Creation of SIEM Labs
In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.
Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.
Nagios and OSSIM are two examples of open-source SIEM software. Usage cases
- SIEM visibility and anomaly detection could help detect zero-days or polymorphic code. Primarily due to low rates of anti-virus detection against this type of rapidly changing type of malware.
- Automatic parsing, log normalization and categorization can occur automatically. Regardless of the type of computer or network device as long as it can send a log.
- Visualization with a SIEM using security events and log failures can aid in pattern detection.
- Protocol anomalies which can indicate a mis-configuration or a security issue can be identified with a SIEM using pattern detection, alerting, baseline and dashboards.
- SIEMS can detect covert, malicious communications and encrypted channels.
- Cyberwarfare can be detected by SIEMs with accuracy, discovering both attackers and victims.
Detail of Assignment
Setup a working version of each of Nagios and OSSIM (AlienVault).
Design three labs for each to demonstrate functionality and use-cases for SIEM.
Deliverables:
- Video recording of lab demos (YouTube or Vimeo) of each lab. This should total around 30 minutes for the six labs.
- Report/paper. This should lay out the labs in a step-by-step manner appropriate to the level of your assignment.