3 cutting-edge open source tools taking endpoint security to the next level

Adebayo Farouk
5 min read, Aug 20, 2018


The days of simple endpoint security by way of traditional antivirus software are coming to an end, because antivirus only detects a virus when a signature for that particular virus is in its database. Modern viruses have evolved, and antivirus is not able to detect them in time to sandbox them and mitigate their effects. Scanning, screening and protecting endpoints from viruses has become a very complex process for organizations that understand the consequences of cyber negligence. Sadly, most antivirus and anti-malware tools only discover a small fraction of potential infections.

It’s no secret that distributing malware is a big business, and the rapidly rising malware epidemic is only going to grow in the coming years. It has become easier to create and obtain the crypters, botnets and zero-day exploits needed to execute high-level attacks, as education in malware creation and management is on the rise. Therefore, it is important for organizations to employ stronger security options that provide more than just basic antivirus protection.

By using endpoint security platforms, cyber security engineers are able to monitor, detect, investigate and mitigate suspicious activities and issues on endpoints.

Endpoint security platforms should be built on these basic principles for increased efficiency.

1. They should do more than just protection or prevention; they should have detection and behavioral analysis capabilities to mitigate attacks early on.

2. They should correlate data across the whole environment so that the system as a whole can learn and can easily mitigate similar attacks subsequently.

3. They should be able to monitor the endpoints and their activities without interfering with the normal workflow of the endpoints.

4. Good data visualization should be employed to display results for the benefit of technical as well as non-technical users.

Of course, the elements of a good endpoint security platform are not limited to these, but they are the most basic points to look out for when evaluating endpoint security platforms.

There are plenty of advanced endpoint detection and response tools (EDRs) that can find and block the most elusive attacks, even the ones programmed not to leave any footprints behind.

In this post, we will be reviewing 3 open source tools that take endpoint security to the next level through proactive monitoring and looking closely for malicious threats. They evaluate threats learned and mitigated on each endpoint within the larger ecosystem by examining individual processes on each endpoint, sometimes combining this with the best aspects of network intrusion detection for better security. The good part is that they are free of cost and open source, and according to reviews they are effective in providing robust endpoint security to businesses and home users alike.


OSSEC

OSSEC is an open source host-based intrusion detection and prevention system (HIPS) that performs profile- and signature-based analysis, real-time integrity monitoring and tracking of endpoint activities, and prevents endpoint intrusion. It supports many operating systems, such as Windows, Linux and Solaris. OSSEC performs log analysis, which allows the security analyst to review all the information exchange occurring on the endpoint. OSSEC collects, analyses and correlates these logs so the analyst can observe any attack, misuse or even the slightest anomaly. The program also performs frequent file integrity checks. Each attack on an endpoint changes the configuration of the system; the goal of file integrity checking is to detect these changes in real time and alert the administrator. Windows registry and rootkit monitoring are also part of OSSEC’s features. Using these tools, OSSEC can mitigate unauthorised changes to the system and provide automatic alerts to the nominated system administrators. OSSEC is indeed a very powerful endpoint detection and response security tool, and it supports both agent-based and agentless monitoring. It also has a cross-platform architecture that enables the analyst to monitor multiple systems from a centralized location.

Security Onion

With Security Onion, administrators can perform detailed activity monitoring, intrusion detection, enterprise security monitoring, log management and threat analysis from a user-friendly, fully OS-integrated platform. Security Onion works with a variety of other security tools to achieve better efficiency. Security Onion smoothly interweaves three core functions: it is able to perform full packet capture, it possesses network-based and host-based intrusion detection capabilities, and it serves as a powerful analysis tool. Security Onion is capable of performing thorough analysis due to its built-in security packages. The third-party security packages used by Security Onion are Snort and Suricata, for rule-based and analysis-based network intrusion detection respectively. Additionally, OSSEC is used for host-based intrusion detection, and Sguil and Kibana for data analysis.


Tripwire

Tripwire is available in both an open source and an enterprise variant. The open source version of Tripwire is comparable in features to the enterprise version. The enterprise version is feature rich, with detailed logs and graph functionality. Just like the other tools mentioned above, Tripwire is able to monitor file integrity, configuration management, asset discovery, vulnerabilities and log collection. It runs only on Linux and Unix machines, and there is currently no support for Windows in the free version, but unsurprisingly Windows support is available in the enterprise version. Tripwire monitors Linux systems to detect and report unauthorized changes to files and directories. It first creates a baseline of all files in an encrypted file and then monitors the files for changes, including permissions, internal file changes and timestamp details. Cryptographic hashes are used to detect changes in a file without storing its entire content in the database. Tripwire is useful for detecting intrusions after they’ve occurred, and it can also serve many other purposes, including policy compliance, change management and integrity assurance.
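As an added example (not code from OSSEC or Tripwire), here is the baseline-and-compare approach the article attributes to both tools' file integrity checking: record a cryptographic hash, the permission bits and the timestamp of each file, then report added, removed and modified files along with which attribute changed. The files and the tampering in `demo` are constructed in a temporary directory, so the script runs offline.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Baseline: SHA-256, permission bits and mtime per regular file (hash only, not content)."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.lstat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report added and removed files, and which attributes changed on the rest."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": {}}
    for name in sorted(set(old) & set(new)):
        changed = [a for a in ("sha256", "mode", "mtime") if old[name][a] != new[name][a]]
        if changed:
            report["modified"][name] = changed
    return report


def demo() -> dict:
    """Constructed scenario (hypothetical files, not a real host): baseline, change, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        os.chmod(etc / "sshd_config", 0o600)
        (etc / "motd").write_text("Welcome\n")
        before = snapshot(root)
        # changes an integrity checker should catch: content edit, permission change, new file, deletion
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(etc / "sshd_config", 0o644)
        (etc / "new.conf").write_text("x=1\n")
        (etc / "motd").unlink()
        return compare(before, snapshot(root))
```

A real deployment would sign or encrypt the stored baseline, as the article notes Tripwire does, so that an intruder cannot simply regenerate it after tampering.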

The list of open source endpoint security platforms keeps growing every day. This is critical because cyber-attacks have become a profit-making business and attackers are not shy in their efforts to commit cyber-crimes. Thanks to the efforts of open source tool creators, attacks can be mitigated and stopped before causing network-wide infections. Chert Security is a security consulting outfit that specializes in the installation and management of open source and enterprise endpoint security platforms, amongst many other IT-related services. Contact us today.