After a one-week hiatus, we’re back. It’s been a busy couple weeks, and up first is the release of Kali Purple. This new tool from Kali Linux is billed as an SOC-in-a-box, that follows the NIST CSF structure. That is a veritable alphabet soup of abbreviated jargon, so let’s break this down a bit. First up, SOC IAB or SOC-in-a-box is integrated software for a Security Operation Center. It’s intrusion detection, intrusion prevention, data analysis, automated system accounting and vulnerability scanning, and more. Think a control room with multiple monitors showing graphs based on current traffic, a list of protected machines, and log analysis on demand.
NIST CSF is guidance published by the National Institute of Standards and Technology, a US government agency that does quite a bit of the formal ratification of cryptography and other security standards. CSF is the CyberSecurity Framework, which among other things, breaks cybersecurity into five tasks: identify, protect, detect, respond, and recover. The framework doesn’t map perfectly to the complexities of security, but it’s what we have to work with, and Kali Purple is tailor-made for that framework.
Putting that aside, what Purple really gives you is a set of defensive and analytical tools that rival the offensive tools in the main Kali distro. Suricata, Arkime, Elastic, and more are easily deployed. The one trick that really seems to be missing is the ability to deploy Kali Purple as the edge router/firewall. The Purple deployment docs suggest an OPNSense deployment for the purpose. Regardless, it’s sure to be worthwhile to watch the ongoing development of Kali Purple.