Get a broad understanding of the management and control of a SIEM system, its setup and maintenance, which can improve the effectiveness and speed of reaction to cyber-incidents and provide a high-security mode for your information system. Learn about the types of architecture built with a SIEM for small and medium businesses. Explore more features for controlling cyber-incidents, based on correlation analysis and risk management methods.
SIEM system
SIEM (Security Event Management + Security Information Management) systems monitor information systems, analyze real-time security events originating from network devices, information security tools, IT services, and design and application infrastructure, and help detect information security incidents. Problems of detecting incidents in corporate networks:
- security tools, servers and network devices create millions of events, terabytes of logs;
- it is ineffective to respond to every information security event: 50-95% of them are false positives from the security tools;
- data from a single means of protection does not reveal complex and targeted attacks;
- the events are scattered across different systems and dozens of reports;
- regulatory requirements in the field of information security.
Setup SIEM system
Before installing any software, we need to update the package index and the installed packages on Debian:
sudo apt update && sudo apt upgrade -y
Next stage: install the required packages.
sudo apt-get install suricata
Configure Suricata
sudo nano /etc/suricata/suricata.yaml
In the configuration file, set the appropriate network interface for Suricata to monitor:
default-log-dir: /var/log/suricata/
...
af-packet:
- interface: enp0s5
Note: Replace "enp0s5" with the name of your network interface; you can find it with the command below:
ifconfig
Save and close the configuration file. Start Suricata in IDS mode:
sudo suricata -c /etc/suricata/suricata.yaml -i enp0s5 --init-errors-fatal
Verify that Suricata is running by checking its log files:
tail -f /var/log/suricata/fast.log
Once Suricata is running, fast.log receives one line per alert, naming the rule that fired and the traffic that triggered it; if a required setting such as the interface is missing or wrong, Suricata reports a corresponding error at startup instead.
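The verification step only tails fast.log. The following added example, which is not part of the original article, shows what those alert lines contain and how a small amount of correlation over them separates a noisy, low-priority rule that fires from many hosts (the false-positive problem listed above) from a single host that trips several different rules within a minute (the case worth escalating). It assumes Suricata's default fast.log line format; the sample lines, rule SIDs (1000001-1000004, in the local-rule range) and addresses are constructed for the example.

```python
"""Parse Suricata fast.log lines and aggregate them for triage.

Added example, not code from the original article. It assumes the default
fast.log format Suricata writes to /var/log/suricata/fast.log:

  MM/DD/YYYY-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**]
  [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port

The sample lines, rule SIDs and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One fast.log alert line. Ports are optional because ICMP alerts carry none.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: three hosts hit one low-priority rule, one host hits three rules.
SAMPLE_FAST_LOG = """\
03/15/2024-10:21:33.100000  [**] [1:1000001:1] LOCAL Noisy DNS lookup [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.0.0.11:53211 -> 10.0.0.2:53
03/15/2024-10:21:34.100000  [**] [1:1000001:1] LOCAL Noisy DNS lookup [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.0.0.12:53212 -> 10.0.0.2:53
03/15/2024-10:21:35.100000  [**] [1:1000001:1] LOCAL Noisy DNS lookup [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.0.0.13:53213 -> 10.0.0.2:53
03/15/2024-10:22:01.200000  [**] [1:1000002:2] LOCAL Port scan pattern [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:40001 -> 10.0.0.20:22
03/15/2024-10:22:02.200000  [**] [1:1000003:1] LOCAL Suspicious web request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.50:40002 -> 10.0.0.20:80
03/15/2024-10:22:03.200000  [**] [1:1000004:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.50 -> 10.0.0.21
this line is not a fast.log alert and is skipped
"""


def parse_line(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = FAST_LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def parse_fast_log(text):
    """Parse a whole fast.log body, silently skipping non-alert lines."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a]


def alerts_per_signature(alerts):
    """Alert count per (sid, msg): the first view for spotting rules that fire constantly."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def noisy_signatures(alerts, min_sources=3, min_priority=3):
    """SIDs of low-priority rules that fire from many distinct sources: tuning candidates."""
    sources = defaultdict(set)
    prio = {}
    for a in alerts:
        sources[a["sid"]].add(a["src"])
        prio[a["sid"]] = a["prio"]
    return sorted(sid for sid, s in sources.items()
                  if len(s) >= min_sources and prio[sid] >= min_priority)


def correlate_by_source(alerts, window_seconds=60, min_distinct_sids=3):
    """Map source -> sorted SIDs for sources that trip several different rules in one window.

    A single alert is easy to dismiss; several distinct rules from the same
    host inside a minute is the pattern an analyst should look at first.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    hits = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            sids = {first["sid"]}
            for later in items[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                sids.add(later["sid"])
            if len(sids) >= min_distinct_sids:
                hits[src] = sorted(sids)
                break
    return hits


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print(f"{len(alerts)} alerts parsed")
    for (sid, msg), n in alerts_per_signature(alerts).most_common():
        print(f"  sid {sid}: {n:3d}  {msg}")
    print("noisy low-priority rules:", noisy_signatures(alerts))
    print("sources tripping several rules:", correlate_by_source(alerts))
```

To run it against a live sensor, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log; the thresholds (three sources, priority 3, a 60-second window) are starting points to adjust per network, not fixed values.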
SIEM system conclusion
In conclusion, setting up an open-source SIEM system on Debian is a crucial step towards enhancing the security of information systems for small and medium businesses. SIEM systems help detect potential security incidents by monitoring and analysing real-time security events. However, detecting incidents in corporate networks can be challenging due to the high volume of events generated by various security tools and devices. With a properly configured SIEM system, businesses can effectively manage cyber-incidents based on correlation analysis and risk management methods, thus providing a high-security mode for their information system.