|
|
The Design of the Maturity Model for Measuring Effectivity of the SIEM System in the Organisation
Kosková, Zdeňka ; Lukáš,, KUBÍK (referee) ; Ondrák, Viktor (advisor)
The bachelor‘s thesis addresses the issue of evaluating the effectiveness of the SIEM system in an industrial environment. The goal was to propose a methodology that uses a MITRE ATT&CK matrix for ICS for evaluation. The thesis first analyses existing solutions and their potential applications, followed by a description of monitoring evaluation in an energy company, which together with the matrix form the basis of the proposed solution. The main output of the thesis is a proposal for quantitative evaluation of individual techniques of the matrix, such as graphical interpretation and the possibility to share results securely with other CERT teams.
|
|
|
Development of correlation rules for detecting cyber attacks
Dzadíková, Slavomíra ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The diploma thesis deals with the problem of efficient processing of log records and their subsequent analysis using correlation rules. The goal of the thesis was to implement log processing in a structured form, extract individual log fields using a natural language processing model by solving a question answering problem, and develop correlation rules for detecting malicious behavior. Two datasets were produced during the task solution, one with records from Windows devices, and the other containing records from the Fortigate firewall. Pre-trained models based on the BERT and XLNet architecture were created and trained to solve the log parsing problem using the produced datasets, and the results were analyzed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of a generic Sigma notation was investigated. It was developed, successfully tested and deployed six correlation rules into own experimental environment in Elastic Stack system. Each rule is also described by tactics, techniques and sub-techniques of the MITRE ATT&CK framework.
|
|
| |
|
| |
|
|
Enhancing Security Monitoring with AI-Enabled Log Collection and NLP Modules on a Unified Open Source Platform
Safonov, Yehor ; Zernovic, Michal
The number of computer attacks continues to increasedaily, posing significant challenges to modern securityadministrators to provide security in their organizations. Withthe rise of sophisticated cyber threats, it is becoming increasinglydifficult to detect and prevent attacks using traditional securitymeasures. As a result, security monitoring solutions such asSecurity Information and Event Management (SIEM) have becomea critical component of modern security infrastructures. However,these solutions still face limitations, and administrators areconstantly seeking ways to enhance their capabilities to effectivelyprotect their cyber units. This paper explores how advanced deeplearning techniques can help boost security monitoring capabilitiesby utilizing them throughout all stages of log processing. Thepresented platform has the potential to fundamentally transformand bring about a significant change in the field of securitymonitoring with advanced AI capabilities. The study includes adetailed comparison of modern log collection platforms, with thegoal of determining the most effective approach. The key benefitsof the proposed solution are its scalability and multipurposenature. The platform integrates an open source solution andallows the organization to connect any event log sources or theentire SIEM solution, normalize and filter data, and use thisdata to train and deploy different AI models to perform differentsecurity monitoring tasks more efficiently.
|
|
|
Application for collecting security event logs from computer infrastructure
Žernovič, Michal ; Dobiáš, Patrik (referee) ; Safonov, Yehor (advisor)
Computer infrastructure runs the world today, so it is necessary to ensure its security, and to prevent or detect cyber attacks. One of the key security activities is the collection and analysis of logs generated across the network. The goal of this bachelor thesis was to create an interface that can connect a neural network to itself to apply deep learning techniques. Embedding artificial intelligence into the logging process brings many benefits, such as log correlation, anonymization of logs to protect sensitive data, or log filtering for optimization a SIEM solution license. The main contribution is the creation of a platform that allows the neural network to enrich the logging process and thus increase the overall security of the network. The interface acts as an intermediary step to allow the neural network to receive logs. In the theoretical part, the thesis describes log files, their most common formats, standards and protocols, and the processing of log files. It also focuses on the working principles of SIEM platforms and an overview of current solutions. It further describes neural networks, especially those designed for natural language processing. In the practical part, the thesis explores possible solution paths and describes their advantages and disadvantages. It also analyzes popular log collectors (Fluentd, Logstash, NXLog) from aspects such as system load, configuration method, supported operating systems, or supported input log formats. Based on the analysis of the solutions and log collectors, an approach to application development was chosen. The interface was created based on the concept of a REST API that works in multiple modes. After receiving the records from the log collector, the application allows saving and sorting the records by origin and offers the user the possibility to specify the number of records that will be saved to the file. The collected logs can be used to train the neural network. In another mode, the interface forwards the logs directly to the AI model. The ingestion and prediction of the neural network are done using threads. The interface has been connected to five sources in an experimental network.
|
|
|
Mikrotik RouterOS Module for IBM QRadar
Sysel, Václav ; Polčák, Libor (referee) ; Hranický, Radek (advisor)
The goal of this work is to design and implement an extension for the IBM QRadar system. It is a security system that detects cyber attacks by collecting information from the computer network. The purpose of the extension is to enable the collection, processing and visualization of information from MikroTik RouterOS operating system. The designed software provides administrators of networks with MikroTik elements with a better awareness of what is happening in the protected network and a comprehensive overview of the security situation.
|
|
|
Suricata Module for IBM QRadar
Kozák, Martin ; Žádník, Martin (referee) ; Hranický, Radek (advisor)
This work integrates the Suricata program into the QRadar system. The main objective of this work is to design and implement a DSM module in QRadar system that can analyze the records from Suricata. The events can then be investigated in the QRadar system environment. Another objective is to design an application that displays the data detected by the Suricata program. The application can be installed in the QRadar environment and used with other built-in components. The application is programmed in the Flask library using Jinja2 templates. The application includes two tabs that display events in different graphs and table.
|
|
|
Tool for mapping computer infrastructure assets and designing SIEM correlation rules for security monitoring
Hrabálek, Matěj ; Caha, Tomáš (referee) ; Safonov, Yehor (advisor)
With the growing popularity of the SOC service, which often uses SIEM tools, new challenges arise regarding the implementation of these tools into individual infrastructures that can face cyber attacks. SIEM tools can detect cyber attacks only if they are configured correctly, i.e. they collect the right logs. This bachelor’s thesis is used for the facilitation of the process of implementing SIEM into the internal infrastructure. They discuss the appropriate categorization of log sources and correlation rules, the naming of correlation rules, and a system for mapping log sources to relevant correlation rules is proposed, which facilitates the implementation of SIEM into the infrastructure. All knowledge is then implemented into a web application, which is the practical output of this bachelor’s thesis. The web application allows the user, who is going to implement a SIEM service into their own infrastructure, to enter data about the infrastructure, especially log sources that can be generated in the infrastructure, and offers suitable correlation rules, including their naming, to the respective log sources. In addition to logs, SIEM technology and correlation rules, the theoretical part also discusses general knowledge from cyber security and describes the Security Operations Center.
|
|
|
Web application for development and maintenance of SIEM system correlation rules
Bielik, Oliver ; Mikulec, Marek (referee) ; Safonov, Yehor (advisor)
Today’s world of technology is developing rapidly and constantly. Just as quickly, new risks are forming that threaten this sphere. For this reason, technologies need to be monitored and hazards prevented from entering systems. One of the technologies that helps this protection is a system called SIEM. This system serves as an investigative tool that allows security monitoring and investigations to be carried out. Security monitoring is carried out based on the correlation rules that are developed in security operations centers (SOC). Their task is to look for the potential dangers and report them. The main goal of the presented bachelor thesis is to create a tool that allows developers in SOC to easily develop correlation rules. The aim of the application is to simplify development and ensure a better overview of individual correlation rules. The theoretical part of the bachelor thesis focuses on the issue of security monitoring and explains it to the reader. It describes in more detail the functioning of the system and the work of SOC operators, whose job is the development of correlation rules as well. The practical part of the bachelor thesis is aimed at facilitating the development of these rules. The last part of the bachelor thesis is a conclusion, it briefly describes to the reader the observed facts and processing of the requirements for the bachelor thesis.
|
guest ::
