MozDef – Mozilla Enterprise Defense Platform

The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.

MozDef - Mozilla Enterprise Defense Platform
MozDef – Mozilla Enterprise Defense Platform

The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

Some of the current supported features are:

  • Provide a platform for use by defenders to rapidly discover and respond to security incidents.
  • Automate interfaces to other systems like bunker, cymon, mig
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation

Some of the key events logged by the framework:

  • Authentication Events – Failed/Success logins Authentication is always an important event to log as it establishes traceability for later events and allows correlation of user actions across systems.
  • Authorization Events – Failed attempts to insert/update/delete a record or access a section of an application. Once a user is authenticated they usually obtain certain permissions. Logging when a user’s permissions do not allow them to perform a function helps troubleshooting and can also be helpful when investigating security events.
  • Account Lifecycle – Account creation/deletion/update Adding, removing or changing accounts are often the first steps an attacker performs when entering a system.
  • Password/Key Events – Password changed, expired, reset. Key expired, changed, reset.
  • Account Activations – Account lock, unlock, disable, enable.
  • Application Exceptions – Invalid input, fatal errors, known bad things.

You can read more and download the framework over here:

Notify of
Inline Feedbacks
View all comments