5 open source security event management systems

How does a good IT security specialist differ from an ordinary one? No, it is not that at any moment they can recall from memory the number of the message that manager Igor sent to his colleague Maria yesterday. A good security specialist tries to identify possible violations in advance and catch them in real time, doing everything possible to make sure the incident does not develop further. Security event management systems (SIEM, from Security Information and Event Management) make it easier to record and block any violations quickly.

Traditionally, SIEM systems combine the functions of security information management and security event management. A key feature of such systems is real-time analysis of security events, which lets you respond to them before any actual damage is done.

Main functions of a SIEM system:

  • Data aggregation and normalization
  • Data correlation
  • Alerting
  • Dashboards
  • Storage management
  • Data search and analysis
  • Reporting

Reasons for the high demand for SIEM systems

Recently, attacks on information systems have become far more complex and coordinated. At the same time, the set of information security tools in use keeps growing more complex: network and host-based intrusion detection systems, DLP systems, antivirus software and firewalls, vulnerability scanners, and so on. Each security tool generates many events with different levels of detail, and often an attack is visible only from events correlated across several systems.

Much has been written about all kinds of commercial SIEM systems, but here we offer a brief overview of free open source SIEM systems that are fully functional, impose no artificial limits on the number of users or the volume of stored data, and are also easy to scale and maintain. We hope this helps you assess the capabilities of such systems and decide whether they are worth integrating into your company's business processes.

AlienVault OSSIM

AlienVault OSSIM is the open source version of AlienVault USM, one of the leading commercial SIEM systems. OSSIM is a framework made up of several open source projects, including the Snort network intrusion detection system, the Nagios network and host monitoring system, the OSSEC host-based intrusion detection system, and the OpenVAS vulnerability scanner.

Devices are monitored with the AlienVault Agent, which sends logs from the host in syslog format and GELF; alternatively, a plugin can be used for integration with third-party services such as the Cloudflare website reverse proxy or Okta multi-factor authentication.

The USM version differs from OSSIM in its extended functionality for log management, cloud infrastructure monitoring, automation, and updated threat intelligence and visualization.

Advantages

  • Built on proven open source projects;
  • Large community of users and developers.

Disadvantages

  • Does not support monitoring of cloud deployments (e.g., AWS or Azure);
  • No log management, visualization, automation or integration with third-party services.

Source

MozDef (Mozilla Defense Platform)

The MozDef SIEM system, developed by Mozilla, is used to automate security incident handling. The system was designed from the ground up for maximum performance, scalability and fault tolerance, with a microservice architecture: each service runs in its own Docker container.

Like OSSIM, MozDef is built on time-tested open source projects, including Elasticsearch for log indexing and search, the Meteor platform for building a flexible web interface, and the Kibana plugin for visualization and plotting.

Event correlation and alerting are done with Elasticsearch queries, which lets you write your own event processing and alerting rules in Python. According to Mozilla, MozDef can process more than 300 million events per day. MozDef accepts events only in JSON format, but integrations with third-party services exist.

Advantages

  • Agentless: works with standard JSON logs;
  • Easy scaling thanks to the microservice architecture;
  • Supports cloud service data sources, including AWS CloudTrail and GuardDuty.

Disadvantages

  • A new system with a small user base.

Source

Wazuh

Wazuh began as a fork of OSSEC, one of the most popular open source SIEMs. Today it is a standalone solution with new functionality, bug fixes and an optimized architecture.

The system is built on the Elastic Stack (Elasticsearch, Logstash, Kibana) and supports both agent-based data collection and the ingestion of system logs. This makes it effective for monitoring devices that generate logs but do not allow an agent to be installed: network devices, printers and peripherals.

Wazuh supports existing OSSEC agents and even provides guidance for migrating from OSSEC to Wazuh. Although OSSEC is still actively maintained, Wazuh is seen as the continuation of OSSEC thanks to its new web interface, REST API, comprehensive rule set and many other improvements.

Advantages

  • Based on and compatible with the popular OSSEC SIEM;
  • Supports several deployment options: Docker, Puppet, Chef, Ansible;
  • Supports monitoring of cloud services, including AWS and Azure;
  • Includes a comprehensive rule set for detecting various types of attacks and mapping them to PCI DSS v3.1 and CIS;
  • Integrates with the Splunk log storage and analysis system for event visualization and API support.

Disadvantages

  • Complex architecture: requires a full Elastic Stack installation in addition to Wazuh's own back-end components.

Source

Prelude OSS

Prelude OSS is the open source version of the commercial Prelude SIEM, developed by the French company CS. The solution is a flexible, modular SIEM system that supports many log formats and integrates with third-party tools such as OSSEC, Snort and the Suricata network detection system.

Every event is normalized into a message in the IDMEF format, which simplifies data exchange with other systems. There is a fly in the ointment, however: Prelude OSS is severely limited in performance and functionality compared with the commercial Prelude SIEM, and is intended more for small projects or for studying SIEM solutions and evaluating Prelude SIEM.

Advantages

  • A time-tested system, in development since 1998;
  • Supports many different log formats;
  • Normalizes data into the IDMEF format, making it easy to pass data on to other security systems.

Disadvantages

  • Significantly limited in functionality and performance compared with other open source SIEM systems.

Source

Sagan

Sagan is a high-performance SIEM that emphasizes compatibility with Snort. In addition to supporting rules written for Snort, Sagan can write to the Snort database and can even be used with the Sguil interface. Essentially, it is a lightweight multi-threaded solution that offers new features while remaining friendly to Snort users.

Advantages

  • Full compatibility with the Snort database, rules and user interface;
  • Multi-threaded architecture provides high performance.

Disadvantages

  • A young project with a small community;
  • Complex installation process that involves building the entire SIEM from source.

Source

Conclusion

Each of the SIEM systems described has its own features and limitations, so none of them can be called a universal solution for every organization. However, these solutions are open source, which lets you deploy, test and evaluate them without excessive costs.

Source: www.habr.com