A carregar...
Publicação
Controlos de cibersegurança em ambientes MS Windows de grandes empresas: integração efetiva de eventos relevantes de segurança no SIEM AlienVault USM
| Nome: | Descrição: | Tamanho: | Formato: | |
|---|---|---|---|---|
| 5.18 MB | Adobe PDF |
Autores
Resumo(s)
Atualmente, vivemos numa era cada vez mais digital, onde o cibercrime tem vindo rapidamente a ganhar terreno através de redes organizadas mais sofisticadas, e com acesso a mais e melhores recursos. Neste contexto, os CSOC (Cyber Security Operation Center) são indispensáveis para detetar, analisar e combater esse avanço, e garantir a cibersegurança das organizações, sobretudo aquelas em que as suas redes assumem uma dimensão elevada, ou que esteja envolvida nos seus processos informação sensível. Por forma a ser humanamente possível tratar a informação recebida pelo CSOC, esta deverá passar por um processo onde são coletados eventos das fontes de informação (dispositivos de rede, plataformas de segurança e sensores), sendo estes filtrados, normalizados, classificados e correlacionados num SIEM (Security Information and Event Management), dando origem à geração de alertas em caso de incidentes de segurança. Este projeto visa adicionar fontes de informação que atualmente a Altice Portugal não dispõe no SIEM Alienvault USM (Unified Security Management), relativas aos eventos de segurança das inúmeras estações de trabalho e servidores MS (Microsoft) Windows a operar dentro da rede corporativa e infraestruturas de datacenter (perto de 25 mil). Esta informação irá permitir uma melhor cobertura da sua infraestrutura, e deteção de anomalias de segurança em tempo real. Estas capacidades são fundamentais, dado que a maioria dos ataques com recurso a malware são direcionados aos ecossistemas MS Windows. Torna-se assim necessário, desenvolver um processo técnico robusto e eficiente de fazer chegar, de forma adequadamente filtrada ao SIEM, os eventos relevantes de segurança dos dispositivos MS Windows (tipicamente associados a Indicators of Compromise (IoC) conhecidos). De igual forma, é necessário desenvolver regras personalizadas no SIEM, que permitam endereçar os alertas relevantes ao CSOC, através da correlação e deteção de padrões anómalos dos eventos recebidos. A ferramenta proposta neste projeto aumenta o nível de segurança da infraestrutura de rede da empresa, oferecendo uma melhor visibilidade dos sistemas MS Windows, de forma não intrusiva. Esta solução apresenta uma elevada capacidade de escalabilidade a nível da recolha e centralização de eventos, assim como na deteção de comportamentos anómalos, através da criação de diretivas personalizadas no SIEM.
Nowadays, we live in an increasingly digital age, where cybercrime has growing very quickly, through increasingly sophisticated organized networks and the ease of access to more and better resources. In this context, Cyber Security Operation Centers (CSOC) are indispensable to detect, analyze and face this advance, and guarantee the cyber security of organizations, especially those in which their networks are large, or sensitive information is involved in their processes. In order to be humanly possible to handle the information received by the CSOC, it must pass through a process where network and platform events are collected by sensors, which are filtered, normalized, classified and correlated in a SIEM (Security Information and Event Management), to be able of rise alarms in case of security incidents. This project aims to add sources of information that currently Altice Portugal does not have in the Alienvault USM (Unified Security Management) SIEM, related to the security events of MS (Microsoft) Windows workstations and servers operating within the corporate network and datacenter infrastructures (about 25 thousand). This will enable a better coverage of their infrastructure, and detection of security anomalies in real time. These are key capabilities, as most malware attacks target MS Windows ecosystems. It is therefore necessary to develop a robust and efficient technical process to ensure that relevant security events of the MS Windows devices (typically associated with known Indicators of Compromise (IoC)) arrive in an adequately filtered way to the SIEM. Likewise, it is necessary to develop customized rules in the SIEM, which allow addressing relevant alerts to the CSOC team, through the correlation and detection of anomalous patterns of the events received. The tool proposed in this project increases the level of security of the company's network infrastructure, offering better visibility of MS Windows systems, in a non-intrusive way. This solution reveals a high scalability in the event collection and centralization environment, as well in the detection of abnormal behaviors, through the creation of customized directives in SIEM Alienvault USM.
Nowadays, we live in an increasingly digital age, where cybercrime has growing very quickly, through increasingly sophisticated organized networks and the ease of access to more and better resources. In this context, Cyber Security Operation Centers (CSOC) are indispensable to detect, analyze and face this advance, and guarantee the cyber security of organizations, especially those in which their networks are large, or sensitive information is involved in their processes. In order to be humanly possible to handle the information received by the CSOC, it must pass through a process where network and platform events are collected by sensors, which are filtered, normalized, classified and correlated in a SIEM (Security Information and Event Management), to be able of rise alarms in case of security incidents. This project aims to add sources of information that currently Altice Portugal does not have in the Alienvault USM (Unified Security Management) SIEM, related to the security events of MS (Microsoft) Windows workstations and servers operating within the corporate network and datacenter infrastructures (about 25 thousand). This will enable a better coverage of their infrastructure, and detection of security anomalies in real time. These are key capabilities, as most malware attacks target MS Windows ecosystems. It is therefore necessary to develop a robust and efficient technical process to ensure that relevant security events of the MS Windows devices (typically associated with known Indicators of Compromise (IoC)) arrive in an adequately filtered way to the SIEM. Likewise, it is necessary to develop customized rules in the SIEM, which allow addressing relevant alerts to the CSOC team, through the correlation and detection of anomalous patterns of the events received. The tool proposed in this project increases the level of security of the company's network infrastructure, offering better visibility of MS Windows systems, in a non-intrusive way. This solution reveals a high scalability in the event collection and centralization environment, as well in the detection of abnormal behaviors, through the creation of customized directives in SIEM Alienvault USM.
Descrição
Trabalho de projecto de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2018
Palavras-chave
Eventos de segurança MS Windows SIEM Deteção de intrusões Cibersegurança Trabalhos de projecto de mestrado - 2018