Not long ago, Splunk added another licensing model: licensing based on infrastructure. It counts the number of CPU cores under the Splunk servers. This is very similar to Elastic Stack licensing, which counts the number of Elasticsearch nodes. SIEM systems are traditionally expensive, and usually the choice is between paying a lot and paying a lot. But if you apply a little ingenuity, you can assemble a similar construction yourself.

It looks scary, but sometimes this architecture works in production. Complexity kills security and, more generally, kills everything. In fact, for such cases (I mean reducing the cost of ownership) there is a whole class of systems: Central Log Management (CLM). According to Gartner, they are undervalued. Here are Gartner's recommendations:
- Use CLM capabilities and tools when there are budget and staffing constraints, security monitoring requirements, and specific use-case requirements.
- Deploy CLM to strengthen log collection and analysis capabilities when a SIEM solution proves too expensive or too complex.
- Invest in CLM tools with efficient storage, fast search and flexible visualization to improve security incident investigation and analysis and to support threat hunting.
- Make sure the applicable factors and considerations are taken into account before implementing a CLM solution.
In this article we will look at the differences between licensing approaches, get to grips with CLM and talk about a specific system of this class: Quest InTrust. Details under the cut.
At the beginning of the article I mentioned the new approach to Splunk licensing. License types can be compared to car rental rates. Let's imagine that the model based on the number of CPUs is an economy car with unlimited mileage and fuel. You can go anywhere without distance restrictions, but you cannot go very fast and, accordingly, cannot cover many kilometres a day. The data-volume license is like a sports car with a daily mileage plan. You can drive as hard as you like over long distances, but you will have to pay for exceeding the daily mileage limit.

To benefit from load-based licensing, you need the lowest possible ratio of CPU cores to GB of ingested data. In practice this means something like:
- The smallest possible number of queries against the ingested data.
- The smallest possible number of users of the solution.
- Data that is as simple and as normalized as possible (so that no CPU cycles have to be spent on processing the data and on subsequent analysis).
The most problematic item here is normalized data. If you want the SIEM to be the aggregator of all logs in the organization, that requires a huge amount of effort in parsing and post-processing. Do not forget that you also have to think about an architecture that will not fall over under load, i.e. additional servers and, consequently, additional processors will be needed.
Data-volume licensing is based on the amount of data sent into the maw of the SIEM. Additional data sources are punished by the ruble (or another currency), and this makes you think about what you really did not want to collect. To get around this licensing model, you can cut the data down before it is fed into the SIEM. One example of such normalization before ingestion is Elastic Stack and some other commercial SIEMs.
So we have the following: infrastructure-based licensing works when you need to collect only certain data with minimal preprocessing, and volume-based licensing will not let you collect everything at all. The search for an intermediate solution leads to these criteria:
- Simplify data aggregation and normalization.
- Filter out noisy and least important data.
- Provide analysis capabilities.
- Send the filtered and normalized data to the SIEM.
As a result, the target SIEM systems do not need to spend extra CPU power on processing and can benefit from receiving only the most important events, without losing visibility of what is happening.
Ideally, such a middleware solution should also provide real-time detection and response capabilities that can be used to reduce the impact of potentially dangerous activity, and should aggregate the whole stream of events into a useful and simple quantum of data for the SIEM. The SIEM can then be used to build additional aggregations, correlations and alerting processes on top of it.
That very mysterious intermediate solution is none other than CLM, which I mentioned at the beginning of the article. Here is how Gartner sees it:

Now you can try to figure out how InTrust matches Gartner's recommendations:
- Efficient storage of the volumes and types of data that need to be retained.
- High search speed.
- Visualization capabilities are not a mandatory CLM requirement, but threat hunting is like a BI system for security and data analysis.
- Data enrichment: enriching raw data with useful contextual data (such as geolocation and others).
Quest InTrust uses its own storage system with up to 40:1 data compression and high-speed deduplication, which reduces storage overhead for CLM and SIEM systems.

IT Security Search console with Google-like search
The specialized IT Security Search (ITSS) module can connect to the event data in the InTrust repository and provides a simple interface for searching for threats. The interface is simplified to the point that it works like Google for event log data. ITSS uses timelines for query results, can merge and group event fields, and effectively helps with threat hunting.
InTrust enriches Windows events with security identifiers, file names and security logon identifiers. InTrust also normalizes events into a simple W6 schema (Who, What, Where, When, Whom, and Where From) so that data from different sources (native Windows events, Linux logs or syslog) can be viewed in a single format and in a single search console.
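As an added illustration that is not InTrust's own code, here is how a pre-SIEM normalizer in the spirit of the W6 schema and the filtering criteria above can look in Python: a Windows 4625 event and an sshd syslog line (both constructed) are mapped onto Who/What/Where/When/Whom/Where-From, and only the events worth correlating are forwarded. The field names, the `logon_*` labels and the "internal network" rule are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real telemetry): one Windows Security event as a
# flattened dict and one Linux sshd syslog line. Both describe a failed logon.
WINDOWS_EVENT = {
    "EventID": 4625, "TimeCreated": "2024-03-01T08:15:02Z", "Computer": "WS-042",
    "TargetUserName": "j.doe", "SubjectUserName": "-", "IpAddress": "10.0.5.17",
}
SYSLOG_LINE = ("Mar  1 08:15:09 srv-web01 sshd[2211]: Failed password for "
               "invalid user admin from 203.0.113.9 port 51022 ssh2")

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<what>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def windows_to_w6(ev):
    """Map a Windows logon event onto the six W6 fields (assumed field names)."""
    what = {4624: "logon_success", 4625: "logon_failure"}.get(ev["EventID"], "other")
    return {"who": ev["TargetUserName"], "what": what, "where": ev["Computer"],
            "when": ev["TimeCreated"], "whom": ev.get("SubjectUserName", "-"),
            "where_from": ev["IpAddress"], "source": "windows"}

def syslog_to_w6(line, year=2024):
    """Map an sshd auth line onto W6; returns None for lines this example does not model."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the collector supplies it
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S") \
        .replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    what = "logon_failure" if m["what"] == "Failed" else "logon_success"
    return {"who": m["user"], "what": what, "where": m["host"], "when": when,
            "whom": "-", "where_from": m["src"], "source": "linux"}

def worth_forwarding(w6):
    """Noise filter: keep every failure, and every success from outside the
    (assumed) internal 10.0.0.0/8 range. Internal successes stay in the CLM store only."""
    internal = w6["where_from"].startswith("10.")
    return w6["what"] == "logon_failure" or not internal

def forward_batch(events):
    """Normalize a mixed batch and return only the events destined for the SIEM."""
    out = []
    for ev in events:
        w6 = syslog_to_w6(ev) if isinstance(ev, str) else windows_to_w6(ev)
        if w6 and worth_forwarding(w6):
            out.append(w6)
    return out
```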
InTrust supports real-time alerting, detection and response that can be used as an EDR-like system to minimize the damage caused by suspicious activity. The built-in security rules detect, among other things, the following threats:
- Password spraying.
- Kerberoasting.
- Suspicious PowerShell activity, such as running Mimikatz.
- Suspicious processes, for example the LockerGoga ransomware.
- Encryption downgrade using CA4FS logs.
- Privileged account logons to workstations.
- Password guessing attacks.
- Suspicious use of local user groups.
Now I will show a few screenshots of InTrust itself so you get an idea of its capabilities.
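To make two of the rules above concrete, here is an added Python sketch (not InTrust's own rule logic) that separates password spraying from password guessing over W6-style failed-logon records: one source failing against many accounts inside a time window versus one source failing many times against a single account. The records, thresholds and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed W6-style failed-logon records (not real telemetry). "where_from"
# carries the source address, "who" the account that failed to log on.
def ev(when, who, where_from, where="DC01"):
    return {"who": who, "what": "logon_failure", "where": where,
            "when": datetime.fromisoformat(when), "whom": "-", "where_from": where_from}

SAMPLE = (
    # one source, one failure each against six accounts within seconds: spraying
    [ev(f"2024-03-01T08:00:{s:02d}", u, "198.51.100.7")
     for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])] +
    # one source hammering a single account: guessing, not spraying
    [ev(f"2024-03-01T08:10:{s:02d}", "svc_backup", "10.0.9.3") for s in range(12)] +
    # benign typos: two failures, well apart in time
    [ev("2024-03-01T08:00:01", "grace", "10.0.5.17"),
     ev("2024-03-01T09:30:00", "grace", "10.0.5.17")]
)

def classify_failures(events, window=timedelta(minutes=5), spray_accounts=5, guess_attempts=10):
    """Per source address, slide a time window over its failed logons and label the
    pattern: 'spraying' when at least spray_accounts distinct accounts fail inside the
    window, 'guessing' when one account fails guess_attempts times. Returns {src: label}."""
    by_src = defaultdict(list)
    for e in events:
        if e["what"] == "logon_failure":
            by_src[e["where_from"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["when"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            frame = evs[start:end + 1]
            accounts = {e["who"] for e in frame}
            if len(accounts) >= spray_accounts:
                verdicts[src] = "spraying"
                break
            per_account = max(sum(1 for e in frame if e["who"] == a) for a in accounts)
            if per_account >= guess_attempts:
                verdicts[src] = "guessing"
                break
    return verdicts
```

Sources that never cross either threshold, like the two typos from 10.0.5.17, produce no verdict and stay out of the alert stream.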

Predefined filters for searching for potential vulnerabilities

Example of a set of filters for collecting raw data

Example of using regular expressions to build a response to an event

Example of a rule for detecting a PowerShell vulnerability

Built-in knowledge base with vulnerability descriptions
InTrust is a powerful tool that can be used as a standalone solution or as part of a SIEM system, as I described above. Perhaps the main advantage of this solution is that you can start using it right after installation, because InTrust ships with a large library of rules for detecting threats and responding to them (for example, by blocking a user).
In this article I did not talk about the out-of-the-box integrations. But right after installation, you can configure forwarding of events to Splunk, IBM QRadar, Micro Focus ArcSight, or via webhook to any other system. Below is an example of the Kibana interface with events from InTrust. Integration with Elastic Stack already exists and, if you use the free version of Elastic, InTrust can be used as the threat detection tool, performing active alerting and sending notifications.

I hope the article has given you some idea of this product. We are ready to provide InTrust to you for testing or for a pilot project. A request can be left on our website.
source: www.habr.com
