Implementing open-source security information and event management system (SIEM) for private cloud infrastructure of DLSU CCS-TSG
| Field | Value |
|---|---|
| Main Author | |
| Format | text |
| Language | English |
| Published | Animo Repository, 2022 |
| Subjects | |
| Online Access | https://animorepository.dlsu.edu.ph/etdm_comtech/13 https://animorepository.dlsu.edu.ph/cgi/viewcontent.cgi?article=1010&context=etdm_comtech |
| Institution | De La Salle University |
| Keywords | Cyber Security Operations, SIEM, AuditD, Intrusion Detection, Open-Source |

Summary: Cybersecurity is an essential part of IT operations in the 21st century. Attacks on businesses by malicious individuals seeking monetary gain or access to sensitive information have increased; manually investigating each host for suspicious activity is ineffective and reactive, and the early warning signs of an attack are most of the time hard to identify. Security Information and Event Management (SIEM) is a set of tools and services that can provide a holistic overview of an organization's information security posture. However, SIEM can be expensive because of its license cost, maintenance, and resource requirements. This project evaluates known open-source SIEM solutions using a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis to find the one that fits the needs of DLSU CCS-TSG, with a minimal-cost implementation design in mind. The chosen SIEM was deployed, configured, and optimized to improve the detection of adversarial tactics from the MITRE ATT&CK framework on Unix-based operating systems. To validate the efficacy of the deployed SIEM and of the rule optimization in system auditing, an attack simulation was conducted based on commands from the Discovery, Credential Access, and Persistence tactics of MITRE ATT&CK. In conclusion, the SIEM helped the organization centrally collect data across the network environment, gain real-time visibility into activities that may induce risk, and address issues before they become a significant financial risk. Lastly, it was shown that optimizing both the SIEM and host system auditing to correlate and work with each other improved the detection capabilities of the SIEM. However, proper training to manage, maintain, and improve the skillset, and to gain the cybersecurity experience needed to discern potential threats from false positives, is essential for the SIEM to be effective.