5 open-source security event management systems

How does a good IT security specialist differ from an ordinary one? No, not by being able to recite from memory the number of the message that manager Igor sent yesterday to his colleague Maria. A good security specialist tries to identify possible breaches and catch them in real time, doing everything to make sure the incident does not continue. Security event management systems (SIEM, from Security Information and Event Management) greatly simplify the task of quickly recording and blocking any attempted breach.

Traditionally, SIEM systems combine a security information management system and a security event management system. An important feature of these products is the analysis of security events in real time, which lets you respond to them before damage is done.

Main functions of SIEM systems:

  • Data collection and normalization
  • Data correlation
  • Alerting
  • Visualization panels
  • Security data storage
  • Search and analysis
  • Reporting

Reasons for the high demand for SIEM systems

Recently, the complexity and coordination of attacks on information systems have grown considerably. At the same time, the set of information security tools in use is also becoming more complex: network and host-based intrusion detection systems, DLP systems, anti-virus systems and firewalls, vulnerability scanners, and so on. Each security tool produces a stream of events of varying detail, and often an attack can only be detected by cross-referencing events from different systems.

A great deal has been written about all kinds of commercial SIEM systems, but here we offer a short overview of free, fully featured open-source SIEM systems that have no artificial restrictions on the number of users or the volume of stored data received, and that are also easy to scale and well supported. We hope this will help you assess the capabilities of such systems and decide whether they are suitable for integration into your company's business processes.

AlienVault OSSIM

AlienVault OSSIM is the open-source version of AlienVault USM, one of the leading commercial SIEM systems. OSSIM is a framework made up of several open-source projects, including the Snort network intrusion detection system, the Nagios network and host monitoring system, the OSSEC host-based intrusion detection system, and the OpenVAS vulnerability scanner.

To monitor devices, the AlienVault Agent is used, which sends logs from the host in syslog format to the GELF platform; alternatively, a plugin can be used to integrate with third-party services such as the Cloudflare website reverse proxy service or the Okta multi-factor authentication system.

The USM version differs from OSSIM by its advanced log management functionality, cloud infrastructure monitoring, automation, and up-to-date threat intelligence and visualization.

Advantages

  • Built on proven open-source projects;
  • Large community of users and developers.

Disadvantages

  • Does not support monitoring of cloud platforms (for example, AWS or Azure);
  • No log management, visualization, automation or integration with third-party services.

MozDef (Mozilla Defense Platform)

The MozDef SIEM system, developed by Mozilla, is used to automate security incident handling processes. The system was designed from the ground up for maximum performance, scalability and fault tolerance, with a microservice architecture: each service runs in its own Docker container.

Like OSSIM, MozDef is built on time-tested open-source projects, including the Elasticsearch log indexing and search module, the Meteor platform for building a flexible web interface, and the Kibana plugin for visualization and charting.

Event correlation and alerting are performed using Elasticsearch queries, which lets you write your own event processing and alerting rules in Python. According to Mozilla, MozDef can process more than 300 million events per day. MozDef accepts events only in JSON format, but integrations with third-party services exist.
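The paragraph above describes the core SIEM pipeline listed earlier in this article (collection and normalization, correlation, alerting) and the idea of writing your own Python alerting rules. The following is an added example, not code from MozDef or any of the products reviewed here: it normalizes constructed syslog-style SSH lines into flat JSON-style events and runs a sliding-window correlation rule that raises an alert when one source address produces several authentication failures within a short window. The log lines, hostnames, addresses, the assumed log year and the rule name are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample syslog lines (not from any real host). Classic syslog
# timestamps carry no year, so one is assumed when parsing.
ASSUMED_YEAR = 2023

SAMPLE_LOGS = [
    "Mar  1 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  1 10:00:09 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar  1 10:00:15 web01 sshd[2205]: Accepted password for deploy from 198.51.100.20 port 40000 ssh2",
    "Mar  1 10:00:31 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51250 ssh2",
    "Mar  1 10:02:00 web01 sshd[2209]: Failed password for root from 198.51.100.20 port 40010 ssh2",
]

# Generic "Mon dd HH:MM:SS host program[pid]: message" syslog shape.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH password-authentication outcome lines.
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def normalize(line: str) -> Optional[dict]:
    """Normalization step: turn one raw syslog line into a flat event dict with
    a common field set. Returns None for lines the parser does not understand,
    which a real SIEM would count rather than silently drop."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"timestamp": ts, "host": m["host"], "program": m["prog"], "raw": line}
    s = SSH_RE.match(m["msg"])
    if s:
        event.update({
            "category": "authentication",
            "outcome": "failure" if s["outcome"] == "Failed" else "success",
            "user": s["user"],
            "src_ip": s["src"],
            "src_port": int(s["port"]),
        })
    return event


class FailedLoginRule:
    """Correlation step: alert when one source IP produces at least `threshold`
    authentication failures inside a sliding window of `window_seconds`.
    State for that source is cleared after alerting so one burst yields one alert."""

    def __init__(self, threshold: int = 3, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._failures = defaultdict(deque)  # src_ip -> timestamps of recent failures

    def process(self, event: dict) -> Optional[dict]:
        if event.get("category") != "authentication" or event.get("outcome") != "failure":
            return None
        q = self._failures[event["src_ip"]]
        q.append(event["timestamp"])
        # Drop failures that fell out of the window relative to the newest event.
        while q and event["timestamp"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            alert = {
                "rule": "ssh_password_bruteforce",  # constructed rule name
                "severity": "high",
                "src_ip": event["src_ip"],
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": event["timestamp"].isoformat(),
            }
            q.clear()
            return alert
        return None


def run_pipeline(lines, rule: Optional[FailedLoginRule] = None) -> dict:
    """Collection -> normalization -> correlation -> alert, over a list of raw lines."""
    rule = rule or FailedLoginRule()
    events, alerts, unparsed = [], [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
            continue
        events.append(ev)
        alert = rule.process(ev)
        if alert:
            alerts.append(alert)
    return {"events": events, "alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    print(f"{len(result['events'])} events, {result['unparsed']} unparsed")
    for a in result["alerts"]:
        print(a)
```

On the constructed sample, the three failures from 203.0.113.7 between 10:00:01 and 10:00:31 trigger one alert, while the single failure from 198.51.100.20 and the successful login do not. In a production rule the window and threshold are tuning knobs, and the `unparsed` counter is worth alerting on by itself, since a rising count usually means a log format changed and detections have gone blind.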

Advantages

  • Does not use agents: works with ordinary JSON logs;
  • Scales easily thanks to the microservice architecture;
  • Supports cloud service data sources, including AWS CloudTrail and GuardDuty.

Disadvantages

  • A new and less proven system.

Wazuh

Wazuh began its development as a fork of OSSEC, one of the most popular open-source SIEMs. It is now a distinct solution of its own, with new functionality, bug fixes and an optimized architecture.

The system is built on the Elastic Stack (Elasticsearch, Logstash, Kibana) and supports both agent-based data collection and system log ingestion. This makes it effective for monitoring devices that generate logs but do not support agent installation: network devices, printers and peripherals.

Wazuh supports existing OSSEC agents and even provides a guide for migrating from OSSEC to Wazuh. Although OSSEC is still actively maintained, Wazuh is regarded as the continuation of OSSEC thanks to the addition of a new web interface, a REST API, a more complete rule set, and many other improvements.

Advantages

  • Based on and compatible with the popular SIEM OSSEC;
  • Supports various deployment options: Docker, Puppet, Chef, Ansible;
  • Supports monitoring of cloud services, including AWS and Azure;
  • Includes a complete set of rules for detecting many types of attacks and lets you map them against PCI DSS v3.1 and CIS;
  • Integrates with the Splunk log storage and analysis system for event visualization and API support.

Disadvantages

  • Complex architecture: requires a full Elastic Stack deployment in addition to the Wazuh backend components.

Prelude OSS

Prelude OSS is the open-source version of the commercial Prelude SIEM, developed by the French company CS. The solution is a flexible, modular SIEM system that supports many log formats and integrates with third-party tools such as OSSEC, Snort and the Suricata network detection system.

Each event is normalized into a message in the IDMEF format, which simplifies data exchange with other systems. But there is a fly in the ointment: Prelude OSS is rather limited in performance and functionality compared to the commercial version of Prelude SIEM, and is intended mainly for small projects or for studying SIEM solutions and evaluating Prelude SIEM.

Advantages

  • Time-tested system, developed since 1998;
  • Supports many different log formats;
  • Normalizes data into the IDMEF format, making it easy to pass data on to other security systems.

Disadvantages

  • Significantly limited in functionality and performance compared to other open-source SIEM systems.

Sagan

Sagan is a high-performance SIEM that emphasizes compatibility with Snort. Beyond supporting rules written for Snort, Sagan can write to the Snort database and can be used with the Sguil interface. In effect, it is a lightweight multi-threaded solution that offers new features while remaining familiar to Snort users.

Advantages

  • Fully compatible with the Snort database, rules and user interface;
  • Multi-threaded architecture delivers high performance.

Disadvantages

  • A young project with a small community;
  • A complex installation process that involves building the entire SIEM from source.

Conclusion

Each of the SIEM systems described has its own characteristics and limitations, so none of them can be called a universal solution for any organization. However, these solutions are open source, which allows them to be deployed, tested and evaluated without incurring excessive costs.

Source: www.habr.com