
Security Information & Event Management Application

By
ARIANI
NIDAUL MUIZ AUFA
Security Information Event Management
• "SIEM" is defined as a group of complex technologies that together provide a centralized bird's-eye view into an infrastructure. Furthermore, it provides analysis and workflow, correlation, normalization, aggregation and reporting, as well as log management.
SIEM Advantages
• Correlation of data from multiple systems and from different events, detecting security and operational conditions
• Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
• Comprehensive view into an environment based on event types, protocols, log sources, etc.
• APT (advanced persistent threat) protection through detection of protocol and application anomalies
• Prioritization based on risk of threat to assets, so staff can triage the most vulnerable targets
• Alerting and monitoring on events of interest to escalate priority
• Ability to filter events and create custom views to meet business needs
• Allows organizations to demonstrate adherence to policies and controls
• Monitor and log the access and use of sensitive data
• Limits exposure to breach disclosure costs by knowing the number of customer records affected
• Helps reduce risk to business partners and customers by detecting data loss and fraud
• Reduces costs by replacing redundant functions and technologies
SIEM Applications
• Splunk Enterprise Security (ES)
• LogRhythm SIEM
• AlienVault Unified Security Management (USM)
• Micro Focus ArcSight
• McAfee Enterprise Security Manager (ESM)
• Trustwave SIEM Enterprise and Log Management Enterprise
• IBM Security QRadar
• RSA NetWitness Suite
• SolarWinds Log & Event Manager
• LogFusion
• WhatsUpGold
• Tripwire Log Center
• Quest InTrust
• OSSIM
• ELK
• OSSEC
• Apache Metron
• SIEMonster
• Prelude
Conclusion
ELK
Elasticsearch
• Open source
• A near real-time search and analytics engine
• JSON-based search engine
• RESTful API (Application Programming Interface)
• Scalable and flexible
Logstash
• Logstash is a tool for log data intake, processing, and output.
• Input: ingest data of all shapes, sizes and sources, any type of log that you manage: system logs, webserver logs, error logs, and app logs.
• Filter: parse and transform your data on the fly.
Kibana
• Kibana is your log-data dashboard.
• Leverage the Elastic Maps Service to visualize geospatial data.
• Perform advanced time series analysis on your Elasticsearch data with time series UIs.
• Analyze relationships with Graph.
• Explore anomalies with machine learning.
[Figures: Map, Time Series, Graph Relationship, Machine Learning]
Installation
Prerequisites
• OS: Ubuntu 16.04
• RAM: 2-8 GB
• CPU: 2

Install Java 8 (repo)
• Update Ubuntu
$ sudo apt-get update
• Add repository
$ sudo add-apt-repository -y ppa:webupd8team/java
• Update Ubuntu
$ sudo apt-get update
• Install Java 8
$ sudo apt-get -y install oracle-java8-installer
Install Java 8 (tar.gz)
• Extract jdk.tar.gz
• sudo mkdir /usr/lib/jvm
• cd into the extracted jdk directory
• sudo cp -rf * /usr/lib/jvm
• cd /usr/lib/jvm
• sudo nano /etc/environment
Edit the file so it reads:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/lib/jvm/bin"
JAVA_HOME="/usr/lib/jvm"
• sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/bin/java" 0
• sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/bin/javac" 0
• sudo update-alternatives --set java /usr/lib/jvm/bin/java
• sudo update-alternatives --set javac /usr/lib/jvm/bin/javac
• Check the Java version: java -version
Install Elasticsearch 6.5.1
• If you have not downloaded the application yet, download it from:
https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.5.1.tar.gz
• Once downloaded, extract Elasticsearch
$ tar -xzvf elasticsearch-6.5.1.tar.gz
• Rename
$ mv elasticsearch-6.5.1 elasticsearch
• Configure Elasticsearch
• cd config/
• nano elasticsearch.yml
cluster.name: avengers
node.name: hulk
http.host: 172.16.6.111
http.port: 9200
• Set the kernel limits Elasticsearch requires at startup (the Java heap itself is set when starting it below):
sudo sysctl -w fs.file-max=65536
sudo sysctl -w vm.max_map_count=262144
• To run, cd into the bin directory
• To run Elasticsearch with a minimum and maximum heap of 1 GB:
ES_JAVA_OPTS="-Xms1g -Xmx1g" ./elasticsearch
• To check from a browser:
http://IP_Elasticsearch:9200/
Install Kibana 6.5.1
• If not downloaded yet, download it
• Once downloaded, extract kibana-6.5.1.tar.gz
$ tar -xzvf kibana-6.5.1.tar.gz
• Rename
$ mv kibana-6.5.1 kibana
• Configure Kibana
• cd config/
• Edit kibana.yml (nano kibana.yml)
server.port: 5601
server.host: "172.16.6.111" (this is the Kibana IP)
elasticsearch.url: http://172.16.6.111:9200 (this is the Elasticsearch IP)
kibana.index: ".kibana" (uncomment this line)
• To test, open:
http://172.16.6.111:5601/ (Kibana IP)
Install Logstash 6.5.1
• If not downloaded yet, download from:
https://artifacts.elastic.co/downloads/logstash/logstash-6.5.1.tar.gz
• Extract logstash-6.5.1.tar.gz
$ tar -xzvf logstash-6.5.1.tar.gz
• Rename
$ mv logstash-6.5.1 logstash
• Configure Logstash
GeoIP
• Go to the logstash/vendor directory
• Create a geoip directory
• Download GeoLite2 City
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
• Extract GeoLite2-City.tar.gz
$ tar -xzvf GeoLite2-City.tar.gz
• Download GeoLite2 ASN
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
• Extract GeoLite2-ASN.tar.gz
Download
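The slides leave the "Configure Logstash" step empty, so here is a pipeline that ties it to the GeoIP step above: it parses SSH authentication failures, enriches the source address with the GeoLite2 City and ASN databases, and ships the events to the Elasticsearch node configured earlier. This is an added example, not part of the original slides; the Logstash install path, the .mmdb file locations, the auth.log path, the grok pattern and the index name are assumptions.

```conf
# Added example pipeline, not from the original slides. Assumptions:
# Logstash was extracted to /opt/logstash, the .mmdb files from the GeoLite2
# tarballs were copied into /opt/logstash/vendor/geoip/, sshd logs to
# /var/log/auth.log, and Elasticsearch listens on 172.16.6.111:9200 as above.
input {
  file {
    path           => "/var/log/auth.log"
    start_position => "beginning"
    sincedb_path   => "/dev/null"   # lab only: re-read the file on every start
  }
}

filter {
  grok {
    # Matches lines such as (constructed sample):
    # Dec  3 10:15:42 hulk sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_ts} %{SYSLOGHOST:syslog_host} sshd\[%{POSINT:pid}\]: Failed password for (invalid user )?%{USERNAME:user} from %{IP:clientip} port %{POSINT:src_port} ssh2" }
    add_tag => [ "ssh_auth_failure" ]
  }

  if "ssh_auth_failure" in [tags] {
    # Use the syslog timestamp as the event time instead of the ingest time
    date { match => [ "syslog_ts", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ] }

    # Country/city of the source address from the GeoLite2 City database
    geoip {
      source   => "clientip"
      target   => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLite2-City.mmdb"
    }

    # Owning network (AS number and organisation) from the GeoLite2 ASN database
    geoip {
      source                => "clientip"
      target                => "asn"
      default_database_type => "ASN"
      database              => "/opt/logstash/vendor/geoip/GeoLite2-ASN.mmdb"
      tag_on_failure        => [ "_geoip_asn_lookup_failure" ]
    }
  }
}

output {
  elasticsearch {
    hosts => [ "http://172.16.6.111:9200" ]
    index => "auth-%{+YYYY.MM.dd}"   # assumed daily index name
  }
}
```

Lines that do not match the grok pattern are still indexed but carry the `_grokparsefailure` tag, which makes it easy to spot log formats the pattern does not yet cover.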