Implementing network traffic control can be very easy with the right tools. However, if more tools are used and more networks need to be monitored, problems can also occur with good tools. Therefore, the idea was born in the Cyber Security Operations Center to develop a platform that would combine all monitoring tools and monitored networks into one system. Such a tool would simplify the work of technicians and make it possible to connect between different networks and make it easier to find and correct errors. Detecting and responding to errors and attacks in the system would be shortened.
The platform described in the final thesis will collect data from SIEM systems, other network monitoring devices such as IDS / IPS and firewalls, and system servers such as DNS, domain controllers, and authentication servers. From collected data, the platform will do analyses and look for correlations between them. With such a comprehensive analysis and overview of the network, it will be clear what is happening in the network in real time.
When the platform is ready, it will use machine learning to find anomalies in the network and users behavior changes. For known anomalies, the procedures for their resolution will be automated, and for new anomalies, the notification of technicians and interval escalation of notification will be automated.
The platform will automate the procedures of resolving various anomalies from different networks according to network priorities. The final part describes the development of the platform, how the work was set and what the purpose and goal of the platform is. Currently, the platform framework is already in place. The next steps in development are dictated by the needs that arise during the development of the platform, as well as the needs that arise in the work organization itself. The different parts of the platform, their operation and interconnection are also described. Currently, the most important thing is to complete the basic functionality of the platform, which is to inform about anomalies. Adding interfaces for SIEM control devices and systems will be the next stage of development.