How to reduce the total cost of ownership of a SIEM system and why you need Central Log Management (CLM)

Not long ago, Splunk added yet another licensing model: infrastructure-based licensing (there are now three). It counts the number of CPU cores under the Splunk servers. This is very similar to Elastic Stack licensing, which counts the number of Elasticsearch nodes. SIEM systems are expensive, and usually the choice is between paying a lot and paying a lot. But if you use some ingenuity, you can put together a comparable setup.


It may seem odd, but sometimes such a setup works in production. Complexity kills security, and, in general, kills everything. In fact, for exactly this case (I am talking about reducing the cost of ownership) there is a whole class of systems: Central Log Management (CLM). Gartner writes about it and considers it an undervalued solution. Here are their recommendations:

  • Use CLM capabilities and tools when there are budget and staffing constraints, security monitoring requirements, and specific use-case needs.
  • Invest in CLM to improve collection and analysis capabilities when a SIEM solution proves too expensive or too complex.
  • Invest in CLM tools with efficient storage, fast search and flexible visualization to improve security investigation/analysis and to support threat hunting.
  • Make sure that the applicable factors and considerations have been taken into account before implementing a CLM solution.

In this article we will discuss the differences between licensing approaches, get a feel for CLM, and talk about a specific system of this class: Quest InTrust. Details under the cut.

At the beginning of the article I mentioned Splunk's new licensing approach. The licensing models can be compared to car rental rates. Imagine that the model based on the number of CPUs is an economy car with unlimited mileage and fuel. You can drive anywhere with no distance limit, but you cannot go very fast and, accordingly, cannot cover many kilometers a day. The data-volume license is like a sports car with a daily mileage allowance. You can drive long distances as recklessly as you like, but you will have to pay extra to exceed the daily limit.


To benefit from a load-based license, you need the lowest possible ratio of CPU cores to gigabytes of ingested data. In practice this means things like:

  • The smallest possible number of queries against the ingested data.
  • The smallest possible number of users of the solution.
  • Data that is as simple and as normalized as possible (so that there is no reason to burn CPU on subsequent processing and parsing of the data).

The most problematic item here is normalized data. If you want the SIEM to be the aggregator of all logs in the organization, it takes enormous effort in parsing and post-processing. Don't forget that you also have to think about an architecture that won't collapse under load, i.e. additional servers, and therefore additional processors, will be needed.

Data-volume licensing is based on the amount of data sent into the maw of the SIEM. Additional data sources are penalized in rubles (or another currency), and this makes you think hard about what you really didn't want to collect. To outwit this licensing model, you can trim the data before it is injected into the SIEM system. One example of such normalization before injection is Elastic Stack, along with some other commercial SIEMs.

As a result, we have infrastructure-based licensing, which is effective only when you need to collect just the necessary data with minimal processing, and volume-based licensing, which does not let you collect everything at all. The search for a middle-ground solution leads to the following criteria:

  • Simplify data collection and normalization.
  • Filter out noisy and least-relevant data.
  • Provide analytics capabilities.
  • Send the filtered and normalized data to the SIEM.

As a result, the target SIEM systems will not have to spend additional CPU power on processing and can benefit from identifying only the most important events, without reducing visibility into what is happening.

Ideally, such a middleware solution should also provide real-time detection and response capabilities that can be used to reduce the impact of potentially dangerous activity, and aggregate the entire event stream into a useful and convenient quantum of data for the SIEM. Well, and then the SIEM can be used for additional aggregation, correlation and alerting.

This mysterious middleware solution is none other than CLM, which I mentioned at the beginning of the article. This is how Gartner sees it:

[Image: Gartner's view of CLM]

Now let's try to see how InTrust matches Gartner's recommendations:

  • Efficient storage for the volumes and types of data that need to be retained.
  • High search speed.
  • Visualization is not a core CLM requirement, but threat hunting works like a BI system for security and data analysis.
  • Data enrichment, so that raw data is enriched with useful context (such as geolocation and more).

Quest InTrust uses its own storage with up to 40:1 data compression and high-speed indexing, which reduces storage consumption for both the CLM and the SIEM systems.

[Image: IT Security Search console with Google-like search]

A dedicated web-based module, IT Security Search (ITSS), can connect to the event data in the InTrust repository and provides a simple interface for hunting threats. The interface is simplified to the point that it works like Google for event log data. ITSS uses a timeline for query results, can merge and group event fields, and effectively supports threat hunting.

InTrust enriches Windows events with security identifiers, file names and security logon identifiers. InTrust also normalizes events into a simple W6 schema (Who, What, Where, When, Whom and Where from), so that data from different sources (Windows events, Linux logs or syslog) can be viewed in a single format and in a single search console.
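To make the "normalize, filter noise, forward to the SIEM" idea from the licensing discussion and the W6 schema above concrete, here is an added example that is not InTrust code and not from the original article. It maps constructed Windows Security records and constructed sshd syslog lines into an assumed six-field W6 layout, and applies an assumed noise policy (logoffs and machine-account logons are kept in CLM storage but not forwarded) so that only the remaining events count against a volume-licensed SIEM.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class W6Event:
    """Who / What / Where / When / Whom / Where-from (assumed field names)."""
    who: str
    what: str
    where: str
    when: str
    whom: str
    where_from: str

# Constructed sample records, as a Windows Security event collector might hand them over.
WINDOWS_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TimeCreated": "2024-05-01T08:00:00Z",
     "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4634, "Computer": "WS01", "TimeCreated": "2024-05-01T08:30:00Z",
     "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4624, "Computer": "WS01", "TimeCreated": "2024-05-01T08:31:00Z",
     "TargetUserName": "WS01$", "IpAddress": "-"},
]
# Constructed sshd syslog lines from a Linux host.
SYSLOG_LINES = [
    "May  1 08:02:11 srv01 sshd[2231]: Accepted password for bob from 10.0.0.7 port 51022 ssh2",
    "May  1 08:02:15 srv01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2",
]
SSHD_RE = re.compile(r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_ACTIONS = {4624: "logon", 4625: "logon_failed", 4634: "logoff"}

def from_windows(ev: dict) -> W6Event:
    action = WIN_ACTIONS.get(ev["EventID"], f"event_{ev['EventID']}")
    return W6Event(who=ev["TargetUserName"], what=action, where=ev["Computer"],
                   when=ev["TimeCreated"], whom=ev["Computer"], where_from=ev.get("IpAddress", "-"))

def from_syslog(line: str) -> Optional[W6Event]:
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed lines stay in raw CLM storage only
    action = "logon" if m["result"] == "Accepted" else "logon_failed"
    return W6Event(who=m["user"], what=action, where=m["host"], when=m["when"],
                   whom=m["host"], where_from=m["ip"])

def is_noise(ev: W6Event) -> bool:
    # Assumed policy: logoffs and machine-account ('$') logons are not worth SIEM volume.
    return ev.what == "logoff" or ev.who.endswith("$")

def forward_to_siem(windows_events, syslog_lines):
    """Return (events to forward as dicts, total normalized count)."""
    normalized = [from_windows(e) for e in windows_events]
    normalized += [w for w in map(from_syslog, syslog_lines) if w]
    return [asdict(e) for e in normalized if not is_noise(e)], len(normalized)
```

Running `forward_to_siem(WINDOWS_EVENTS, SYSLOG_LINES)` on the constructed sample forwards 3 of the 5 events, all in one schema regardless of source.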

InTrust supports real-time alerting, detection and response capabilities that can be used like an EDR system to minimize the damage caused by suspicious activity. The built-in security rules detect, but are not limited to, the following threats:

  • Password spraying.
  • Kerberoasting.
  • Suspicious PowerShell activity, for example execution of Mimikatz.
  • Suspicious processes, for example LockerGoga ransomware.
  • Encryption detected via CA4FS logs.
  • Logons with a privileged account on workstations.
  • Password-guessing attacks.
  • Suspicious use of local user groups.

Now I'll show you a few screenshots of InTrust itself so you can get an idea of what it looks like.

[Image: Predefined filters for searching for potential vulnerabilities]

[Image: Example of a filter for collecting raw data]

[Image: Example of using regular expressions to respond to an event]

[Image: Example of a PowerShell threat-hunting rule]

[Image: Built-in documentation with a description of the vulnerabilities]

InTrust is a powerful tool that can be used as a standalone solution or as part of a SIEM system, as I described above. Perhaps the main advantage of this solution is that you can start using it right after installation, because InTrust ships with a large library of rules for detecting threats and responding to them (for example, by blocking a user).

In this article I did not cover the out-of-the-box integrations. But right after installation you can configure forwarding to Splunk, IBM QRadar, Microfocus ArcSight, or via webhook to any other system. Below is an example of a Kibana interface showing events from InTrust. Integration with Elastic Stack already exists, and if you use the free version of Elastic, InTrust can serve as the threat-detection tool, performing proactive alerting and sending notifications.

[Image: Kibana interface with events from InTrust]

I hope this article has given you at least a rough idea of this product. We are ready to provide InTrust for testing or to run a pilot project. Requests can be left in the feedback form on our website.

Read our other articles on information security:

Detecting a ransomware attack, gaining access to the domain controller and trying to resist these attacks

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the life cycle of users without pliers or duct tape

Who did it? We automate information security investigations

Source: www.habr.com
