5 open-source security event management systems


How does a good IT security specialist differ from an average one? No, not by being able to recite from memory how many messages the boss, Igor, sent yesterday to his colleague Maria. A good security specialist tries to identify potential problems in advance and catch them in real time, making sure that an incident in progress does not escalate. Security event management systems (SIEM, from Security Information and Event Management) are a great help in quickly recording and preventing any breach.

Traditionally, SIEM systems combine security information management and security event management. The key feature of these systems is the analysis of security events in real time, which lets you respond to them before real damage is done.

Main functions of a SIEM system:

  • Data collection and normalization
  • Data correlation
  • Alerting
  • Visualization dashboards
  • Organization of data storage
  • Data search and analysis
  • Reporting

Reasons for the high demand for SIEM systems

Recently, the complexity and coordination of attacks on information systems have grown significantly. At the same time, the set of information security tools in use is also becoming more complex: network and host intrusion detection systems, DLP systems, antivirus and firewalls, vulnerability scanners, and so on. Each security tool produces its own stream of events with a different level of detail, and often an attack can only be seen by correlating events from several different systems.

A lot has been written about all kinds of commercial SIEM systems, but here we offer an overview of free, fully open-source SIEM systems that have no restrictions on the number of users or the amount of data received and stored, and that are easy to extend and support. We hope this will help you assess the capabilities of such systems and decide whether such solutions deserve a place in your company's business processes.

AlienVault OSSIM


AlienVault OSSIM is the open-source version of AlienVault USM, one of the leading commercial SIEM products. OSSIM is a framework that bundles several open-source projects, including the Snort network intrusion detection system, the Nagios network and host monitoring system, the OSSEC host-based intrusion detection system, and the OpenVAS vulnerability scanner.

Devices are monitored with the AlienVault Agent, which sends logs from the host in syslog format to the GELF platform; alternatively, a plugin can be used to integrate with third-party services such as the Cloudflare reverse proxy service or the Okta multi-factor authentication system.

The USM version differs from OSSIM in that it adds log management functionality, cloud infrastructure monitoring, automation, and updated threat intelligence and visualization.

Advantages

  • Built on proven open-source projects;
  • Large community of users and developers.

Disadvantages

  • Does not support monitoring of cloud platforms (for example, AWS or Azure);
  • No log management, visualization, automation, or integration with third-party services.


MozDef (Mozilla Defense Platform)


The MozDef SIEM system, developed by Mozilla, is used to manage security incidents. The system is designed from the ground up for maximum performance, scalability and fault tolerance, with a microservice architecture: each service runs in its own Docker container.

Like OSSIM, MozDef is built on time-tested open-source projects, including the Elasticsearch indexing and search module, the Meteor platform for building a flexible web interface, and the Kibana plugin for visualization and charting.

Event correlation and alerting are performed with Elasticsearch queries, which let you write your own processing and alerting rules in Python. According to Mozilla, MozDef can process more than 300 million events per day. MozDef accepts events only in JSON format, but integrations with third-party services exist.
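To make the correlation-and-alerting idea concrete, here is an added example (not MozDef's own alert API, and not code from the original article) of a Python rule that scans JSON-formatted authentication events and raises an alert when one source address produces too many failed logins inside a time window. The event shape, field names and sample data are all constructed for this example.

```python
"""Constructed SIEM-style correlation rule over JSON events (hypothetical, not MozDef's API)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, ok, src, user):
    # Helper that builds one constructed authentication event in JSON-like form.
    return {"timestamp": ts, "category": "authentication",
            "details": {"success": ok, "sourceipaddress": src, "username": user}}


# Constructed sample stream: six failures from one address within a minute,
# one later success from it, two far-apart failures from another address,
# and one unrelated syslog event that the rule must ignore.
SAMPLE_EVENTS = [_ev(f"2024-01-01T10:00:{s:02d}", False, "203.0.113.5", "alice")
                 for s in (0, 10, 20, 30, 40, 50)]
SAMPLE_EVENTS += [
    _ev("2024-01-01T10:01:00", True, "203.0.113.5", "alice"),
    _ev("2024-01-01T10:00:05", False, "198.51.100.7", "bob"),
    _ev("2024-01-01T10:30:00", False, "198.51.100.7", "bob"),
    {"timestamp": "2024-01-01T10:00:07", "category": "syslog", "details": {}},
]


def failed_logins_by_source(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per source address that has >= threshold failed
    authentication events inside any span of length `window`."""
    per_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):  # ISO-8601 sorts lexically
        d = ev.get("details", {})
        if ev.get("category") != "authentication" or d.get("success", True):
            continue  # not an authentication failure
        per_src[d["sourceipaddress"]].append(datetime.fromisoformat(ev["timestamp"]))

    alerts = []
    for src, times in per_src.items():
        start = 0  # sliding window over the sorted failure timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"severity": "WARNING", "source": src, "count": count,
                               "summary": f"{count} failed logins from {src} within {window}"})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in failed_logins_by_source(SAMPLE_EVENTS):
        print(alert["summary"])
```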

Advantages

  • Does not use agents; works with JSON logs;
  • Scales easily thanks to the microservice architecture;
  • Supports cloud data sources, including AWS CloudTrail and GuardDuty.

Disadvantages

  • A new and still maturing system.


Wazuh


Wazuh started out as a fork of OSSEC, one of the most popular open-source SIEMs, and is now a separate solution with new functionality, bug fixes and an optimized architecture.

The system is built on the Elastic Stack (Elasticsearch, Logstash, Kibana) and supports data collection both through agents and through syslog input. This makes it useful for monitoring devices that generate logs but cannot have an agent installed: network equipment, printers and peripherals.

Wazuh supports existing OSSEC agents and also provides a guide for migrating from OSSEC to Wazuh. Although OSSEC is still actively used, Wazuh is regarded as the continuation of OSSEC because it adds a new web interface, a REST API, a complete rule set, and many other extensions.

Advantages

  • Based on and compatible with the popular OSSEC SIEM;
  • Supports several installation options: Docker, Puppet, Chef, Ansible;
  • Supports monitoring of cloud services, including AWS and Azure;
  • Includes a complete rule set for detecting many types of attacks and lets you check them against PCI DSS v3.1 and CIS;
  • Integrates with the Splunk log storage and analysis system for event visualization, with API support.

Disadvantages

  • Complex architecture: requires a full Elastic Stack deployment in addition to the Wazuh backend components.


Prelude OSS


Prelude OSS is the open-source version of Prelude SIEM, developed by the French company CS. The solution is a flexible, modular SIEM that supports many log formats and integrates with third-party tools such as OSSEC, Snort and the Suricata network intrusion detection system.

Every event is normalized into a message in the IDMEF format, which simplifies data exchange with other systems. But there is a fly in the ointment: Prelude OSS is very limited in performance and functionality compared to the commercial version, Prelude SIEM, and is intended mainly for small projects or for studying SIEM solutions and evaluating Prelude SIEM.

Advantages

  • Time-tested solution, developed since 1998;
  • Supports many different log formats;
  • Normalizes data into the IDMEF format, making it easy to pass data on to other security systems.

Disadvantages

  • Very limited in performance and functionality compared to other open-source SIEM systems.


Sagan


Sagan is a high-performance SIEM that emphasizes compatibility with Snort. Besides supporting rules written for Snort, Sagan can write to the Snort database and can be used with the Sguil interface. Essentially, it is a lightweight multi-threaded solution that brings new functionality while staying familiar to Snort users.

Advantages

  • Fully compatible with the Snort database, rules and user interfaces;
  • Multi-threaded architecture delivers high performance.

Disadvantages

  • A young project with a small community;
  • Complex installation process that involves building the entire SIEM from source.


Conclusion

Each of the SIEM systems described has its own strengths and shortcomings, so none of them can be called a universal solution for every organization. However, these solutions are open source, which allows them to be deployed, tested and evaluated without significant expense.


Source: www.habr.com