The purpose of this thesis is to present the SIEM (Security Information and Event Management) system. I have focused on the functionalities of a SIEM that are essential for the operation of this analytical tool. The mission of a SIEM is to unify the logs it receives from other devices, correlate related events, provide an analytical view of network events through dashboards, and allow deeper analysis when monitoring events. In addition, the solution architecture is described, presenting the key steps in the process of operating the system. The process begins with the selection of the source devices from which logs will be collected. Parsing and normalization follow. Without normalization, rules cannot be built and correlations cannot be performed. All phases of the architecture complement each other, and the SIEM would not be able to function if any of them were missing. The architecture concludes with log retention and with the monitoring of important security events and incidents.
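As an added illustration of the pipeline described above (this is example code, not code from the thesis or from any SIEM product), the following Python sketch takes constructed log lines from two source devices, a Linux sshd host writing syslog and a web application writing key=value records, parses and normalizes them into one event schema, and then runs a correlation rule over the normalized events. The log lines, the schema fields, the year assumed for syslog timestamps and the threshold and window values are all assumptions chosen for the example.

```python
"""Minimal SIEM pipeline: collect -> parse -> normalize -> correlate.

Added example, not code from the thesis or from any SIEM product.
The log lines below are constructed; the event schema, the rule
threshold and the time window are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs from two "source devices".
RAW_LOGS = [
    "Mar 10 10:00:01 host1 sshd[812]: Failed password for root from 203.0.113.5 port 4001 ssh2",
    "Mar 10 10:00:03 host1 sshd[812]: Failed password for root from 203.0.113.5 port 4002 ssh2",
    "Mar 10 10:00:04 host1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4003 ssh2",
    "Mar 10 10:00:07 host1 sshd[812]: Accepted password for root from 203.0.113.5 port 4004 ssh2",
    "Mar 10 10:00:09 host1 sshd[812]: Failed password for bob from 198.51.100.7 port 5001 ssh2",
    "ts=2024-03-10T10:00:05Z app=webportal event=login_failed user=root src=203.0.113.5",
]


@dataclass
class Event:
    """Normalized event: every parser maps its device format onto these fields."""
    ts: datetime
    src_ip: str
    user: str
    action: str   # "auth_failure" or "auth_success"
    source: str   # which device or parser produced the event


SYSLOG_SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog_sshd(line, year=2024):
    """Parse an sshd syslog line. Syslog carries no year, so one is assumed."""
    m = SYSLOG_SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    action = "auth_failure" if m["result"] == "Failed" else "auth_success"
    return Event(ts, m["ip"], m["user"], action, "sshd")


def parse_kv_app(line):
    """Parse a key=value application record into the same schema."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "ts" not in fields or "event" not in fields:
        return None
    action = {"login_failed": "auth_failure", "login_ok": "auth_success"}.get(fields["event"])
    if action is None:
        return None  # event type this rule set does not use
    ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, fields.get("src", "-"), fields.get("user", "-"), action,
                 fields.get("app", "app"))


PARSERS = (parse_syslog_sshd, parse_kv_app)


def normalize(raw_lines):
    """Run each line through the parsers; keep the first that accepts it."""
    events = []
    for line in raw_lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
                break
    return sorted(events, key=lambda e: e.ts)


def _alert(rule, ev, recent):
    return {
        "rule": rule,
        "src_ip": ev.src_ip,
        "failures": len(recent),
        "users": sorted({f.user for f in recent}),
        "sources": sorted({f.source for f in recent}),
        "at": ev.ts.isoformat(),
    }


def correlate(events, threshold=3, window_s=60):
    """Rule: >= threshold auth failures from one source IP within window_s
    seconds raises 'brute_force' (once per IP); an auth success from that IP
    while the window still holds >= threshold failures raises
    'brute_force_success'. Works across devices because events are normalized."""
    alerts = []
    window = defaultdict(list)   # src_ip -> failures still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        recent = window[ev.src_ip]
        cutoff = ev.ts - timedelta(seconds=window_s)
        recent[:] = [f for f in recent if f.ts >= cutoff]
        if ev.action == "auth_failure":
            recent.append(ev)
            if len(recent) >= threshold and ev.src_ip not in flagged:
                flagged.add(ev.src_ip)
                alerts.append(_alert("brute_force", ev, recent))
        elif ev.action == "auth_success" and len(recent) >= threshold:
            alerts.append(_alert("brute_force_success", ev, recent))
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(RAW_LOGS)):
        print(alert)
```

The rule fires on the combined sshd and web-portal failures from 203.0.113.5, which no single device log would reveal on its own; that is the point of normalizing into one schema before correlating. The single failure from 198.51.100.7 stays below the threshold and produces no alert.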
Some of the most popular SIEM products are also presented theoretically. These include Splunk, IBM QRadar, and ArcSight, which I used most as points of comparison for the practical part of this thesis.
The practical part of this thesis covers the deployment and operation of the open-source AlienVault OSSIM system. All deployment steps are described in detail, as is the alert testing. The conclusion after testing the free OSSIM system is positive: AlienVault OSSIM can be used by small and medium-sized enterprises to detect various cyber-attacks.