Security Information & Event Management Applications
BY ARIANI NIDAUL MUIZ AUFA

Security Information & Event Management
Security Information Event Management ("SIEM") is defined as a group of complex technologies that together provide a centralized bird's-eye view into an infrastructure. Furthermore, it provides analysis and workflow, correlation, normalization, aggregation and reporting, as well as log management.

SIEM Advantages
• Correlation of data from multiple systems and from different events, detecting security and operational conditions
• Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
• Comprehensive view into an environment based on event types, protocols, log sources, etc.
• APT (advanced persistent threat) protection through detection of protocol and application anomalies
• Prioritization based on the risk a threat poses to assets, so staff can triage the most vulnerable targets
• Alerting and monitoring on events of interest to escalate priority
• Ability to filter events and create custom views to meet business needs
• Allows organizations to demonstrate adherence to policies and controls
• Monitor and log the access and use of sensitive data
• Limits exposure to breach disclosure costs by knowing the number of customer records affected
• Helps reduce risk to business partners and customers by detecting data loss and fraud
• Reduces costs by replacing redundant functions and technologies

SIEM Applications
• Splunk Enterprise Security (ES)
• LogRhythm SIEM
• AlienVault Unified Security Management (USM)
• Micro Focus ArcSight
• McAfee Enterprise Security Manager (ESM)
• Trustwave SIEM Enterprise and Log Management Enterprise
• IBM Security QRadar
• RSA NetWitness Suite
• SolarWinds Log & Event Manager
• LogFusion
• WhatsUpGold
• Tripwire Log Center
• Quest InTrust
• OSSIM
• ELK
• OSSEC
• Apache Metron
• SIEMonster
• Prelude

Conclusion: ELK

Elasticsearch
• Open source
• A near real-time search and analytics engine
• JSON-based search engine
• RESTful, scalable and flexible API (Application Programming Interface)

Logstash
Logstash is a tool for log data intake, processing, and output.
• Input. Ingest data of all shapes, sizes and sources: any type of log that you manage, such as system logs, web server logs, error logs, and app logs
• Filter. Parse and transform your data on the fly

Kibana
Kibana is your log-data dashboard.
• Leverage the Elastic Maps Service to visualize geospatial data
• Perform advanced time series analysis on your Elasticsearch data with time series UIs
• Analyze relationships with graph
• Explore anomalies with machine learning

Installation Prerequisites
• OS: Ubuntu 16.04
• RAM: 2-8 GB
• CPU: 2

Install Java 8 (repo)
Update Ubuntu:
$ sudo apt-get update
Add the repository:
$ sudo add-apt-repository -y ppa:webupd8team/java
Update Ubuntu:
$ sudo apt-get update
Install Java 8:
$ sudo apt-get -y install oracle-java8-installer

Install Java 8 (tar.gz)
Extract jdk.tar.gz, then:
sudo mkdir /usr/lib/jvm
cd into the extracted JDK directory
sudo cp -rf * /usr/lib/jvm
cd /usr/lib/jvm
sudo nano /etc/environment
Edit the file to read:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/lib/jvm/bin"
JAVA_HOME="/usr/lib/jvm"
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/bin/java" 0
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/bin/javac" 0
sudo update-alternatives --set java /usr/lib/jvm/bin/java
sudo update-alternatives --set javac /usr/lib/jvm/bin/javac
Check the Java version:
java -version

Install Elasticsearch 6.5.1
If you have not downloaded the application yet, download it from:
https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.5.1.tar.gz
Once downloaded, extract Elasticsearch:
$ tar -xzvf elasticsearch-6.5.1.tar.gz
Rename:
mv elasticsearch-6.5.1 elasticsearch
Configure Elasticsearch:
cd config/
nano elasticsearch.yml
cluster.name: avengers
node.name: hulk
http.host: 172.16.6.111
http.port: 9200
Kernel limits required by Elasticsearch (the slide labels these "java heap"; the heap itself is set when starting):
sudo sysctl -w fs.file-max=65536
sudo sysctl -w vm.max_map_count=262144
To run, cd to the bin directory and start Elasticsearch with a minimum and maximum heap of 1 GB:
ES_JAVA_OPTS="-Xms1g -Xmx1g" ./elasticsearch
To check from a browser: http://IP_Elasticsearch:9200/
Note: http.host binds the REST API to a LAN address, and nothing in this setup enables authentication, so restrict access to port 9200 at the network level.

Install Kibana 6.5.1
If not yet downloaded, download it. Once downloaded, extract kibana-6.5.1.tar.gz:
$ tar -xzvf kibana-6.5.1.tar.gz
Rename:
mv kibana-6.5.1 kibana
Configure Kibana:
cd config/
Edit kibana.yml (nano kibana.yml):
server.port: 5601
server.host: "172.16.6.111"  (this is the Kibana IP)
elasticsearch.url: http://172.16.6.111:9200  (this is the Elasticsearch IP)
kibana.index: ".kibana"  (uncomment this line)
To test: http://172.16.6.111:5601/ (Kibana IP)

Install Logstash 6.5.1
If not yet downloaded, download it from:
https://artifacts.elastic.co/downloads/logstash/logstash-6.5.1.tar.gz
Extract logstash-6.5.1.tar.gz:
$ tar -xzvf logstash-6.5.1.tar.gz
Rename:
mv logstash-6.5.1 logstash

Configure Logstash GeoIP
Go to the logstash/vendor directory and create a geoip directory.
Download GeoLite2 City:
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
Extract GeoLite2-City.tar.gz:
$ tar -xzvf GeoLite2-City.tar.gz
Download GeoLite2 ASN:
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
Extract GeoLite2-ASN.tar.gz
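The following Python script is an added example, not part of the slides and not Elastic's code. It ties together two things the deck describes: the Logstash input/filter/output stages (parsing raw log lines into one normalised schema, GeoIP enrichment, and the NDJSON body that goes to Elasticsearch's _bulk endpoint) and the SIEM advantages slide (correlation across sources and baseline anomaly detection). The log lines, the GeoIP table (which stands in for the GeoLite2 City/ASN databases), the field names (ECS-style, an assumption), the syslog year and the index name are all constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample input (not from the slides): sshd lines via syslog and nginx access lines.
SAMPLE_LOGS = [
    ("auth", "Dec  3 10:00:01 hulk sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2"),
    ("auth", "Dec  3 10:00:03 hulk sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2"),
    ("auth", "Dec  3 10:00:05 hulk sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2"),
    ("auth", "Dec  3 10:00:09 hulk sshd[2104]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2"),
    ("auth", "Dec  3 10:15:00 hulk sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2"),
    ("nginx", '203.0.113.7 - - [03/Dec/2018:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162'),
    ("nginx", '198.51.100.20 - - [03/Dec/2018:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 512'),
]
SYSLOG_YEAR = 2018  # assumption: syslog timestamps carry no year

# Constructed GeoIP table keyed by /24 prefix; stands in for the GeoLite2 City/ASN lookups.
GEOIP = {
    "203.0.113": {"country_iso_code": "XX", "asn": 64500},
    "198.51.100": {"country_iso_code": "YY", "asn": 64501},
}

# Grok-style patterns for the two sources.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"
)
NGINX_RE = re.compile(
    r'^(?P<src_ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def geoip(ip):
    """Enrichment: look the /24 prefix up in the constructed table (empty dict if unknown)."""
    return GEOIP.get(ip.rsplit(".", 1)[0], {})


def parse(source, line):
    """Filter stage: parse one raw line into the normalised schema, or None if it does not match."""
    if source == "auth":
        m = AUTH_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        ev = {"event.category": "authentication", "host.name": m["host"], "user.name": m["user"],
              "event.outcome": "success" if m["result"] == "Accepted" else "failure"}
    elif source == "nginx":
        m = NGINX_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev = {"event.category": "web", "http.request.method": m["method"], "url.path": m["path"],
              "http.response.status_code": int(m["status"])}
    else:
        return None
    ev.update({"@timestamp": ts.isoformat(), "event.dataset": source,
               "source.ip": m["src_ip"], "source.geo": geoip(m["src_ip"])})
    return ev


def normalise(lines):
    """Input + filter: run every (source, line) pair through parse(), dropping unparsable lines."""
    events = []
    for src, line in lines:
        ev = parse(src, line)
        if ev:
            events.append(ev)
    return events


def to_bulk(events, index="siem-events"):
    """Output stage: the NDJSON body Logstash would POST to Elasticsearch's _bulk endpoint."""
    out = []
    for ev in events:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(ev, sort_keys=True))
    return "\n".join(out) + "\n"


def correlate_bruteforce(events, min_failures=3):
    """Correlation rule: >= min_failures failed logins from one IP followed by a success from
    the same IP; the alert also lists every dataset that IP appears in (cross-source context)."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        by_ip[ev["source.ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        failures = 0
        for ev in evs:
            if ev["event.dataset"] != "auth":
                continue
            if ev["event.outcome"] == "failure":
                failures += 1
            elif failures >= min_failures:
                alerts.append({"rule": "bruteforce_then_success", "source.ip": ip, "failures": failures,
                               "user.name": ev["user.name"], "datasets": sorted({e["event.dataset"] for e in evs})})
                failures = 0
    return alerts


def baseline_anomaly(history, current, k=3.0):
    """Baseline anomaly detection: flag current when it exceeds mean + k * stddev of the
    historical counts. Returns (is_anomalous, threshold)."""
    threshold = mean(history) + k * pstdev(history)
    return current > threshold, round(threshold, 2)


if __name__ == "__main__":
    evs = normalise(SAMPLE_LOGS)
    print(to_bulk(evs))
    print(correlate_bruteforce(evs))
    print(baseline_anomaly([2, 3, 2, 4, 3, 2, 3], 20))  # 20 failed logins/hour vs. a quiet baseline
```

In a real ELK deployment the parse step is a Logstash grok filter with the geoip filter pointed at the GeoLite2 files from the last slide, and the bulk body is what the elasticsearch output sends; the two detection functions are the kind of logic that then runs as a saved search or alert over the indexed events.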