How to reduce the cost of ownership of a SIEM system, and why you need Central Log Management (CLM)

Not long ago, Splunk added yet another licensing model: infrastructure-based licensing (there are now three). It counts the number of CPU cores under the Splunk servers. It is very similar to the Elastic Stack license, which counts the number of Elasticsearch nodes. SIEM systems are traditionally expensive, and usually the choice is between paying a lot and paying a great deal. But if you apply a little ingenuity, you can assemble a structure like this one:


It looks scary, but sometimes this architecture actually runs in production. Complexity kills security and, in general, kills everything else. In fact, for exactly these cases (I am talking about reducing the cost of ownership) there is a whole class of systems: Central Log Management (CLM). Gartner writes about it and considers it undervalued. Here are their recommendations:

  • Use CLM capabilities and tools when there are budget and staffing constraints, security monitoring requirements, and specific use case requirements.
  • Deploy CLM to improve log collection and analysis capabilities where a SIEM solution proves too expensive or too complex.
  • Invest in CLM tools with efficient storage, fast search and flexible visualization to improve security incident investigation and analysis and to support threat hunting.
  • Make sure the relevant factors and considerations are taken into account before implementing a CLM solution.

In this article we will discuss the differences between licensing approaches, understand what CLM is, and talk about a specific system of this class, Quest InTrust. Details under the cut.

At the beginning of this article I mentioned Splunk's new licensing approach. Licensing types can be compared to car rental rates. Imagine that the CPU-based model is an economy car with unlimited mileage and fuel. You can go anywhere without distance restrictions, but you cannot go very fast and, accordingly, cannot cover many kilometers per day. Data-based licensing is like a sports car with a daily mileage plan. You can drive recklessly over long distances, but you will have to pay extra for exceeding the daily mileage limit.


To benefit from load-based licensing, you need the lowest possible ratio of CPU cores to gigabytes of loaded data. In practice this means something like:

  • The smallest possible number of queries against the loaded data.
  • The smallest possible number of users of the solution.
  • Data that is as simple and as normalized as possible (so that no CPU cycles are wasted on subsequent parsing and processing of the data).

The most problematic item here is normalized data. If you want the SIEM to be the aggregator of all logs in the organization, it takes a huge amount of effort to parse and process them. Do not forget that you also need to think about an architecture that will not collapse under load, i.e. additional servers and therefore additional processors will be needed.

Data volume licensing is based on the amount of data sent into the maw of the SIEM. Additional data sources are punished with the ruble (or another currency), and this makes you think about what you do not really want to collect. To get around this licensing model, you can trim the data before it is fed into the SIEM system. One example of such normalization before ingestion is Elastic Stack, along with some other commercial SIEMs.

As a result, infrastructure licensing works well if you only need to collect certain data with minimal preprocessing, and volume licensing will not let you collect everything at all. The search for an intermediate solution leads to the following requirements:

  • Simplify data aggregation and normalization.
  • Filter out noisy data and keep the most important data.
  • Provide analysis capabilities.
  • Send the filtered and normalized data to the SIEM.

As a result, the target SIEM systems do not need to spend additional CPU power on processing and can benefit from receiving only the most important events, without losing visibility into what is happening.

Ideally, such a middleware solution should also provide real-time detection and response capabilities that can be used to reduce the impact of potentially dangerous activity, and should consolidate the entire stream of events into a useful and compact amount of data going to the SIEM. The SIEM can then be used to build additional aggregation, correlation and alerting processes on top of that.

That mysterious intermediate solution is none other than CLM, which I mentioned at the beginning of this article. Here is how Gartner sees it:


Now let us see how InTrust measures up against Gartner's recommendations:

  • Efficient storage for the volumes and types of data that need to be retained.
  • High search speed.
  • Visualization capabilities are not something a basic CLM requires, but for threat hunting they act like a BI system for security and data analysis.
  • Data enrichment, i.e. enriching raw data with useful contextual data (such as geolocation and other attributes).

Quest InTrust uses its own storage system with up to 40:1 data compression and high-speed deduplication, which reduces storage overhead for both the CLM and the SIEM systems.

[Figure: IT Security Search console with Google-like search]

The dedicated web-based IT Security Search (ITSS) module can connect to the event data in the InTrust repository and provides a simple interface for searching for threats. The interface is simplified to the point that it works like Google for event log data. ITSS uses timelines for query results, can merge and group event fields, and is an effective aid in threat hunting.

InTrust enriches Windows events with security identifiers, file names, and security logon identifiers. InTrust also normalizes events into a simple W6 schema (Who, What, Where, When, Whom and Where From) so that data from different sources (native Windows events, Linux logs or syslog) can be viewed in a single format and in a single search console.
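The following added example (not InTrust code; written for this article) illustrates both the intermediate-layer requirements listed earlier (aggregate, normalize, drop noise, forward only what matters) and the W6 schema just described. It takes constructed sample input, a Windows logon event rendered as JSON and a few Linux syslog lines, maps each onto who/what/where/when/whom/where_from, discards actions configured as noise, collapses exact duplicates into a count, and returns the records a SIEM would ingest. The event ID mapping, the noise list and the syslog year are assumptions for the sample.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input (not InTrust output): two Windows events as JSON and
# three Linux syslog lines, the last of which is an exact duplicate of the third.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4625, "TimeCreated": "2024-03-01T08:15:02Z",
                "Computer": "WS-042.corp.example", "TargetUserName": "jdoe",
                "IpAddress": "10.1.2.3", "LogonType": 3}),
    json.dumps({"EventID": 4634, "TimeCreated": "2024-03-01T08:15:03Z",
                "Computer": "WS-042.corp.example", "TargetUserName": "jdoe",
                "IpAddress": "-", "LogonType": 3}),
    "Mar  1 08:15:04 srv01 sshd[2211]: Failed password for root from 10.1.2.3 port 51022 ssh2",
    "Mar  1 08:15:05 srv01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  1 08:15:04 srv01 sshd[2211]: Failed password for root from 10.1.2.3 port 51022 ssh2",
]

# Assumed mapping of Windows event IDs to a normalized action name (the "What").
WINDOWS_ACTIONS = {4624: "logon_success", 4625: "logon_failure", 4634: "logoff"}
# Actions treated as noise: kept in the CLM store, never forwarded to the SIEM.
NOISE_ACTIONS = {"logoff", "session_opened"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PAM_SESSION_RE = re.compile(r"session opened for user (?P<user>\S+)")


def syslog_time(ts: str, year: int = 2024) -> str:
    """Syslog timestamps carry no year; the year is an assumption for this sample."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(raw: str) -> Optional[dict]:
    """Map one raw event onto the W6 schema (who, what, where, when, whom, where_from).
    Returns None for events this sample normalizer does not understand."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        action = WINDOWS_ACTIONS.get(ev.get("EventID"))
        if action is None:
            return None
        ip = ev.get("IpAddress")
        return {"who": ev.get("TargetUserName"), "what": action, "where": ev.get("Computer"),
                "when": ev.get("TimeCreated"), "whom": ev.get("Computer"),
                "where_from": None if ip in (None, "-") else ip, "source": "windows"}
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    when, host, msg = syslog_time(m["ts"]), m["host"], m["msg"]
    fail = SSH_FAIL_RE.search(msg)
    if fail:
        return {"who": fail["user"], "what": "logon_failure", "where": host, "when": when,
                "whom": host, "where_from": fail["ip"], "source": "syslog"}
    sess = PAM_SESSION_RE.search(msg)
    if sess:
        return {"who": sess["user"], "what": "session_opened", "where": host, "when": when,
                "whom": host, "where_from": None, "source": "syslog"}
    return None


def pipeline(raw_events: list) -> list:
    """CLM pre-processing: normalize, drop noise, collapse exact duplicates into a
    count, and return only the records the SIEM should ingest."""
    forwarded = {}
    for raw in raw_events:
        ev = normalize(raw)
        if ev is None or ev["what"] in NOISE_ACTIONS:
            continue  # stays in CLM storage, not sent onward
        key = (ev["when"], ev["where"], ev["who"], ev["what"], ev["where_from"])
        if key in forwarded:
            forwarded[key]["count"] += 1  # deduplication: same event seen again
        else:
            forwarded[key] = {**ev, "count": 1}
    return list(forwarded.values())


if __name__ == "__main__":
    for rec in pipeline(SAMPLE_EVENTS):
        print(json.dumps(rec))
```

Of the five sample lines, only two records reach the SIEM: the Windows logon failure and the ssh failure with a count of 2, since the logoff and the cron session are dropped as noise and the repeated ssh line is folded into the first. The volume saving is what the volume-based license charges for, and the normalization is what the CPU-based license would otherwise pay for in parsing.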

InTrust supports real-time alerting, detection and response capabilities that can be used as an EDR-like system to minimize the damage caused by suspicious activity. The built-in security rules detect, among others, the following threats:

  • Password spraying.
  • Kerberoasting.
  • Suspicious PowerShell activity, such as Mimikatz execution.
  • Suspicious processes, for example the LockerGoga ransomware.
  • Encryption activity detected via CA4FS logs.
  • Logons with a privileged account to workstations.
  • Password guessing attacks.
  • Suspicious use of local user groups.
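As an added example (not InTrust's rules; written for this article), here is what three of the detections in that list look like when expressed over normalized logon events: password spraying (one source failing against many distinct accounts within a window), password guessing (one source failing repeatedly against one account), and a privileged account logging on to a workstation. The sample events, the five-minute window, the thresholds, and the "da-"/"WS-" naming conventions are all assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of already-normalized logon events (W6-style fields);
# not real InTrust data. Timestamps are UTC ISO strings.
EVENTS = [
    # one source trying twelve different accounts once each (spraying pattern)
    *[{"when": f"2024-03-01T09:00:{i:02d}Z", "what": "logon_failure", "who": f"user{i:02d}",
       "where": "DC01", "where_from": "10.9.9.9"} for i in range(12)],
    # one account failing eight times from one source (guessing pattern)
    *[{"when": f"2024-03-01T09:05:{i:02d}Z", "what": "logon_failure", "who": "svc-backup",
       "where": "DC01", "where_from": "10.4.4.4"} for i in range(8)],
    # ordinary and privileged successful logons to a workstation
    {"when": "2024-03-01T09:10:00Z", "what": "logon_success", "who": "jdoe",
     "where": "WS-042", "where_from": "10.1.2.3"},
    {"when": "2024-03-01T09:11:00Z", "what": "logon_success", "who": "da-admin",
     "where": "WS-042", "where_from": "10.1.2.3"},
]

WINDOW = timedelta(minutes=5)          # assumed sliding window for both rules
SPRAY_MIN_ACCOUNTS = 10                # distinct accounts from one source in WINDOW
GUESS_MIN_FAILURES = 5                 # failures on one account from one source in WINDOW
PRIVILEGED_PREFIXES = ("da-", "adm-")  # assumed naming convention for admin accounts
WORKSTATION_PREFIX = "WS-"             # assumed naming convention for workstations


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["when"], "%Y-%m-%dT%H:%M:%SZ")


def _windows(failures: list, keyfn):
    """Group failures by keyfn and, for each event, yield the group's events that
    fall inside WINDOW ending at that event (a simple sliding window)."""
    groups = defaultdict(list)
    for ev in sorted(failures, key=_ts):
        groups[keyfn(ev)].append(ev)
    for key, evs in groups.items():
        for i, ev in enumerate(evs):
            start = _ts(ev) - WINDOW
            yield key, [e for e in evs[:i + 1] if _ts(e) >= start]


def detect_spraying(events: list) -> list:
    """Password spraying: many distinct accounts failing from one source."""
    failures = [e for e in events if e["what"] == "logon_failure"]
    peak = {}
    for src, window in _windows(failures, lambda e: e["where_from"]):
        accounts = {e["who"] for e in window}
        if len(accounts) >= SPRAY_MIN_ACCOUNTS:
            peak[src] = max(peak.get(src, 0), len(accounts))
    return [{"rule": "password_spraying", "where_from": s, "accounts": n}
            for s, n in peak.items()]


def detect_guessing(events: list) -> list:
    """Password guessing: one account failing repeatedly from one source."""
    failures = [e for e in events if e["what"] == "logon_failure"]
    peak = {}
    for key, window in _windows(failures, lambda e: (e["where_from"], e["who"])):
        if len(window) >= GUESS_MIN_FAILURES:
            peak[key] = max(peak.get(key, 0), len(window))
    return [{"rule": "password_guessing", "where_from": s, "who": u, "failures": n}
            for (s, u), n in peak.items()]


def detect_privileged_workstation_logon(events: list) -> list:
    """Privileged account logging on to a workstation rather than a server."""
    return [{"rule": "privileged_logon_to_workstation", "who": e["who"], "where": e["where"]}
            for e in events if e["what"] == "logon_success"
            and e["who"].startswith(PRIVILEGED_PREFIXES)
            and e["where"].startswith(WORKSTATION_PREFIX)]


if __name__ == "__main__":
    for alert in (detect_spraying(EVENTS) + detect_guessing(EVENTS)
                  + detect_privileged_workstation_logon(EVENTS)):
        print(alert)
```

The two failure rules share one windowing helper and differ only in the grouping key: spraying groups by source and counts distinct accounts, guessing groups by (source, account) and counts attempts. Each fires once per group at the peak value, which is the shape a CLM needs so that it forwards one alert to the SIEM instead of twenty raw failures.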

Now I will show a few screenshots of InTrust itself so you get an idea of its capabilities.

[Figure: Predefined filters for searching for potential threats]

[Figure: Example of a set of filters for collecting raw data]

[Figure: Example of using regular expressions to create a response to an event]

[Figure: Example of a search rule for PowerShell exploitation]

[Figure: Built-in knowledge base with threat descriptions]

InTrust is a powerful tool that can be used either as a standalone solution or as part of a SIEM system, as described above. Perhaps the main advantage of this solution is that you can start using it right after installation, because InTrust ships with a large library of rules for detecting threats and responding to them (for example, by blocking a user).

In this article I have not covered the out-of-the-box integrations. But right after installation you can configure sending events to Splunk, IBM QRadar, Micro Focus ArcSight, or via webhook to any other system. Below is an example of the Kibana interface with events from InTrust. An integration with Elastic Stack already exists and, if you use the free version of Elastic, InTrust can serve as the tool for detecting threats, performing proactive alerting and sending notifications.

[Figure: Kibana interface with events from InTrust]

I hope this article has given you some insight into the product. We are ready to provide InTrust for testing or to run a pilot project. You can leave a request through the feedback form on our website.

Read our other articles on information security:

We detect a ransomware attack, gain access to the domain controller and try to resist these attacks

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the user lifecycle without pliers or duct tape

Who did it? We automate information security audits

Source: www.habr.com
