Your search keyword '"Wazuh"' showing total 16 results

1. Monitoring, Management, and Analysis of Security Aspects of IaaS Environments.

Author

Mycek, Andrzej

Subjects

INFORMATION technology security, CLOUD computing, INDIVIDUAL needs, PUBLIC works, INTRUSION detection systems (Computer security), COMPUTER software

Abstract

Many companies or institutions either already have placed their resources in or plan to move them to the cloud. They do so for security reasons and are weary of the fact that by relying on cloud-based resources, they do not have to bear such extensive infrastructure-related costs. However, continuous technology advancement results not only in benefits, but also in disadvantages. The latter include the growing risk associated with IT security, forcing the individual actors to implement monitoring measures and to respond to numerous threats. This work focuses on creating a small infrastructure setup using the publicly available Google Cloud Platform which, thanks to the monitoring systems implemented thereon, allows to rapidly respond to hardware and software faults, including those caused by external factors, such as attacks on specific components. This project may also be customized to satisfy individual needs, depending on the cloud service provider selected. The work uses public cloud provider tools as well as open-source systems available for everyone, both in the cloud and in the onprem environment. The paper deals also with the concept of a proprietary intrusion detection system. [ABSTRACT FROM AUTHOR]

Published

2023

2. Monitoring, Management, and Analysis of Security Aspects of IaaS Environments

Author

Andrzej Mycek

Subjects

cybersecurity, IaaS, monitoring, Wazuh, Zabbix, Telecommunication, TK5101-6720, Information technology, T58.5-58.64

Abstract

Many companies or institutions either already have placed their resources in or plan to move them to the cloud. They do so for security reasons and are weary of the fact that by relying on cloud-based resources, they do not have to bear such extensive infrastructure-related costs. However, continuous technology advancement results not only in benefits, but also in disadvantages. The latter include the growing risk associated with IT security, forcing the individual actors to implement monitoring measures and to respond to numerous threats. This work focuses on creating a small infrastructure setup using the publicly available Google Cloud Platform which, thanks to the monitoring systems implemented thereon, allows to rapidly respond to hardware and software faults, including those caused by external factors, such as attacks on specific components. This project may also be customized to satisfy individual needs, depending on the cloud service provider selected. The work uses public cloud provider tools as well as open-source systems available for everyone, both in the cloud and in the on-prem environment. The paper deals also with the concept of a proprietary intrusion detection system.

Published

2023

3. COMPARATIVE ANALYSIS OF IBM QRADAR AND WAZUH FOR SECURITY INFORMATION AND EVENT MANAGEMENT.

Author

Šuškalo, Dario, Morić, Zlatan, Redžepagić, Jasmin, and Regvart, Damir

Subjects

*INFORMATION resources management, *INFORMATION technology, *COMPARATIVE studies

Abstract

The objective of this paper is to conduct a comparative analysis between two prominent SIEM tools: the commercial IBM QRadar SIEM and Wazuh, an open-source security solution. The chosen focal point was to assess the extent to which these tools can meet the security requirements within a typical IT infrastructure. The selection of this paper aimed to evaluate the efficacy of these tools in addressing the security needs prevalent in contemporary IT setups. The practical phase of the research was built around carefully curated scenarios that mirror the daily security incidents encountered by businesses. This deliberate choice was underpinned by the significance of understanding how QRadar and Wazuh interpret and respond to such events. [ABSTRACT FROM AUTHOR]

Published

2023

4. Secure Mechanism Applied to Big Data for IIoT by Using Security Event and Information Management System (SIEM).

Author

Hussein, Marwan Alaa and Hamza, Ekhlas Kadhum

Subjects

INFORMATION resources management, BIG data, SMART cities, BUSINESS networks, INTERNET of things

Abstract

It is estimated that the number of devices and sensors connected to the Internet of Things (Internet of Things) will grow to around 125 billion by the end of this decade, compared to 21 billion this year. The Internet of Things promises tremendous advantages in many applications such as industrial environment, smart homes, smart cities, smart environment, agriculture, control of critical infrastructure and smart health. However, as the number of IoT devices increases and more information is shared between IoT devices, massive amount of data is transmitted between these devices and providing security becomes a major concern for researchers, developers and users, since IoT devices have low power and limited computing and storage capabilities. Where the application of strong and complex encryption processes requires significant capabilities in terms of computing and storage, which makes these devices more vulnerable to attacks and security risks that threaten the integrity of corporate and institutional data and other information. This article proposes implementing a security solution based on the "all-in-one" architecture for Wazuh and Elastic Stack as a tester, in order to implement proof of concept to detect anomalies occurring in devices on a network, which constitute the Wazuh proxy. In this way, the security contribution proactively with the collection of logs in real time, allows this system in question to generate alerts in the event of attempted attacks and implement the active response, a measure that allows mitigation of the detected incident. This project promotes open-source software solutions, and proves to be a complete business security solution in the context of analysing log data to secure a host for the internal business network. He concluded that the solution is ideal for business environments of any type, and even more so for small environments such as our simulated environments. Considering that the method of automating responses to security incidents offers a great alternative in the field of information technology. [ABSTRACT FROM AUTHOR]

Published

2022

5. Desplegament i optimització d'una plataforma de monitoratge de ciberseguretat

Author

Universitat Politècnica de Catalunya. Departament d'Arquitectura de Computadors, Catrisse I Pérez, Marc, Serral Gracià, René, Deiros Tort, Oriol, Universitat Politècnica de Catalunya. Departament d'Arquitectura de Computadors, Catrisse I Pérez, Marc, Serral Gracià, René, and Deiros Tort, Oriol

Abstract

El projecte consisteix a desplegar una solució completa de ciberseguretat basada en el núvol per a empreses, centrant-se en el monitoratge de dispositius informàtics. S'utilitzarà la plataforma Kubernetes per a gestionar la infraestructura i s'implementaran diverses eines de codi obert, com Wazuh, Velero i Terraform, per a proporcionar funcionalitats com XDR, SIEM, còpies de seguretat i automatització de desplegaments. L'objectiu principal és enfortir la seguretat de l'empresa client, permetent la detecció precoç d'amenaces, la gestió eficient d'incidents i la recuperació ràpida davant desastres. A més, es milloraran els processos interns, establint polítiques de còpies de seguretat, cicles de vida de les dades i protocols de recuperació. Aquest projecte es destaca pel seu enfocament en l'adopció de tecnologies basades en el núvol i la seva integració d'eines open source, brindant una solució escalable, flexible i econòmica per a les necessitats de ciberseguretat de les empreses., The project consists of deploying a complete cloud-based cybersecurity solution for companies, focusing on computer device monitoring. Kubernetes will be used to manage infrastructure and several open source tools, such as Wazuh, Velero and Terraform, will be implemented to provide functionality such as XDR, SIEM, backups and automation of deployments. The main objective is to strengthen the safety of the client's company, allowing early detection of threats, efficient incident management and rapid disaster recovery. In addition, internal processes will be improved by establishing backup policies, data life cycles and recovery protocols. This project is noted for its focus on adopting cloud-based technologies and integrating open source tools, providing a scalable, flexible and cost-effective solution to the cybersecurity needs of companies.

Published

2023

6. D3.6 Tools and techniques for collecting evidence of technical and organisational measures – v3

Author

Ratkajec, Hrvoje

Subjects

Cloud Property Graph, Evidence gathering, Clouditor, Codyze, Assessment and Management of Organisational Evidence, Organisational measures, LLVM Extensions of the Code Property Graph, Security assessment, Components implementation, Wazuh, Technical measures, Vulnerability Assessment Tools

Abstract

This deliverable presents tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. This is the third and final iteration of the tool integration, based on a refinement of the technical architecture and reflects the feedback from the validation at use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Published

2023

7. D3.5 Tools and techniques for collecting evidence of technical and organisational measures – v2

Author

Anže Žitnik

Subjects

Cloud Property Graph, Evidence gathering, Clouditor, Codyze, Assessment and Management of Organisational Evidence, Organisational measures, Security assessment, Components implementation, Wazuh, Technical measures, Vulnerability Assessment Tools

Abstract

This deliverable presents tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. This is the second iteration of the tool integration, based on a refinement of the technical architecture after the first initial prototype was presented (D3.4). The third iteration will reflect the implementation of the use cases (D3.6). This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Published

2022

8. Endpoint Intrusion Detection and Response Agents in Embedded RAN Products : A suitability and performance evaluation

Author

Hashem, Yousef, Zildzic, Elmedin, Hashem, Yousef, and Zildzic, Elmedin

Abstract

Endpoint detection and response is an integral part of the security of large-scale networks. Embedded hardware, such as those found at Ericsson Radio Access Network endpoints, have strict performance requirements that need to be met. This fact makes implementing intrusion detection non-trivial, as intrusion detection software often generate a lot of processing overhead. Wazuh, an established open-source distributed and centralized intrusion detection and response system, shows a lot of promise as a large-scale intrusion detection system. It is very modular and has various capabilities that can be utilized in different ways to minimize processing overhead. One of these capabilities is native support for the native Linux syscall monitoring tool AuditD. While AuditD is very capable, it can introduce severe performance penalties in certain scenarios. Falco is another syscall monitoring tool that shows promise with regards to performance, and also has more features than AuditD; which is why Falco is included as a direct comparison to AuditD. This study evaluates Wazuh, AuditD, and Falco based on a set of requirements set by Ericsson, including flexibility, scalability and reliability, by enacting performance benchmarks with normal background operations active. The results of this study show that, with the correct configuration, Wazuh can be used as an intrusion detection system in embedded systems with limited hardware, where AuditD and Falco can serve as a great addition to detecting indicators of compromise. The solution is to use a minimal intrusion detection ruleset, and in the event of suspicious activity, activate more modules to increase threat detection at the cost of CPU overhead and execution time for normal system operation.

Published

2022

9. Intrångsdetektering och respons inom ändpunkter i inbyggda RAN produkter : En studie kring lämplighet och prestanda

Author

Hashem, Yousef and Zildzic, Elmedin

Subjects

wazuh, intrusion detection, security, Computer Engineering, intrusion response, edr, Datorteknik

Abstract

Endpoint detection and response is an integral part of the security of large-scale networks. Embedded hardware, such as those found at Ericsson Radio Access Network endpoints, have strict performance requirements that need to be met. This fact makes implementing intrusion detection non-trivial, as intrusion detection software often generate a lot of processing overhead. Wazuh, an established open-source distributed and centralized intrusion detection and response system, shows a lot of promise as a large-scale intrusion detection system. It is very modular and has various capabilities that can be utilized in different ways to minimize processing overhead. One of these capabilities is native support for the native Linux syscall monitoring tool AuditD. While AuditD is very capable, it can introduce severe performance penalties in certain scenarios. Falco is another syscall monitoring tool that shows promise with regards to performance, and also has more features than AuditD; which is why Falco is included as a direct comparison to AuditD. This study evaluates Wazuh, AuditD, and Falco based on a set of requirements set by Ericsson, including flexibility, scalability and reliability, by enacting performance benchmarks with normal background operations active. The results of this study show that, with the correct configuration, Wazuh can be used as an intrusion detection system in embedded systems with limited hardware, where AuditD and Falco can serve as a great addition to detecting indicators of compromise. The solution is to use a minimal intrusion detection ruleset, and in the event of suspicious activity, activate more modules to increase threat detection at the cost of CPU overhead and execution time for normal system operation.

Published

2022

10. Implementación de SIRP Open Source

Author

Romero Cabello, Raúl, García Font, Víctor, and Flores Terrón, Miguel Ángel

Subjects

TheHive, Cortex y MISP, Seguridad informática -- TFM, TheHive, Cortex i MISP, Seguretat informàtica -- TFM, Computer security -- TFM, Wazuh, ELK, TheHive, Cortex and MISP

Abstract

La finalidad de este trabajo es disponer de una plataforma SIRP con software de código abierto que pueda ser escalable y altamente disponible con fines pedagógicos en un entorno de simulación pero que dotado de los recursos necesarios hardware necesarios pueda ser implementable para la gestión de incidentes de cualquier empresa u organización que necesite implementar este tipo de soluciones como parte de su SGSI. A nivel metodológico, en este trabajo se ha seguido los siguientes pasos: 1- Analizar las funcionalidades necesarias y ver que opciones hay disponibles. 2- Escoger los componentes y diseñar una solución en base al estudio realizado y al alcance propuesto. 3- Implementar e integrar los diferentes componentes/productos que forman la solución. 4- Realización de pruebas, conclusiones y documentar posibles mejoras. 5- Completar la documentación y presentación sobre el trabajo realizado. Como resultado tenemos una plataforma SIRP operativa que permite la gestión de los incidentes desde su detección a la respuesta, con su correspondiente documentación de posibles incidentes y cierre, que permite compartir información (IoCs) con terceros si se precisa y que utiliza fuentes externas de inteligencia para ayudar a los analistas de seguridad en los que puede ser el día a día de cualquier empresa u organización, todo ello utilizando tecnologías actuales de cloud para su implementación y gestión. La finalitat d'aquest treball és disposar d'una plataforma SIRP amb programari de codi obert que pugui ser escalable i altament disponible amb finalitats pedagògics en un entorn de simulació però que dotat dels recursos necessaris maquinari necessari pugui ser implementable per a la gestió d'incidents de qualsevol empresa o organització que necessiti implementar aquest tipus de solucions com a part de la seva SGSI. A nivell metodològic, en aquest treball s'ha seguit els següents passos: 1- Analitzar les funcionalitats necessàries i veure que opcions hi ha disponibles. 2- Triar els components i dissenyar una solució sobre la base de l'estudi realitzat i a l'abast proposat. 3- Implementar i integrar els diferents components/productes que formen la solució. 4- Realització de proves, conclusions i documentar possibles millores. 5- Completar la documentació i presentació sobre el treball realitzat. Com a resultat tenim una plataforma SIRP operativa que permet la gestió dels incidents des de la seva detecció a la resposta, amb la seva corresponent documentació de possibles incidents i tancament, que permet compartir informació (IoCs) amb tercers si es precisa i que utilitza fonts externes d'intel·ligència per a ajudar als analistes de seguretat en els quals pot ser el dia a dia de qualsevol empresa o organització, tot això utilitzant tecnologies actuals de cloud per a la seva implementació i gestió. The purpose of this work is to have a SIRP platform with open source software that can be scalable and highly available for pedagogical purposes in a simulation environment but that equipped with the necessary hardware resources can be implementable for incident management of any company or organization that needs to implement this type of solutions as part of its ISMS. At the methodological level, this work the following steps have been followed: 1- Analyze the required functionalities and see what options are available. 2- Choose the components and design a solution based on the study carried out and the proposed scope. 3- Implement and integrate the different components/products that make up the solution. 4- Testing, findings and documenting possible improvements. 5- Complete the documentation and presentation on the work done. As a result we have an operational SIRP platform that allows the management of incidents from their detection to the response, with its corresponding documentation of possible incidents and closure, which allows to share information (IoCs) with third parties if necessary and that uses external sources of intelligence to help security analysts in what can be the day to day of any company or organization, all using current cloud technologies for its implementation and management.

Published

2021

11. Χρήση του SIEM (ELK Wazuh use case)

Author

Sarikioses, Konstantinos, Λαμπρινουδάκης, Κωνσταντίνος, Lambrinoudakis, Konstantinos, Σχολή Τεχνολογιών Πληροφορικής και Επικοινωνιών. Τμήμα Ψηφιακών Συστημάτων, and Ασφάλεια Ψηφιακών Συστημάτων

Subjects

Elastic, Security, Threat hunting, Wazuh, SIEM

Abstract

Το cyber threat hunting είναι η διαδικασία της προληπτικής και επαναληπτικής αναζήτησης μέσω δικτύων για τον εντοπισμό και την απομόνωση προωθούμενων απειλών που αποφεύγουν τις υπάρχουσες ρυθμίσεις ασφαλείας. Για την ανάλυση των logs χρησιμοποιείται το Elasticsearch, το οποίο είναι μια κατανεμημένη και ανοιχτού κώδικα μηχανή ανάλυσης για όλους τους τύπους δεδομένων. Επιπροσθέτως γίνεται χρήση του Wazuh plugin, μια δωρεάν, ανοιχτού κώδικα και έτοιμη για επιχειρήσεις λύση παρακολούθησης ασφάλειας για ανίχνευση απειλών, παρακολούθηση ακεραιότητας, απόκριση συμβάντων και συμμόρφωση. Υλοποιήθηκαν οι ενέργειες εγκατάσταση Wazuh server και agents, τα σενάρια ελέγχου ύποπτων αρχείων μέσω VirusTotal, επίβλεψη USB συσκευών αποθήκευσης και επίβλεψη Docker.

Published

2021

12. Anàlisis i implementació d'un SIEM en l'àmbit empresarial

Author

Malla Esqué, Jordi, García Font, Víctor, and Flores Terrón, Miguel Ángel

Subjects

Seguridad informática -- TFM, Elastic, empresarial, Seguretat informàtica -- TFM, Computer security -- TFM, Wazuh, SIEM

Abstract

Aquest TFM te com a objectiu explorar una eina molt concreta, com és el SIEM Wazuh, juntament amb la pila Elastic, per tal d'analitzar els logs generats en un sistema i evaluar-los mitjançant eines de Machine Learning per determinar si s'està produint un incident de seguretat concret com és un atac de Ransomware amb Cryptolocker. La configuració de la solució s'ha realitzat en un entorn empresarial amb una configuració on premise, mitjançant Docker i utilitzant les solucions: Elastic Stack per emmagatzemar i gestionar els logs de manera centralitzada, Wazuh per recollir els logs i generar alertes de seguretat, la solució Machine Learning d'Elasticsearch per detectar i notificar incidents de seguretat, i, finalment, MS Teams per centralitzar la recepció de les alertes. Les conclusions de la POC han estat satisfactòries en quant a la detecció de l'incident de seguretat, utilitzant la configuració de Machine Learning de Elasticsearch. Tot i això, s'insta a extendre la solució de seguretat amb més opcions per ampliar la protecció, ja què, aquest TFM està molt centrat en un tipus d'incident de seguretat molt concret, i, la seguretat empresarial és més complexa. This TFM explores the SIEM Wazuh with Elastic stack, so that to analyse the logs generated in a system and evaluate them with Machine Learning to detect a Ransomware attack with Cryptolocker. The solution has been done in a business environment with an on premise Docker configuration and it use the platforms: Elastic stack to centralize storage and manage the logs, Wazuh to collect logs and generate security alerts, the Elasticsearch's machine learning to detect and inform security incidents, and finally MS Teams to centralize the alert's collections. The findings of this POC have been satisfactory in terms of detecting this security incident with Elasticsearch's machine learning configuration, although it is recommended to extend the security solution with more options to increase protection, as this TFM is highly focused on a very specific security incident, and business security is more complex. Este TFM tiene como objetivo explorar una herramienta, como es el SIEM Wazuh, y la pila Elastic, para analizar los logs generados en un sistema y evaluarlos con herramientas de Machine Learning para determinar si se está produciendo un incidente de seguridad concreto como es un ataque de Ransomware con Cryptolocker. La configuración de la solución se ha realizado en un entorno empresarial con una configuración on premise, con Docker y utilizando las soluciones: Elastic Stack para almazenar y gestionar los logs de forma centralizada, Wazuh para recoger los logs y generar alertas de seguridad, la solución Machine Learning de Elasticsearch para detectar y notificar incidentes de seguridad, y, finalmente, MS Teams para centralizar la recepción de las alertas. Las conclusiones de la POC han sido satisfactorias en lo referente a la detección del incidente de seguridad, utilizando la configuración de Machine Learning de Elasticsearch. Sin embargo, se insta a extender la solución de seguridad con más opciones para ampliar la protección, ya que, este TFM está centrado en un tipo de incidente de seguridad muy concreto, y, la seguridad empresarial es más compleja.

Published

2020

13. Detección de anomalías con Elastic Stack

Author

Farinango Endara, Henry Patricio, García Font, Víctor, and Flores Terrón, Miguel Ángel

Subjects

business security, Seguridad informática -- TFM, wazuh, elastic stack, seguretat empresarial, Seguretat informàtica -- TFM, Computer security -- TFM, seguridad empresarial

Abstract

The dependence on technology makes companies nowday implement security through multiple levels in order to prevent the company from having problems of threats against information security and affecting its internal resources in a critical way. In this Master's thesis, the security solution based on the 'all-in-one' architecture of Wazuh and Elastic Stack is implemented as a laboratory, in order to carry out proofs of concept for the detection of anomalies that occur in the devices on a LAN network, in this case specifically for servers that are in a DMZ, which makes up the Wazuh agent. In this way, the security contribution proactively with the collection of logs in real time, allows this system in question to generate alerts in case of attempted attacks and execute Active Response, an action that allows mitigating the detected incident. This project promotes the opensource software solutions, validating that it is a complete business security solution in the context of log data analysis to secure host of the internal business network. It is concluded that the solution is ideal for business environments of any kind, even more for small environments such as ours simulated. Considering that the way to automate responses against security incidents proposes a great alternative in the field of information technology. La dependencia de la tecnología hace que las empresas en la actualidad implementen seguridad a varios niveles con la finalidad de evitar que la empresa tenga problemas de amenazas contra la seguridad de la información y afecte a sus recursos internos de forma crítica. En este trabajo de fin de Máster se implementa la solución de seguridad basada en la arquitectura 'todo en uno' de Wazuh y Elastic Stack a manera de laboratorio, con la finalidad de realizar pruebas de concepto para la detección de anomalías que se presentan en los dispositivos de una red LAN, en este caso en concreto del proyecto, para servidores que están en una DMZ, que compone al agente de Wazuh. De esta manera, el aporte de seguridad de forma proactiva con la recolección de logs en tiempo real, permite que este sistema en cuestión genere alertas en caso de intentos de ataques y ejecute Active Response, acción que permita mitigar el incidente detectado. Este proyecto promueve las soluciones basadas en software libre, validando que es una solución completa de seguridad empresarial en el contexto de analisis de datos de registro para securizar host de la red interna empresarial. Se llega a concluir que la solución es idónea para entornos empresariales de cualquier índole, más aún para entorno pequeños como lo simulado. Considerando que la forma de automatizar las respuestas contra incidentes de seguridad propone una gran alternativa en el campo de las tecnologías de la información. La dependència de la tecnologia fa que les empreses en l'actualitat implementin seguretat a diversos nivells amb la finalitat d'evitar que l'empresa tingui problemes d'amenaces contra la seguretat de la informació i afecti els seus recursos interns de manera crítica. En aquest treball de fi de màster s'implementa la solució de seguretat basada en l'arquitectura "tot en un" de Wazuh i Elastic Stack a manera de laboratori, amb la finalitat de realitzar proves de concepte per a la detecció d'anomalies que es presenten en els dispositius d'una xarxa LAN, en aquest cas en concret de el projecte, per a servidors que estan en una DMZ, que compon a l'agent de Wazuh. D'aquesta manera, l'aportació de seguretat de forma proactiva amb la recol·lecció de logs en temps real, permet que aquest sistema en qüestió generi alertes en cas d'intents d'atacs i executi Active Response, acció que permeti mitigar l'incident detectat. Aquest projecte promou les solucions basades en programari lliure, validant que és una solució completa de seguretat empresarial en el context d'anàlisi de dades de registre per securitzar host de la xarxa interna empresarial. S'arriba a concloure que la solució és idònia per a entorns empresarials de qualsevol índole, més encara per a entorn petits com el simulat. Atès que la forma d'automatitzar les respostes contra incidents de seguretat proposa una gran alternativa en el camp de les tecnologies d ela informació.

Published

2020

14. Implementación de Wazuh en una organización pública

Author

Polo Cózar, Javier, García Font, Víctor, and Canto Rodrigo, Pau del

Subjects

monitoratge, vulnerabilities, vulnerabilidades, monitorization, threats detections, detección de amenazas, vulnerabilitats, Computer security -- TFM, monitorización, Seguridad informática -- TFM, Seguretat informàtica -- TFM, Wazuh, detecció d'amenaces, SIEM

Abstract

La información se ha convertido en el recurso más valioso en el mundo y debemos esforzarnos en protegerla mejorando nuestras capacidades de detección de ciberataques. Los SIEM pueden ayudarnos a ello y pueden ser piezas muy importantes para asegurar y proteger los activos de las organizaciones y de todo el tráfico de red. En este trabajo fin de Máster hemos implementado la arquitectura de Wazuh y ELK Stack en nuestra organización, permitiéndonos protegerla de una forma multidisciplinar: correctiva (mediante la detección de vulnerabilidades), preventiva (mediante el bastionado de servidores), proactiva (mediante la recolección de logs, integridad de ficheros o análisis de malware en tiempo real), informativa (mediante diferentes tipos de notificaciones), reactiva (mediante mecanismos de respuesta activa (active response) ante las diferentes alertas generadas) y personalizada (permitiéndonos monitorizar dispositivos sin agente y creando nuestras propias reglas y decodificadores). Hemos descubierto una solución de software libre muy completa. Además, al tratarse nuestra organización de una administración pública, nos ayudará a cumplir con el Esquema Nacional de Seguridad (ENS), de obligado cumplimiento desde el año 2010. Data have turned into the most valuable resource in the world and we must make an effort to protect them, improving our cyber attack detection capabilities. SIEMs can help us to achieve it so they can become very important tools to secure and protect enterprise assets and network traffic. In this Master's thesis we have deployed the Wazuh and ELK Stack architecture in our organization, allowing us to protect it in a multidisciplinary way: corrective (through vulnerability detection), preventive (through server hardening), reactive (through active response mechanisms which are triggered when alerts are generated) and customized (being able of monitoring agentless devices and creating our own rules and decoders). We have discovered a very complete open source solution. Due to the fact that our organization is a public administration, it will help us to accomplish with the National Security Framework (ENS), which is mandatory since the year 2010. La informació s'ha convertit en el recurs més valuós en el món i hem d'esforçar-nos a protegir-la millorant les nostres capacitats de detecció de ciberatacs. Els SIEM poden ajudar-nos a això i poden ser peces molt importants per a assegurar i protegir els actius de les organitzacions i de tot el trànsit de xarxa. En aquest treball fi de Màster hem implementat l'arquitectura de Wazuh i ELK Stack en la nostra organització, permetent-nos protegir-la d'una forma multidisciplinària: correctiva (mitjançant la detecció de vulnerabilitats), preventiva (mitjançant el bastionado de servidors), proactiva (mitjançant la recol·lecció de logs, integritat de fitxers o anàlisis de malware en temps real), informativa (mitjançant diferents tipus de notificacions), reactiva (mitjançant mecanismes de resposta activa (activi response) davant les diferents alertes generades) i personalitzada (permetent-nos monitorar dispositius sense agent i creant les nostres pròpies regles i descodificadors). Hem descobert una solució de programari lliure molt completa. A més, en tractar-se la nostra organització d'una administració pública, ens ajudarà a complir amb l'Esquema Nacional de Seguretat (ENS), d'obligat compliment des de l'any 2010.

Published

2020

15. Real-time monitoring and analysis of events collected from networked nodes

Author

Sambolec, Karlo and Ježić, Gordan

Subjects

analiza događaja, networked nodes, TECHNICAL SCIENCES. Electrical Engineering, TECHNICAL SCIENCES. Computing, TEHNIČKE ZNANOSTI. Računarstvo, TEHNIČKE ZNANOSTI. Elektrotehnika, Wazuh, Graylog, real-time monitoring, event analysis, stvarnovremeno praćenje, umreženi čvorovi

Abstract

U velikim mrežama s velikim brojem umreženih čvorova, stvaraju se velike količine podataka. Te podatke moguće je pratiti sustavima za stvarnovremeno praćenje i analizu podataka i događaja. Takvi sustavi također omogućuju prepoznavanje anomalija u radu sustava, sigurnosnih anomalija i ostalih problema koji se mogu pojaviti u sustavu. U ovom radu obrađena su dva sustava za stvarnovremeno praćenje i analizu događaja s umreženih čvorova – Wazuh i Graylog. Opisane su njihove komponente, arhitektura, komunikacija, instalacija i na kraju način rada i korištenja. Zatim je predstavljena mreža nad kojom sustavi provode praćenje te scenariji pomoću kojih se generiraju događaji za analizu. Scenariji prikazuju događaje nedozvoljenog ponašanja korisnika sustava s različitim razinama prava pristupa. Na kraju rada dana je analiza rezultata i usporedba sustava. Large networks with large number of network nodes generate a large amount of data. That data can be tracked by real-time monitoring and event analysis tools. Such tools also allow us to detect anomalies in system operation, security anomalies and other problems which can occur in the system. This thesis describes two of these real-time monitoring and event analysis tools – Wazuh and Graylog. It explains their components, architecture, communication and installation work and how to use them on actual network. After that, Wazuh and Graylog monitoring network is described. Also, it’s described how network is working under normal conditions and under certain scenarios. These scenarios contain description of unauthorized user behavior in cases when users have different levels of access rights. Results of scenarios are analyzed in final chapter and real-time monitoring and event analysis tools are compared.

Published

2019

16. Sustav za upravljanje sigurnosnim informacijama i događajima u lokalnoj mreži

Author

Hartl, Zvonimir and Ilić, Željko

Subjects

Windows, System, lokalna mreža, TEHNIČKE ZNANOSTI. Računarstvo, Rules, Cyber-attack, Security System, korisnik, sigurnosni sustav, User, Secured Network, Computer, Server, Security Information and Event Management, TECHNICAL SCIENCES. Computing, kontrolna ploča, Wazuh, upravljanje sigurnosnim informacijama i događajima, SIEM, sustav, sigurnost, dnevnik, dnevnički zapis, pravila, napad, poslužitelj, Graylog, računalo, osigurana mreža, Log, Local network, TEHNIČKE ZNANOSTI. Elektrotehnika, TECHNICAL SCIENCES. Electrical Engineering, Security Maintenance, Security, Dashboard

Abstract

U ovome radu analizirana su svojstva sustava za upravljanje sigurnosnim informacijama i događajima u lokalnoj mreži (sustava SIEM). Navedene su ključne funkcionalnosti toga sustava te su analizirane njegove dvije implementacije: sustav Graylog i sustav Wazuh. U praktičnome djelu rada postavljena je lokalna mreža zamišljene trgovine „Mala trgovina“. Unutar te mreže koja se sastoji od 12 osobnih i dva poslužiteljska računala postavljeni su i sustavi Graylog i Wazuh. Četirima jednostavnim scenarijima testirane su reakcije sustava Graylog i Wazuh na određene događaje koji upućuju na zlonamjerno korištenje sustava. In this thesis the properties of Security Information and Event Management System in a local network are presented and described. The key functionalities of the SIEM system are listed and discussed, and two SIEM system implementations, the Graylog system and the Wazuh system, are analysed. In the practical part of the thesis, a local network for imaginary store "Mala Trgovina" was set up. Within this network, which consists of 12 personal and two server computers, both Graylog and Wazuh systems have been set up. Through four simple scenarios, the reactions of the Graylog and Wazuh systems to specific events that point to the malicious use of the system have been tested.

Published

2019