SIEM

Log içerisinden arama tarama yaparak önemli güvenlik zafiyetleri tespit edilemez.  Bu tur zafiyetleri tespit için Log yönetiminden SIEM çözümlerine geçmelisiniz. Bu noktada ise 2. Bir yol ayrımı ile karşılaşırsınız.  SIEM tanımının kapsamı. Bu kapsam global ürünlerde oturmuş olsa bile lokal ürünlerin pek çoğunda bu tanım oturmuş değildir.
Gerçek bir SIEM çözümü, görünürde birbiri ile ilişikli olmayan olayları ilişkilendirir ve ortaya asıl veriyi çıkarır. İyi bir korelasyon ile milyonlarca olay içerisinden filtreleme yapar ve önemli olana odaklanmanızı sağlar. Fazla sayıdaki “ false positive” ler ve fazla sayıdaki “false negative alert” ler dikkatinizi dağıtır. İyi bir SIEM time windows, context analysis,data mining vb.. teknik kullanarak veriyi süzer. Böylece siz, her gün üretilen milyonlarca olay arasından önemli olana odaklanabilirsiniz. Bu süzme işinin temel bileşeni Taxonomy modülüdür.

SIEM ürünleri ve bu ürünlerin performans analizleri ürünleri değerlendirme açısından çok önemlidir.
SIEM ürünlerinin çalışma performansları, gerek duydukları kaynaklar (CPU, RAM, DISK)  ve ihtiyaç duyulan EPS değerlerinde nasıl bir performans göstereceği önemlidir.
Bu çalışmada bu parametrelere göre performas kıyaslaması yapılmıştır

The Internet of Things (IoT) is becoming an integral part of our daily life including health, environment, homes, military, etc. The enormous growth of IoT in recent years has attracted hackers to take advantage of their computation and communication capabilities to perform different types of attacks. The major concern is that IoT devices have several vulnerabilities that can be easily exploited to form IoT botnets consisting of millions of IoT devices and posing significant threats to Internet security. In this context, DDoS attacks originating from IoT botnets is a major problem in today's Internet that requires immediate attention. In this paper, we propose Security Information and Event Management-based IoT botnet DDoS attack detection and mitigation system. This system detects and blocks DDoS attack traffic from compromised IoT devices by monitoring specific packet types including TCP SYN, ICMP and DNS packets originating from these devices. We discuss a prototype implement...

Growing quantities of the processed information fosters growing needs to involve SIEM systems and solutions for qualified identification, sorting and filtering of the data. A particular challenge to that task is posed by the growing amount of malicious data and activities driven against the information systems. SIEM systems are increasingly overloaded with the amount of information to analyze. Signature analysis method is potentially beneficial for improving efficiency of the SIEM systems. Comparison is made between the signature-based and signature-less SIEM systems. Demonstration of efficiency of the signature analysis is based on its evaluation for the case of DDoS attack on an information infrastructure.

Information security has become a necessity in securing an information asset in a company or organization. The government, which acts as a regulator, publishes an Information Security Management System (SMKI) and an Information Security Index (KAMI) as a measure of information security in a company or organization. The technology used to secure information assets is Security information and Event Management (SIEM). SIEM is expected to provide information related to attacks that occur on the router network and increase a value of the US Index. The research here simulates attacks that occur on routers with 8 attacks, namely Mac Flooding, ARP-Poisoning, CDP Flooding, DHCP Starvation, SYN Flooding, SSH Bruteforce, DHCP Rogue, and FTP Bruterforce. After 8 types of attacks, followed by digital forensic analysis using the OSCAR method to see the impact on the router or SIEM. Do not forget to also measure the US index before and after the SIEM, in order to measure the effect of the SIEM installation on the value of the US index. It was found that the use of SIEM in conducting security monitoring proved successful regarding attacks, but not all were recognized by SIEM. SIEM does not recognize Mac Floading, ARP-Poisoning, CDP Flooding and SYN Flooding attacks, because routers do not produce logs. It was also found that the use of SIEM was proven to increase the US index in terms of technology.

Security Information and Event Management (SIEM) have become a crucial component in an enterprise network in terms of monitoring and detection of anomalies by correlating logs from various sources. Despite of correlation capabilities, SIEM do fall a short coming in terms of the data being fed to the SIEM. This paper focuses on how to enhance the detection capabilities of SIEM by integrating the SYSMON and powershell logs.

In this paper, we describe research into the use of baselining for enhancing SIEM Correlation rules. Enterprise grade software has been updated with a capability that identifies anomalous events based on baselines as well as rule based correlation engine, and alerts administrators when such events are identified. To reduce the number of false positive alerts we have investigated the use of different baseline training techniques and introduce the use of 3 different training approaches for baseline detection and updating lifecycle

Bilgisayar ağlarında kullanılan ağ cihazları olaylar hakkında kayıt yapma özelliğine sahiptirler. Bu kayıtlar sayesinde ağ üzerinde güvenlik olaylarının belirlenmesi ve önlem alınması sağlanmaktadır. Buna Log Analizi denilmektedir.
Log analizi sayesinde sisteme girmeye çalışan kişilerin adres bilgilerine ulaşılmaktadır. Ayrıca sistem içinde bulunan kullanıcıların yaptıkları (dosya kaydetme, yazıcıdan çıktı alama gibi) işler kontrol edilmesi mümkün olmaktadır.
Büyük firmalarda ise internet ortamında kullanıcıların hangi siteye girdikleri, hangi aşamada terk ettikleri, hangi sayfada daha çok / az zaman harcadıkları gibi bilgilere kolaylıkla ulaşmaları sağlanır[1].

Maalesef Log Yönetimi ve SIEM aynı şeymiş gibi algılanmaktadır. Hatta SIEM i log yönetiminin bir alt kümesi veya biraz özelleşmiş hali olarak görenler de çoktur. Bu iki görüş de hatalıdır.  Hatta maalesef bu iki görüş sahipleri bu görüşleriyle kurumsal güvenlik politikalarına negatif etki yaparlar ve güvenlik politikalarında indirgeyici bir yönetim sergilemiş olurlar

Korelasyon yeteneği bir SIEM ürününün en önemli özelliklerinden biridir.  Ürünlerin korelasyon yetenekleri farklılık göstermektedir.
Bu çalışmada ortalama bir korelasyon yeteneğine sahip bir SIEM ürünü ile geliştirilebilecek kurallara örnekleri listelemeye çalıştık.

We must advance old think SOC operations and strategies.  The global threat and new technologies implore us to engage in a Cyber warfare evolution and replace the Security Operations Center with a big data focused analytics Cyber Intelligence Operations Center or CIOC.

A Security Information Event Management (SIEM) System
accepts packet logs from different network devices, analyzes
the logs, groups and summarizes events according to its patterns and gives reports and recommendations afterwards
that can be warnings, notices or alarms. [3] The process
involves log collection, log normalization, log consolidation,
event action and documentation. In a typical Local Area
Network (LAN), the logs collected from different network
devices (i.e. device type and identification) come with different
formats, thus, making it difficult to be consolidated.
However, Request for Comments (RFC) 3164 has mandated
that all devices should have a logging system which is popularly
known as a Syslog with fields date/time, IP address,
facility, severity and message. Syslog could have answered
the conflicts regarding the commonalities of different logs
yet companies of these proprietary network devices modified
the message field of the Syslog and created their own
proprietary features in their logging system. A Log Normalizer
is responsible for transforming logs into a standardized
format that the software can easily understand and put in
the Normalized Log Database afterwards. The Log Normalizer
uses dynamic loading as an answer to compatibility
issues with other and future network devices. The concept
inherits existing necessary attributes from a super class (i.e.
Syslog) and creates new subclasses for a particular device
with attributes to comply in standardizing its own logs without
recompiling the whole system. With the emergence of
the Log Normalizer, a standardized log format is created by
the SIEM that helps in log consolidation, event action and
documentation. The normalization of a proprietary router,
firewall, personal computer, laptop and an IDS of different
Syslog formats became uniform and more organized after
the log normalization process seen in the experiment.

"In today’s information-driven business environment, enterprise systems and processes capture an ever-increasing amount of data. To derive meaningful and actionable information from this data, businesses are compelled to commit significant resources to perform the necessary analysis. While all business areas are impacted to varying degrees, few face a greater challenge than the information security department. To support its mission to protect critical information assets, the information security department must maintain an ongoing process to capture, analyze and subsequently act on log and alert information collected from a wide array of systems across the enterprise.
Typically, these data must be analyzed and actionable.... Joey Hernandez worked as a SME Reviewer for this ISACA effort"

The challenge of securing critical data increases year after year. Evolving technology developments, involving the growth in cloud and the Internet of Things adoption make businesses' confidential data more vulnerable to sophisticated attackers. Protect the Whole Organization by using the Industry's First Extended Detection and Response (XDR) Platform Security teams have been inundated with inaccurate, inadequate alerts. As a result of today's siloed security tools, specialists should pivot from the console to the console to piece together investigative clues, which will result in horribly slow investigations. Although they've implemented countless tools, teams still lack enterprisewide visibility as well as the deep analytics necessary to locate threats. Confronted with a lack of security professionals, teams need to streamline operations. Extended Detection and Response is the world's very first extended detection and response platform which integrates endpoint, network, as well as cloud data to halt advanced attacks. It combines prevention, investigation, detection, and response in a single platform for unparalleled security and operational effectiveness. In combination with a Managed Threat Hunting assistance, XDR offers continuous protection and industry-leading coverage. A new and more comprehensive approach to detection and response is clearly needed, one which not just includes traditional endpoints but then also includes the enhanced attack surface like the network and cloud. Luckily, these are only a few of the difficulties XDR was intended to solve. XDR unites and extends detection and response capacity through multiple security layers, offering security teams along with centralized end-to-end enterprise visibility, strong analytics, automatic response across the entire technology stack. XDR, clients can get integrated and proactive security measures designed to protect the whole technology stack, which makes it easier for security analysts to detect and stop attacks in progress prior to the impact to the business. Companies of all sizes and types, irrespective of their levels of cybersecurity expertise, is necessary to be considered sophisticated detection, improved visibility, and immediate response to sophisticated threats. The goal here is to explain what XDR is and how it empowers Information Technology, security teams, to stop threats and put them on the defensive. And also show how it provides superior extensibility and analytics which will fit the needs of the future. In the present article, we'll describe the fundamentals of XDR, and demonstrate how it help out for organizations as well as how it facilitates new security challenges. Moreover, this research paper will be useful for organizations to understand XDR in-depth, as well as how XDR can assist organizations in preventing cyberattacks as well as simplifying and improving security processes. In addition, this paper explains XDR, the capability of current and emerging technologies to offer greater visibility, collect and correlate threat information, and utilize analytics and automation to detect today and future attacks.

Around 2017, INFOSECFORCE developed the CSAMS solution to solve a Cybersecurity Architecture Management Gap.  INFOSECFORCE entered negotiations with a major network monitoring company to build and deploy the Cyber Security Architecture Management System or CSAMS,  The negotiations did not work out.  As such, CSAMS has sat on the shelf for several years.  We realized given we have no formal sponsors we should offer CSAMS to the global IT Community.  Please call Bill with any questions.  804-855-4988.  CSAMS now found at https://cua.academia.edu/BillRoss

The Internet of Things (IoT) is becoming an integral part of our daily life including health, environment, homes, military, etc. The enormous growth of IoT in recent years has attracted hackers to take advantage of their computation and communication capabilities to perform different types of attacks. The major concern is that IoT devices have several vulnerabilities that can be easily exploited to form IoT botnets consisting of millions of IoT devices and posing significant threats to Internet security. In this context, DDoS attacks originating from IoT botnets is a major problem in today's Internet that requires immediate attention. In this paper, we propose Security Information and Event Management-based IoT botnet DDoS attack detection and mitigation system. This system detects and blocks DDoS attack traffic from compromised IoT devices by monitoring specific packet types including TCP SYN, ICMP and DNS packets originating from these devices. We discuss a prototype implementation of the proposed system and we demonstrate that SIEM based solutions can be configured to accurately identify and block malicious traffic originating from compromised IoT devices. 1. INTRODUCTION Internet of things (IoT) have witnessed enormous growth in recent years. This growth is due to the significant development in semiconductor industry, wireless communication technologies and the emergence of IoT applications in different fields in our daily life including: smart homes [1], health care sector [2], industrial control systems [3] and military applications [4]. According to Statista [5], the number of IoT connected devices is estimated to be about 23.4 billion and is expected to increase to 31 billion in 2020. Motivated by the significant growth of IoT, hackers are eager to take advantage of their computation and communication capabilities to perform different types of attacks. Botnets represent the primary source of many attacks targeting the Internet. A botnet is a network of compromised machines (e.g. computers, smart-phones, IoT devices, etc.) which are controlled by an attacker (botmaster) and used to perform a variety of activities such as distributed denial of service (DDoS) attacks, spamming, click fraud, and phishing attack. IoT devices are creating a huge risk to security compared to the ordinary Internet connected devices because of their large number, resource limitation and protocol diversity, which makes IoT a valuable target for attackers to create IoT botnet. For example, an attacker can compromise victim's IoT smart home devices [1] to obtain sensitive information, or to use IoT devices as IoT Botnets [6] in order to execute a distributed denial

Gerenciar os eventos e informações de segurança na Pontifícia Universidade Católica de Goiás
(PUC-GO). Será possível, mediante o auxílio de um software proporcionar um ambiente unificado para coleta e gestão das informações, além de aplicar compliance das normas de segurança e facilitar a auditoria de sistemas? Para melhorar a gestão da segurança da informação é necessário possuir um ambiente centralizado. Será abordado um estudo de caso, cujo objetivo será apontar algumas soluções para o ambiente, as quais incluirão a apresentação das políticas e software a serem implantados. Uma pesquisa exploratória baseada no estudo de caso e implementação de um software classificado como Security Information and Event Management (SIEM), cuja coleta dos dados se deu dentro dos laboratórios de Computação pertencentes à PUC-GO, sendo que os eventos e alertas da coleta foram armazenados na ferramenta e o período da coleta se deu entre 05 de janeiro à 18 de março de 2015, a análise dos dados foram baseadas no referencial teórico da NBR/ISO 27001. Os resultados encontrados indicaram diversas falhas de segurança no ambiente, sendo que os níveis médio e alto foram reduzidos em aproximadamente 72%. Conclui-se que a falta de um ambiente centralizado para coletar e armazenar as informações podem ser prejudiciais para a instituição.

Güvenlik Olay Yönetimi ve Korelasyon Sistemi (Log Yönetimi, SIEM ) sistemlerinde amaç kullanıcının en yalın ve kolay bir şekilde sistemin güvenli bir şekilde yönetilmesini sağlamaktır.
Bunun için SIEM sistemleri hazır bir kütüphane ile gelir.
Bu özelliğin yanında ve daha önemli bir özellik ise ihtiyaçlar kapsamında kendi kurallarınızı geliştirebiliyor olmaktır. Kural geliştirme yeteneğini ise 4 farklı seviye olarak ele alabiliriz:
Basit periyodik kurallar
Basit gerçek zamanlı kurallar
Senaryo kuralları
Sınıflandırma temelli korelasyon yaklaşımına sahip kurallar.

Tehdit zekası (Threat Intelligence) spesifik tehditleri ve riskleri öngören ve izleyen bilginin proaktif, bütüncül ve sürekli bir biçimde derlenmesi, incelenmesi ve aktarılmasını ifade eder
Tehdit zekası (Threat Intelligence) nın ilk adımı daha fazla zeka ve doğru güvenlik uygulaması edinmenize yardımcı olmak için mevcut SIEM [1]  çözümlerinin analitik yeteneklerine dinamik İnternet tehdidi verileri eklemekle başlar.
En son çıkan bütün phishing,  Proxy, diğer kötü niyetli tehditleri tespit etmek,  Bot, phishing, DOS, scanners, spam kaynakları ve Windows exploitlerini tespit etmek için aşağıdaki gibi ve benzeri kaynaklardan canlı olarak veriler derlenir.

Korelasyon, Korelasyon Motorları, Bilgi Çıkarımı, Bilgi Güvenliği, Log Yönetimi, Log Analizi, Kurumlarda Log Yönetiminin Gerekliliği, 5651 Sayılı Yasa,  Log Yönetimi,  Log Normalleştirme, SIEM, SYSLOG, SNMP,  5651 Sayılı Kanun, Karmaşık Olay İnceleme, Complex Event Processing, CEP, Olaylar Akımı İnceleme, Event Stream Processing, ESP, RETE Algorithm, CEP, Event, ECA, Rules, İleri Analitik ve Korelasyon Yetenekleri

Güvenlik Olay Yönetimi ve Korelasyon Sistemi (Log Yönetimi, SIEM ) sistemlerinde amaç kullanıcının en yalın ve kolay bir şekilde sistemin güvenli bir şekilde yönetilmesini sağlamaktır. Bu amaçla veri ambarı ve yapay zeka kullanılarak geliştirilen korelasyon katmanı SINIFLANDIRMA TEMELLİ KORELASYON YAKLAŞIMI olarak adlandırılmıştır.

Modern Log Yönetim sistemlerinin sadece log arama ve log sayma (log search - log count) işlemlerinden çok daha gelişkin özelliklere sahip olması gerekir.
Açık kaynak kodlu Kibana  (http://www.elasticsearch.org/overview/kibana/ ) veya
Elasticsearch temelli uygulamalar  (http://www.elasticsearch.org/overview/elasticsearch/ ) ticari pek çok uygulamadan çok daha hızlı log arama ve sayma yapabilmekteler zaten.
Modern log yönetimi sistemlerinde olması gereken pek çok özellikten biri de trafik analizi yeteneğidir. Bu yetenek hem trafik, protokol ve güvenlik unsurlarını trafiğe etkisi hem de bu korelasyon kurallarına etkisi açısında çok önemlidir.

SureLog Distributed architecture is good for the big organizations where the log sources are located in multiple data centers and/or regions. This architecture is recommended for global and/or distributed environments where there is a need for high throughputs or customer data are located throughout the world or country.

Cyber-attacks have grown exponentially more frequent and sophisticated, demanding near real-time, highly available, and automated responses to threats. The global cost of cybercrime has already grown to $100 billion annually [1], not counting the intangible damage to enterprise and government security. In addition to the data loss, security breaches can cause immeasurable—and sometimes irrevocable damage to brand.

Analyzing machine data from firewalls and perimeter devices in real time is vital to thwarting and predicting threats. Every router, switch, firewall, intrusion prevention system (IPS), web proxy, or other security element has a story to tell about the confidentiality, integrity, and availability of the IT environment. Relevant data from across these systems is critical to investigations as well as for continuous monitoring for situational awareness. However, the real return on investment for security solutions lies in making them work together to provide a comprehensive view of the enterprise security posture. This combined and chronological view of all relevant data allows the security team to prioritize events and responses, and to effectively engage with IT operations and other areas of the business.

Güvenlik Olay Yönetimi ve Korelasyon Sistemi (Log Yönetimi, SIEM ) sistemlerinde amaç kullanıcının en yalın ve kolay bir şekilde sistemin güvenli bir şekilde yönetilmesini sağlamaktır.  Korelasyonun bunun olmazsa olmazıdır. Özellikle Türkiye'de korelasyon konusu üzerinde çalışmaya ihtiyaç vardır. Pek çok veri analiz yöntemi yanlış yönlendirme sonucu korelasyon olarak algılanabilmektedir.

Korelasyon, Korelasyon Motorları, Bilgi Çıkarımı, Bilgi Güvenliği, Log Yönetimi, Log Analizi, Kurumlarda Log Yönetiminin Gerekliliği, 5651 Sayılı Yasa,  Log Yönetimi,  Log Normalleştirme, SIEM, SYSLOG, SNMP,  5651 Sayılı Kanun, Karmaşık Olay İnceleme, Complex Event Processing, CEP, Olaylar Akımı İnceleme, Event Stream Processing, ESP, RETE Algorithm, CEP, Event, ECA, Rules, İleri Analitik ve Korelasyon Yetenekleri

The challenge of securing critical data increases year after year. Evolving technology developments, involving the growth in cloud and the Internet of Things adoption make businesses' confidential data more vulnerable to sophisticated attackers. Protect the Whole Organization by using the Industry’s First Extended Detection and Response (XDR) Platform Security teams have been inundated with inaccurate, inadequate alerts. As a result of today's siloed security tools, specialists should pivot from the console to the console to piece together investigative clues, which will result in horribly slow investigations. Although they’ve implemented countless tools, teams still lack enterprise-wide visibility as well as the deep analytics necessary to locate threats. Confronted with a lack of security professionals, teams need to streamline operations. Extended Detection and Response is the world's very first extended detection and response platform which integrates endpoint, netwo...