How does a good IT security specialist differ from an ordinary one? Not by being able to recall from memory, at any moment, how many messages manager Igor sent to Maria yesterday morning. A good security specialist identifies possible violations in advance, catches them in real time, and does everything possible to stop an incident from continuing. A security event management system (SIEM, from Security Information and Event Management) greatly simplifies the task of quickly recording and blocking attempted violations.
Traditionally, a SIEM system combines a security information management system with a security event management system. The key function of such a system is to analyze security events in real time, so that they can be responded to before real damage is done.
Main tasks of a SIEM system:
- Data collection and normalization
- Data correlation
- Alerting
- Visualization panels
- Data storage configuration
- Data search and analysis
- Reporting
Why SIEM systems matter
Recently, the complexity and coordination of attacks on information systems have increased significantly. At the same time, the information security tools in use (network- and host-based intrusion detection systems, DLP systems, antivirus systems and firewalls, vulnerability scanners, and so on) have themselves become more and more complex. Each security tool generates an event stream with its own level of detail, and in many cases an attack can be confirmed only by overlaying events from different systems.
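The two points above (normalizing each tool's stream into one schema, then correlating across tools) are the core of what a SIEM does. As an added example, not code from the original article, the Python below normalizes constructed firewall and sshd syslog lines into a common event schema and then correlates across the two sources: a multi-port probe seen only by the firewall, followed by failed logins seen only on the host. The log lines, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines for this example: three firewall drops and a few sshd
# records, as two different tools would emit them (not real captured logs).
FIREWALL_LINES = [
    "Mar 10 12:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 10 12:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Mar 10 12:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
]
SSHD_LINES = [
    "Mar 10 12:00:40 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51012 ssh2",
    "Mar 10 12:00:43 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51013 ssh2",
    "Mar 10 12:01:10 web1 sshd[2230]: Accepted password for alice from 198.51.100.9 port 40000 ssh2",
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FW_RE = re.compile(r"(?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")
SSH_RE = re.compile(r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port")


def normalize(line, year=2024):
    """Turn one raw line into a common event schema (ts, host, tool, category, src_ip, ...).
    Syslog headers carry no year, so the caller supplies it (2024 is assumed here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "tool": m["prog"].strip(),
    }
    fw = FW_RE.search(m["msg"])
    if fw:
        event.update(category="firewall", action=fw["action"], src_ip=fw["src"],
                     dst_ip=fw["dst"], dst_port=int(fw["dport"]))
        return event
    ssh = SSH_RE.search(m["msg"])
    if ssh:
        event.update(category="auth", user=ssh["user"], src_ip=ssh["src"],
                     outcome="failure" if ssh["outcome"] == "Failed" else "success")
        return event
    event.update(category="other", message=m["msg"])
    return event


def correlate(events, scan_ports=3, scan_window=60, fail_count=2, follow_window=300):
    """Alert when one source address probes >= scan_ports distinct ports within
    scan_window seconds (firewall view) and then fails to log in >= fail_count times
    within follow_window seconds (host view). Neither tool alone sees the whole picture."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if "src_ip" in e:
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        drops = [e for e in evs if e["category"] == "firewall" and e["action"] == "DROP"]
        fails = [e for e in evs if e["category"] == "auth" and e["outcome"] == "failure"]
        for i, first in enumerate(drops):
            window = [d for d in drops[i:] if (d["ts"] - first["ts"]).total_seconds() <= scan_window]
            ports = {d["dst_port"] for d in window}
            if len(ports) < scan_ports:
                continue
            scan_end = window[-1]["ts"]
            later = [f for f in fails if 0 <= (f["ts"] - scan_end).total_seconds() <= follow_window]
            if len(later) >= fail_count:
                alerts.append({"rule": "scan_then_bruteforce", "src_ip": src,
                               "ports": sorted(ports), "failed_logins": len(later),
                               "targets": sorted({f["host"] for f in later})})
                break  # one alert per source address is enough
    return alerts


def run_demo():
    events = [normalize(line) for line in FIREWALL_LINES + SSHD_LINES]
    return correlate([e for e in events if e])


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running `correlate` on only the firewall lines or only the sshd lines produces no alert; the combined stream does, which is the point the paragraph makes about overlaying events from different systems.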
What open-source SIEM systems are available
AlienVault OSSIM
AlienVault OSSIM is the open-source version of AlienVault USM, one of the leading commercial SIEM systems. OSSIM is a framework made up of several open-source projects, including the Snort network intrusion detection system, the Nagios network and host monitoring system, the OSSEC host-based intrusion detection system, and the OpenVAS vulnerability scanner.
Devices are monitored with the AlienVault Agent, which sends logs from the host in syslog format to the GELF platform. Alternatively, plugins can be used for integration with third-party services such as the Cloudflare reverse-proxy service for web sites or the Okta multi-factor authentication system.
Unlike OSSIM, the USM version has enhanced capabilities for log management, cloud infrastructure monitoring, automation, up-to-date threat intelligence, and visualization.
Advantages
- Built on proven open-source projects.
- A large community of users and developers.
Limitations
- Monitoring of cloud platforms (such as AWS or Azure) is not supported.
- No log management, visualization, automation, or integration with third-party services.
MozDef (Mozilla Defense Platform)
The MozDef SIEM system, developed by Mozilla, is used to automate the security incident handling process. The system was designed from scratch for maximum performance, scalability and fault tolerance using a microservice architecture, with each service running in a Docker container.
Like OSSIM, MozDef is built on proven open-source projects: Elasticsearch as the log indexing and search module, the Meteor platform for building a flexible web interface, and a Kibana plugin for visualization.
Event correlation and alerting are performed with Elasticsearch queries, which lets you write your own event-processing and alert rules in Python. According to Mozilla, MozDef can process more than 300 million events per day. MozDef accepts events only in JSON format, but it has integrations with third-party services.
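The paragraph above describes rules as Elasticsearch queries over JSON-only events. As an added example (not MozDef's own code), the Python below shows that shape: events arrive as JSON lines, a rule is written as a small Elasticsearch-style query with a threshold on an aggregation field, and a toy local evaluator of the `term`, `exists`, `range` and `bool` clauses stands in for Elasticsearch so the example runs offline. The field names (`details.sourceipaddress`, `utctimestamp`) and the sample events are constructed for the example.

```python
import json
import operator
from collections import Counter

# Constructed events in the flat JSON shape a JSON-only SIEM ingests
# (sample data written for this example, not captured MozDef events).
RAW_EVENTS = """
{"utctimestamp": "2024-03-10T12:00:40Z", "category": "authentication", "hostname": "web1", "details": {"success": false, "username": "root", "sourceipaddress": "203.0.113.7"}}
{"utctimestamp": "2024-03-10T12:00:43Z", "category": "authentication", "hostname": "web1", "details": {"success": false, "username": "root", "sourceipaddress": "203.0.113.7"}}
{"utctimestamp": "2024-03-10T12:00:51Z", "category": "authentication", "hostname": "db1", "details": {"success": false, "username": "admin", "sourceipaddress": "203.0.113.7"}}
{"utctimestamp": "2024-03-10T12:01:10Z", "category": "authentication", "hostname": "web1", "details": {"success": true, "username": "alice", "sourceipaddress": "198.51.100.9"}}
{"utctimestamp": "2024-03-10T11:20:00Z", "category": "authentication", "hostname": "web2", "details": {"success": false, "username": "root", "sourceipaddress": "192.0.2.44"}}
{"utctimestamp": "2024-03-10T12:01:30Z", "category": "syslog", "hostname": "web1", "summary": "cron job finished"}
""".strip().splitlines()

RANGE_OPS = {"gte": operator.ge, "gt": operator.gt, "lte": operator.le, "lt": operator.lt}


def load_events(lines):
    """A JSON-only pipeline: every line must parse as a JSON object or it is rejected."""
    events = []
    for line in lines:
        doc = json.loads(line)
        if not isinstance(doc, dict):
            raise ValueError("event is not a JSON object")
        events.append(doc)
    return events


def get_field(doc, dotted):
    """Resolve 'details.username' style paths; None when any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(clause, doc):
    """Evaluate a small subset of the Elasticsearch query DSL (term, exists, range, bool)
    against one document. This is a local toy evaluator for illustration, not Elasticsearch."""
    kind, body = next(iter(clause.items()))
    if kind == "term":
        field, value = next(iter(body.items()))
        return get_field(doc, field) == value
    if kind == "exists":
        return get_field(doc, body["field"]) is not None
    if kind == "range":
        field, bounds = next(iter(body.items()))
        value = get_field(doc, field)
        # ISO-8601 UTC timestamps compare correctly as strings, so no parsing is needed here.
        return value is not None and all(RANGE_OPS[op](value, limit) for op, limit in bounds.items())
    if kind == "bool":
        must_ok = all(matches(c, doc) for c in body.get("must", []))
        none_forbidden = not any(matches(c, doc) for c in body.get("must_not", []))
        should = body.get("should", [])
        should_ok = not should or any(matches(c, doc) for c in should)
        return must_ok and none_forbidden and should_ok
    raise ValueError(f"unsupported clause: {kind}")


class AlertRule:
    """A rule is a query plus a threshold on how many hits share one aggregation field."""

    def __init__(self, name, query, aggregate_by, threshold):
        self.name, self.query, self.aggregate_by, self.threshold = name, query, aggregate_by, threshold

    def run(self, events):
        hits = [e for e in events if matches(self.query, e)]
        counts = Counter(get_field(e, self.aggregate_by) for e in hits)
        alerts = []
        for key, n in counts.items():
            if n >= self.threshold:
                hosts = sorted({e["hostname"] for e in hits if get_field(e, self.aggregate_by) == key})
                alerts.append({"rule": self.name, self.aggregate_by: key, "count": n, "hosts": hosts})
        return alerts


def failed_login_rule(since, threshold=3):
    """Alert on `threshold` or more failed logins from one source address since `since` (ISO-8601 UTC)."""
    query = {"bool": {
        "must": [
            {"term": {"category": "authentication"}},
            {"term": {"details.success": False}},
            {"range": {"utctimestamp": {"gte": since}}},
        ],
        "must_not": [{"term": {"details.username": "healthcheck"}}],
    }}
    return AlertRule("failed_login_burst", query, "details.sourceipaddress", threshold)


def run_demo():
    events = load_events(RAW_EVENTS)
    return failed_login_rule("2024-03-10T11:30:00Z").run(events)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keeping the rule as a query dictionary rather than as Python conditionals is what makes it portable: the same structure can be sent to a real Elasticsearch index once the local evaluator is no longer needed.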
Advantages
- Does not use agents; works with standard JSON logs.
- Easy to extend thanks to the microservice architecture.
- Supports cloud service data sources such as AWS CloudTrail and GuardDuty.
Limitations
- A new system that is not yet established.
Wazuh
Wazuh is one of the most popular open-source SIEMs. It began as a fork of OSSEC and has since become a solution in its own right, with new features, bug fixes and an optimized architecture.
The system is built on the Elastic Stack (Elasticsearch, Logstash, Kibana) and supports both agent-based data collection and ingestion of system logs. This makes it effective for monitoring devices on which a log-producing agent cannot be installed (network devices, printers, peripherals).
Wazuh supports existing OSSEC agents and provides guidance on migrating from OSSEC to Wazuh. Although OSSEC is still actively supported, Wazuh is regarded as the continuation of OSSEC thanks to its new web interface, REST API, a more complete rule set, and many other improvements.
Advantages
- Based on, and compatible with, the popular OSSEC SIEM.
- Supports a variety of installation options: Docker, Puppet, Chef, Ansible.
- Supports monitoring of cloud services such as AWS and Azure.
- Includes a comprehensive set of rules for detecting multiple types of attacks, which can be mapped to PCI DSS v3.1 and CIS.
- Integrates with the Splunk log storage and analysis system for event visualization and API support.
Limitations
- Complex architecture: a full Elastic Stack deployment is required in addition to the Wazuh back-end components.
Prelude OSS
Prelude OSS is the open-source version of the commercial Prelude SIEM developed by the French company CS. The solution is a flexible, modular SIEM system that supports multiple log formats and integrates with third-party tools such as OSSEC, Snort, and the Suricata network detection system.
Each event is normalized into a message in IDMEF format, which simplifies data exchange with other systems. But there is a catch: compared with the commercial version of Prelude SIEM, Prelude OSS is very limited in performance and functionality, and is intended more for small projects or for studying SIEM solutions and evaluating Prelude SIEM.
Advantages
- A proven system, under development since 1998.
- Supports a variety of log formats.
- Normalizes data to the IDMEF format, making it easy to forward data to other security systems.
Limitations
- Significantly limited in functionality and performance compared with other open-source SIEM systems.
Sagan
Sagan is a high-performance SIEM that emphasizes compatibility with Snort. In addition to supporting rules written for Snort, Sagan can write to Snort databases and can be used with the Sguil interface. Essentially, it is a lightweight, multi-threaded solution that remains familiar to Snort users while offering new capabilities.
Advantages
- Full compatibility with Snort databases, rules and user interfaces.
- High performance thanks to a multi-threaded architecture.
Limitations
- A relatively young project with a small community.
- A complex installation process that builds the entire SIEM from source.
Summary
Each of the SIEM systems described here has its own characteristics and limitations, so none of them can be called a universal solution for every organization. However, because these solutions are open source, they can be deployed, tested and evaluated without excessive cost.
Source: habr.com