Not long ago, Splunk added another licensing model, namely infrastructure-based licensing (
It looks scary, but sometimes an architecture like this does run in production. Complexity kills security, and in general it kills everything. In fact, for cases like this (we are talking about reducing the cost of ownership) there is a whole class of systems called Central Log Management (CLM). Regarding this:
- Use CLM capabilities and tools when you have budget and staffing constraints, security monitoring requirements, and specific use-case requirements.
- Implement CLM to strengthen log collection and analysis capabilities when a SIEM solution turns out to be too expensive or too complex.
- Invest in CLM tools with efficient storage, fast search and flexible visualization to improve the investigation and analysis of security incidents and to support threat hunting.
- Before implementing a CLM solution, make sure the applicable factors and considerations have been taken into account.
In this article we discuss the difference between the licensing approaches, make sense of CLM, and describe a specific system of this class.
At the beginning of this article I described the new approach to Splunk licensing. The license types can be compared to car rental rates. Imagine that the model based on the number of CPUs is an economy car with unlimited mileage and fuel. You can go anywhere with no distance limit, but you cannot drive very fast, so you will not cover many kilometers in a day. Data licensing resembles a sports car with a daily mileage model. You can drive long distances recklessly, but if you exceed the daily mileage limit you will have to pay an extra fee.
To benefit from load-based licensing, the ratio of CPU cores to gigabytes of loaded data must be as low as possible. In practice, this means something like:
- The smallest possible number of queries against the loaded data.
- The smallest possible number of users of the solution.
- Data that is as simple and normalized as possible (so that no CPU cycles have to be wasted on subsequent data processing and analysis).
The most problematic item here is normalized data. If you want the SIEM to be the aggregator for all logs in the organization, parsing and post-processing require an enormous amount of effort. Do not forget that you also need to think about an architecture that will not collapse under load: additional servers, and therefore additional processors, will be required.
Data-volume licensing is based on the amount of data sent into the SIEM's maw. Every additional data source is punished in rubles (or another currency), which makes you think about the things you never really wanted to collect anyway. To outsmart this licensing model, you can trim the data before it is inserted into the SIEM system. Elastic Stack and some other commercial SIEMs are examples of this kind of normalization before ingestion.
As a result, infrastructure-based licensing is effective when you only need to collect specific data with minimal preprocessing, while volume-based licensing will not let you collect everything. Searching for an intermediate solution leads to the following criteria:
- Simplify data aggregation and normalization.
- Filter out noisy and low-importance data.
- Provide analysis capabilities.
- Send the filtered and normalized data to the SIEM.
As a result, the target SIEM system no longer has to waste additional CPU power on processing, and you gain the ability to single out only the most important events without losing visibility into what is happening.
Ideally, such a middleware solution should also provide real-time detection and response capabilities that can be used to reduce the impact of potentially dangerous activity and to aggregate the entire stream of events into a useful, simple quantum of data for the SIEM. The SIEM can then be used to build additional aggregation, correlation and alerting processes.
This most mysterious intermediate solution is nothing other than the CLM mentioned at the beginning of the article. Here is how Gartner sees it:
Now let's check how InTrust measures up to Gartner's recommendations:
- Efficient storage for the volume and types of data that need to be retained.
- High search speed.
- Visualization is not a requirement for basic CLM, but threat hunting is something like a BI system for security and data analysis.
- Data enrichment: augmenting raw data with useful context data (such as geolocation).
Quest InTrust uses its own storage system with up to 40:1 data compression and high-speed deduplication, which reduces the storage overhead for CLM and SIEM systems.
Screenshot: IT Security Search console with Google-like search
The specialized web-based IT Security Search (ITSS) module can connect to the event data in the InTrust repository and provides a simple interface for hunting threats. The interface is simplified to the point that it works like Google for event log data. ITSS uses timelines for query results and can merge and group event fields, which makes it an effective aid to threat hunting.
InTrust enriches Windows events with security identifiers, file names and security logon identifiers. InTrust also normalizes events into a simple W6 schema (Who, What, Where, When, Whom and Where From), so that data from different sources (native Windows events, Linux logs or syslog) can be viewed in a single format on a single search console.
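As an added example, not InTrust's code and not from the original article, the Python below sketches the pre-ingestion stage the criteria above describe (simplify aggregation and normalization, filter out noise, forward the rest): it normalizes constructed native Windows events and syslog lines into a W6-style record (who, what, where, when, whom, where from), drops whatever an assumed noise policy marks as low value, and emits one compact JSON line per kept event for the SIEM. Event IDs 4624, 4688 and 5156 carry their standard Windows meanings; the field mappings, the noise policy and every sample event are assumptions made for this example.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Hypothetical pre-ingestion stage: normalize heterogeneous events into a
# W6-style record, drop noise, and emit compact JSON lines for the SIEM.
# Every event below is constructed for this example, not captured data.
WINDOWS_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:00:01Z", "Computer": "WS01",
     "SubjectUserName": "-", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 5156, "TimeCreated": "2024-03-01T08:00:02Z", "Computer": "WS01",
     "Application": "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe",
     "SourceAddress": "10.0.0.5"},
    {"EventID": 4688, "TimeCreated": "2024-03-01T08:00:05Z", "Computer": "WS01",
     "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]
SYSLOG_LINES = [
    "<86>Mar  1 08:00:03 srv01 sshd[1234]: Accepted publickey for bob from 10.0.0.9 port 51234 ssh2",
    "<30>Mar  1 08:00:04 srv01 cron[555]: (root) CMD (run-parts /etc/cron.hourly)",
    "<86>Mar  1 08:00:07 srv01 sudo[1300]: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls",
]
WINDOWS_WHAT = {4624: "logon", 4688: "process created", 5156: "network connection allowed"}
# Assumed noise policy: Filtering Platform "connection allowed" events (5156)
# and cron job launches carry little security value for this pipeline.
NOISY_WINDOWS_IDS = {5156}
NOISY_SYSLOG_PROGRAMS = {"cron"}


@dataclass
class W6:
    """Who did What, Where, When, to Whom, and from Where."""
    who: Optional[str]
    what: str
    where: str
    when: str
    whom: Optional[str] = None
    where_from: Optional[str] = None
    kind: str = ""  # "win:<EventID>" or "syslog:<program>", used by the noise filter


def normalize_windows(ev: dict) -> W6:
    eid = ev["EventID"]
    what = f"{eid} {WINDOWS_WHAT.get(eid, 'unknown event')}"
    if eid == 4688:
        what += f": {ev.get('NewProcessName', '')}"
    subject = ev.get("SubjectUserName")
    return W6(who=None if subject in (None, "-") else subject, what=what,
              where=ev["Computer"], when=ev["TimeCreated"], whom=ev.get("TargetUserName"),
              where_from=ev.get("IpAddress") or ev.get("SourceAddress"), kind=f"win:{eid}")


SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+)")


def normalize_syslog(line: str) -> W6:
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    msg, who, whom, where_from = m["msg"], None, None, None
    ssh, sudo = SSH_RE.search(msg), SUDO_RE.match(msg)
    if ssh:                      # "Accepted ... for <user> from <ip>"
        who, where_from = ssh["user"], ssh["ip"]
    elif sudo:                   # "<user> : ... USER=<target> ..."
        who, whom = sudo["user"], sudo["target"]
    return W6(who=who, what=f"{m['prog']}: {msg}", where=m["host"], when=m["ts"],
              whom=whom, where_from=where_from, kind=f"syslog:{m['prog']}")


def is_noise(rec: W6) -> bool:
    src, _, name = rec.kind.partition(":")
    return int(name) in NOISY_WINDOWS_IDS if src == "win" else name in NOISY_SYSLOG_PROGRAMS


def run_pipeline(windows_events, syslog_lines):
    """Normalize everything, drop noise, return (kept records, dropped count)."""
    records = [normalize_windows(e) for e in windows_events]
    records += [normalize_syslog(line) for line in syslog_lines]
    kept = [r for r in records if not is_noise(r)]
    return kept, len(records) - len(kept)


def to_siem_lines(records) -> list:
    """One compact JSON object per line, the form a forwarder would ship."""
    return [json.dumps(asdict(r), sort_keys=True) for r in records]


if __name__ == "__main__":
    kept, dropped = run_pipeline(WINDOWS_EVENTS, SYSLOG_LINES)
    print(f"forwarding {len(kept)} of {len(kept) + dropped} events ({dropped} dropped as noise)")
    print("\n".join(to_siem_lines(kept)))
```

The point of the `kind` field is that the noise decision is made on the normalized record rather than on each raw format, so one policy table covers every source; the SIEM then receives only the four remaining records, each already carrying the same six fields regardless of whether it came from a Windows collector or a Linux syslog forwarder.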
InTrust supports real-time alerting, detection and response capabilities that can be used as an EDR-like system to minimize the damage caused by suspicious activity. The built-in security rules detect the following threats, among others:
- Password spraying.
- Kerberoasting.
- Suspicious PowerShell activity, such as running Mimikatz.
- Suspicious processes (such as LockerGoga ransomware).
- Encryption using CA4FS logs.
- Logons with privileged accounts on workstations.
- Password-guessing attacks.
- Suspicious use of local user groups.
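Two of the rule classes above, password spraying and password guessing, both come down to counting failed logons in a sliding time window; the difference is the grouping key (many accounts from one source versus many attempts against one account). The detector below is an added example in Python, not one of InTrust's rules and not from the original article. Its input is constructed failed-logon records expressed in W6 terms (`whom` is the account that failed to log on, `where_from` the source address), and the window and thresholds are assumed values that a team would tune against its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical detector for two of the rule classes listed above. Thresholds
# and the sample events are assumptions for this example, not InTrust settings.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5       # distinct accounts failing from ONE source -> spraying
GUESS_MIN_ATTEMPTS = 6    # failures against ONE account -> password guessing


def _ev(when, where_from, whom):
    """Constructed failed-logon event (Windows 4625) in W6 form."""
    return {"what": "4625 logon failed", "when": when, "where_from": where_from, "whom": whom}


_BASE = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_FAILED_LOGONS = (
    # one source, one try each against many accounts: the spraying pattern
    [_ev(_BASE + timedelta(seconds=10 * i), "10.0.0.66", u)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # one source hammering a single service account: the guessing pattern
    + [_ev(_BASE + timedelta(minutes=5, seconds=15 * i), "10.0.0.7", "svc_backup")
       for i in range(8)]
    # background: an ordinary typo, and a failure well outside the window
    + [_ev(_BASE - timedelta(minutes=1), "10.0.0.5", "alice"),
       _ev(_BASE + timedelta(minutes=20), "10.0.0.5", "bob")]
)


def _expire(entries, now, window):
    """Drop entries older than `window` relative to `now` (sliding window)."""
    while entries and now - entries[0][0] > window:
        entries.popleft()


def detect(events, window=WINDOW, spray_min_users=SPRAY_MIN_USERS,
           guess_min_attempts=GUESS_MIN_ATTEMPTS):
    """Return alerts in chronological order; each (type, key) fires once."""
    by_source = defaultdict(deque)   # source ip -> [(when, account)]
    by_account = defaultdict(deque)  # account   -> [(when, source ip)]
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["when"]):
        when, src, acct = ev["when"], ev["where_from"], ev["whom"]
        by_source[src].append((when, acct))
        by_account[acct].append((when, src))
        _expire(by_source[src], when, window)
        _expire(by_account[acct], when, window)

        distinct = {a for _, a in by_source[src]}
        if len(distinct) >= spray_min_users and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append({"type": "password_spraying", "source": src,
                           "distinct_users": len(distinct), "at": when.isoformat()})

        attempts = len(by_account[acct])
        if attempts >= guess_min_attempts and ("guess", acct) not in fired:
            fired.add(("guess", acct))
            alerts.append({"type": "password_guessing", "target_user": acct,
                           "attempts": attempts,
                           "sources": sorted({s for _, s in by_account[acct]}),
                           "at": when.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FAILED_LOGONS):
        print(alert)
```

On the sample data the spraying alert fires at the fifth distinct account from 10.0.0.66 and the guessing alert at the sixth failure against svc_backup, while the two background failures never cross a threshold. Firing once per key keeps a long-running attack from flooding the SIEM with one alert per event, which is exactly the kind of reduction the intermediate layer is meant to provide; the alert record is also the natural hook for the response actions (such as blocking the account) mentioned later in the article.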
Now I will show you a few screenshots of InTrust itself so you can get an impression of its capabilities.
Screenshot: Predefined filters for searching for potential vulnerabilities
Screenshot: Example of a set of filters for collecting raw data
Screenshot: Example of using regular expressions to create a reaction to an event
Screenshot: Example of a PowerShell vulnerability search rule
Screenshot: Built-in knowledge base with vulnerability descriptions
InTrust is a powerful tool that can be used as a standalone solution or as part of a SIEM system, as described above. Probably the main advantage of this solution is that you can start using it right after installation: InTrust ships with a large library of rules for detecting threats and responding to them (for example, by blocking a user).
This article has not covered the out-of-the-box integrations. However, right after installation InTrust can be configured to send events to Splunk, IBM QRadar or Micro Focus ArcSight, or to other systems via a webhook. Below is an example of the Kibana interface with events from InTrust. Integration with Elastic Stack already exists, and if you use the free version of Elastic, InTrust can serve as the tool for identifying threats, running proactive alerts and sending notifications.
I hope this article has given you at least a basic understanding of this product. We are ready to provide InTrust for testing or for a pilot project. You can leave a request.
Read the other articles on information security as well.
Source: habr.com