OpenDiD is a battle-tested Defense-in-Depth security framework developed in a live production environment by a team of 30+ security professionals. It integrates EDR, SIEM, host and network intrusion detection, network access control, deception technology and an incident response platform into one documented stack, giving an organization a layered security posture rather than a collection of unconnected tools.
🛡️ Key Features:
- Complete integration flows and documentation
- Production-tested configurations
- Real-world deployment guides
- Automated incident response playbooks
- Comprehensive security workflows
Built with open-source tools and nonprofit licensing, OpenDiD demonstrates what's possible in building a robust security framework through community collaboration.
This repository represents a real-world Defense in Depth (DiD) security implementation that was developed as part of a nonprofit organization's CI/CD journey. It's essential to understand several key aspects about this project:
- This was not a theoretical exercise but a live production environment that evolved through continuous learning and improvement
- The infrastructure grew organically as our team learned, adapted, and enhanced our security posture
- Documentation and implementations reflect real-world challenges, solutions, and iterations
- Developed by a dedicated team of 30+ volunteer security professionals
- Each team member contributed 10+ hours weekly
- Project spanned approximately one year before the organization's dissolution
- Represents thousands of hours of collective security expertise and practical implementation
- This repository captures the state of our security infrastructure before the organization's dissolution
- While not "feature complete," it represents a robust, production-tested security foundation
- Contains valuable insights into building a comprehensive security stack from the ground up
- As a nonprofit organization, we operated under specific constraints:
  - Utilized only open-source software or tools with nonprofit licensing
  - Focused on maximizing security value within resource limitations
  - Prioritized sustainable, maintainable solutions
This project serves as:
- A practical example of implementing Defense in Depth in a production environment
- A learning resource for organizations building their security infrastructure
- A starting point for similar security initiatives
- A real-world case study in security evolution
Before building on it, keep in mind:
- This is not a turnkey solution but a foundation to build upon
- Implementation details reflect specific organizational needs and constraints
- Security configurations should be adapted to your specific requirements
- Consider this a reference architecture rather than a final product
A comprehensive, enterprise-grade security infrastructure implementing Defense-in-Depth principles with Zero Trust Architecture. This project demonstrates the implementation of a multi-layered security approach using industry-standard tools and best practices.
```mermaid
graph TD
    subgraph "Layer 1: Endpoint Security"
        A[Action1 MRR] -->|Manages| B[Endpoints]
        C[BitDefender EDR] -->|Protects| B
    end
    subgraph "Layer 2: Network Security"
        D[NVIS ZTNA] -->|Controls| E[Network Access]
        P[PacketFence NAC] -->|Controls| E
        R[RITA] -->|Analyzes| E
        F[Firewalls] -->|Filters| E
    end
    subgraph "Layer 3: Security Monitoring"
        G[Wazuh SIEM] -->|Forwards| H[Splunk SIEM]
        G -->|Creates| I[TheHive Cases]
        G -->|Notifies| J[Slack Alerts]
        R -->|Beacons & C2| G
    end
    subgraph "Layer 4: Deception Technology"
        K[Thinkst Canary] -->|Alerts| G
        L[Canary Tokens] -->|Triggers| G
        M[HoneyNet] -->|Activity| G
    end
    B -->|Logs| G
    E -->|Logs| G
    P -->|Auth Events| G
```
- Layer 1: Endpoint Security
  - Action1 MRR: Remote management and automated deployment
  - BitDefender EDR: Advanced threat detection and response
  - Configuration Management: Automated compliance enforcement
- Layer 2: Network Security
  - NVIS Zero Trust: Software-defined perimeter
  - PacketFence: Network Access Control (NAC)
  - RITA: Network traffic analysis and beacon detection
  - Network Segmentation: Role-based access control
  - Traffic Analysis: Deep packet inspection
- Layer 3: Security Monitoring
  - Wazuh SIEM: Central security monitoring
  - Splunk SIEM: Advanced security analytics
  - TheHive: Security orchestration and response
  - Slack Integration: Real-time alerts and collaboration
- Layer 4: Deception Technology
  - Thinkst Canary: Network honeypots
  - Canary Tokens: Document tracking
  - HoneyNet: Deception network
  - Threat Intelligence: Attack pattern analysis
- Device validation before network access
- Continuous trust evaluation
- Least privilege access control
- Identity-based security policies
- MITRE ATT&CK framework alignment
- Automated incident response
- Threat hunting capabilities
- Real-time alert correlation
- Regulatory compliance monitoring
- Automated compliance reporting
- Security metrics dashboard
- Audit trail maintenance
- RITA Capabilities:
  - Beacon detection
  - DNS tunneling detection
  - C2 traffic identification
  - Long connection analysis
  - Data exfiltration detection
- PacketFence Features:
  - BYOD management
  - Guest access control
  - 802.1X support
  - Role-based access
  - Device fingerprinting
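To make the RITA capabilities concrete, here is an added example (written for this page, not RITA's own scoring code) of beacon and long-connection analysis over Zeek `conn.log` records, the input RITA consumes. The idea is that a C2 beacon contacts the same destination at near-constant intervals with near-constant payload sizes, so the coefficient of variation (standard deviation over mean) of its connection intervals and byte counts is low, while interactive traffic is irregular on both axes. It assumes Zeek's TSV column order for the first eleven fields; the weights, thresholds and sample log lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Beacon and long-connection heuristics over Zeek conn.log records.

Added example, not RITA's algorithm: scores each (orig_h, resp_h) pair by how
regular its connection timing and request sizes are, and flags sessions that
stay open for hours. Thresholds and weights are illustrative choices.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# The first eleven columns of Zeek's TSV conn.log, in Zeek's order.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]


def _num(value: str, cast):
    """Zeek writes '-' for unset numeric fields; treat that as zero."""
    return cast(value) if value != "-" else cast(0)


def parse_conn_log(text: str) -> List[dict]:
    """Parse Zeek conn.log TSV text (comment/header lines skipped) into dicts."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["duration"] = _num(rec["duration"], float)
        rec["orig_bytes"] = _num(rec["orig_bytes"], int)
        rec["resp_bytes"] = _num(rec["resp_bytes"], int)
        rows.append(rec)
    return rows


def _regularity(values: List[float]) -> float:
    """1.0 for perfectly constant values, falling to 0.0 once stdev reaches the mean."""
    mean = statistics.mean(values)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(values) / mean)


def beacon_score(conns: List[dict], min_conns: int = 10) -> float:
    """Score a src->dst pair in [0, 1]; needs min_conns connections to judge at all."""
    if len(conns) < min_conns:
        return 0.0
    ts = sorted(c["ts"] for c in conns)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    interval_score = _regularity(intervals)
    size_score = _regularity([c["orig_bytes"] for c in conns])
    # Timing weighs more: legitimate payload sizes vary more than a beacon timer does
    return round(0.6 * interval_score + 0.4 * size_score, 3)


def analyze(rows: List[dict], min_conns: int = 10) -> Dict[Tuple[str, str], float]:
    """Beacon score for every (orig_h, resp_h) pair in the log."""
    pairs = defaultdict(list)
    for r in rows:
        pairs[(r["id.orig_h"], r["id.resp_h"])].append(r)
    return {pair: beacon_score(cs, min_conns) for pair, cs in pairs.items()}


def long_connections(rows: List[dict], min_duration: float = 3600.0) -> List[dict]:
    """Connections open at least min_duration seconds (reverse shells, tunnels)."""
    return [r for r in rows if r["duration"] >= min_duration]


def make_conn_lines() -> List[str]:
    """Constructed sample log: a 60-second beacon, a browsing host, one long session."""
    base, lines = 1700000000.0, []
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, -1, 1, 0]          # seconds off the 60 s timer
    for i, j in enumerate(jitter):
        lines.append(f"{base + 60 * i + j:.6f}\tCb{i}\t10.0.0.5\t{40000 + i}\t203.0.113.10"
                     f"\t443\ttcp\tssl\t0.21\t512\t1024")
    gaps = [0, 3, 41, 7, 600, 2, 1300, 15, 90, 4, 2200, 11]     # irregular user activity
    sizes = [300, 1200, 8000, 450, 65000, 700, 2300, 150, 9800, 520, 31000, 880]
    t = base
    for i, (g, s) in enumerate(zip(gaps, sizes)):
        t += g
        lines.append(f"{t:.6f}\tCw{i}\t10.0.0.7\t{50000 + i}\t198.51.100.20"
                     f"\t443\ttcp\tssl\t1.5\t{s}\t{s * 7}")
    lines.append(f"{base:.6f}\tCl0\t10.0.0.9\t50100\t192.0.2.50\t4444\ttcp\t-\t7200.5\t2048\t-")
    return lines


if __name__ == "__main__":
    rows = parse_conn_log("\n".join(make_conn_lines()))
    for (src, dst), score in sorted(analyze(rows).items(), key=lambda kv: -kv[1]):
        print(f"{src:>10} -> {dst:<15} beacon score {score:.3f}")
    for r in long_connections(rows):
        print(f"long connection {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']} "
              f"{r['duration']:.0f}s")
```

Run against a real `conn.log` by replacing `make_conn_lines()` with the file contents. Expect noise from legitimately periodic traffic (NTP, update checks, monitoring agents); RITA handles this with allowlists and dataset-wide statistics, and the same pair-level regularity idea is what drives its beacon ranking.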
- Automated software deployment
- Patch management
- EDR capabilities
- Device compliance enforcement
- Zero Trust architecture
- Microsegmentation
- Traffic monitoring
- Access control
- Log aggregation
- Event correlation
- Incident response
- Threat intelligence
- Network honeypots
- Document tracking
- Deception network
- Attack pattern analysis
- Enterprise Security Architecture
- Zero Trust Implementation
- SIEM Configuration & Management
- Security Automation & Orchestration
- Incident Response Planning
- Compliance Management
- Security Tool Integration
- Alert Management & Triage
- Defense in Depth
- Principle of Least Privilege
- Zero Trust Architecture
- Automated Response
- Continuous Monitoring
- Security Metrics & KPIs
- Threat Intelligence Platform Integration
- Machine Learning-based Threat Detection
- Cloud Security Posture Management
- Container Security
- DevSecOps Integration
- Extended EDR Capabilities
MIT License - See LICENSE for details