Wednesday 2 November 2022

Building Own SIEM Environment using Opensource Tools (Part 4)

 


Wazuh Server

As described in the last post, we are going to install the Wazuh server and Wazuh agents on different clients. We are building an environment for 120 workstations, 15 servers, and 10 network devices, with 2-3 years of logs available for review. The following software and hardware were used for the Wazuh server and the ELK server.



We deploy the following method for log collection: logs are collected by the Wazuh agents (Windows, macOS and Linux-Ubuntu), shipped to the Wazuh server, and then synchronized with the ELK server. The following diagram shows the details.





The Wazuh installation guide gives you two deployment methods:
  • All-in-one Deployment
  • Distributed Deployment

All-in-one Deployment:-
In this method the Wazuh server and the Elastic Stack are installed on the same server. This type of deployment only supports small networks or test environments.

All-in-one



As the diagram above shows, the Wazuh manager, Filebeat, Elasticsearch and Kibana all run on the same node.

Distributed Deployment:-
In this method the Wazuh server and ELK are installed on separate servers. We follow the distributed deployment because we are building a production environment for 120 workstations, 15 servers, and 10 network devices.


As the diagram above shows, the Wazuh server is installed on one cluster and ELK on another.

Let's install the Wazuh manager on the Wazuh server:

# 192.168.0.161 | wazuh.kccl.com # Wazuh Manager

To check the system status:

# hostnamectl status


 

To check the operating system:

# cat /etc/redhat-release


 

We need to open the following ports in the firewall so that the server can communicate with the agents and the API.

  • 514/UDP/TCP - Syslog.
  • 1514/UDP/TCP - To receive events from the agents.
  • 1515/TCP - Port used for agent registration.
  • 1516/TCP - Wazuh cluster communications.
  • 55000/TCP - Wazuh API port for incoming requests.

To add the ports to the firewall:

# firewall-cmd --permanent --add-port={514,1514,1515,1516,55000}/tcp

# firewall-cmd --permanent --add-port={514,1514}/udp

# firewall-cmd --reload

# firewall-cmd --list-all
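As an added example (not from the post and not Wazuh's own code), the following Python script checks a host's firewalld configuration against the port list above and prints the firewall-cmd commands for whatever is still closed. The `firewall-cmd --list-all` output embedded in it is constructed, and the live read assumes a RHEL-family host with firewalld on the PATH.

```python
import subprocess

# Ports the post lists for a Wazuh manager, as port/proto -> purpose.
REQUIRED_PORTS = {
    "514/tcp": "syslog", "514/udp": "syslog",
    "1514/tcp": "agent events", "1514/udp": "agent events",
    "1515/tcp": "agent registration",
    "1516/tcp": "cluster communication",
    "55000/tcp": "Wazuh API",
}

# Constructed sample of `firewall-cmd --list-all` output for a host where only
# part of the tcp rule was applied; not captured from the post's server.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 514/tcp 1514/tcp 1515/tcp 1516/tcp
  protocols:
  forward: no
  masquerade: no
"""

def parse_open_ports(list_all_output):
    """Return the set of port/proto entries on the 'ports:' line."""
    for line in list_all_output.splitlines():
        line = line.strip()
        if line.startswith("ports:"):
            return set(line[len("ports:"):].split())
    return set()

def missing_ports(open_ports, required=REQUIRED_PORTS):
    """Required entries not present, ordered by protocol then port number."""
    return sorted((p for p in required if p not in open_ports),
                  key=lambda p: (p.split("/")[1], int(p.split("/")[0])))

def firewall_cmd_lines(missing):
    """Commands to open the missing ports, one per protocol, in the brace form
    the post uses. A single port gets no braces: bash does not expand {55000},
    so firewall-cmd would receive the literal string and reject it."""
    by_proto = {}
    for entry in missing:
        port, proto = entry.split("/")
        by_proto.setdefault(proto, []).append(port)
    cmds = []
    for proto, ports in sorted(by_proto.items()):
        spec = ports[0] if len(ports) == 1 else "{" + ",".join(ports) + "}"
        cmds.append("firewall-cmd --permanent --add-port=%s/%s" % (spec, proto))
    if cmds:
        cmds.append("firewall-cmd --reload")
    return cmds

def report(list_all_output):
    """Human-readable check result for the given firewall-cmd output."""
    missing = missing_ports(parse_open_ports(list_all_output))
    if not missing:
        return "all Wazuh manager ports are open"
    lines = ["missing: " + ", ".join("%s (%s)" % (p, REQUIRED_PORTS[p]) for p in missing)]
    return "\n".join(lines + firewall_cmd_lines(missing))

if __name__ == "__main__":
    # On a RHEL-family host with firewalld, read the live output instead.
    try:
        live = subprocess.run(["firewall-cmd", "--list-all"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_LIST_ALL  # fall back to the constructed sample
    print(report(live))
```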



To install the Wazuh manager:

# curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a




After the installation of the Wazuh server, write down the admin username and password that the installer prints; you need them to log in to Wazuh. Now open your browser, enter the server IP, and log in with the username admin and the password you noted.


After entering the password you see the following screen:


After a successful login you see the following screen:



Now explore it; in the next post we are going to install the Wazuh agent on different operating systems.

If you have any questions, you can ask in the comments section. If you have not read the earlier parts of this blog, just click on the following links.


If you missed part 1, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-using-opensource-tools.html

If you missed part 2, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-environment-using.html

If you missed part 3, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-environment-using_18.html





 



Tuesday 18 October 2022

Building Own SIEM Environment using Opensource Tools (Part 3)

 


In the last 2 parts of Building Own SIEM Environment using Opensource Tools, we covered the following topics:

  • What is SIEM
  • What is SOC
  • Why we need SIEM
  • SIEM Types
  • SIEM platforms
  • Advantages and Disadvantages of SIEM platforms
  • Differences between open source SIEMs

Now we are going to build our first SIEM environment. We use the following open source tools to create our own SIEM:
  • WAZUH
  • Elasticsearch
  • Logstash
  • Kibana
  • filebeat
  • Suricata

First we discuss the above open source tools one by one to understand them.
 

Wazuh

Wazuh is an open source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and standards compliance. Wazuh is used by hundreds of companies worldwide, ranging from small to large organizations. At its core, Wazuh is a security data collection, aggregation, indexing, and analysis tool that helps organizations detect intrusions, threats, and suspicious activity and behavior. Wazuh also shows you the vulnerabilities of your systems and endpoints. Wazuh has multiple built-in reports and dashboards, which help an organization continually monitor all of its assets and its network.

We discuss the features of Wazuh in detail when we install Wazuh.


 

Elasticsearch

Elasticsearch is an open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. The engine is built on Apache Lucene. Elasticsearch can be used for "classical" full text search, as an analytics store, an auto-completer, a spell checker, an alerting engine, and as a general purpose document store. Because Elasticsearch is built on top of Lucene, it excels as a near real-time search platform, meaning the latency from the time a document is indexed until it becomes searchable is very short.

Logstash

Logstash is a light-weight, open-source, server-side data processing pipeline that allows you to collect data from a variety of sources, transform it on the fly, and send it to your desired destination. We use Logstash as the data pipeline between Wazuh and Elasticsearch.

Filebeat

Filebeat is a lightweight shipper for forwarding and centralizing log data. We install it as an agent on the Wazuh servers; Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to Logstash and Elasticsearch for indexing.

 

Kibana

Kibana is a data visualization and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence use cases. We install Kibana on the Elasticsearch server, and it gives us histograms, line graphs, pie charts, heat maps, and built-in geospatial support.

Suricata

Suricata is an open-source detection engine that can act as an intrusion detection system (IDS) and an intrusion prevention system (IPS). We install it and integrate it with the Wazuh server. Suricata was developed by the Open Information Security Foundation (OISF) and is a free tool used by small and large organizations.

I focus only on the definitions of the tools which we use to build our own SIEM environment. When we implement the above tools, we discuss the features and functions of each tool in depth.

The following picture shows you the whole interface of our SIEM:



In part 4, we discuss the system and OS requirements for the Wazuh server, install the Wazuh server, and also install the Wazuh agent on 3 different machines: Windows, Linux and Mac.

I need your comments on the installation write-ups: should we go through the installation via documentation only, or should I also include videos of the installation for your understanding?

If you missed part 1, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-using-opensource-tools.html

If you missed part 2, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-environment-using.html





Thursday 13 October 2022

Building Own SIEM Environment using Opensource Tools (Part 2)

 


SIEM Types

There are 50+ SIEM solutions available on the market. We can divide them into the following 2 major types:

  • Commercial SIEM Solution
  • Open Source / Community  Edition SIEM Solution
Commercial SIEM Solution:-

Commercial SIEM tools do require a financial investment. They give you comprehensive SIEM capabilities and are built by experts to meet industry compliance standards. Commercial SIEM tools provide the in-depth protection enterprises need, and they can even scan every packet on the network. Their best feature is ongoing customer support, which provides invaluable peace of mind for any business. Their feeds are updated day by day and they fully protect the business from any kind of attack, such as threats and intrusions. The following are some commercial SIEM solutions:

  1. Splunk
  2. IBM Qradar SIEM
  3. SolarWinds
  4. AT&T Cybersecurity AlienVault
  5. Microsoft Sentinel
Open Source / Community Edition SIEM Solution:-

Open source / community edition SIEMs have grown in popularity. Open source SIEMs are limited in their capabilities (compared with commercial SIEMs). You find much usage of open source SIEMs in small to medium size organizations. Most open source SIEMs are community based, and the following are some of the best free and open source SIEM tools out there today:

  1. SIEM Monster
  2. Wazuh
  3. OSSEC
  4. AlienVault OSSIM
  5. Logit.io

SIEMs are available in cloud-based and on-premise editions. Both on-premise and cloud-based SIEMs offer specific benefits and drawbacks to an organization. To decide on a SIEM solution, we must know the difference between the cloud-based and on-premise editions. The following are some benefits and disadvantages of on-premise SIEMs.

Advantages of on-premise SIEMs

  • The best advantage of an on-premise SIEM is that the organization keeps sensitive data on-site; many organizations want to avoid transferring sensitive data to a cloud, which may be due to regulatory requirements.
  • The organization keeps complete control over the SIEM platform. When your SIEM is on-premise, you can customize how the platform runs and produce the best results in the context of your specific business operations.
  • The organization also keeps control over its cyber security team. With the SIEM platform on-premise, the organization also keeps control over training the team members for the specific needs of your business.
  • On-premise also enables the organization to customize the SIEM deliverables and to adopt the best policies and procedures for its business.
Disadvantages of on-premise SIEMs
  • An on-premise SIEM platform requires much financial effort to keep running. The overall cost is not limited to the expenditure for purchasing, installing and maintaining the software; it also includes the costs of collecting, storing and analyzing vast amounts of data from each collection point.
  • Hiring, training and managing knowledgeable on-premise cyber security specialists is expensive, and it is also difficult to retain this security talent, because it is in high demand and requires lucrative compensation.
  • To produce viable results, the cyber security team that runs the SIEM should fully understand the organization's business model, which means that the process of implementing an operational SIEM platform can take a year or even more, depending on the size of the organization. This also increases the expenditure.
  • As you know, an organization has a complex business IT infrastructure that also involves dozens of business applications as well as hardware and software modules. Mitigating security risks requires specific expertise, and you know that the cost of these people is high.

To decide on a SIEM, you must also know the advantages and disadvantages of cloud-based SIEMs.

Advantages of cloud-based SIEMs

  • Most SIEM vendors offer SaaS versions of their respective SIEM platforms, and some of them only offer a cloud-based version. The best advantage of a cloud-based SIEM is that you immediately gain expert knowledge: you get a pre-configured SIEM system operated by an expert team. You can reduce the deployment time, as there is no need to train an internal team to manage the platform.
  • On selecting a cloud-based SIEM, you can get custom implementations faster, because you have a team of experts who come with the software and configure it to your needs without any IT training required.
  • The organization also saves infrastructure cost with a SaaS-based SIEM. The organization does not need to purchase expensive hardware to run the SIEM platform, and a well-managed cloud-based SIEM service provider also gives you software maintenance, updates and support. This also reduces the cost of the IT cyber security team for SIEM maintenance.

Disadvantages of cloud-based SIEMs

  • The major disadvantage of cloud-based SIEMs is that the organization faces the risk of moving its sensitive data to the cloud. As a cyber security expert, you know that the risk to data in transit is always high.
  • When you select a cloud-based SIEM solution, you may face the issue of limited access to your raw data, even though this is your data that comes from your endpoints and systems. Cloud-based SIEMs only give you reports and dashboards of your data.
  • With a cloud-based SIEM, you depend on the service provider for all events and alerts.

Let's now focus on our main topic, the open source SIEM environment. Before going forward, we compare three open source SIEM solutions:



In Part 3, we are going to build 1 of the open source SIEMs. If you have any questions, you can ask me in the comments section and follow my blog for cyber security tools and discussion.

If you missed part 1, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-using-opensource-tools.html


Tuesday 11 October 2022

Building Own SIEM Environment using Opensource Tools

Building  Own SIEM Environment using Opensource Tools  (PART 1)

What is a SIEM?
Security Information and Event Management (SIEM) systems collect data from a variety of sensors, perform pattern matching and correlation of events, generate alerts, and provide dashboards that enable analysts to see the state of the servers, systems and networks.

Before we discuss further, what is a Security Operations Center (SOC)?

A Security Operations Center (SOC) is a centralized function within an organization which monitors, detects, prevents, investigates, reports on and responds to cyber threats and security incidents 24/7. The SOC works as a central command post, taking automated action and measurements on an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside.

The SOC is the correlation point for every event logged within the organization; it also monitors those events and decides how they will be managed and what action is taken on them. As the implementation component of an organization's overall cybersecurity framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.

SOCs have been built around a central architecture, where we implement a variety of systems, such as Security Information & Event Management (SIEM), vulnerability assessment solutions (VAS), governance, risk and compliance (GRC) systems, application and database scanners (ADS), intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).

SIEM systems require well-written rule sets to process data. Every SIEM system may also have its own query language, enabling us to write detailed, complex query sets so we can further automate data transformation and analysis. Every SIEM system has some of the following components:


Dashboard:- The SIEM dashboard is the central nerve center of a security analysis tool for a cybersecurity analyst. It presents all the information the analyst needs to know, at their fingertips, and provides the interface for managing the different data that can be manipulated and viewed. Analysts can create queries, execute them, and view the results from the dashboard, as well as manage the different functions and options of the analysis software itself. This makes using the tool much simpler, more efficient, and more effective.

Rule and Query Writing:- All network devices, whether routers, firewalls, intrusion detection/prevention systems, or SIEM systems, have their own built-in rulesets and queries. Rulesets are typically found in network devices that actually take action, such as routers and firewalls. Queries are more often found in more advanced devices where you need to analyze information coming from those devices, such as an IDS or SIEM system. Most popular SIEM systems, such as Splunk and the Elasticsearch, Logstash, Kibana (ELK) open-source stack, have their own unique rule and query languages. Splunk has the Search Processing Language (SPL), while ELK uses its Kibana Query Language (KQL). Many SIEM systems can import rules and queries created in other languages. Queries can be very simple or quite complex, depending on what type of specific data you are looking for, the volume of data stores you must search through, and the complexity of the criteria you are imposing on the search. One of the key elements of a query is the string search. Queries can look for characteristics of certain data elements, such as an IP address, that are frequently found in defined fields. Typical search parameters for queries include the following:

  • IP or MAC addresses
  • Domain names
  • TCP/UDP port
  • Protocol
  • Traffic classified as allowed, denied, or dropped
  • Username
  • Dates and Times
  • FileName
  • File Size & Contents
  • Bandwidth usage or volume of traffic
  • Action (for example, account creation, file deletion, or website accessed)
  • Inbound versus outbound traffic
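As an added example that is not part of the original post, the following Python code implements a small field-based query of the kind described above, run over constructed firewall log lines; the key=value log format and field names are assumptions chosen to mirror the search parameters listed.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not real data) in a key=value syslog-like
# format assumed for this example; the fields mirror the search parameters above.
SAMPLE_LOGS = """\
2022-11-02T09:14:01 fw01 action=denied proto=tcp src=203.0.113.7 dst=192.168.0.161 dport=55000 dir=inbound user=-
2022-11-02T09:14:05 fw01 action=allowed proto=tcp src=192.168.0.25 dst=192.168.0.161 dport=1514 dir=inbound user=alice
2022-11-02T09:15:30 fw01 action=denied proto=tcp src=203.0.113.7 dst=192.168.0.161 dport=1515 dir=inbound user=-
2022-11-02T09:16:02 fw01 action=allowed proto=udp src=192.168.0.40 dst=192.168.0.161 dport=514 dir=inbound user=-
2022-11-02T09:17:45 fw01 action=dropped proto=tcp src=198.51.100.9 dst=192.168.0.161 dport=22 dir=inbound user=-
2022-11-02T09:18:10 fw01 action=allowed proto=tcp src=192.168.0.161 dst=198.51.100.20 dport=443 dir=outbound user=-
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Turn one 'ts host k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:  # skip tokens that are not key=value
            event[key] = value
    return event

def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def matches(event, criteria):
    """criteria maps a field to an exact value, a set of allowed values or a
    predicate; all criteria must hold (AND), like clauses in a SIEM query."""
    for field, want in criteria.items():
        have = event.get(field)
        if have is None:
            return False
        if callable(want):
            if not want(have):
                return False
        elif isinstance(want, (set, frozenset, list, tuple)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def query(events, **criteria):
    """Filter events by field, e.g. query(evs, action="denied", dport="22")."""
    return [e for e in events if matches(e, criteria)]

def in_network(cidr, inside=True):
    """Predicate on an IP field: is the address inside (or outside) the CIDR?"""
    net = ipaddress.ip_network(cidr)
    return lambda value: (ipaddress.ip_address(value) in net) == inside

def count_by(events, field):
    """Aggregate like a dashboard panel: number of events per value of field."""
    counts = {}
    for e in events:
        counts[e.get(field)] = counts.get(e.get(field), 0) + 1
    return counts

if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    # Inbound connections blocked from outside the LAN, grouped by source IP.
    blocked = query(evs, action={"denied", "dropped"}, dir="inbound",
                    src=in_network("192.168.0.0/24", inside=False))
    print(count_by(blocked, "src"))
```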

Why do we need a SIEM?
The next question in your mind is why we need a SIEM. IT teams perform tasks on a daily basis, but the organization has no central view of what the IT team does each day. The following are some reasons why we need a SIEM:

  • Compliance:- You know that every organization follows rules and regulations for long-term survival in the market. It is very tough for every organization to follow the security procedures needed to handle them individually. A SIEM can easily handle them directly or indirectly, for standards such as PCI-DSS, GDPR, HIPAA, SOX, and other compliance standards.

  • Operation Support:- You know that every organization gives support to end users. Organization size increases day by day and it is difficult to manage all the services of the NOC and SOC. When any threat or intrusion happens, all of our users have to suffer. But when you are using a SIEM, it collects all your data from different sources and stores it in one place. That data is then managed, monitored and scanned by a team of specialists, so you can easily give support to end users on security, threats and intrusions.

  • Zero Day Threat:- A zero-day exploit (also called a zero-day threat) is an attack that takes advantage of a security vulnerability that does not have a fix in place. Many solutions available on the market do not equip us with zero-day threat detection. A SIEM solution provides you zero-day threat detection techniques, and you can trust a SIEM for your business safety and security.

  • Advanced Persistent Threats:- You know that an advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. The security team is not successful at providing security in depth, and it is not capable of handling that much data and activity from your business. But SIEM technology brings a central operations engine, where you can perform all your tasks, such as monitoring, detection, investigation and scanning.

  • Investigation and Forensics:- You know that a forensic investigation is a long-term process, and that investigation also demands old data of the business to solve any kind of case regarding your business. Normal business security does not have enough strength to handle that much data in its storage. But a SIEM provides you a large data storage option which you can use for storing data, and you can present it to others very well.

In Part 2, we discuss SIEM further and we are going to build 2 different open source SIEMs. If you have any questions, you can ask me in the comments section and follow my blog for cyber security tools and discussion.


Monday 3 October 2022

OWASP ZAP Tool

 

The Zed Attack Proxy (ZAP) was developed by the Open Web Application Security Project (OWASP). OWASP operates as a non-profit focused on software security. This web application assessment tool is written in Java. To automate the discovery of links and content of a web application, ZAP uses crawlers. A crawler is a program that automatically searches documents on the Web. ZAP uses its position between the user's browser and the web application to intercept and inspect user requests, modify the contents if required, and then forward them to the web server.

ZAP also includes an automated vulnerability scan engine. ZAP will scan a web application and determine if it has common vulnerabilities like cross-site scripting, injection vulnerabilities and input validation issues. ZAP also determines if the web application server has non-secure files and directories. ZAP also shows you insecure permissions and other configuration problems.

The following are some screenshots of ZAP, which we used to perform a web application scan. We used a Kali Linux environment for this scanning.

OWASP-ZAP  -h


ZAP Welcome Screen 


To scan, type the URL and click on Attack. You can also select the traditional and AJAX spider options for the attack.

ZAP Scan Website

After scanning, click on Alerts, which shows you the alerts for the scanned web site.

ZAP Alerts

Clicking on each alert displayed in that window shows the detected vulnerability on the right side of the information window. You can also check the response of web pages by clicking on the Response tab. You see the contents of the header and body of the response, and any alert generated will be highlighted.

The Heads Up Display (HUD) is a new and innovative interface that provides access to ZAP functionality directly in the browser. It provides alert indicators and scan tools within the browser for use as you open pages within a website.



There is a good guide available for using ZAP; just click on Learn More.



*As mentioned in my last post, in future we discuss Vulnerability Assessment (VA) tools one by one. If you have any questions, you can ask me in the comments section and follow my blog for cyber security tools and discussion.









Tuesday 27 September 2022

Qualys Tool


Qualys is a cloud-based vulnerability management solution. Qualys can compete head-to-head with Nessus. Qualys is a commercial product and is an agent-based tool. Qualys installs sensor agents at various points in the network and on systems. The agent sensors upload data to the cloud platform for detection and analysis.

Qualys provides the following types of services:

  • Asset Management
  • IT Security
  • Compliance
  • Cloud Container Security
  • Web App Security
You can log in and try some Qualys tools on a trial basis.

Qualys Asset Inventory



Asset Details



Endpoint Detection 



Qualys Agent 


Like any other vulnerability assessment tool, Qualys follows a Vulnerability Management Life Cycle model: Predict, Prevent, Detect, Respond, Learn.

*As mentioned in my last post, in future we discuss Vulnerability Assessment (VA) tools one by one. If you have any questions, you can ask me in the comments section.


