Why Security Operation Centres Love Linux OS

Why Security Operation Centres Love Linux OS

Why Security Operation Centres Love Linux OS




Linux is an operating system that was created in 1991. Linux is open-source, fast, reliable, and small. It requires very little hardware resources to run and is highly customizable. Unlike other operating systems such as Windows and Mac OS X, Linux was created and is currently maintained by, a community of programmers. Linux is part of several platforms and can be found on devices anywhere from “wristwatches to supercomputers”. In this article, I will talk about why Security Operation Centres love Linux OS.


Another important aspect of Linux is that it is designed to be connected to the network, which makes it much simpler to write and use network-based applications. Because Linux is open-source, any person or company can get the kernel’s source code, inspect it, modify it, and re-compile it at will. They are also allowed to redistribute the program with or without charges.


A Linux distribution is the term used to describe packages created by different organizations. Linux distributions (or distros) include the Linux kernel with customized tools and software packages. While some of these organizations may charge for their Linux distribution support (geared towards Linux-based businesses), the majority of them also offer their distribution for free without support. Debian, Red Hat, Ubuntu, CentOS, and SUSE are just a few examples of Linux distributions.

The Value of Linux

Linux is often the operating system of choice in the Security Operations Center (SOC). These are some of the reasons to choose Linux:

#1 Linux is open-source 

Any person can acquire Linux at no charge and modify it to fit specific needs. This flexibility allows analysts and administrators to tailor-build an operating system specifically for security analysis.


#2 The Linux CLI is very powerful

While a GUI makes many tasks easier to perform, it adds complexity and requires more computer resources to run. The Linux Command Line Interface (CLI) is extremely powerful and enables analysts to perform tasks not only directly on a terminal, but also remotely.


#3 The user has more control over the OS 

The administrator user in Linux, known as the root user, or superuser, has absolute power over the computer. Unlike other operating systems, the root user can modify any aspect of the computer with a few keystrokes. This ability is especially valuable when working with low level functions such as the network stack. It allows the root user to have precise control over the way network packets are handled by the operating system.


#4 It allows for better network communication control 

Control is an inherent part of Linux. Because the OS can be adjusted in practically every aspect, it is a great platform for creating network applications. This is the same reason that many great network-based software tools are available for Linux only.

Linux in the SOC

The flexibility provided by Linux is a great feature for the SOC. The entire operating system can be tailored to become the perfect security analysis platform. For example, administrators can add only the necessary packages to the OS, making it lean and efficient. Specific software tools can be installed and configured to work in conjunction, allowing administrators to build a customized computer that fits perfectly in the workflow of a SOC.


The figure shows Sguil, which is the cybersecurity analyst console in a special version of Linux called Security Onion. Security Onion is an open source suite of tools that work together for network security analysis. We will work with Security Onion later in this course.

The image is a picture of the SGUIL console running on Security Onion. The top status bar says SGUIL-0.9.0-Connected to localhost. The menu bar shows the choices:File, Query, Reports. The menu bar also shows status items. Sound: Off, ServerName: localhost, UserName: analyist, UserID:2.  At the right  side of the menu bar is a date and time stamp.  The center section has two tabs: RealTime Events and Escalated  events. The tab RealTime Events is active. Security events are shown listed in the center section under the headings:  ST, CNT, Sensor, Alert ID, Date/Time, Src IP, SPort, Dst IP, DPort, Pr and Event Message.  An alert is highlighted that reads ST=RT, CNT=1,Sensor=seconion, Alert ID=51599, Date/Time=2020-05-10 21:29:13, Src IP=, SPort=52460, Dst IP=, DPort=80, Pr=6, Event Message=ET TROJAN Probable OneLouder. The lower section of the screen displays two windows. In the left window four tabs are displayed: IP Resolution, Agent Status, Snort Statistics and System Messages.  The Agent Status tab is active. A table is displayed that has the headings:  Sid, Net, Hostname, Type and Last.  In the window on the right side there is a display of  packet data.  On the menu bar at the top of the right window there are two checkboxes.  One checkbox is Show Packet Data which is checked.  The other checkbox is Show Rule and it is also checked. Below the  menu bar is the text of a rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (MSG ET TROJAN Probable OneLouder doenloader (Zeus P2P); flow to_server established content Get, http_method.  The table below has three sections: IP, TCP, and DATA. The contents of an HTTP GET packet is shown.

The table lists a few tools that are often found in a SOC.

SOC Tool Description
Network packet capture software
  • A crucial tool for a SOC analyst as it makes it possible to observe and understand every detail of a network transaction.
  • Wireshark is a popular packet capture tool.
Malware analysis tools These tools allow analysts to safely run and observe malware execution without the risk of compromising the underlying system.
Intrusion detection systems (IDSs)
  • These tools are used for real-time traffic monitoring and inspection.
  • If any aspect of the currently flowing traffic matches any of the established rules, a pre-defined action is taken.
Firewalls This software is used to specify, based on pre-defined rules, whether traffic is allowed to enter or leave a network or device.
Log managers
  • Log files are used to record events.
  • Because a network can generate a very large number of log entries, log manager software is employed to facilitate log monitoring.
Security information and event management (SIEM) SIEMs provide real-time analysis of alerts and log entries generated by network appliances such as IDSs and firewalls.
Ticketing systems Task ticket assignment, editing, and recording is done through a ticket management system. Security alerts are often assigned to analysts through a ticketing system.

Linux Tools

In addition to SOC-specific tools, Linux computers that are used in the SOC often contain penetration testing tools. Also known as PenTesting, a penetration test is the process of looking for vulnerabilities in a network or computer by attacking it. Packet generators, port scanners, and proof-of-concept exploits are examples of PenTesting tools.


Kali Linux is a Linux distribution groups many penetration tools together in a single Linux distribution. Kali contains a great selection of tools. The figure shows a screenshot of Kali Linux. Notice all the major categories of penetration testing tools.

The image is a screenshot of the Kali Linux desktop with the Applications menu open. On the top of the screen is a status bar that contains two menu choices: Applications and Places. At the center of the status bar is a timestamp that reads Mon 20:37. At the far right on the status bar, icons are shown for additional features and functions.  In the open applications menu, there are two columns: the column on the left is titled Favorites and lists commonly accessed items,  the column on the right shows icon and titles for available applications.  Listed in the Favorites are: 01-Information Gathering, 02-Vulnerability Analysis, 03-Web Application Analysis, 04-Database Assessment, 05-Password Attacks, 06-Wireless Attacks, 07-Reverse Engineering, 08-Exploitation Tools, 09-Sniffing & Spoofing, 10-Post Exploitation, 11-Forensics, 12-Reporting Tools, 13-Social Engineering Tools, 14-System Services, and Usual applications.  The right side column lists the following applications:  Firefox ESR, Terminal, Files folder, metasploit, armitage, burpsuite, beef xss, faraday IDE, Leafpad, and Tweak Tool.

Action Point

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

Download Our App.


Follow Us On Telegram

CEHNigeria On Google Playstore







Join Our Whatsapp Group

Follow Us On Twitter and I will Follow Back


Follow Us On Twitter

Kindly follow me on Twitter and I promise I will follow back. Aside you will get updated when we post new articles.

About Adeniyi Salau 889 Articles
I am an IT enthusiast and a man of many parts. I am a Certified Digital Marketer, Project Manager and a Real Estate Consultant. I love writing because that's what keeps me going. I am running this blog to share what I know with others. I am also a Superlife Stem Cell Distributor. Our Stem Cell Products can cure many ailments.

Be the first to comment

Leave a Reply

Your email address will not be published.


CommentLuv badge