How does a good IT security officer differ from an ordinary one? Not by being able to recite from memory how many messages manager Igor sent to his colleague Maria yesterday. A good security officer tries to identify possible violations in advance and catch them in real time, doing everything possible so that an incident does not continue. Security information and event management systems (SIEM) greatly simplify the task of quickly detecting and blocking any violation attempts.
Traditionally, SIEM systems combine a security information management system and a security event management system. An important feature of these systems is the analysis of security events in real time, which allows you to respond to them before real damage is done.
The main tasks of SIEM systems:
- Data collection and normalization
- Data correlation
- Alerting
- Dashboards (visualization panels)
- Data storage
- Data search and analysis
- Reporting
Reasons for the high demand for SIEM systems
Recently, the complexity and coordination of attacks on information systems have increased greatly. At the same time, the set of protection tools in use is also becoming more complex: network and host intrusion detection systems, DLP systems, anti-virus systems and firewalls, vulnerability scanners, and so on. Each protection tool generates a stream of events at a different level of detail, and often an attack becomes visible only when events from different systems are correlated.
Much has already been written about commercial SIEM systems of all kinds.
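As an added illustration of the normalization and correlation steps described above (this is example code, not taken from the original article or from any of the products it covers), the snippet below maps two constructed events from different sources, an sshd syslog line and a JSON alert from a network IDS, onto one common schema and then applies a single correlation rule across both streams. The field names, the regular expression and the five-minute window are assumptions chosen for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): an sshd syslog line and a
# JSON alert from a network IDS, both referring to the same source address.
SYSLOG_LINE = ("2024-03-01T10:00:05Z host1 sshd[1200]: Failed password "
               "for root from 203.0.113.7 port 5222 ssh2")
IDS_JSON = ('{"timestamp": "2024-03-01T10:00:02Z", "src_ip": "203.0.113.7", '
            '"signature": "ET SCAN SSH BruteForce"}')

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<ip>\S+)"
)

def _parse_ts(value):
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize_syslog(line):
    """Map an sshd syslog line onto the common event schema (None if no match)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    category = "auth_failure" if m["result"] == "Failed" else "auth_success"
    return {"ts": _parse_ts(m["ts"]), "source": "sshd",
            "src_ip": m["ip"], "category": category}

def normalize_ids(raw):
    """Map a JSON IDS alert onto the same schema."""
    d = json.loads(raw)
    return {"ts": _parse_ts(d["timestamp"]), "source": "ids",
            "src_ip": d["src_ip"], "category": "ids_alert"}

def correlate(events, window=timedelta(minutes=5)):
    """Rule: an IDS alert and an auth failure from the same IP inside the window.

    Neither stream alone is conclusive; together they are worth an alert.
    Returns the list of source IPs that triggered the rule."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        cats = {e["category"] for e in evs}
        if {"ids_alert", "auth_failure"} <= cats:
            stamps = [e["ts"] for e in evs]
            if max(stamps) - min(stamps) <= window:
                hits.append(ip)
    return hits
```

A real SIEM performs the same two steps at scale, with a schema covering many more sources and rules that also look at sequence and volume.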
AlienVault OSSIM
AlienVault OSSIM is the open-source version of AlienVault USM, one of the leading commercial SIEM systems. OSSIM is a framework consisting of several open source projects, including the Snort network intrusion detection system, the Nagios network and host monitoring system, the OSSEC host intrusion detection system, and the OpenVAS vulnerability scanner.
Device monitoring uses the AlienVault Agent, which sends logs from the host in syslog format to the GELF platform; alternatively, a plug-in can be used to integrate with third-party services, such as Cloudflare's reverse proxy service for websites or Okta's multi-factor authentication system.
The USM version differs from OSSIM in its enhanced log management, cloud infrastructure monitoring, automation, and up-to-date threat intelligence and visualization.
Advantages
- Built on proven open-source projects;
- Large community of users and developers.
Disadvantages
- Does not support cloud platform monitoring (such as AWS or Azure);
- There is no log management, visualization, automation and integration with third-party services.
MozDef (Mozilla Defense Platform)
Mozilla's MozDef SIEM system is used to automate security incident handling processes. The system is designed from the ground up for maximum performance, scalability and fault tolerance, with a microservice architecture - each service runs in a Docker container.
Like OSSIM, MozDef is built on time-tested open source projects, including the Elasticsearch log indexing and search module, the Meteor framework for building a flexible web interface, and the Kibana plugin for visualization and plotting.
Event correlation and alerting are done with Elasticsearch queries, and you can write your own event handling and alerting rules in Python. According to Mozilla, MozDef can handle over 300 million events per day. MozDef accepts events only in JSON format, but integration with third-party services is available.
Advantages
- Does not use agents - works with standard JSON logs;
- Easily scalable thanks to microservice architecture;
- Supports cloud service data sources including AWS CloudTrail and GuardDuty.
Disadvantages
- A new and less established system.
Wazuh
Wazuh started out as a fork of OSSEC, one of the most popular open-source SIEMs, and has since become a solution in its own right, with new functionality, bug fixes and an optimized architecture.
The system is built on the Elastic Stack (Elasticsearch, Logstash, Kibana) and supports both agent-based data collection and ingestion of system logs. This makes it effective for monitoring devices that generate logs but do not support agent installation: network devices, printers, and peripherals.
Wazuh supports existing OSSEC agents and even provides guidance on migrating from OSSEC to Wazuh. Although OSSEC is still actively maintained, Wazuh is seen as a continuation of OSSEC due to the addition of a new web interface, REST API, a more complete set of rules, and many other improvements.
Advantages
- Based on and compatible with the popular SIEM OSSEC;
- Supports various installation options: Docker, Puppet, Chef, Ansible;
- Supports monitoring of cloud services, including AWS and Azure;
- Includes a comprehensive set of rules to detect many types of attacks and maps them against PCI DSS v3.1 and CIS requirements;
- Integrates with the Splunk log storage and analysis system, and offers event visualization and API support.
Disadvantages
- Complex architecture: requires a full Elastic Stack deployment in addition to the Wazuh server components.
Prelude OSS
Prelude OSS is the open-source version of the commercial Prelude SIEM developed by the French company CS. The solution is a flexible, modular SIEM system that supports many log formats and integrates with third-party tools such as OSSEC, Snort, and the Suricata network detection system.
Each event is normalized into an IDMEF message, which simplifies data exchange with other systems. But there is also a fly in the ointment - Prelude OSS is very limited in performance and functionality compared to the commercial version of Prelude SIEM, and is intended more for small projects or for studying SIEM solutions and evaluating Prelude SIEM.
Advantages
- Time-tested system developed since 1998;
- Supports many different log formats;
- Normalizes data to the IDMEF format, which makes it easy to transfer data to other security systems.
Disadvantages
- Significantly limited in functionality and performance compared to other open-source SIEM systems.
Sagan
Sagan is a high-performance SIEM that emphasizes compatibility with Snort. In addition to supporting rules written for Snort, Sagan can write to the Snort database and can even be used with the Sguil interface. Essentially, it is a lightweight, multi-threaded solution that offers new features while remaining friendly to Snort users.
Advantages
- Fully compatible with the Snort database, rules, and user interface;
- Multi-threaded architecture ensures high performance.
Disadvantages
- Relatively young project with a small community;
- A complex installation process, including building the entire SIEM from source.
Conclusion
Each of the described SIEM systems has its own characteristics and limitations, so they cannot be called a universal solution for any organization. However, these solutions are open-source, allowing them to be deployed, tested, and evaluated without incurring excessive costs.
Source: habr.com