How to reduce the cost of ownership of a SIEM system and why you need Central Log Management (CLM)

Not long ago, Splunk added another licensing model: infrastructure-based licensing (so there are now three). It counts the number of CPU cores on the Splunk servers. This is very similar to Elastic Stack licensing, which counts the number of Elasticsearch nodes. SIEM systems have always been expensive, and usually the choice is between paying a lot and paying a lot. But with a bit of ingenuity you can assemble a similar architecture.

[Figure: architecture diagram]

It looks scary, but sometimes this architecture does work in production. Complexity kills security and, in general, kills everything. In fact, for exactly such cases (I am talking about reducing the cost of ownership) there is a whole class of systems: Central Log Management (CLM). Gartner writes about it and considers it underrated. Here are their recommendations:

  • Use CLM capabilities and tools when there are budget and staffing constraints, security monitoring requirements, and specific use-case requirements.
  • Deploy CLM to extend log collection and analysis capabilities when a SIEM solution proves too expensive or too complex.
  • Invest in CLM tools with efficient storage, fast search and flexible visualization to improve security incident investigation and analysis and to support threat hunting.
  • Make sure the applicable factors and considerations have been taken into account before implementing a CLM solution.

In this article we will discuss the differences between licensing approaches, look at what CLM is, and talk about a specific system of this class, Quest InTrust. Details under the cut.

At the beginning of the article I mentioned the new Splunk licensing approach. The license types can be compared with car rental rates. Imagine that the CPU-based model is an economy car with unlimited mileage and fuel. You can go anywhere without distance restrictions, but you cannot drive fast and therefore cannot cover many kilometres per day. Data-volume licensing is like a sports car with a daily mileage allowance. You can drive recklessly over long distances, but you will pay a lot for exceeding the daily mileage limit.


To benefit from infrastructure-based licensing, you need the lowest possible ratio of CPU cores to gigabytes of ingested data. In practice this means something like:

  • The smallest possible number of queries against the ingested data.
  • A minimal number of users who can use the solution.
  • Data that is as simple and normalized as possible (so there is no reason to burn CPU cycles on subsequent processing and analysis).

The most problematic item here is normalized data. If you want the SIEM to be the aggregator of all logs in the organization, that requires a huge amount of parsing and post-processing effort. Do not forget that you also need an architecture that will not collapse under load, i.e. additional servers and therefore additional processors will be needed.

Data-volume licensing is based on the amount of data sent into the maw of the SIEM. Every additional data source is punished in rubles (or another currency), which makes you think hard about what you do not really need to collect. To beat this licensing model, you can trim the data before it is injected into the SIEM. One example of such pre-ingestion normalization is Elastic Stack, along with some other commercial SIEMs.

As a result, we have infrastructure-based licensing that is only effective when you constrain the data you ingest, and volume-based licensing that will not let you collect everything at all. The search for an intermediate solution leads to the following criteria:

  • Simplify data collection and normalization.
  • Filter out noisy and unimportant data.
  • Provide analysis capabilities.
  • Send the filtered and normalized data to the SIEM.

As a result, the target SIEM systems do not need to spend extra CPU power on processing and benefit from seeing only the most important events, without losing visibility into what is happening.

Ideally, such an intermediate solution should also provide real-time detection and response capabilities, which can be used to reduce the impact of potentially dangerous actions and to condense the whole stream of events into a useful and manageable amount of data going to the SIEM. The SIEM can then be used to build additional aggregations, correlations and alerting processes.

That mysterious intermediate solution is none other than the CLM I mentioned at the beginning of the article. This is how Gartner sees it:

[Figure: Gartner's view of CLM]

Now let us see how InTrust matches Gartner's recommendations:

  • Efficient storage for the volumes and types of data that must be retained.
  • High search speed.
  • Visualization capability, which is not what CLM itself requires, but threat hunting needs something like a BI system for security and data analytics.
  • Data enrichment, adding useful contextual information (such as geolocation and others) to raw data.

Quest InTrust uses its own storage system with up to 40:1 data compression and high-speed deduplication, which reduces storage overhead for both CLM and SIEM systems.

[Figure: IT Security Search console with Google-like search]

The dedicated web-based IT Security Search (ITSS) module can connect to the event data in the InTrust repository and provides a simple interface for searching for threats. The interface is simplified to the point of working like Google for event log data. ITSS presents query results on a timeline, can merge and group event fields, and is genuinely helpful for threat hunting.

InTrust enriches Windows events with security identifiers and file names. InTrust also normalizes events to a simple W6 schema (Who, What, Where, When, Whom and Where From), so that data from different sources (native Windows events, Linux logs or syslog) is seen in a single format and in a single search console.

InTrust supports real-time alerting, detection and response capabilities that can be used like an EDR system to reduce the damage caused by suspicious activity. The built-in security rules detect, among others, the following threats:

  • Password spraying.
  • Kerberoasting.
  • Suspicious PowerShell activity, such as execution of Mimikatz.
  • Suspicious processes, for example LockerGoga ransomware.
  • Encryption activity, using CA4FS logs.
  • Logons with privileged accounts on workstations.
  • Password guessing attacks.
  • Suspicious use of local user groups.
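
To make the intermediate layer described above concrete (simplify and normalize, filter out noise, forward only what matters, and detect in real time), here is an added example that is not the article's or InTrust's own code: it maps constructed Windows Security events and syslog lines onto the W6 schema, drops routine noise before anything reaches the SIEM, and runs one of the listed detections (password spraying) on the normalized stream. The field names, noise list and threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Assumptions (not InTrust's real field names or rules): Windows events arrive as
# (EventID, field dict) from a Security-log forwarder; syslog as text lines of the form
# "<ISO time> <host> <program>[pid]: <message>". Noise lists and thresholds are illustrative.
NOISY = {"win:4624", "win:4634", "syslog:CRON"}   # routine logon/logoff and cron: bulk volume, little signal
SYSLOG_RE = re.compile(r"^(?P<when>\S+) (?P<where>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def normalize_windows(event_id, f):
    # W6 schema: Who, What, Where, When, Whom, Where From
    return {"who": f.get("SubjectUserName"), "what": f"win:{event_id}", "where": f.get("Computer"),
            "when": f.get("TimeCreated"), "whom": f.get("TargetUserName"), "where_from": f.get("IpAddress")}

def normalize_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None                                   # unparseable: the pipeline counts it as dropped
    fail = SSH_FAIL_RE.search(m["msg"])               # sshd failures carry the target account and source
    return {"who": None, "what": f"syslog:{m['prog']}", "where": m["where"], "when": m["when"],
            "whom": fail["user"] if fail else None, "where_from": fail["src"] if fail else None}

def clm_pipeline(windows_events, syslog_lines):
    """Normalize everything to W6, drop noise, return (events to forward to the SIEM, number dropped)."""
    normalized = [normalize_windows(eid, f) for eid, f in windows_events]
    normalized += [normalize_syslog(line) for line in syslog_lines]
    forward = [ev for ev in normalized if ev is not None and ev["what"] not in NOISY]
    return forward, len(normalized) - len(forward)

def detect_password_spraying(events, min_accounts=3):
    """Flag a source whose failed logons (Windows 4625 or sshd) hit many distinct accounts."""
    accounts = defaultdict(set)
    for ev in events:
        if ev["what"] in ("win:4625", "syslog:sshd") and ev["whom"] and ev["where_from"]:
            accounts[ev["where_from"]].add(ev["whom"])
    return {src: sorted(u) for src, u in accounts.items() if len(u) >= min_accounts}

# Constructed sample: one spray from 10.0.0.5 across three accounts, plus routine noise.
SAMPLE_WINDOWS = [(4624, {"Computer": "WS01", "TargetUserName": "alice", "TimeCreated": "2024-01-10T10:00:00Z"}),
                  (4625, {"Computer": "DC01", "TargetUserName": "alice", "IpAddress": "10.0.0.5"}),
                  (4625, {"Computer": "DC01", "TargetUserName": "bob", "IpAddress": "10.0.0.5"})]
SAMPLE_SYSLOG = ["2024-01-10T10:00:03Z srv1 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
                 "2024-01-10T10:00:04Z srv1 sshd[123]: Failed password for invalid user carol from 10.0.0.5 port 2222 ssh2",
                 "2024-01-10T10:00:05Z srv1 sshd[124]: Failed password for dave from 10.0.0.9 port 2223 ssh2"]

def run_sample():
    forward, dropped = clm_pipeline(SAMPLE_WINDOWS, SAMPLE_SYSLOG)
    return len(forward), dropped, detect_password_spraying(forward)
```

Note that the spray is only visible because both the Windows and the sshd failures were normalized onto the same `whom` and `where_from` fields; on the raw records the three attempts look like unrelated events from two products.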

Now I will show a few screenshots of InTrust itself so you can get an idea of what it can do.

[Figure: predefined filters for searching for potential vulnerabilities]

[Figure: example of a set of filters for collecting raw data]

[Figure: example of using regular expressions to build a response to an event]

[Figure: example of a PowerShell vulnerability search rule]

[Figure: built-in knowledge base with vulnerability descriptions]

InTrust is a powerful tool that can be used as a standalone solution or as part of a SIEM system, as I described above. Perhaps the main advantage of this solution is that you can start using it right after installation, because InTrust ships with a large library of rules for detecting threats and responding to them (for example, by blocking a user).

In this article I did not cover the out-of-the-box integrations. But immediately after installation you can configure forwarding of events to Splunk, IBM QRadar, Micro Focus ArcSight, or via webhook to any other system. Below is an example of the Kibana interface with events from InTrust. Integration with Elastic Stack already exists and, if you use the free version of Elastic, InTrust can serve as the threat detection tool, handling proactive alerting and sending notifications.

[Figure: Kibana interface showing events from InTrust]

I hope the article has given you some idea of this product. We are ready to provide InTrust for you to try or to run a pilot project. You can leave a request via the feedback form on our website.

Read our other articles on information security:

We detect a ransomware attack, gain access to the domain controller and try to resist these attacks

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the user lifecycle without pliers or duct tape

Who did it? We automate information security audits

Source: www.habr.com
