National Repository of Grey Literature: 27 records found (records 18 - 27)
Návrh dílčí části systému pro monitoring bezpečnostních incidentů
Koch, Michael ; Neuwirth, Bernard (referee) ; Novák, Lukáš (advisor)
The thesis focuses on the implementation of a part of the information system for security incident analysis within PwC. The system complements the current solution, which lags behind existing and future requirements. The first part describes the theoretical background needed to understand the concept of the thesis and the technologies used in implementing the system. The following section contains an analysis of the current state of the existing system: the principle on which it works and the shortcomings that made a new solution necessary. The third chapter deals with the actual design and implementation of the new solution. In the last part of the thesis, an economic evaluation of the costs and benefits of the solution is made.
Security log anonymization tool focusing on artificial intelligence techniques
Šťastná, Ariela ; Jurek, Michael (referee) ; Safonov, Yehor (advisor)
SIEM systems play a fundamental role in security monitoring. They aggregate, normalize and filter the collected records, which forms the basis for applying data mining techniques. In this way, SIEMs present an excellent source of large volumes of normalized data. These data carry the potential for progress in security research, data mining and artificial intelligence, where they can lead to improvements in existing reconnaissance methods, clearer network scanning and the detection of more sophisticated attack vectors. However, one of the main obstacles to using these data is the fact that the data in log records are in many cases sensitive and may pose a security risk. For this reason, a tool was created for anonymizing sensitive data in log records that preserves the correlations between the data. The main goal of the bachelor's thesis is to focus on the technical and legal aspects of log processing and anonymization for artificial intelligence. As part of the research, an analysis of the most frequently occurring data in logs was carried out together with an assessment of their risk level, resulting in the creation of data categories according to their sensitivity. The thesis further presents an analysis of current SIEM systems together with the meta keys they use.
Web application for generalizing SIEM correlation rules
Matušicová, Viktória ; Mikulec, Marek (referee) ; Safonov, Yehor (advisor)
The risk of attacks on companies by organized crime increases as technology advances. Attacks that focus on modifying data or gaining access to a company's network are constantly being developed. The sophisticated nature of advanced threats distinguishes them from broad-based attacks that rely on automated scripts. However, organizations can mitigate this risk by utilizing a combination of appropriate tools. These include network flow monitoring, probes for detecting and preventing attacks, and Security Information and Event Management (SIEM) tools for correlating incidents and events. By leveraging these tools, suspicious behavior in the network can be identified, and measures can be taken to prevent and mitigate the impact of cyber attacks. The main contribution of this thesis is the development of a web application that serves as a general tool for managing correlation rules across various SIEM solutions. Through this web application, publicly available Sigma rules can be managed and converted into target SIEM solutions. Users are given the ability to save these rules to their personal user section, alongside SIEM conversions and visual representations of technique coverage based on categorization by MITRE ATT&CK and LogSource of stored user rules. The theoretical part of the thesis comprises an analysis of security monitoring issues, an explanation of the benefits of the Sigma platform and an analysis of the web application. A use case model is defined, and functional and non-functional requirements are specified to describe the resulting system. Additionally, an analysis of available tools for converting Sigma rules is performed. The practical portion of the thesis begins with the design of the web application, including the architecture of both the server-side and client-side components, as well as an explanation of the core functionalities.
The resulting solution is then implemented, with detailed procedures for creating microservices, client-side development, and launching the web application. The final state of the project summarizes the result. The thesis concludes with a testing phase in which the client side of the web application is evaluated through functional user interface screenshots. The thesis also includes a demonstration of the process for testing Sigma rules, which involves converting the rules using the web application and subsequently carrying out functional verification using the RSA NetWitness SIEM test solution.
Development of correlation rules for detecting cyber attacks
Dzadíková, Slavomíra ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The diploma thesis deals with the problem of efficient processing of log records and their subsequent analysis using correlation rules. The goal of the thesis was to implement log processing in a structured form, extract individual log fields using a natural language processing model by solving a question answering problem, and develop correlation rules for detecting malicious behavior. Two datasets were produced during the work, one with records from Windows devices and the other containing records from the Fortigate firewall. Pre-trained models based on the BERT and XLNet architectures were created and trained to solve the log parsing problem using the produced datasets, and the results were analyzed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of the generic Sigma notation was investigated. Six correlation rules were developed, successfully tested and deployed in the author's own experimental Elastic Stack environment. Each rule is also described by the tactics, techniques and sub-techniques of the MITRE ATT&CK framework.
The Design of the Maturity Model for Measuring Effectivity of the SIEM System in the Organisation
Kosková, Zdeňka ; Kubík, Lukáš (referee) ; Ondrák, Viktor (advisor)
The bachelor's thesis addresses the issue of evaluating the effectiveness of a SIEM system in an industrial environment. The goal was to propose a methodology that uses the MITRE ATT&CK matrix for ICS for the evaluation. The thesis first analyses existing solutions and their potential applications, followed by a description of monitoring evaluation in an energy company, which together with the matrix forms the basis of the proposed solution. The main output of the thesis is a proposal for the quantitative evaluation of individual techniques of the matrix, along with a graphical interpretation and the possibility to share results securely with other CERT teams.
Security Enhancement Deploying SIEM in a Small ISP Environment
Bělousov, Petr ; Hrnčíř, Jan (referee) ; Sedlák, Petr (advisor)
The diploma thesis focuses on enhancing security in the environment of a small internet service provider by deploying a SIEM system. The available systems are compared and evaluated according to the requirements of the commissioning company. The SIEM deployment project is designed, implemented and evaluated with regard to the company's unique environment.
A concept of monitoring critical information infrastructure for energetic company
Ševčík, Michal ; Keprt, Martin (referee) ; Sedlák, Petr (advisor)
The diploma thesis deals with the monitoring of critical infrastructure, critical information infrastructure and network monitoring in the energy industry. The goal is to create an analytical environment for processing logs from the network, to map the most critical segments of the network, and to implement monitoring and network devices that increase security and mitigate the risks of security events or security incidents.
Security inspection of network traffic
Kult, Viktor ; Havránek, Martin (advisor) ; Ladislav, Ladislav (referee)
The thesis concerns the issue of information security in corporate environments. The literature review draws on articles and literature in the field of information security; the resources were selected with a focus on security risks, security technologies and legislative regulation. Attention is focused on technology that supports the monitoring of communication flows in the data network. An overview of the traffic on a data network provides important information for the prevention or investigation of security incidents. Monitoring also serves as a source of information for planning the network infrastructure, since it can detect faults or insufficient transmission capacity. The practical part is dedicated to the implementation of the monitoring system in real corporate networks. Part of this work is the analysis of the network structure and the choice of appropriate tools for the actual implementation; the scoring method of multi-criteria analysis can be used when selecting tools. Integrating the monitoring system also involves configuring the active network elements. Subsequent analysis of network traffic provides information about the most active users, the most used applications, and the sources and targets of the transmitted data. It provides a source of valuable information that can be used in case of a network failure or security incident. The conclusion is a summary of the results and workflow.
Utilization of SIEM systems for network events monitoring
Kopřiva, Milan ; Čermák, Igor (advisor) ; Habáň, Přemysl (referee)
In recent years we can observe an increasing number of security incidents varying in their focus, motives and success rate. Attacks are often conducted by very skilled organized groups with a high knowledge base, and they are increasing in their sophistication and efficiency. For these reasons, information security is now one of the main fields of interest of IT experts. This thesis deals with Security Information and Event Management technology and its usage for the detection of potentially harmful activity in a company's internal network. In the first chapter, the elementary concepts of security are placed into the context of this thesis. The next chapter deals with security information and event management technology itself, giving a clear definition and describing its main functionality. The end of the theoretical part is dedicated to the author's view of the future and to the problems concerning the implementation of SIEM solutions, including return on investment calculation, which has certain specifics in the security field. The main benefit of this thesis is a clear description and creation of use cases aimed at detecting suspicious activity in internal computer networks, combined with their deployment in a SIEM solution in a real environment. The practical part of this thesis is dedicated to the configuration of the chosen device and its connection to the SIEM solution, and to the assessment of the usability of the security events generated by the threat detecting device. Based on this assessment, the use cases are modelled and then deployed in the test environment. This thesis aims to bring an overall view of security information and event management technology, starting with its definition and basic functions. The primary goal of this thesis is use case design for real-time threat detection in a practical environment.
Company network security monitoring
Kališ, Martin ; Pavlíček, Luboš (advisor) ; Matuška, Miroslav (referee)
The main focus of this work is computer network security monitoring. In the first part, basic definitions for the area are formed, and different ways to incorporate monitoring into company security are offered. The next part defines the main functions of monitoring systems and provides guidelines for their implementation in an organization. The practical part consists of defining the key conditions for selecting a monitoring solution and applying them when comparing several products available on the market. It then presents the author's view on future trends and development in this area based on the facts from the previous chapters. The whole work provides a complete approach to security monitoring and offers definitions of all key concepts and competencies for monitoring systems.