TS Total Sight. An Event Collection, Incident Analysis, and Threat Response Automation Tool

Good afternoon. In previous articles we got acquainted with the ELK Stack. Now let's discuss what an information security specialist can get out of these systems: which logs can and should be stored in Elasticsearch, what statistics can be obtained by configuring dashboards and whether there is any profit in this, how to automate information security processes with the ELK stack, and how to design the system architecture. Overall, implementing all of this functionality is a large and difficult task, so the solution was given its own name: TS Total Sight.

Currently, solutions that aggregate and analyze information security events in one logical place are rapidly gaining popularity; as a result, the specialist gets statistics and a clear front line of action for improving the organization's information security posture. We set ourselves this task using the ELK stack and split the main work into four sections:

  1. Statistics and visualization;
  2. Detection of information security incidents;
  3. Incident prioritization;
  4. Automation of information security processes.

Next, we will look at each of them in more detail.

Detection of information security incidents

The main task of using Elasticsearch in our case is to collect only information security incidents. You can collect security events from any security tools that support at least some method of log forwarding; the standard is syslog or scp to a file.

Typical examples of security tools (and others) from which log forwarding should be configured:

  1. Any NGFW (Check Point, Fortinet);
  2. Any vulnerability scanner (PT Scanner, OpenVAS);
  3. Web Application Firewall (PT AF);
  4. Netflow analyzers (Flowmon, Cisco StealthWatch);
  5. AD server.

Once log forwarding and the configuration files in Logstash are set up, you can correlate and compare the events coming from the various security tools. For this it is convenient to use indexes in which we store all events related to a particular device; in other words, one index per device for all of its events. This split can be done in two ways.

The first option is to configure the Logstash config. To do this, you duplicate the log, selected by certain fields, into a separate unit with a different type, and then use that type later in the pipeline. In the example, the logs come from the IPS blade of a Check Point firewall.

filter {
    # duplicate every SmartDefense (IPS blade) event into a clone with its own type
    if [product] == "SmartDefense" {
        clone {
            clones => ["CloneSmartDefense"]
            add_field => {"system" => "checkpoint"}
        }
    }
}

To store such events in a separate index depending on log fields, for example the destination IP of the attack signature, you can use a construct like this:

output {
    # the clone carries type "CloneSmartDefense"; route it to its own per-host index
    if [type] == "CloneSmartDefense" {
        elasticsearch {
            hosts => ["<IP_address_elasticsearch>:9200"]
            index => "smartdefense-%{dst}"
            user => "admin"
            password => "password"
        }
    }
}

In this way, you can store all events in an index keyed, for example, by IP address or by the host name of the machine. In this case we store them in the index "smartdefense-%{dst}", by the destination IP address of the signature.

However, different products will have different log fields, which leads to chaos and unnecessary memory usage. Here you will have to carefully replace the fields in the Logstash config settings with predefined ones that will be the same for all event types, which is also a difficult task.

The second implementation option is to write a script or process that queries the Elastic database in real time, pulls out the required events and saves them into a new index. This is a difficult task, but it lets you work with the logs however you like and correlate directly with events from other security tools. This option lets you tailor the work with logs to your case with maximum flexibility, but the problem is finding a specialist who can implement it.

And of course the most important question: what can be correlated and detected at all?

There can be several options here, depending on which security tools are used in your infrastructure; a few examples:

  1. The most obvious and, in my view, the most interesting option for those who have an NGFW solution and a vulnerability scanner: correlating IPS logs with vulnerability scan results. If an attack was detected (but not blocked) by the IPS system, and this vulnerability has not been closed on the end host according to the scan results, an alarm should be raised, since there is a high probability that the vulnerability has been exploited.
  2. Many login attempts from one machine to different places may indicate malicious activity.
  3. A user downloading virus files because of visiting a large number of dangerous sites.
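As an added example (not code from the article or from TS Total Sight), here is the core of the "second option" script above, applied to the first correlation case: IPS hits with action Detect are matched against open findings from the vulnerability scanner for the same target host. The Elasticsearch query builder is shown but not executed; the event documents, their field names (dst, src, action, signature, cve, host, severity) and the CVE ids are constructed assumptions about how your Logstash pipeline names things.

```python
from collections import defaultdict

# Constructed sample documents, shaped like events a Logstash pipeline could
# write to Elasticsearch. Field names and the CVE ids are placeholders.
IPS_EVENTS = [
    {"_index": "smartdefense-10.0.0.5", "dst": "10.0.0.5", "src": "198.51.100.7",
     "action": "Detect", "signature": "Example Web RCE", "cve": "CVE-EXAMPLE-1"},
    {"_index": "smartdefense-10.0.0.5", "dst": "10.0.0.5", "src": "198.51.100.7",
     "action": "Prevent", "signature": "Example SMB Exploit", "cve": "CVE-EXAMPLE-2"},
    {"_index": "smartdefense-10.0.0.9", "dst": "10.0.0.9", "src": "203.0.113.4",
     "action": "Detect", "signature": "Example TLS Bug", "cve": "CVE-EXAMPLE-3"},
]
SCAN_RESULTS = [  # open findings reported by the vulnerability scanner
    {"host": "10.0.0.5", "cve": "CVE-EXAMPLE-1", "severity": "high"},
    {"host": "10.0.0.5", "cve": "CVE-EXAMPLE-2", "severity": "critical"},
    {"host": "10.0.0.9", "cve": "CVE-EXAMPLE-4", "severity": "critical"},
]


def ips_detect_query(host):
    """Elasticsearch query DSL selecting detect-only (unblocked) IPS hits for one host."""
    return {"query": {"bool": {"filter": [
        {"term": {"dst": host}},
        {"term": {"action": "Detect"}},
    ]}}}


def correlate(ips_events, scan_results):
    """Alert when an IPS signature was only detected (not prevented) and the
    scanner still reports the matching CVE open on the targeted host."""
    open_vulns = defaultdict(dict)  # host -> {cve: severity}
    for r in scan_results:
        open_vulns[r["host"]][r["cve"]] = r["severity"]
    alerts = []
    for e in ips_events:
        if e["action"] != "Detect":
            continue  # the IPS blocked it: no exposure to report
        severity = open_vulns.get(e["dst"], {}).get(e.get("cve"))
        if severity is None:
            continue  # vulnerability absent or already patched on the target
        alerts.append({"host": e["dst"], "src": e["src"], "cve": e["cve"],
                       "signature": e["signature"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(IPS_EVENTS, SCAN_RESULTS):
        print(alert)  # one alert: 10.0.0.5 / CVE-EXAMPLE-1 / high
```

In a real deployment the alerts list would be written to a new index (or sent as an email/Telegram notification) rather than printed.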

Statistics and visualization

The obvious and understandable reason to use the ELK Stack is log storage and visualization; previous articles showed how to bring in logs from various devices using Logstash. After the logs go into Elasticsearch, you can set up dashboards, also discussed in previous articles, with the information and statistics you need through visualization.

Examples:

  1. A dashboard for Threat Prevention events with the most critical events. Here you can show which IPS signatures were detected and where they came from geographically.

  2. A dashboard on the use of the most critical applications through which information can be leaked.

  3. Scan results from any security scanner.

  4. Active Directory logs by user.

  5. A VPN connection dashboard.

In this case, if you configure the dashboards to refresh every few seconds, you get a fairly convenient system for monitoring events in real time, which can then be used to respond to information security incidents as quickly as possible if you put the dashboards on a separate screen.

Incident prioritization

In a large infrastructure, the number of events can go off the scale, and the specialists will not have time to deal with all the events in time. In this case, you first need to single out only those events that pose a major threat. Therefore, the system must prioritize events according to their severity relative to your infrastructure. It is advisable to set up email or Telegram notifications for these events. Prioritization can be done with standard Kibana tools by configuring the visualization. With notifications it is more difficult: by default this functionality is not included in the basic version of Elasticsearch, only in the paid version. So either buy the paid version, or, again, write a process yourself that notifies specialists in real time by email or Telegram.

Automation of information security processes

And one of the most interesting parts is the automation of actions on information security incidents. Earlier we implemented this functionality for Splunk; you can read a little more about it in this article. The main idea is that the IPS policy is never tested or optimized, although in some cases it is a critical part of information security processes. For example, a year after deploying an NGFW with no actions taken to optimize the IPS, you will have accumulated a large number of signatures with the Detect action that will not be blocked, which greatly reduces the organization's information security posture. Below are some examples of what can be automated:

  1. Moving IPS signatures from Detect to Prevent. If Prevent is not working for critical signatures, this is out of order and a serious gap in the protection system. We change the action in the policy for such signatures. This can be done if the NGFW device has REST API functionality. This is only possible with programming skills; you need to pull the necessary information from Elasticsearch and make API requests to the NGFW management server.
  2. If many signatures were detected or blocked in network traffic from one IP address, it makes sense to block that IP address in the Firewall policy for a while. The implementation also involves using the REST API.
  3. Run a scan with the vulnerability scanner if a host has a large number of IPS signatures or findings from other security tools; if it is OpenVAS, you can write a script that connects via ssh to the security scanner and runs the scan.

TS Total Sight

Overall, implementing all this functionality is a large and difficult task. Without programming skills you can configure the minimum functionality, which may be enough for production use. But if you are interested in all the functionality, you can take a look at TS Total Sight. You can find more details on our site. As a result, the whole scheme of operation and architecture will look like this:

Conclusion

We looked at what can be done using the ELK Stack. In the following articles we will look at the functionality of TS Total Sight in more detail!

So stay tuned (Telegram, Facebook, VK, TS Solution Blog), Yandex Zen.

Source: www.habr.com
