
    Closing the loop of SIEM analysis to Secure Critical Infrastructures

    Critical Infrastructure Protection is one of the main challenges of recent years. Security Information and Event Management (SIEM) systems are widely used to cope with this challenge. However, they currently present several limitations that have to be overcome. In this paper we propose an enhanced SIEM system in which we have introduced novel components to i) enable multiple-layer data analysis; ii) resolve conflicts among security policies and discover unauthorized data paths, so that network devices can be reconfigured. Furthermore, the system is enriched by a Resilient Event Storage that ensures the integrity and unforgeability of stored events.
    Comment: EDCC-2014, BIG4CIP-2014, Security Information and Event Management, Decision Support System, Hydroelectric Da

    A Study on Capabilities and Functionalities of Security Information and Event Management Systems (SIEM)

    Security management is an important issue in the IT industry. The IT industry needs a tool that can help manage information and events and raise the level of security. Security information and event management (SIEM) offers a new approach to security management by providing a holistic view of an organization's information technology security. As with any product, SIEM tools can be reviewed on the basis of their critical capabilities. This paper discusses some of the important capabilities of any SIEM product, and a few current SIEM vendors are evaluated in terms of those critical capabilities.

    Advancing security information and event management frameworks in managed enterprises using geolocation

    Security Information and Event Management (SIEM) technology supports security threat detection and response through real-time and historical analysis of security events from a range of data sources. Through the retrieval of mass feedback from many components and security systems within a computing environment, SIEMs are able to correlate and analyse events with a view to incident detection. The hypothesis of this study is that existing Security Information and Event Management techniques and solutions can be complemented by location-based information provided by feeder systems. In addition, and associated with the introduction of location information, it is hypothesised that privacy-enforcing procedures on geolocation data in SIEMs and meta-systems alike are necessary and enforceable. The method for the study was to augment a SIEM, established for the collection of events in an enterprise service management environment, with geolocation data. By introducing the location dimension, it was possible to extend the correlation rules of the SIEM with location attributes and to see how this improved security confidence. An important co-consideration is the effect on privacy, where location information of an individual or system is propagated to a SIEM. With a theoretical consideration of the current privacy directives and regulations (specifically as promulgated in the European Union), privacy-supporting techniques are introduced to diminish the accuracy of the location information while still enabling enhanced security analysis. In the context of a European Union FP7 project relating to next-generation SIEMs, the results of this work have been implemented based on systems, data, techniques and resilient features of the MASSIF project.
    In particular, AlienVault has been used as the platform for augmenting a SIEM, and an event set of several million events, collected over a three-month period, formed the basis for the implementation and experimentation. A "brute-force attack" misuse case scenario was selected to highlight the benefits of geolocation information as an enhancement to SIEM detection (and false-positive prevention). With respect to privacy, a privacy model is introduced for SIEM frameworks. This model takes as its basis the existing privacy legislation that is most stringent in terms of privacy. An analysis of the implementation and testing is conducted, focusing equally on data security and privacy, that is, assessing location-based information in enhancing SIEM capability in advanced security detection, and determining whether privacy-enforcing procedures on geolocation in SIEMs and other meta-systems are achievable and enforceable. Opportunities for geolocation to enhance various security techniques are considered, specifically for solving misuse cases identified as existing problems in enterprise environments. In summary, the research shows that additional security confidence and insight can be achieved through the augmentation of SIEM event information with geolocation information. Through the use of spatial cloaking it is also possible to incorporate location information without compromising individual privacy. Overall, the research reveals that there are significant benefits for SIEMs in making use of geolocation in their analysis calculations, and that this can be done effectively in ways that are acceptable to privacy considerations when measured against prevailing privacy legislation and guidelines.

    Security Information and Event Management Systems

    This thesis was commissioned by the University of Eastern Finland, which needs centralized log management and information security monitoring. The main goal of the work is to serve as an aid for familiarization with Security Information and Event Management systems. Only a few Finnish-language publications have previously been produced on this topic. The theory section presents the business perspective and the execution of the project. The section also covers the central concepts and technologies of SIEM. The formulas presented help in sizing the system to fit the IT environment. One task of the thesis was to present SIEM solutions from different vendors. Products from eight different vendors were selected for discussion, of which the open source AlienVault OSSIM is described in more detail. The demo environment built for the thesis demonstrates the deployment of AlienVault OSSIM in a small environment. The technical documentation is not intended to serve as an installation guide, but to present the functionality of a SIEM through practical examples. The information flow is described from data collection to the analysis of a correlated event.

    Analysis of SYN Flood Attacks Using the NIST 800-61 Rev 2 Method on Security Information and Event Management (SIEM)

    Increasing cyber threats can lead to leaks of personal data, identity theft, the spread of viruses or malware, and even cyber attacks that damage systems and infrastructure critical to an organization. One of these is the SYN Flood attack. A SYN Flood is a type of Denial of Service (DoS) attack that affects hosts running a TCP (Transmission Control Protocol) server process. Because of the danger posed by various cyber attacks and the growing need for information security, Security Information and Event Management (SIEM) is needed to monitor such attacks. This research aims to analyze SYN flood attacks on Security Information and Event Management (SIEM). The research uses the NIST 800-61 method. The results show that the detected SYN flood attack was rated critical, based on the flood event reported by the SIEM. Based on this data, the SOC Analyst team decided to report the attack to the client concerned. Mitigations that can be applied against this attack include using a firewall, setting a shorter timeout to close inactive connections, and using a Content Delivery Network (CDN) provider or a provider specializing in DoS prevention to filter traffic destined for a particular service.

    Augmenting security event information with contextual data to improve the detection capabilities of a SIEM

    The increasing number of cyber security breaches has revealed a need for proper cyber security measures. The emergence of the internet and the increase in overall connectivity mean that data is more easily accessible and available. Using the available data in a security context may provide a system with external contextual insight such as environmental awareness or current-affairs awareness. A security information and event management (SIEM) system is a security system that correlates security event information from surrounding systems and decides whether the surrounding environment (possibly an enterprise's network) is vulnerable or even under attack by a malicious person, whether internal (authorised) or external (unauthorised). In this thesis, the aim is to provide such a system with context by adding non-security-related information from surrounding available sources, known as context information feeds. Contextual information feeds are added to the SIEM and tested using randomised events. Various context information types are used in this thesis, namely: social media, meteorological, calendar information and terror threat level. The SIEM is tested with each contextual data feed active and the results are recorded. The testing shows that the addition of contextual data feeds actively affects the sensitivity of OSSIM and hence results in more alarms being raised during elevated context-triggered states. The system showed greater and deeper visibility of its surrounding environment and hence an improved detection capability.

    Implementation of Security Information and Event Management (SIEM) at Dinas Komunikasi dan Informatika Kota Salatiga

    Devices accessible over the Internet have brought extraordinary convenience and connectivity to everyday life. However, the reality is that such devices are also an attractive target for malicious actors. Security threats such as malware attacks, computer virus attacks, and other cyber attacks can easily strike devices connected to the Internet. To address this challenge, an effective and sophisticated solution is needed. SIEM is a security platform that combines security information management (SIM) and security event management (SEM) technology. A SIEM works by collecting logs from various sources, then normalizing and aggregating the log event data, which is then processed using contextual parameters held within the SIEM, collected from various internal and external sources on endpoint devices such as operating systems, containers, and network devices. This research aims to implement the Wazuh SIEM with the main objective of centralizing logs in order to quickly detect attacks on a VPS, especially web application attacks and attacks on the SSH protocol. As the final result of the SIEM implementation, log data from each application can be centralized and visualized in a dashboard, and the SIEM is able to detect attacks on web applications and the SSH protocol that previously went undetected.

    A Security Information and Event Management Pattern

    In order to achieve a high level of cyber security awareness, most mid- to large-sized companies use Security Information and Event Management (SIEM) embedded in a Security Operations Center. These systems enable the centralized collection and analysis of security-relevant information generated by a variety of different systems, to detect advanced threats and to improve reaction time in case of an incident. In this paper, we derive a generic SIEM pattern by analyzing tools already on the market, together with additional information. In doing so, we follow a bottom-up process for pattern identification and authoring. This article can serve as a foundation for understanding SIEM in general and support developers of existing or new SIEM systems in increasing reusability by defining and identifying the general software modules inherent in SIEM.

    Modern SIEM Analysis and Critical Requirements Definition in the Context of Information Warfare

    Today, Security Information and Event Management (SIEM) systems are used to prevent information loss in computer systems and networks. There are many approaches to SIEM realization. This paper is devoted to the analysis of existing SIEMs and their characteristics in accordance with international standards and specifications, as well as a comparative description of their capabilities and differences, advantages and disadvantages. These results will be used in the realization of a research project devoted to open source SIEM development and implementation in critical infrastructure, to improve the level of cybersecurity in the context of information warfare and the realization of cyber threats.