and utilize the excellent tools available. While most organizations realize that they cannot ignore or outsource their security strategy, they have neither the expertise nor the desire to re-invent the wheel on how to effectively combine and deploy the wealth of FOSS tools available, or on how to fine-tune them to their organization’s specific needs and threat perceptions.
IITB Trust Lab is working on building a plug-and-play SOC distribution, based entirely on FOSS tools, which will reduce, if not eliminate, this barrier.
The Free and Open Source Software (FOSS) paradigm follows a “bazaar”-like approach for the entire tool lifecycle: everything from ideation to design to development to support and documentation is done in the open. Public repositories host the source code, which is freely available for anyone to study, improve and extend with more features. Building on a common base leads to very fast development cycles and also to very quick discovery and fixing of any bugs or security flaws. Linux, Apache, Postgres, Hadoop, Docker and Kubernetes are a tiny sample of major FOSS projects that have contributed significantly to the greater common good.
In the security tools domain too, there is a plethora of FOSS projects and tools under active development. Often, their features and capabilities are ahead of even the best commercial tools. To harness these, IITB Trust Lab has completed two useful activities, described briefly below.
In February 2024, the FOSSx challenge had enthusiastic participation from teams across the country and helped us identify and curate FOSS tools relevant to cybersecurity. Building on this, selected teams spent two months in a Summer of Code enhancing tools of their choice with interesting features. In parallel, an architecture for the SOC distribution has been designed and a proof-of-concept implementation is in progress.
A hands-on workshop is also planned for December to install and experiment with the FOSS-SOC distribution.