    Security Information and Event Management -järjestelmät

    This thesis was commissioned by the University of Eastern Finland, which needs centralized log management and information security monitoring. Its main goal is to serve as an aid for becoming familiar with Security Information and Event Management systems; few Finnish-language publications exist on the topic so far. The theory section presents the business perspective and the execution of the project, and covers the central concepts and technologies of SIEM. The formulas presented help size the system to fit an IT environment. One task of the thesis was to present SIEM solutions from different vendors: products from eight vendors were selected, of which the open source AlienVault OSSIM is described in more detail. A demo environment built for the thesis shows the deployment of AlienVault OSSIM in a small network. The technical documentation is not intended as an installation guide; it presents SIEM functionality through practical examples. The information flow is described from data collection to the analysis of a correlated event.

    Closing the loop of SIEM analysis to Secure Critical Infrastructures

    Critical Infrastructure Protection is one of the main challenges of recent years, and Security Information and Event Management (SIEM) systems are widely used to cope with it. However, they currently have several limitations that need to be overcome. In this paper we propose an enhanced SIEM system into which we have introduced novel components to i) enable multiple-layer data analysis; and ii) resolve conflicts among security policies and discover unauthorized data paths, so that network devices can be reconfigured. Furthermore, the system is enriched by a Resilient Event Storage that ensures the integrity and unforgeability of stored events.
    Comment: EDCC-2014, BIG4CIP-2014, Security Information and Event Management, Decision Support System, Hydroelectric Da
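
The Resilient Event Storage above is described only at the level of its goals (integrity and unforgeability of stored events). As an added illustration, not the paper's design, here is the simplest construction that gives those properties to an append-only store: every record carries an HMAC over its own content and the previous record's tag, so editing, deleting or reordering a stored event breaks the chain from that point on, and without the key an attacker who can write to the store cannot re-seal it. The key, the event fields and the chain format are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key would live in an HSM or
# with the storage node only, never with the event producers.
DEMO_KEY = b"demo-key-do-not-use-in-production"

GENESIS = "0" * 64  # tag of the (non-existent) record before the first one


def _canonical(event: dict) -> bytes:
    # Canonical JSON so the same event always hashes to the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, key: bytes = DEMO_KEY) -> dict:
    """Append an event, binding it to its predecessor.

    The tag covers the previous tag and this event's canonical form, so
    deleting, reordering or editing an earlier record invalidates every later
    tag. An HMAC is used rather than a plain hash so that the chain cannot be
    recomputed consistently without the key.
    """
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, prev_tag.encode() + _canonical(event),
                   hashlib.sha256).hexdigest()
    record = {"seq": len(chain), "event": event, "prev": prev_tag, "tag": tag}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = DEMO_KEY) -> int:
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev_tag = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev_tag or record["seq"] != i:
            return i  # a record was removed, reordered or inserted
        expected = hmac.new(key, prev_tag.encode() + _canonical(record["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["tag"]):
            return i  # content or tag was modified
        prev_tag = record["tag"]
    return -1


if __name__ == "__main__":
    chain = []
    # Constructed sample events from a control-network host.
    for ev in [
        {"ts": "2014-05-01T10:00:00Z", "src": "10.0.1.5", "msg": "login ok"},
        {"ts": "2014-05-01T10:00:07Z", "src": "10.0.1.5", "msg": "setpoint changed"},
        {"ts": "2014-05-01T10:00:09Z", "src": "10.0.1.5", "msg": "logout"},
    ]:
        append_event(chain, ev)
    print("intact:", verify_chain(chain) == -1)
    chain[1]["event"]["msg"] = "nothing happened"  # tamper with a stored event
    print("first bad record:", verify_chain(chain))
```

The check stops at the first broken link; every later record is untrustworthy too, since its predecessor tag no longer matches. A verifier that does not hold the key (an auditor, say) can still check structural consistency of `prev`/`seq`, but only the key holder can confirm the tags.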

    A Security Information and Event Management Pattern

    In order to achieve a high level of cyber security awareness, most mid-sized to large companies use Security Information and Event Management (SIEM) embedded in a Security Operations Center. These systems enable the centralized collection and analysis of security-relevant information generated by a variety of different systems, in order to detect advanced threats and to improve reaction time in case of an incident. In this paper, we derive a generic SIEM pattern by analyzing tools already on the market, together with additional information. In doing so, we adhere to a bottom-up process for pattern identification and authoring. This article can serve as a foundation for understanding SIEM in general and support developers of existing or new SIEM systems in increasing reusability by defining and identifying the general software modules inherent in SIEM.

    Scalable attack modelling in support of security information and event management

    While assessing security on single devices can be performed using vulnerability assessment tools, modelling more intricate attacks, which involve multiple steps on different machines, requires more advanced techniques. Attack graphs are a promising technique, but they face a number of challenges. An attack graph is an abstract description of what attacks are possible against a specific network. Nodes in an attack graph represent the state of a network at a point in time, while arcs between nodes represent the transformation of the network from one state to another via the exploitation of a vulnerability. Using attack graphs allows system and network configuration information to be correlated and analysed to indicate imminent threats. This approach is limited by several serious issues, including the state-space explosion due to the exponential nature of the problem, and the difficulty of visualising an exhaustive graph of all potential attacks. Furthermore, the lack of exploit information in a standardised format makes it difficult to model atomic attacks in terms of exploit requirements and effects. This thesis has as its objective to address these issues and to present a proof of concept solution. It describes a proof of concept implementation of an automated attack-graph-based tool to assist in evaluating network security, assessing whether a sequence of actions could lead to an attacker gaining access to critical network resources. Key objectives are the investigation of attacks that can be modelled, discovery of attack paths, development of techniques to strengthen networks based on attack paths, and testing scalability for larger networks.
    The proof of concept framework, Network Vulnerability Analyser (NVA), sources vulnerability information from the National Vulnerability Database (NVD), a comprehensive, publicly available vulnerability database, transforming it into atomic exploit actions. NVA combines these with a topological network model, using an automated planner to identify potential attacks on network devices. Automated planning is an area of Artificial Intelligence (AI) which focuses on the computational deliberation over action sequences by measuring their expected outcomes; this technique is applied to support discovery of the best possible solution in the attack graph that is created. Through the use of heuristics developed for this study, unpromising regions of an attack graph are avoided. Effectively, this prevents the state-space explosion problem associated with modelling large-scale networks, enumerating only critical paths rather than an exhaustive graph. SGPlan5 was selected as the most suitable automated planner for this study and was integrated into the system, employing network and exploit models to construct critical attack paths. A critical attack path indicates the most likely attack vector to be used in compromising a targeted device. Critical attack paths are identified by SGPlan5 using a heuristic to search the state-space for the attack that yields the highest aggregated severity score. CVSS severity scores were selected as a means of guiding state-space exploration since they are currently the only publicly available metric which can measure the impact of an exploited vulnerability. Two analysis techniques have been implemented to further support the user in making an informed decision on how to prevent identified attacks. Evaluation of NVA was broken down into a demonstration of its effectiveness in two case studies, and an analysis of its scalability potential.
    Results demonstrate that NVA can successfully enumerate the expected critical attack paths and use this information to establish a solution to the identified attacks. Additionally, performance and scalability testing illustrate NVA's success when applied to realistically sized larger networks.
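
To make the attack-graph search concrete, here is an added, simplified example (not the NVA code) of the critical-path search described above: exploits are atomic actions with preconditions (reachability to the vulnerable port for remote exploits, an existing foothold for local escalation) and effects (a privilege on a host); a state is the set of privileges the attacker holds; and a depth-bounded branch-and-bound search returns the goal path with the highest aggregated CVSS score, skipping subtrees whose optimistic bound cannot beat the best path already found. The network, the CVE identifiers and the scores are constructed sample data, and SGPlan5 together with the NVD feed is replaced by this hand-written planner.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

Fact = Tuple[str, str]  # (host, privilege); privilege is "user" or "root"


@dataclass(frozen=True)
class Exploit:
    """One atomic exploit action as derived from a vulnerability record.

    The ids, hosts and scores used below are constructed sample data, not NVD.
    """
    cve: str
    host: str            # host the vulnerable service runs on
    port: Optional[int]  # None for a local privilege escalation
    cvss: float          # severity used to guide and rank paths
    grants: str          # privilege obtained on host when the exploit succeeds


# Constructed reachability model: (src, dst, port) triples the firewall permits.
REACH: Set[Tuple[str, str, int]] = {
    ("internet", "web", 80),
    ("web", "db", 3306),
    ("web", "db", 22),
}

EXPLOITS: List[Exploit] = [
    Exploit("CVE-A", "web", 80, 7.5, "user"),    # remote, web app
    Exploit("CVE-B", "web", None, 7.2, "root"),  # local escalation on web
    Exploit("CVE-C", "db", 3306, 9.0, "root"),   # remote, database service
    Exploit("CVE-D", "db", 22, 5.0, "user"),     # remote, ssh on db
    Exploit("CVE-E", "db", None, 7.8, "root"),   # local escalation on db
]


def applicable(state: FrozenSet[Fact], e: Exploit) -> bool:
    """Precondition check for an exploit against the current network state."""
    if (e.host, e.grants) in state:
        return False  # nothing to gain
    if e.port is None:  # local escalation needs a foothold on that host
        return (e.host, "user") in state
    # remote exploit: some compromised host must reach the vulnerable port
    return any((h, e.host, e.port) in REACH for h, _ in state)


def critical_path(start: FrozenSet[Fact], goal: Fact, exploits: List[Exploit],
                  max_depth: int = 3):
    """Branch-and-bound search for the goal path with the highest total CVSS.

    Returns (path, score, pruned); pruned counts subtrees skipped because their
    optimistic bound could not beat the best path already found.
    """
    best: Tuple[List[Exploit], float] = ([], float("-inf"))
    pruned = 0

    def dfs(state: FrozenSet[Fact], path: List[Exploit], score: float) -> None:
        nonlocal best, pruned
        if goal in state:
            if score > best[1]:
                best = (list(path), score)
            return
        if len(path) >= max_depth:
            return
        # Optimistic bound: every remaining step scores the best unused exploit.
        unused = [e.cvss for e in exploits if e not in path]
        bound = score + (max_depth - len(path)) * (max(unused) if unused else 0.0)
        if bound <= best[1]:
            pruned += 1
            return
        # Severity-first expansion: most severe applicable exploit first.
        for e in sorted(exploits, key=lambda x: -x.cvss):
            if e in path or not applicable(state, e):
                continue
            dfs(state | {(e.host, e.grants)}, path + [e], score + e.cvss)

    dfs(start, [], 0.0)
    return best[0], best[1], pruned


if __name__ == "__main__":
    start = frozenset({("internet", "root")})
    path, score, pruned = critical_path(start, ("db", "root"), EXPLOITS)
    print(" -> ".join(e.cve for e in path), "| aggregated severity", round(score, 1))
    print("subtrees pruned:", pruned)
```

With the sample data the search returns CVE-A, CVE-B, CVE-C (compromise the web server, escalate to root, pivot to the database) and prunes the branch that starts with the low-severity ssh exploit, because even the best possible continuation could not overtake the path already found. The depth bound stands in for the planner's horizon; without it a "maximise severity" objective would simply take every exploit it can.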

    XML Schema-based Minification for Communication of Security Information and Event Management (SIEM) Systems in Cloud Environments

    XML-based communication governs much of today's systems communication, due to its capability of representing complex structural and hierarchical data. However, XML document structure is verbose, and reducing it minimizes bandwidth usage and transmission time and improves performance. This contributes to more efficient resource usage, and in cloud environments it affects the amount of money the consumer pays. Several techniques are used to achieve this goal. This paper discusses these techniques and proposes a new XML Schema-based Minification technique. The proposed technique reduces the XML structure using minification, and provides a separation between the meaningful names and the underlying minified names, which preserves software/code readability. The technique is applied to Intrusion Detection Message Exchange Format (IDMEF) messages, as part of the communication of a Security Information and Event Management (SIEM) system hosted on the Microsoft Azure Cloud. Test results show message size reductions ranging from 8.15% to 50.34% in the raw message, without using time-consuming compression techniques. Adding GZip compression to the proposed technique produces messages 66.1% shorter than the original XML messages.
    Comment: XML, JSON, Minification, XML Schema, Cloud, Log, Communication, Compression, XMill, GZip, Code Generation, Code Readability, 9 pages, 12 figures, 5 tables, Journal Articl
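
As an added example of schema-based minification (this is not the paper's implementation), the block below maps every element and attribute name of an IDMEF-style message to a short name through a table derived deterministically from the schema's name list, so both ends of a SIEM channel regenerate the same table and never have to ship it, while the readable names survive in the table for anyone maintaining the code. It also strips layout whitespace and reports the raw, minified and GZip-compressed sizes. The sample message, the hand-listed schema names (standing in for reading the XSD) and the short-name scheme are assumptions of the example.

```python
import gzip
import itertools
import string
import xml.etree.ElementTree as ET

# Constructed IDMEF-style alert using RFC 4765 element and attribute names
# (sample values, no namespace, so xml.etree handles it directly).
SAMPLE_IDMEF = """<?xml version="1.0" encoding="UTF-8"?>
<IDMEF-Message version="1.0">
  <Alert messageid="abc123456789">
    <Analyzer analyzerid="hq-dmz-analyzer62" model="sensor-x" version="1.2"/>
    <CreateTime ntpstamp="0xbc723b45.0xef449129">2014-03-01T09:30:00Z</CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.example.com</name>
        <Address ident="a1b2c3d4-002" category="ipv4-addr">
          <address>192.0.2.50</address>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr"><address>192.0.2.10</address></Address>
      </Node>
      <Service ident="d1c2b3a4-002"><port>22</port><protocol>tcp</protocol></Service>
    </Target>
    <Classification text="SSH brute force">
      <Reference origin="vendor-specific">
        <name>ssh-bruteforce-1</name>
        <url>http://www.example.com/sigs/ssh-bruteforce-1</url>
      </Reference>
    </Classification>
  </Alert>
</IDMEF-Message>
"""

# Names that would be read from the IDMEF XML Schema; listed by hand here so
# the example runs offline. The example assumes the schema covers every name
# in the message, otherwise an unmapped name could collide with a short one.
SCHEMA_NAMES = [
    "IDMEF-Message", "Alert", "Analyzer", "CreateTime", "Source", "Target",
    "Node", "Address", "Service", "Classification", "Reference", "name",
    "address", "url", "port", "protocol", "version", "messageid", "analyzerid",
    "model", "ntpstamp", "ident", "category", "text", "origin",
]


def _short_names():
    """Yield a, b, ..., z, aa, ab, ... (all valid XML names)."""
    for length in itertools.count(1):
        for letters in itertools.product(string.ascii_lowercase, repeat=length):
            yield "".join(letters)


def build_mapping(schema_names):
    """Deterministic long-name -> short-name table derived from the schema."""
    gen = _short_names()
    return {name: next(gen) for name in sorted(set(schema_names))}


def _rename(xml_text, table):
    """Rename tags/attributes through `table` and drop layout-only whitespace."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
        el.tag = table.get(el.tag, el.tag)
        renamed = {table.get(k, k): v for k, v in el.attrib.items()}
        el.attrib.clear()
        el.attrib.update(renamed)
    return ET.tostring(root, encoding="unicode")


def minify(xml_text, mapping):
    """Replace schema names with their short forms and strip layout whitespace."""
    return _rename(xml_text, mapping)


def expand(min_text, mapping):
    """Inverse of minify: restore the readable schema names."""
    return _rename(min_text, {short: long for long, short in mapping.items()})


def canonical(xml_text):
    """Whitespace-normalised serialisation, used to compare round trips."""
    return _rename(xml_text, {})


def sizes(xml_text, mapping):
    """Byte counts for raw and minified text, each with and without GZip."""
    raw = xml_text.encode()
    mini = minify(xml_text, mapping).encode()
    return {"raw": len(raw), "minified": len(mini),
            "raw_gzip": len(gzip.compress(raw)),
            "minified_gzip": len(gzip.compress(mini))}


if __name__ == "__main__":
    table = build_mapping(SCHEMA_NAMES)
    print(minify(SAMPLE_IDMEF, table)[:100], "...")
    for k, v in sizes(SAMPLE_IDMEF, table).items():
        print(f"{k:>14}: {v} bytes")
```

The receiving SIEM component calls `expand` with the same table before parsing, so the minified wire format never reaches the correlation code. Text content is left untouched; only the structure is reduced, which is what keeps this step cheap compared with a full compressor.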

    Advancing security information and event management frameworks in managed enterprises using geolocation

    Security Information and Event Management (SIEM) technology supports security threat detection and response through real-time and historical analysis of security events from a range of data sources. By retrieving mass feedback from many components and security systems within a computing environment, SIEMs are able to correlate and analyse events with a view to incident detection. The hypothesis of this study is that existing Security Information and Event Management techniques and solutions can be complemented by location-based information provided by feeder systems. In addition, and associated with the introduction of location information, it is hypothesised that privacy-enforcing procedures on geolocation data in SIEMs and meta-systems alike are necessary and enforceable. The method of the study was to augment a SIEM, established for the collection of events in an enterprise service management environment, with geolocation data. By introducing the location dimension, it was possible to expand the correlation rules of the SIEM with location attributes and to see how this improved security confidence. An important co-consideration is the effect on privacy when the location of an individual or system is propagated to a SIEM. With a theoretical consideration of the current privacy directives and regulations (specifically as promulgated in the European Union), privacy-supporting techniques are introduced to diminish the accuracy of the location information while still enabling enhanced security analysis. In the context of a European Union FP7 project on next-generation SIEMs, the results of this work have been implemented based on the systems, data, techniques and resilient features of the MASSIF project.
    In particular, AlienVault has been used as the platform for augmenting a SIEM, and an event set of several million events, collected over a three-month period, formed the basis for the implementation and experimentation. A "brute-force attack" misuse case was selected to highlight the benefits of geolocation information as an enhancement to SIEM detection (and false-positive prevention). With respect to privacy, a privacy model is introduced for SIEM frameworks; it takes as its basis the existing privacy legislation that is most stringent in terms of privacy. An analysis of the implementation and testing is conducted, focusing equally on data security and privacy: assessing location-based information in enhancing SIEM capability in advanced security detection, and determining whether privacy-enforcing procedures on geolocation in SIEMs and other meta-systems are achievable and enforceable. Opportunities for geolocation to enhance various security techniques are considered, specifically for solving misuse cases identified as existing problems in enterprise environments. In summary, the research shows that additional security confidence and insight can be achieved by augmenting SIEM event information with geolocation information. Through the use of spatial cloaking it is also possible to incorporate location information without compromising individual privacy. Overall, the research reveals that there are significant benefits for SIEMs in using geolocation in their analysis, and that this can be done in ways that are acceptable from a privacy standpoint when measured against prevailing privacy legislation and guidelines.
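
The brute-force misuse case and the spatial-cloaking idea above fit in a few dozen lines. The following is an added example, not the MASSIF or AlienVault implementation: a geolocation feeder has already resolved each logon event to coordinates; the correlation step first snaps them to a coarse grid cell (the cloaking, so the SIEM never stores a precise location), then counts failures per user and cell inside a time window, downgrading the alert when the cell is one the user has logged in from before (false-positive prevention) and escalating when a success follows from a cell that is not. The events, thresholds and cell size are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


def cloak(lat, lon, cell_deg=1.0):
    """Spatial cloaking: snap a coordinate to the corner of a grid cell.

    The SIEM only ever sees the cell, so an analyst can still say "five
    failures from the same 1-degree cell" without learning a street address.
    """
    return (math.floor(lat / cell_deg) * cell_deg,
            math.floor(lon / cell_deg) * cell_deg)


def correlate(events, threshold=5, window=timedelta(minutes=5), cell_deg=1.0):
    """Brute-force rule with a location dimension.

    events: dicts with ts (datetime), user, result ("success"/"fail"), lat, lon,
    as a geolocation feeder would deliver them. Findings produced:
      brute-force          `threshold` failures from one cell inside `window`;
                           severity "low" if the user has logged in from that
                           cell before (likely a mistyped password), else "high"
      brute-force-success  a success from a cell not previously known for the
                           user, right after it produced `threshold` failures
    """
    home = defaultdict(set)       # user -> cells with an earlier successful logon
    failures = defaultdict(list)  # (user, cell) -> failure timestamps
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        cell = cloak(e["lat"], e["lon"], cell_deg)  # precise lat/lon ends here
        key = (e["user"], cell)
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["result"] == "fail":
            recent.append(e["ts"])
            if len(recent) == threshold:
                known = cell in home[e["user"]]
                findings.append({"kind": "brute-force", "user": e["user"],
                                 "cell": cell, "ts": e["ts"],
                                 "severity": "low" if known else "high"})
        else:
            if len(recent) >= threshold and cell not in home[e["user"]]:
                findings.append({"kind": "brute-force-success", "user": e["user"],
                                 "cell": cell, "ts": e["ts"],
                                 "severity": "critical"})
            home[e["user"]].add(cell)
        failures[key] = recent
    return findings


def _ev(ts, user, result, lat, lon, ip):
    return {"ts": datetime.fromisoformat(ts), "user": user, "result": result,
            "lat": lat, "lon": lon, "ip": ip}


# Constructed sample: bob fumbles his password at his usual location; alice's
# account is brute-forced from a location she has never used, and it succeeds.
SAMPLE_EVENTS = [
    _ev("2014-05-01T08:00:00", "bob", "success", 60.17, 24.94, "192.0.2.7"),
    _ev("2014-05-01T09:00:00", "alice", "success", 60.17, 24.94, "192.0.2.8"),
    *[_ev(f"2014-05-01T08:3{i}:00", "bob", "fail", 60.17, 24.94, "192.0.2.7")
      for i in range(5)],
    *[_ev(f"2014-05-01T09:1{i}:00", "alice", "fail", 40.71, -74.01, "198.51.100.9")
      for i in range(5)],
    _ev("2014-05-01T09:15:00", "alice", "success", 40.71, -74.01, "198.51.100.9"),
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["ts"].time(), f["user"], f["kind"], f["severity"], "cell", f["cell"])
```

The cell size is the privacy knob: a larger cell hides more but also merges more users into the same "known" location, so the false-positive suppression gets coarser. Whatever the size, the `ip` field still reaches the SIEM here; a production feeder would apply the same minimisation reasoning to it.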

    Cyber indicators of compromise: a domain ontology for security information and event management

    It has been said that cyber attackers are attacking at wire speed (very fast), while cyber defenders are defending at human speed (very slow). Researchers have been working to improve this asymmetry by automating a greater portion of what has traditionally been very labor-intensive work. This work involves both the monitoring of live system events (to detect attacks) and the review of historical system events (to investigate attacks). One technology that is helping to automate this work is Security Information and Event Management (SIEM). In short, SIEM technology works by aggregating log information and then sifting through it looking for event correlations that are highly indicative of attack activity. For example: Administrator successful local logon and (concurrently) Administrator successful remote logon. Such correlations are sometimes referred to as indicators of compromise (IOCs). Though IOCs for network-based data (i.e., packet headers and payload) are fairly mature (e.g., Snort's large rule base), the field of end-device IOCs is still evolving and lacks any well-defined go-to standard accepted by all. This report addresses ontological issues pertaining to the development of end-device IOCs, including what they are, how they are defined, and what dominant early standards already exist.
    http://archive.org/details/cyberindicatorso1094553041
    Lieutenant, United States Navy
    Approved for public release; distribution is unlimited
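
The IOC quoted above (a successful local logon and a concurrent successful remote logon for the same account) is easy to express as correlation logic. As an added example, not from the report, the block below parses constructed key=value exports of Windows security events and pairs, per host and account, an interactive logon (LogonType 2 or 11) with a RemoteInteractive logon (LogonType 10) that fall within a short window of each other; the flat log format and the window length are assumptions, while the event id 4624 and the LogonType values are Microsoft's documented ones.

```python
import re
from datetime import datetime, timedelta

# Windows 4624 LogonType values as documented by Microsoft.
LOCAL_LOGON_TYPES = {2, 11}   # Interactive, CachedInteractive
REMOTE_LOGON_TYPES = {10}     # RemoteInteractive (RDP / Terminal Services)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

# Constructed sample lines in a flat key=value export. Field names follow the
# 4624/4625 event schema; hosts, users and addresses are made up.
SAMPLE_LINES = [
    "2014-05-01T10:00:01Z host=WS01 EventID=4624 TargetUserName=Administrator LogonType=2 IpAddress=127.0.0.1",
    "2014-05-01T10:00:03Z host=WS01 EventID=4625 TargetUserName=Administrator LogonType=10 IpAddress=10.0.0.55",
    "2014-05-01T10:00:05Z host=WS01 EventID=4624 TargetUserName=Administrator LogonType=10 IpAddress=10.0.0.55",
    "2014-05-01T10:00:10Z host=WS02 EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=127.0.0.1",
    "2014-05-01T10:00:20Z host=WS02 EventID=4624 TargetUserName=svc_backup LogonType=3 IpAddress=10.0.0.20",
    "2014-05-01T10:05:00Z host=WS01 EventID=4624 TargetUserName=Administrator LogonType=2 IpAddress=127.0.0.1",
]


def parse_line(line):
    """Parse one flat key=value line; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in m["kv"].split():
        k, _, v = kv.partition("=")
        fields[k] = v
    try:
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields


def concurrent_local_remote_logons(lines, window=timedelta(seconds=60)):
    """IOC: the same account has a successful local and a successful remote
    logon on the same host within `window` of each other."""
    events = [e for e in map(parse_line, lines)
              if e and e.get("EventID") == "4624"
              and e.get("LogonType", "").isdigit()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break  # sorted by time: nothing later can pair with a
            if a.get("host") != b.get("host") or \
                    a.get("TargetUserName") != b.get("TargetUserName"):
                continue
            types = {int(a["LogonType"]), int(b["LogonType"])}
            if types & LOCAL_LOGON_TYPES and types & REMOTE_LOGON_TYPES:
                findings.append({
                    "user": a["TargetUserName"], "host": a["host"],
                    "first": a["ts"], "second": b["ts"],
                    "logon_types": sorted(types),
                    "sources": sorted({a.get("IpAddress", "?"), b.get("IpAddress", "?")}),
                })
    return findings


if __name__ == "__main__":
    for f in concurrent_local_remote_logons(SAMPLE_LINES):
        print(f"{f['user']}@{f['host']}: logon types {f['logon_types']} "
              f"from {f['sources']} between {f['first'].time()} and {f['second'].time()}")
```

Failed logons (4625) and network logons (type 3, used by file shares and service accounts) are deliberately excluded so the rule matches only the case the report names; loosening either set is where the false positives would come from.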

    Security Information and Event Management Using Open Source Tools

    Information and communication systems are an important component of most of today's enterprises. Due to the increasing number of devices connected in information and communication systems, maintenance and security are becoming increasingly difficult. In my graduation thesis, I introduced systems for managing security information and events (SIEM), how they work and how they differ from log managers and IDS/IPS systems. I checked existing commercial, free and open-source SIEM systems on the market. Then I implemented a SIEM system using only open-source components and evaluated it through use cases.

    Security Information and Event Management Systems Monitoring Automation Systems

    This thesis studies how suitable Security Information and Event Management (SIEM) systems are for monitoring automation system log data. The motivation is the growing number of cybersecurity threats faced by industrial automation systems and the disruptive effects cyber-attacks can have on industries, vital infrastructure and people's everyday lives. The research material was gathered from literary sources, automation engineering lectures, studies and personal work experience in the field of cybersecurity. The thesis provides information for adding resilience against the cybersecurity threats faced by industrial automation systems. Growing threats and legislation such as the EU NIS Directive emphasise the need for better situational awareness and management of cybersecurity-related events, particularly for providers of services vital to society. The findings help improve the design of automation system log management and of SIEM systems, both of which improve a system's ability to counter cybersecurity threats.
    The major finding is that, by default, automation systems and SIEM systems are not highly compatible. Automation systems are complex, long-lived and highly tuned environments with special requirements for which SIEM systems were not originally designed. Integrating a SIEM in a meaningful way with an automation system would require major changes to both. The biggest issue is the log data itself. In automation systems, device logs stay on the devices, whereas a SIEM needs that log data brought to a centralised location. Furthermore, the log data will most likely not be adequate for analysis as is and would need enriching, at a minimum with the device's location. Implementing such modifications would be a major transformational process for an automation system. From the automation engineer's perspective the process and its reliability and availability are the most important aspects of the system, so their focus is on operational technology security. A SIEM, on the other hand, focuses on information technology security and would be an additional service used only in rare special circumstances. For this reason, selling SIEM for automation systems is difficult.
    Furthermore, in automation systems device logs are inspected only after an error situation, whereas a SIEM aims to detect issues before they have a disruptive impact on the system; this mitigates damage and makes countermeasures faster. However, a SIEM requires monitoring, which adds workload, and the people monitoring it need expertise in both automation engineering and cybersecurity. Monitoring the events alone is not enough: the SIEM system itself has to be monitored and continuously developed to make sure it works as desired. Automation systems are unique environments, and adding a SIEM requires extensive customisation. Smart event detection systems use machine learning and AI to detect anomalies in a system's activity rather than identifying markers of known malicious activity; this way they require less hands-on customisation and are more compatible with industrial control systems of various types and sizes. The future of cybersecurity management in automation systems lies in smart detection systems and automated responses, for better compatibility with operational technology environments and faster countermeasures.
