
VIETNAM NATIONAL UNIVERSITY, HANOI

UNIVERSITY OF ENGINEERING AND TECHNOLOGY
















STUDY AND DEPLOYMENT OF SECURITY INFORMATION AND EVENT MANAGEMENT TECHNOLOGY

UNDERGRADUATE THESIS (FULL-TIME PROGRAM)
Major: Information Technology





HANOI - 2013





VIETNAM NATIONAL UNIVERSITY, HANOI
UNIVERSITY OF ENGINEERING AND TECHNOLOGY




STUDY AND DEPLOYMENT OF SECURITY INFORMATION AND EVENT MANAGEMENT TECHNOLOGY



Major: FACULTY OF INFORMATION TECHNOLOGY






Supervisor: DOAN MINH PHUONG



HA NOI - 2013



SUMMARY

Summary: Along with the development of society, the application of information technology to daily life and work keeps expanding and becoming more effective. Information security in general, and network security in particular, is a matter of concern not only in Vietnam but worldwide.
Within network security, detecting and preventing intrusions into computer networks is a rich topic that has attracted many researchers, in a range of directions both domestic and international. For that reason I chose the topic "Study and deployment of Security Information and Event Management", abbreviated SIEM. SIEM is a new solution that provides an overall view of a system, scans for vulnerabilities, assesses weaknesses, collects data and then analyses and correlates security events to issue alerts and reports that meet international standards. The aim is to understand, and to deploy in practice, a new technology that is becoming the prevailing approach to securing network systems around the world. Through study, research and deployment, the thesis demonstrates the role and the advantages of SIEM in securing a system.

Keywords: SIEM, Security information and event management.





ABSTRACT

Abstract:

Keywords: SIEM, Security information and event management.





SUPERVISOR'S APPROVAL

I hereby approve that the thesis in its current form is ready for committee examination
as a requirement for the Bachelor of Information Systems degree at the University of
Engineering and Technology.

Signature:




TABLE OF CONTENTS

SUMMARY ..... iv
ABSTRACT ..... v
TABLE OF CONTENTS ..... ii
ACKNOWLEDGEMENTS ..... iv
LIST OF FIGURES ..... v
LIST OF TABLES ..... vi
LIST OF ABBREVIATIONS ..... i
INTRODUCTION ..... 1
OVERVIEW OF SIEM ..... 2
1.1. Overview of SIEM ..... 2
1.1.1. Security event log management ..... 4
1.1.2. IT regulatory compliance ..... 4
1.1.3. Security event correlation ..... 4
1.1.4. Active response ..... 5
1.1.5. Endpoint security ..... 6
1.2. Advantages of SIEM ..... 7
COMPONENTS OF SIEM ..... 9
2.1. Source devices ..... 10
2.2. Log collection ..... 12
2.2.1. Push log ..... 12
2.2.2. Pull log ..... 12
2.3. Log parsing and normalization ..... 14
2.4. Security event correlation techniques ..... 15
2.5. Log storage ..... 16
2.6. Monitoring ..... 18
OPERATION OF SIEM ..... 19
3.1. Information collection ..... 20
3.2. Normalization and aggregation of security events ..... 22
3.3. Security event correlation ..... 23
3.4. Alerting and reporting ..... 25
3.5. Storage ..... 26
EXPERIMENTS AND RESULTS ..... 27
4.1. Some SIEM deployment tools ..... 28
4.1.1. AlienVault OSSIM ..... 28
4.1.2. Q1 Labs QRadar ..... 29
4.1.3. MARS ..... 30
4.2. Deploying SIEM with AlienVault OSSIM ..... 31
4.2.1. Information collection method ..... 31
4.2.2. Some open-source tools in AlienVault OSSIM ..... 31
4.2.3. Security event correlation in AlienVault OSSIM ..... 33
4.2.4. Risk assessment ..... 33
4.2.5. Actions in response to security incidents ..... 34
4.2.6. Reporting in AlienVault OSSIM ..... 35
4.3. Experimental results with AlienVault OSSIM ..... 36
4.3.1. Lab 1 ..... 36
4.3.2. Lab 2 ..... 36
4.3.3. Lab 3 ..... 36
CONCLUSION ..... 37
REFERENCES ..... 38
Appendix A ..... 40




ACKNOWLEDGEMENTS

First of all, I would like to sincerely thank the teachers of the University of Engineering and Technology, VNU Hanoi, who have devotedly taught us and passed on their knowledge over the past years, and especially the teachers of the department who directly guided, cared for and taught me, sharing much experience as well as many valuable opinions and insights throughout the preparation, execution and completion of this graduation thesis.
I thank the K55 students of the University of Engineering and Technology, Vietnam National University Hanoi, especially the students of classes K55C-CLC and K55CB, who stood together with me and helped me take part in the useful and interesting courses of the undergraduate program.
My knowledge is still limited and my ability to apply it in practice is not yet good, so in the course of writing this thesis mistakes and limitations were unavoidable. I very much hope to receive the comments and opinions of the teachers so that I can complete my knowledge.
Finally, I wish the teachers and all the staff of the University of Engineering and Technology, VNU Hanoi, good health and success in their work.
I sincerely thank you!
Hanoi, May 2013.



LIST OF FIGURES




LIST OF TABLES




LIST OF ABBREVIATIONS
DDoS Distributed Denial of Service
DoS Denial of Service
IDS Intrusion Detection System
IPS Intrusion Prevention System
SEM Security Event Management
SIEM Security Information and Event Management
SIM Security Information Management



INTRODUCTION
Network security is now a necessity for organizations. Attacks are becoming ever more complex and sophisticated. A network system generates a large volume of log records every day from many different devices and applications, and collecting and analysing those logs is becoming ever more complex and difficult. Many studies have addressed solutions that detect, prevent and alert on security events in a system, such as IDS and IPS devices. Each device has its own strengths and benefits that help meet part of a system's security needs. However, most of these devices operate in isolation: there is no centralized management, no processing of the data, no analysis of the information and no management of security events across the system. SIEM is a solution that can help organizations address these problems and reduce the risk of the system being attacked and penetrated. SIEM helps us manage devices, scan for vulnerabilities in the system, and collect data from different devices and applications; the data is then normalized into a single standard format, security event information is correlated in context, and administrators are alerted when an attack occurs. In addition, SIEM supports compliance with IT operating regulations and provides ready-made reports that follow the international standards on information security.
The remainder of the thesis is organized as follows:
Chapter 1: Overview of SIEM. This chapter introduces SIEM in general, giving a brief view of SIEM and its advantages.
Chapter 2: Components of SIEM. This chapter describes the components of SIEM.
Chapter 3: Operation of SIEM. Having seen in the previous chapter which components make up a SIEM, this chapter explains how a SIEM works, to deepen understanding of SIEM technology.
Chapter 4: Experiments and results. In this chapter I study several SIEM deployment tools and choose one for a practical deployment, to show the benefits of SIEM technology more clearly.
Chapter 5: Conclusion. This chapter ..




Chapter 1
OVERVIEW OF SIEM
1.1. Overview of SIEM
As network systems keep growing, a number of needs arise: how do we manage a great many devices, and how do we manage security information and events so that the system runs well and securely? This is the question that researchers and network security administrators are trying to answer as well as possible. Many IDS and IPS devices have appeared to address it. But most of these devices operate in isolation: there is no centralized management and no correlation of security events; support for security compliance is limited, and producing reports on the security status of the system to international standards is exhausting. SIEM (Security Information and Event Management) therefore emerged naturally, following the worldwide trend of development. SIEM solves the problems above and makes our systems safer and more effective.
A Security Information and Event Management (SIEM) solution is a security solution that provides an overall view of an organization's information technology system. SIEM combines Security Information Management (SIM) with Security Event Management (SEM). The basic principle of SIEM is to gather data on security events from many different devices at different locations in the system, so that all of it can be easily analysed and monitored in a single place, in order to detect trends and track signs of abnormal activity.
SIEM collects logs and other security-related records for analysis and correlation. It collects logs and security events through agents: from end users, servers, network devices and even dedicated security devices such as firewalls, antivirus or intrusion prevention systems. The collectors forward the information to a central point for normalization, centralized management, analysis and correlation of security events. Abnormal events can then be identified and reported to the administrator.
Security specialists and analysts use SIEM to monitor, identify and manage the system's assets and to respond to security incidents. Some security events, such as denial-of-service (DoS) attacks, targeted attacks, malicious-code attacks and virus outbreaks, are also hard to identify with other devices; many events are hard to detect or are buried among the thousands of other security events occurring every second. SIEM can also detect harder-to-spot security events such as policy violations, unauthorized access attempts and the methods skilled attackers use to penetrate IT systems.
An important goal for security analysts using SIEM is to reduce the number of false alerts. Weaker security systems, such as intrusion detection systems (IDS), often raise alerts on many false events. These alerts waste analysts' time and effort and draw their attention, causing analysts to overlook the correct and more important alerts. With a SIEM, false alerts are reduced carefully by filters and by rules that correlate security event information with one another, so that the SIEM identifies and alerts accurately when a security event occurs despite the large and noisy volume of events.
SIEM provides the following services:
- Security event log management (Log management).
- IT regulatory compliance.
- Security event correlation (Event correlation).
- Active response.
- Endpoint security.



1.1.1. Security event log management
SIEM manages the logs from the devices in the system. It begins by configuring the important points in the system to send their security events to a centralized database. SIEM normalizes these logs into a single format for analysis and correlation. SIEM then stores the log files and provides organization, search and other services to meet the management needs the organization requires. This data-management part is also used for real-time analysis, presenting the state of data mining and security across the whole IT system.

1.1.2. IT regulatory compliance

With all events from the critical systems being accessed, we can build filters, or set up rules and time-based calculations, to check and verify compliance or to identify behaviour that violates the organization's compliance requirements. The rules are matched against the logs fed into the system. We can monitor the number of password changes, identify operating system or application patches, and check antivirus, anti-spyware and update status. We can build our own rule sets for the filters, or rules that support compliance with the regulations in force. Many SIEM vendors ship packaged rule sets designed specifically to satisfy the various legal and regulatory requirements businesses must comply with; the vendor provides them either free of charge or for a fee.

1.1.3. Security event correlation
Correlating security events yields better notifications for the system. We do not rely on a single event to decide whether or not to respond to it. With correlation, we consider different conditions before triggering an alarm. For example, a server at 100% CPU utilization can have many different causes. It may indicate a problem, or it may not. It could be a sign that the system is overloaded with activity and that one or more services or applications need to be spread across other servers. It could be that the server is at capacity because of a denial-of-service (DoS) attack on the system. Or it could be a natural, temporary stall on the server.
The correlation tools on a SIEM can check and consider (correlate) other events not related to CPU usage, to provide a fuller picture of the server's condition and rule out hypotheses about the cause. For example, in the 100% CPU case, the SIEM can be configured to consider the following causes:
- Has the antivirus software found malware on the server?
- Do any other servers also show 100% CPU? Should the presence of a virus be considered?
- Has one application, or several applications or services, stopped?
- Is there an increase in network traffic from legitimate user demand that exceeds the server's capacity?
- Is there an increase in network traffic not from legitimate user demand that exceeds the server's capacity, such as a DoS attack? From different sources? Possibly a distributed denial of service (DDoS)?
That is security event correlation. SIEM alerts help us choose a response depending on the conditions.
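As an added illustration (not part of the thesis and not the code of any SIEM product), the Python function below encodes the check list above as a correlation rule: given already-normalized events around the time of a 100% CPU event on one host, it tests the antivirus, other-host, connection-volume and service-status conditions in a fixed priority order and returns a verdict with a severity. The event schema, the thresholds and the sample events are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def _mk(host, time, kind, **extra):
    return {"host": host, "time": time, "type": kind, **extra}


# Constructed, already-normalized events (not real telemetry).
SAMPLE_EVENTS = (
    [_mk("web01", "2013-05-10 10:00:00", "cpu_high", value=100),
     _mk("db01", "2013-05-10 10:00:05", "cpu_high", value=100),
     _mk("db01", "2013-05-10 10:00:03", "av_alert", signature="W32.Worm"),
     _mk("web02", "2013-05-10 10:00:10", "cpu_high", value=100),
     _mk("web03", "2013-05-10 10:00:20", "cpu_high", value=100),
     _mk("web03", "2013-05-10 10:00:21", "service_stopped", service="httpd"),
     _mk("web04", "2013-05-10 10:00:30", "cpu_high", value=100)]
    # web01: 60 connections from a single address within 30 seconds
    + [_mk("web01", "2013-05-10 09:59:%02d" % (30 + i % 30), "net_conn", src="203.0.113.7")
       for i in range(60)]
    # web02: 60 connections from 60 different addresses (a traffic surge)
    + [_mk("web02", "2013-05-10 10:00:%02d" % i, "net_conn", src="198.51.100.%d" % (i + 1))
       for i in range(60)]
)


def _ts(event):
    return datetime.strptime(event["time"], FMT)


def diagnose_cpu_spike(host, at, events, window=timedelta(seconds=60),
                       conn_threshold=50, per_source_threshold=20):
    """Return (verdict, severity) for a 100% CPU condition on `host` at `at`.

    The other indicators the text lists are checked in priority order:
    antivirus detection on the host (escalated if other hosts spike too),
    a connection flood from one or several aggressive sources (DoS/DDoS)
    versus many low-rate sources (possibly legitimate demand), a stopped
    service, and otherwise a transient spike.
    """
    centre = datetime.strptime(at, FMT)
    in_window = [e for e in events if abs(_ts(e) - centre) <= window]
    on_host = [e for e in in_window if e["host"] == host]

    if any(e["type"] == "av_alert" for e in on_host):
        others = {e["host"] for e in in_window
                  if e["type"] == "cpu_high" and e["host"] != host}
        return ("malware_spreading" if others else "malware", "high")

    by_src = Counter(e["src"] for e in on_host if e["type"] == "net_conn")
    if sum(by_src.values()) >= conn_threshold:
        aggressive = [s for s, n in by_src.items() if n >= per_source_threshold]
        if len(aggressive) == 1:
            return ("dos_single_source", "high")
        if len(aggressive) > 1:
            return ("ddos_suspected", "high")
        return ("traffic_surge", "medium")   # many sources, none aggressive: capacity question

    if any(e["type"] == "service_stopped" for e in on_host):
        return ("service_failure", "medium")
    return ("transient_spike", "low")


if __name__ == "__main__":
    for h, t in [("web01", "2013-05-10 10:00:00"), ("db01", "2013-05-10 10:00:05"),
                 ("web02", "2013-05-10 10:00:10"), ("web03", "2013-05-10 10:00:20"),
                 ("web04", "2013-05-10 10:00:30")]:
        print(h, diagnose_cpu_spike(h, t, SAMPLE_EVENTS))
```

The per-source threshold is what separates a flood from a surge: sixty connections from one address is a DoS, sixty connections from sixty addresses is only a capacity question that the rule flags at medium severity for a human to look at.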

1.1.4. Active response
All devices provide input to the SIEM, and its rules and filters identify and analyse the relationships among that input. We can configure actions and carry out responses for all security events, or configure them separately for each type of event.
The benefit of active response is considerable, but it also has a downside. If it is not configured carefully and precisely, it can take unnecessary response actions. Automated response easily becomes a double-edged sword.



1.1.5. Endpoint security
Most SIEM systems can monitor endpoint security to report on the safety of the system. SIEM provides management as well as asset assessment of devices, along with vulnerability scanning and patch updates. Many SIEM systems can track devices such as PCs, servers and firewalls. Some SIEM systems can even manage endpoint security, with adjustments and improvements for the security devices on the system, such as configuring firewalls, and updating and monitoring antivirus, anti-spyware and email anti-spam.




1.2. Advantages of SIEM
As network systems grow, more and more devices are added and managing them becomes far more complex. SIEM is a solution that helps us manage them better.
Devices produce ever more logs (possibly hundreds of millions of log records a day), which administrators and earlier tools cannot analyse quickly and accurately. SIEM integrates log-file management data from many sources, including the network, servers, databases and applications, and consolidates the data so that important events are not missed.
Earlier security systems could not assess the asset value of the devices in the system. SIEM assesses the value of the devices or applications in the system (on an increasing scale from 0 to 5) and prioritizes alerts and protection accordingly.
SIEM correlates security events with one another and then concludes whether or not an attack is taking place. Take a brute-force attack as an example. If port-scanning behaviour is seen, and in addition the number of logins with a wrong username or password from one source IP exceeds some value within a period of time, the SIEM links these events together and concludes that a brute-force attack is under way against the system. Earlier security systems did not link these events; they could only raise an alert that there was port scanning, a failed login, and so on. With SIEM, if one of the above events occurs it raises a medium-level alert, and if the subsequent events then also occur it raises the alert level and notifies the administrator to respond.
SIEM provides tools to assess the vulnerabilities of the devices in the system: which security vulnerabilities they have, and which patches for those vulnerabilities still need to be applied.
SIEM provides a visual view through charts and graphs that make monitoring clearer. The tool can display event data and render it as charts that help reveal patterns or identify inappropriate activity.
SIEM provides standard report templates according to international security standards such as HIPAA and ISO 27001, so that security administrators can concentrate on strengthening network security.
It provides long-term storage of log records to serve later investigations and compliance with IT operating regulations.




Chapter 2
COMPONENTS OF SIEM
A SIEM consists of many parts, each doing a separate job. Each component can operate independently of the others, but unless they all work together at the same time we will not have an effective SIEM. Whatever system is in use, every SIEM will always have the basic components described in this chapter. By understanding each part of a SIEM and how it works, we can manage it effectively and troubleshoot problems as they arise.






2.1. Source devices
Figure 2.1.
The first component of a SIEM is the set of input devices that supply it with data. A source device may be a physical device in the network such as a router, a switch or some kind of server; it may also be the log records of an application, or simply any other data. Knowing what we have in the system is very important when deploying a SIEM. Understanding early on which sources we want to take logs from saves considerable effort and money and reduces the complexity of the deployment.
Operating systems: Microsoft Windows and the variants of Linux and UNIX, AIX and Mac OS are the operating systems most commonly used. Most operating systems differ fundamentally in technology and in how they carry out a given task, but one thing they all have in common is that they generate logs. The logs show what the system is doing: who logged in, what they did on the system, and so on. The logs an operating system generates about system and user activity are very useful when responding to a security incident, diagnosing a problem, or even just tracking down a misconfiguration.
Appliances: Most appliances are black boxes; system administrators have no direct access to the underlying system to perform basic management tasks, but they can manage the device through an interface, which may be web-based, command-line, or an application downloaded to the administrator's workstation. The operating system a network device runs may be an ordinary one, such as Microsoft Windows or a version of Linux, but it may also be configured differently from an ordinary operating system. A router or switch is an example: whichever the vendor, we can never access its underlying operating system directly, only through the command line or the web interface used to manage it. These devices keep their logs on the device itself, or can usually be configured to send the records out via syslog or FTP.
Applications: Running on the operating systems are applications used for a variety of functions. In a system we may have a domain name system (DNS), a dynamic address allocation service (DHCP), web servers, an email system and countless other applications. Application logs contain detailed information about the state of the application, for example statistics, errors or message information. Some applications produce logs that are useful to us, and we may be required to maintain and retain logs for legal compliance.
Identifying the logs needed: Having identified the source devices in the system, we need to consider which devices' logs are necessary and important to collect for the SIEM. Some points to note when collecting logs:
- Which source devices take priority? Which data is important enough that we must collect it?
- What volume of logs is generated over a given period? This information determines how many resources the SIEM needs for them, especially storage space.
- How fast do these source devices generate logs? Together with the log size, this decides how much network bandwidth log collection will use.
- How will the source devices connect to the SIEM?
- Are logs needed in real time, or can collection be scheduled at a particular time of day?
The information above is very useful in identifying the source devices our SIEM needs. There is a lot of it, but it is necessary in order to pin down more precisely what the SIEM needs. The number of users, system maintenance schedules and many other factors can significantly affect the number of log records generated each day.




2.2. Log collection
The next step in the diagram is how to collect logs from the various devices. The log collection mechanism depends on the device, but at the most basic level there are two methods: pull log and push log.
2.2.1. Push log
Push log: the source devices send their logs to the SIEM.
This method has the advantage of being easy to install and configure. Usually we only need to set up a receiver and then point the source device at it. Syslog is an example: when configuring a source device to use syslog, we set the IP address or DNS name of a syslog server on the network and the device automatically sends its logs over syslog. The method does have some drawbacks, however. For example, consider syslog over UDP: the very nature of running syslog over UDP means delivery of the packets can never be guaranteed, because UDP is a connectionless protocol. If something happens on the network, for instance a virulent worm outbreak, we may not receive the syslog packets at all. Another problem is that if proper access control is not set on the log receiver, a misconfiguration or malicious software can flood it with misleading information, making real security events hard to detect. In a deliberate attack against the SIEM, an attacker could falsify information and inject junk data into the SIEM. Knowing which devices send logs to the SIEM is therefore very important.
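As an added example (not from the thesis and not the code of any SIEM product), the Python sketch below shows the receiver-side controls the paragraph asks for: a syslog collector that accepts datagrams only from a configured list of known senders, rate-limits each sender so that a misconfigured or compromised host cannot flood the SIEM, and parses the RFC 3164 PRI field into facility and severity. The sender addresses and messages are constructed; nothing here protects against the UDP loss the paragraph describes, which only a reliable transport can address.

```python
import re
from collections import Counter, defaultdict, deque

# RFC 3164 facility and severity names, indexed by PRI // 8 and PRI % 8.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.DOTALL)


def parse_syslog(payload):
    """Split a BSD-syslog datagram into facility, severity and message.
    Returns None when the PRI header is missing or out of range."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:           # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "message": m.group(2)}


class SyslogReceiver:
    """Accepts datagrams only from known senders and caps each sender's rate.

    `allowed_senders` is the list of source-device IPs expected to push logs
    (the 'knowing which devices send logs' the text insists on); anything
    else is dropped and counted rather than stored, so a spoofed datagram
    cannot inject events, and one noisy sender cannot drown out the rest.
    """

    def __init__(self, allowed_senders, max_per_window=1000, window=60):
        self.allowed = set(allowed_senders)
        self.max_per_window = max_per_window
        self.window = window                 # seconds
        self.arrivals = defaultdict(deque)   # src_ip -> arrival timestamps
        self.dropped = Counter()             # reason -> count, feeds the SIEM's own health alerts

    def receive(self, src_ip, payload, now):
        """Return a normalized event dict, or None if the datagram is dropped."""
        if src_ip not in self.allowed:
            self.dropped["unknown_sender"] += 1
            return None
        q = self.arrivals[src_ip]
        while q and now - q[0] >= self.window:   # expire arrivals outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            self.dropped["rate_limited"] += 1
            return None
        q.append(now)
        event = parse_syslog(payload)
        if event is None:
            self.dropped["malformed"] += 1
            return None
        event["src"] = src_ip
        return event


if __name__ == "__main__":
    rx = SyslogReceiver(["10.0.0.5"], max_per_window=3)
    # Constructed datagrams: one from a known firewall, one spoofed from elsewhere.
    print(rx.receive("10.0.0.5", "<34>May 10 10:00:01 fw01 su: 'su root' failed for bob", now=0))
    print(rx.receive("10.0.0.9", "<34>May 10 10:00:01 fw01 su: 'su root' failed for bob", now=1))
    print(dict(rx.dropped))
```

The dropped-counter is deliberately kept: a sudden rise in `unknown_sender` or `rate_limited` is itself an event worth alerting on, since it is what a flooding attempt against the collector looks like.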
2.2.2. Pull log
Pull log: the SIEM goes to the devices and fetches the logs.
Unlike push log, where the source device sends logs to the SIEM without any interaction from the SIEM, pull log requires the SIEM to initiate a connection to the source devices and actively retrieve the logs from them. One example is logs stored in text files on a network share: the SIEM establishes a connection to fetch the stored information and reads the log files from the source devices.

With push log, the source devices usually send their records to the SIEM as soon as they are generated. With pull log, a connection is made so that the SIEM reaches the source device and pulls the logs from it. The interval between pull connections can be a few seconds or hours; it can be configured as an option or left at the SIEM's default.
- Prebuilt log collection: Depending on the SIEM, there are usually built-in methods for retrieving logs from devices or applications. For example, we can point the SIEM at a server running an Oracle database and have it feed database information into the SIEM; the SIEM has the authentication methods and the logic built in to retrieve information from the Oracle database.
That example makes retrieving logs from source devices easier. But for an application whose logs we want and for which no predefined method or logic exists, things are harder. In that case the records must be converted from their native file format into something the SIEM can understand. For example, if we run an application on a server that stores its logs in a file on the server, we can use another application to read the file and send the records via syslog. On a Windows server, another way to handle non-standard logs is to write them to the Windows Event Log and pull the Windows Event Log into the SIEM.
- Custom log collection: Among the various devices in the network there may be log sources for which the SIEM provides no standard collection method. We then need a way to obtain logs from such a source by building our own collection method. Building a custom method to retrieve and parse logs can take considerable effort and time, but done correctly it means the records are pulled directly from the device into the SIEM. Another benefit of building our own collection method is that we control the entire parsing and search process.




2.3. Log parsing and normalization
Countless logs are sent from the devices and applications in the environment to the SIEM; what happens next? At this point all the records are still in their original formats, so we can do nothing with them except store them somewhere. For the logs to be useful in the SIEM, we need to reformat them into a single standard format. Changing all the different kinds of log records into records that share one format is called normalization. Normalizing logs lets the SIEM unify the records, analyse them quickly and correlate security events later.




2.4. Security event correlation techniques
Rules extend the normalization of security event records from different sources into the triggering of alerts in the SIEM. Writing rules in a SIEM usually starts out fairly simple but can become extremely complex. We usually write rules as a Boolean logic expression that defines the conditions that can be satisfied and checks whether they match in the data.
Correlation is a set of rules. Security event correlation links security events from different sources into a single accurate security event. Events are correlated to simplify the incident response procedure for the system, by presenting one incident tied together from many security events coming from different source devices. The example in the table below shows many security events arriving at the SIEM within a 10-second window. Looking at it, we can see failed and successful logins from many addresses to several destination addresses. Looking closer, we can see a single source address logging in to many destination addresses many times, and then suddenly a successful login. This could be a brute-force attack on the server. But unless we have a very good memory we would not notice; usually we would have forgotten the first security events by then.
(Table)
Extending this example, instead of only 10 security events in 10 seconds, suppose we have 1000 security events in 10 seconds. Picking out, from that flood, the events that point to a harmful incident is extremely difficult. We need a way to discard all the irrelevant event information in the logs and track only the event information that, across many events, can indicate a compromise.
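The table referred to above is not reproduced on the page, so the following added Python example (not from the thesis and not the code of any SIEM product) reconstructs the pipeline that sections 1.2, 2.3 and 2.4 describe: it normalizes log lines from three constructed source formats (an IDS port-scan notice, Linux sshd syslog lines, and Windows-style logon events 4624/4625 as CSV) into one schema, then applies the brute-force correlation rule, escalating from a medium alert for repeated failures alone to a high alert when the same source also port-scanned or then logged in successfully inside the window. The log formats, addresses, hostnames, the 10-second window and the failure threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2013  # assumed: classic BSD syslog timestamps carry no year

# Constructed log lines in three source formats (not real captures).
SAMPLE_LINES = [
    "2013-05-10 10:00:00 ids01 PORTSCAN src=203.0.113.7 dst=web01",
    "May 10 10:00:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "May 10 10:00:03 web01 sshd[2202]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "May 10 10:00:04 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2",
    "2013-05-10 10:00:05,dc01,4625,203.0.113.7,administrator",
    "May 10 10:00:07 web01 sshd[2204]: Accepted password for root from 203.0.113.7 port 40004 ssh2",
    "May 10 10:00:06 web01 sshd[2205]: Failed password for alice from 198.51.100.3 port 50000 ssh2",
    "May 10 10:00:09 web01 sshd[2206]: Accepted password for alice from 198.51.100.3 port 50001 ssh2",
]

SSHD_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")
WIN_RE = re.compile(r"^([^,]+),([^,]+),(4624|4625),([^,]+),([^,]+)$")
IDS_RE = re.compile(r"^(\S+ \S+) (\S+) PORTSCAN src=(\S+) dst=(\S+)$")


def normalize(line):
    """Map one raw line onto the common schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"time": datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                "src": m.group(5), "dst": m.group(2), "user": m.group(4),
                "action": "login_ok" if m.group(3) == "Accepted" else "login_fail"}
    m = WIN_RE.match(line)
    if m:
        return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "src": m.group(4), "dst": m.group(2), "user": m.group(5),
                "action": "login_ok" if m.group(3) == "4624" else "login_fail"}
    m = IDS_RE.match(line)
    if m:
        return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "src": m.group(3), "dst": m.group(4), "user": None, "action": "portscan"}
    return None


RANK = {"medium": 1, "high": 2}


def correlate(events, window=timedelta(seconds=10), fail_threshold=3):
    """Return {src_ip: alert} for sources whose events inside `window` look
    like a brute-force attempt.  Failures alone -> medium; failures plus a
    port scan from the same source, or followed by a successful login -> high."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        recent = deque()                     # sliding window of this source's events
        for e in evs:
            recent.append(e)
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            fails = sum(1 for x in recent if x["action"] == "login_fail")
            if fails < fail_threshold:
                continue
            severity, reasons = "medium", [f"{fails} failed logins within {window.seconds}s"]
            if any(x["action"] == "portscan" for x in recent):
                severity, reasons = "high", reasons + ["preceded by a port scan"]
            if e["action"] == "login_ok":
                severity, reasons = "high", reasons + [f"then successful login as {e['user']} on {e['dst']}"]
            # keep the latest alert at the highest severity reached for this source
            if src not in alerts or RANK[severity] >= RANK[alerts[src]["severity"]]:
                alerts[src] = {"severity": severity, "reasons": reasons,
                               "targets": sorted({x["dst"] for x in recent})}
    return alerts


def detect_brute_force(lines):
    """Normalize raw lines (skipping unparsable ones) and correlate them."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LINES).items():
        print(src, alert["severity"], alert["targets"], "; ".join(alert["reasons"]))
```

Because the rule keys on the normalized `src` field, the sshd failures against web01 and the 4625 event against dc01 count as one stream from 203.0.113.7, which is exactly the cross-device link the text says isolated devices cannot make; the single failed login from 198.51.100.3 never crosses the threshold and produces nothing.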





2.5. Log storage
With logs sent to the SIEM, we need a way to store them for retention and later querying. There are three ways records can be stored in a SIEM: in a database, as text files, or as binary files.
Database storage
Storing logs in a database is the most common way of storing logs in a SIEM. The database is usually a standard platform such as Oracle, MySQL, Microsoft SQL, or one of the other major database applications in use in the enterprise. This method makes it fairly easy to interact with the data, since database queries are part of the database application. Performance is also quite good when accessing log records in the database, depending on the hardware the database runs on, but the database application must be optimized to run with the SIEM. Using a database is a good solution for log storage, but some problems can arise depending on how the SIEM deploys the database associated with it. If the SIEM is an appliance there is usually not much interaction with the database, so provisioning and maintenance are usually not an issue. But if the SIEM runs on our own hardware, managing the database ourselves is a big issue too, and it can be difficult if we do not have a DBA.
Text file storage
A standard text file stores information in a readable format. The information needs a delimiter, which may be a comma, a tab or some other symbol, so that it can be parsed and read correctly. This storage method is not used often; writing to and reading from text files seems slower than the other methods. There is really not much benefit in using a text file to store data, but it makes it easy for external applications to access the data. If log records are stored in a text file, it is not hard to write our own code that reads the files and extracts information to feed another application. Another benefit is that a text file is human-readable and so easy to parse, search and understand. We can open the files and use grep or some other text-search tool to find the information we are looking for without opening a console.

Binary file storage
The binary file format uses a file with a custom format to store information in binary form. The SIEM knows how to read and write these files.








2.6. Monitoring
Once all the logs are in the SIEM and the security events have been processed, the next question is how to make good use of the information from the various logs. A SIEM has a web-based console or an application downloaded to the workstation; both interfaces let us interact with the data stored in the SIEM, and the console is also used to manage the SIEM.
The application interface lets us handle incidents or provides an overview of our environment. Normally, to view information or handle an incident, engineers have to go to the various devices and read the logs in their native format. With a SIEM this is much simpler and more convenient: it can be handled in one place, and all the different logs are easy to analyse because the SIEM has normalized the data. In the SIEM's management and monitoring console we can develop content and rules used to extract information from the processed security events. The console is the way we communicate with the data stored in the SIEM.




Chapter 3
OPERATION OF SIEM
The important thing when deploying a SIEM is to understand how it works. Each vendor differs slightly, but all are based on the same core concepts. The basic components remain collection, analysis and storage. Logs are collected from different devices and may have formats specific to each device type; we need to collect them and convert them to a common format. This process is called consolidation. The data is then analysed and security events are correlated (correlation) to conclude whether or not there is an attack. Information about the network environment and about common threats is very useful at this stage. Alerts and reports are generated as a result of the analysis. Logs are kept directly on the SIEM for at least a few hours and then moved to long-term storage to serve investigation or later use.










20

3.1. Information collection
Figure 3.1.
The purpose of information collection is to capture and normalize information from the different security devices and supply it to the servers for further analysis. This function is very important because the data from different devices and vendors comes in different formats. Once the data has been collected and normalized it can be used in combination with data from other sources. When everything is in the same format, the detection of malicious security events is improved and more accurate.
The SIEM collects logs from a great many different devices; the transfer of logs from the source devices to the SIEM must be kept confidential, authenticated and reliable by using syslog or the SNMP, OPSEC, SFTP or IDXP protocols. The logs are then normalized into a common format. If a device does not support syslog or these protocols we have to use an agent. This is necessary in order to obtain logs in a format the SIEM can understand. Installing agents can prolong the SIEM deployment, but we will have logs in the standard form we want.
There are two ways a SIEM collects logs from source devices. The first is pull: the SIEM connects to the source devices and retrieves the logs, and the interval at which the SIEM polls the devices can be chosen. The second is push: the source devices send the logs to the SIEM themselves. This also requires planning the period at which logs are pushed to the SIEM, otherwise the SIEM will be flooded when too many source devices send logs at the same time.
Pull log: a piece of software is installed on the security devices and is used to fetch data from the devices through sensors or a server. The security devices use a plugin to parse the information from a specific format depending on the device or vendor. This technique is usually used on servers and workstations, where it is easy to install additional software.
Push log: data in its native format is taken from the security devices. This is done with SNMP or syslog and does not change the software running on the security devices. This technique is usually used for devices on which it is hard to install additional software.
When security events reach the server, the priority level is set on a standard scale from 0 to 5. The administrator can adjust the default values through a table of standards and a priority policy.
Collection policy: a priority policy can be set up for collection, so that the sensors filter and consolidate security event information before sending it to the server. This technique lets the administrator regulate security events and manage the information; otherwise there will be so many security events in the network that we will not know where to start.
3.2. Normalization and aggregation of security events
A great deal of log data must be normalized by the SIEM into its own format that it can understand. When the data is normalized, some important parameters must be kept, such as the date, the time and the time of collection. These parameters are usually supplied by the Network Time Protocol (NTP).
After the logs have been normalized, aggregation of security events takes place. The purpose of this process is to aggregate security events of the same type in order to see the overall picture of the system. This looks similar to security event correlation, but it really is not: correlation combines many different security events in order to conclude whether or not there is an attack.
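The normalization and aggregation steps described above, as an added example written for this chapter (it is not code from the thesis or from any SIEM product). Two constructed raw formats, a syslog-style firewall line and a comma-separated IDS line, are parsed into one common schema, sorted by time and then aggregated by event type, source and destination. The field names, the `FW_` prefix and the sample lines are assumptions made for illustration.

```python
"""Normalize log lines of different formats into a common schema, then aggregate."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample input: a firewall line in syslog style and an IDS line in
# comma-separated style. Real devices each have their own native format.
RAW_LOGS = [
    "Mar 12 10:15:01 fw01 kernel: DROP SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=23",
    "Mar 12 10:15:03 fw01 kernel: DROP SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=22",
    "2013-03-12T10:15:05Z,ids01,PORTSCAN,10.0.0.7,10.0.0.20,0",
    "Mar 12 10:15:08 fw01 kernel: DROP SRC=10.0.0.9 DST=10.0.0.21 PROTO=TCP DPT=80",
    "2013-03-12T10:15:09Z,ids01,PORTSCAN,10.0.0.7,10.0.0.20,0",
]


@dataclass(frozen=True)
class Event:
    """Common schema that every source is normalized into (assumed field set)."""
    timestamp: datetime
    sensor: str
    event_type: str
    src_ip: str
    dst_ip: str
    dst_port: int


FW_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\w+ DPT=(?P<dpt>\d+)$"
)


def normalize(line: str, year: int = 2013) -> Optional[Event]:
    """Parse one raw line into the common schema; unknown formats return None."""
    m = FW_RE.match(line)
    if m:
        # Classic syslog timestamps carry no year, so the collector supplies it;
        # an NTP-synchronised clock on the collector keeps the times comparable.
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return Event(ts.replace(tzinfo=timezone.utc), m["host"],
                     f"FW_{m['action']}", m["src"], m["dst"], int(m["dpt"]))
    fields = line.split(",")
    if len(fields) == 6:
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return Event(ts, fields[1], fields[2], fields[3], fields[4], int(fields[5]))
    return None


def normalize_all(lines) -> List[Event]:
    """Normalize every parsable line and order the result by time."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e.timestamp)


def aggregate(events) -> Counter:
    """Aggregation: count events of the same type, source and destination.
    This only groups identical events; it draws no conclusion about an attack."""
    return Counter((e.event_type, e.src_ip, e.dst_ip) for e in events)


if __name__ == "__main__":
    for key, n in aggregate(normalize_all(RAW_LOGS)).items():
        print(n, key)
```

Aggregation reduces five raw lines to three summary rows; correlation (next section) is the step that would relate the PORTSCAN row and the FW_DROP rows from the same source to each other.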
3.3. Security event correlation
Security event correlation is the process in which different security event records are linked together in order to conclude whether or not there is an attack on the system. The process requires focused, in-depth processing, and it must understand how an attack takes place. It usually uses the information in the available database and links it with contextual information about the system's network environment. This information can be things such as user directories, devices and their locations. The great thing is that the SIEM can learn from the new security events that arrive in the data and update the contextual information.
As we know, there are many IDS and IPS devices, the common attack detection and prevention devices in use today. But they all operate independently, in isolation. A question naturally arises as to whether there is a solution that overcomes this limitation. If a single file could contain all the information needed for security analysis, we would not need to bother with collecting and linking events from many different sources. The truth is that each log record or event contains a single piece of information. To make accurate decisions about what is happening with the applications and in the system, we need to combine events from many different sources. The events we want, and which part of the data from those events we need, is what the SIEM gives us.
So what is correlation? Correlation is linking multiple events together in order to detect abnormal behaviour. It is the combination of different events that relate to a single incident in the system. Usually there are two kinds of correlation: rule-based, using rules and known knowledge, and statistical-based.
Rule-based: this is a method of correlating events based on rules and known knowledge of attacks. The known knowledge of attacks is used to link the events together and analyse them in a common context. The rules are built into defined templates and are developed by the vendors, or we can build, develop and add them to the system ourselves over time and with accumulated experience.
Example: suppose an administrator uses rules to monitor whether there are port scans on the devices. If a port scan is seen and then an attempt to telnet in, the subsequent rules go on to check whether this occurred within the preceding time window. If a telnet connection from an unknown source IP is identified, the event correlation system sends an alert through the console, or can send a text message or an email to the administrators so that they know.
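The port-scan-then-telnet rule from the example, as an added example written for this section rather than taken from the thesis or from any vendor's rule language. It runs over constructed, already-normalized events; the event dictionary keys, the ten-minute window, the list of known administrator sources and the message format are all assumptions.

```python
"""Rule-based correlation: port scan followed by telnet from an unknown source."""
from datetime import datetime, timedelta

# Constructed normalized events, in time order, as the collector would hand
# them to the correlation engine.
EVENTS = [
    {"ts": datetime(2013, 3, 12, 10, 0, 0), "type": "PORTSCAN", "src": "198.51.100.7", "dst": "10.0.0.20", "dport": 0},
    {"ts": datetime(2013, 3, 12, 10, 2, 30), "type": "CONNECT", "src": "198.51.100.7", "dst": "10.0.0.20", "dport": 23},
    {"ts": datetime(2013, 3, 12, 10, 5, 0), "type": "CONNECT", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 23},
    {"ts": datetime(2013, 3, 12, 11, 30, 0), "type": "CONNECT", "src": "198.51.100.7", "dst": "10.0.0.20", "dport": 23},
]

# Contextual information the rule relies on (assumed): sources known to be
# legitimate, e.g. an administrator's jump host, never trigger this rule.
KNOWN_SOURCES = {"10.0.0.5"}
# Assumed rule window: the telnet must follow the scan within ten minutes.
WINDOW = timedelta(minutes=10)
TELNET_PORT = 23


def correlate(events, known_sources=KNOWN_SOURCES, window=WINDOW):
    """Return one alert per telnet connection that follows a port scan from the
    same unknown source within `window`. Events must be in time order."""
    alerts = []
    last_scan = {}  # source IP -> timestamp of its most recent port scan
    for e in events:
        if e["type"] == "PORTSCAN":
            last_scan[e["src"]] = e["ts"]
        elif e["type"] == "CONNECT" and e["dport"] == TELNET_PORT and e["src"] not in known_sources:
            scan_ts = last_scan.get(e["src"])
            # Second rule: was there a scan from this source in the preceding window?
            if scan_ts is not None and timedelta(0) <= e["ts"] - scan_ts <= window:
                alerts.append({"src": e["src"], "dst": e["dst"],
                               "scan_at": scan_ts, "telnet_at": e["ts"]})
    return alerts


def format_notification(alert):
    """Text of the console/mail/SMS notification (assumed format)."""
    return (f"ALERT: telnet from {alert['src']} to {alert['dst']} at "
            f"{alert['telnet_at']:%H:%M:%S} after port scan at {alert['scan_at']:%H:%M:%S}")


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(format_notification(a))
```

Of the three telnet connections, only the first produces an alert: the second comes from a known source, and the third falls outside the window even though the same source scanned earlier. The two rules together are what keeps a lone port scan, or a lone telnet session, from raising a false alert on its own.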
Statistical-based: this correlation method does not use any prior knowledge of activities considered dangerous. Instead it relies on knowledge of normal activity that has been recognised and accumulated over time. The events taking place are evaluated by an algorithm and can be compared with the normal pattern to distinguish normal behaviour from abnormal behaviour.
The system analyses security events over a period of time and uses weights to assess assets and systems. These weighted values are then analysed to determine the risk of this kind of attack occurring. These systems also establish a baseline level of normal network activity and look for deviations from the patterns of normal behaviour that may indicate an attack.
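The statistical approach in code, as an added example that is not from the thesis and does not reproduce any vendor's algorithm: a baseline of normal activity is learned from a constructed training period of per-minute connection counts, each new interval is scored by how many standard deviations it lies above the mean, and the peak deviation is weighted by an assumed asset weight. The counts, the three-sigma threshold and the asset weights are all constructed for illustration.

```python
"""Statistical-based correlation: baseline of normal activity and deviation scoring."""
from statistics import mean, pstdev

# Constructed per-minute counts of connection events to one server during a
# quiet training period; this is what "normal" looks like for that server.
BASELINE_COUNTS = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]

# Constructed observation window: the last three minutes spike sharply.
OBSERVED_COUNTS = [14, 13, 15, 12, 60, 75, 90]

# Assumed asset weights: a more important asset scales the same deviation higher.
ASSET_WEIGHT = {"web01": 1.0, "db01": 1.5}


def baseline(counts):
    """Mean and (population) standard deviation of the normal activity pattern."""
    return mean(counts), pstdev(counts)


def z_scores(observed, mu, sigma):
    """How many standard deviations each observation lies above the baseline."""
    if sigma == 0:
        sigma = 1e-9  # a perfectly flat baseline: any change is a large deviation
    return [(c - mu) / sigma for c in observed]


def deviations(observed, mu, sigma, threshold=3.0):
    """Indices of intervals more than `threshold` standard deviations above normal."""
    return [i for i, z in enumerate(z_scores(observed, mu, sigma)) if z > threshold]


def weighted_risk(observed, mu, sigma, asset):
    """Peak deviation in the window scaled by the asset weight, clipped to 0..10
    so it is comparable with the 0-10 risk scale used later in the thesis."""
    peak = max(z_scores(observed, mu, sigma))
    return min(10.0, max(0.0, peak) * ASSET_WEIGHT.get(asset, 1.0))


if __name__ == "__main__":
    mu, sigma = baseline(BASELINE_COUNTS)
    print(f"baseline mean={mu:.1f} sd={sigma:.1f}")
    print("abnormal intervals:", deviations(OBSERVED_COUNTS, mu, sigma))
    print("risk for db01:", weighted_risk(OBSERVED_COUNTS, mu, sigma, "db01"))
```

Nothing in the block names a specific attack: the three flagged minutes are abnormal only relative to what this server normally does, which is exactly the strength and the weakness of the method. A baseline learned while the network was already misbehaving would treat that misbehaviour as normal.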
3.4. Alerting and reporting
A SIEM provides three ways of notifying administrators that an attack or abnormal behaviour is taking place. First, the SIEM can raise an alert as soon as it recognises that something abnormal is going on. Second, the SIEM sends a notification at a predetermined point in the attack, and third, administrators monitor the SIEM in real time through a web interface. Conventional IDSs raise many false alerts, but a SIEM generates only a small proportion of such false notifications. However, whether a notification requires an action to be taken or can simply be ignored depends on the severity of the security event.
Some SIEM products can carry out response actions such as removing malware or closing certain ports by connecting to the devices concerned.
Reporting is scheduled so that reports are produced regularly. These reports can be presented according to international standards and can be shown through visual charts and figures. They quickly give administrators and managers an overview.
3.5. Storage
During analysis the data is stored online, and when it is no longer needed it is moved elsewhere for long-term storage. The data can be stored in normalized (or aggregated) form to speed up later searching and use. Alongside this it is also stored in its original raw form to serve later needs for evidence and forensic investigation. It is usually stored compressed and may be encrypted. A SIEM provides storage capacity of terabytes, for hundreds of millions of different security events.
Chapter 4
EXPERIMENTS AND RESULTS
Guidelines:
1. Restate the Thesis Problem, the Thesis Objectives, the Methods used to carry out the
Objectives, and ALL corresponding results obtained in Chapter 4.
2. Provide interpretations/perspectives of several MOST important results which you think
they are significant and help draw a better picture about the Context of the thesis.
3. Give 1 or 2 future directions/tasks such that, apart from the results obtained in Chapter 4,
by undertaking these directions/tasks, one (not just you) can help solve the Thesis
Problem, or even to extend it. This helps guide other people to complete/extend your
work. Do not write about future works which are FAR related to the Thesis Problem.
A good length of this chapter is about 2 pages.
4.1. Some tools for deploying SIEM
4.1.1. AlienVault OSSIM
OSSIM is an attractive approach to SIEM. OSSIM is open source, so it can be downloaded free of charge, installed and modified to suit the operation of each particular system. OSSIM is developed by AlienVault and comes in two editions, free and paid. The free edition has some limitations regarding performance, storage and support. However, when we use the editions above the free one, it can meet a great many of our needs.
An important feature of AlienVault OSSIM is the Logger. It is an additional database for forensic purposes. The Logger allows large volumes of records to be stored for a long time. It mainly uses NAS/SAN storage systems. OSSIM is developed by the community and is as customisable as any other open-source software.
OSSIM can be used by small organisations, but it is most effective when used by large organisations with many network devices such as firewalls, IDS/IPS, anti-virus and web servers. OSSIM integrates open-source security tools including, but not limited to, Snort, ntop, OpenVAS, P0f, PADS, arpwatch, OSSEC, Osiris, Nagios, OCS and Kismet. Having well-known open-source tools as part of the platform makes it easy for security professionals to work with it.
Basic operation of AlienVault OSSIM:
- External applications and devices generate security events.
- Applications dedicated to AlienVault generate security events (AlienVault sensors).
- Security events are collected and normalized before being sent to a central server.
- The AlienVault Server assesses risk, correlates and stores the security events in an SQL database.
- The AlienVault storage server stores the security events in a storage system, usually NAS for the open-source edition or SAN for the commercial edition.
- A web interface provides a system of metrics and reports (dashboards, system status, vulnerability reports, a management system and real-time network information).
4.1.2. Q1 Labs QRadar
Q1 Labs entered the SIEM market in 2001 with a full-featured product line. They offer the technology as an appliance (comprising both hardware and software) and as a software version that we can install on our own hardware. Their flagship product is called QRadar SIEM. This system includes everything needed to obtain information about the security posture and security event management services. The QRadar system meets compliance requirements for security event storage, monitoring and reporting, and includes the following functions to fulfil an organisation's security requirements:
- Security event monitoring.
- Network traffic monitoring.
- Vulnerability scanner integration.
- Asset inventory and profile creation.
- Data analysis.
- Data correlation.
- Threat detection.
- Report generation.
The product lines are the QRadar 2100, which is not too expensive and is aimed at small and medium-sized businesses, and the QRadar 3100 line for larger-scale businesses. In a deployment, the monitoring and storage appliances across the whole network form a hierarchical system and feed data into the Management Console. QRadar is one of the simplest products for deploying SIEM. It is easily scaled and customised and extended in order to reduce false notifications, filter flows and analyse security events.
4.1.3. MARS
The Monitoring, Analysis and Response System (MARS) is a SIEM product made by Cisco. MARS is a commercial product that is very popular for SIEM deployments. Because the company holds most of the network-device market, wide adoption of it and its impact come more easily. According to the company, MARS has a roadmap to integrate this tool with their other products in the near future.
MARS is designed with the aim of lightening part of the SIEM workload. When deployed correctly, MARS can:
- Identify that an attack is being carried out.
- Display detailed information about the network or the path related to the incident.
- Identify the devices that can be used to block the attack.
- In many cases, provide the specific commands that can be applied to those devices to block the attack.
Like many other SIEM products, MARS also provides functions for forensic investigation and reporting: auditing policies and the network, reporting on the state of the network and the usage of devices, and determining the impact when planning the scope of the SIEM.
MARS also provides the ability to collect security event information from devices and applications via syslog or the SNMP protocol.
4.2. Deploying SIEM with AlienVault OSSIM
Logs always reflect security events accurately, so it is very important to aggregate and analyse the logs of the internal and external network so that companies can prevent violations or respond to incidents in time. For security reasons, companies use SIEM as a solution, and it is deployed in an organisation to address threat management, incident response and compliance. According to the Magic Quadrant, more than 80% of initial SIEM deployments incur a very large cost. That is unfortunate, because most boards only approve a budget for a SIEM once they have run into security trouble. That is not a proactive security measure.
Fortunately, there is a way to manage our system with a SIEM without spending a penny, by deploying AlienVault's OSSIM (Open Source SIM). OSSIM can be a great thing for companies that need a SIEM but lack the financial means, or for companies considering AlienVault's security management that want to try the basic functions before buying the paid edition.
AlienVault OSSIM has been in the SIEM market since 2003; according to AlienVault's website, the number of deployments of the open-source SIEM platform OSSIM is currently about 18,000, a fairly large figure compared with other products of the same kind worldwide.
4.2.1. Information collection methods
There are many ways to collect logs from servers using agents such as OSSEC and Snare. An alternative to installing agents on Linux systems is simply to configure rsyslog or to set up snmptrapd. The best way to forward logs from a Windows system is to use Snare.
4.2.2. Some open-source tools in AlienVault OSSIM
Open-source tools provide flexibility, letting organisations reduce costs and draw on the talent of thousands of programmers around the world. Most organisations use some kind of security application built from open source. OSSIM integrates and uses these tools. More than 15 of the best open-source tools are compiled into OSSIM.
Snort
Snort is the leading open-source IDS tool today. A version with custom options is integrated into OSSIM. It provides alerts related to network attacks.
OpenVAS
OpenVAS is the GPL-licensed fork of Nessus, a popular open-source vulnerability scanner. This tool is used to provide information about the vulnerabilities found by scanning the network and to add valuable information to the OSSIM database.
Ntop
Ntop is a popular open-source network traffic monitoring tool. It provides information about the traffic on the network, which can be used to proactively detect abnormal or malicious activity.
Nagios
Nagios is a popular open-source tool for monitoring network devices. It is used to monitor network devices and services over time and to provide alerts when they stop working.
PADS
(Passive Asset Detection System) The passive asset detection system is a unique tool. It silently monitors network traffic, logs and services. OSSIM monitors this data for anomalies in network services.
P0f
The P0f tool is used to collect information about operating systems. It monitors network traffic and identifies the operating system. This information is very useful in the correlation inference process.
OCS-NG
(Open Computer and Software Inventory Next Generation) Software for monitoring and inventorying the devices and assets of the system. It automatically tracks the assets and provides the security information analysis that is needed.
OSSEC
OSSEC is an open-source host-based intrusion detection tool. It provides log analysis, file integrity checking, rootkit detection, policy monitoring, real-time monitoring and alerting.
OSVDB
(Open Source Vulnerability Database) An open-source project that updates vulnerability information in the database. It is integrated into OSSIM for use in the correlation process and by analysts.
NFSen/NFDump
NetFlow is an important part of network monitoring and is very useful in the correlation process. NFSen provides a graphical, web-based interface to work in. Both NFSen and NFDump are integrated into OSSIM and adjusted to work with the other tools.
Inprotect
Inprotect is a web-based front end for Nessus, OpenVAS and Nmap. Inprotect is integrated into OSSIM and provides template-based scanning, scheduled scanning and export of results to various formats.
4.2.3. Security event correlation in AlienVault OSSIM
Correlation, the linking of security events, is one of the core features of OSSIM that distinguishes it from an IDS/IPS. It helps reduce false alerts by correlating many different security events and alarming administrators about the security events that need attention. The correlation feature comprises cross-correlation and logical correlation (directive correlation). Cross-correlation only works with security events that have an identified destination IP, because it checks the destination host to determine whether it has any of the vulnerabilities present in the database and changes the reliability value of the security event accordingly. The reliability value of a security event is one of the figures used to calculate risk in OSSIM.
4.2.4. Risk assessment
Risk assessment is important work for determining what matters and what does not. Risk assessment is regarded as an assistant to the decision-making process.
OSSIM calculates a risk for each security event. The calculation is based on the following three parameters:
- Asset value (how much value is lost if it is compromised?)
- Which threat will occur?
- What is the probability of it occurring?
Logs are supplied from the different data sources to the OSSIM server. The logs are normalized and displayed in the web management interface as security events. Tickets are created manually or automatically in OSSIM. To handle an incident, OSSIM reviews the alarm, creates a ticket for the related incident and assigns it to the appropriate party. An alarm occurs when the risk value of a security event is equal to or greater than a certain value. Risk is calculated by the following formula:
[ASSET VALUE(0-5)*PRIORITY(0-5)*RELIABILITY(0-10)] /25 = RISK OF THE EVENT(0-10)
Where:
ASSET VALUE: the value of the asset.
PRIORITY: the priority of each security event.
RELIABILITY: the reliability of the security event.
RISK OF THE EVENT: the risk level of the security event.
Assets in OSSIM have an asset value from 0 to 5; the higher the number, the more valuable the asset. An asset can be a host, a group of hosts, a network or a network group. The reliability indicates the probability of an attack. For example, a high value (9 or 10) means the attack is real.
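The risk formula of this section and the reliability adjustment of section 4.2.3, worked through as an added example; this is illustrative code written for the thesis text, not OSSIM's own implementation. The formula and the parameter ranges are the ones stated above. The alarm threshold, the sample events and the rule that cross-correlation raises reliability to the maximum when the destination host has the vulnerability being targeted are assumptions, since the text gives the effect but not the exact numbers.

```python
"""OSSIM-style event risk: asset value x priority x reliability / 25, with alarm triage."""
from typing import List, Optional, Set, Tuple


def event_risk(asset_value: int, priority: int, reliability: int) -> float:
    """[ASSET VALUE(0-5) * PRIORITY(0-5) * RELIABILITY(0-10)] / 25 = RISK(0-10)."""
    if not 0 <= asset_value <= 5:
        raise ValueError("asset value must be 0-5")
    if not 0 <= priority <= 5:
        raise ValueError("priority must be 0-5")
    if not 0 <= reliability <= 10:
        raise ValueError("reliability must be 0-10")
    return asset_value * priority * reliability / 25


def cross_correlate(reliability: int, dst_host_vulns: Set[str], event_vuln: Optional[str]) -> int:
    """Cross-correlation (section 4.2.3): if the destination host has the
    vulnerability the event targets, treat the event as certain. Raising
    reliability to 10 is an assumed rule; the text only says the value changes."""
    if event_vuln is not None and event_vuln in dst_host_vulns:
        return 10
    return reliability


def should_alarm(risk: float, threshold: float = 1.0) -> bool:
    """An alarm is raised when risk reaches the configured threshold (assumed 1.0)."""
    return risk >= threshold


# Constructed sample events: (name, asset value, priority, base reliability,
# vulnerability targeted or None, vulnerabilities known on the destination host).
# Vulnerability names are placeholders, not real identifiers.
SAMPLE_EVENTS: List[Tuple[str, int, int, int, Optional[str], Set[str]]] = [
    ("failed ssh login on test VM", 1, 2, 3, None, set()),
    ("exploit attempt against patched web server", 4, 4, 2, "VULN-A", set()),
    ("exploit attempt against unpatched DB server", 5, 5, 4, "VULN-B", {"VULN-B"}),
]


def triage(events=SAMPLE_EVENTS, threshold: float = 1.0):
    """Return (name, risk, alarm) rows sorted by descending risk."""
    rows = []
    for name, asset_value, priority, reliability, vuln, host_vulns in events:
        reliability = cross_correlate(reliability, host_vulns, vuln)
        risk = event_risk(asset_value, priority, reliability)
        rows.append((name, risk, should_alarm(risk, threshold)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, risk, alarm in triage():
        print(f"{risk:5.2f} {'ALARM' if alarm else '     '} {name}")
```

The DB server event starts with a middling reliability of 4, but cross-correlation finds the targeted vulnerability on the host and lifts it to 10, giving the maximum risk of 10.0. The same exploit against the patched web server keeps its low reliability and scores 1.28, and the failed login on a low-value asset stays well under the threshold. Any parameter outside its stated range is rejected rather than silently scaled.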
4.2.5. Security incident response actions
OSSIM can respond automatically to certain security events, or responses can be set up for specific security events. Responses include sending an email to the administrator, raising an alert in the management interface, or carrying out some action to block the security violation. This is very useful but also dangerous, because if we configure it badly it will cause false alerts or take actions that harm the system.
4.2.6. Reporting in AlienVault OSSIM
AlienVault OSSIM provides a tool for creating reports visually, through charts and many different kinds of report. Alongside this is the ability to customise and extend it, and to work easily to create reports for specific purposes according to international standards.
4.3. Experiments and results with AlienVault OSSIM
4.3.1. Lab 1: Brute-force attack

4.3.2. Lab 2: Attack exploiting a security vulnerability

4.3.3. Lab 3: DDoS botnet attack
Chapter 5
CONCLUSION
Guidelines:
4. Restate the Thesis Problem, the Thesis Objectives, the Methods used to carry out
the Objectives, and ALL corresponding results obtained in Chapter 4.
5. Provide interpretations/perspectives of several MOST important results which you
think they are significant and help draw a better picture about the Context of the
thesis.
6. Give 1 or 2 future directions/tasks such that, apart from the results obtained in
Chapter 4, by undertaking these directions/tasks, one (not just you) can help solve
the Thesis Problem, or even to extend it. This helps guide other people to
complete/extend your work. Do not write about future works which are FAR
related to the Thesis Problem.
A good length of this chapter is about 2 pages.
REFERENCES
Vietnamese

English
(Example)
[1] ITU, "Internet protocol data communication service - IP packet transfer and availability performance parameters", ITU-T Recommendation Y.1540, Feb. 1999.
[2] IEEE Reference Format [Online] http://www.ieee.org/auinfo03.pdf
[3] B. Callaghan, "Voices from the Margins: Postmodernism and Latin American Fiction", Master thesis, University College Cork, 1994.
[4] H. Schimanski and C. Thanner, "Raiders of the lost ark", IEEE Trans. Electromagnetic Compatibility, vol. 51, no. 5, pp. 543-547, May 2003.
[5] J. Matula and R. Franck, "A case for two", in Proc. 15th Int. Zurich Symposium and Technical Exhibition on Electromagnetic Compatibility, Zurich, Switzerland, Feb. 2003, vol. 1, pp. 347-350.
Guidelines to format the references, in accordance with the IEEE.
Journal articles:
[6] H. Schimanski and C. Thanner, "Raiders of the lost ark", IEEE Trans. Electromagn. Compat., vol. 51, no. 5, pp. 543-547, May 2003.
Conference papers:
[7] J. Matula and R. Franck, "A case for two", in Proc. 15th Int. Zurich Symp. and Technical Exhibition on Electromagnetic Compatibility, Zurich, Switzerland, Feb. 2003, vol. 1, pp. 347-350.
Books:
[8] F.T. Ulaby, Fundamentals of Applied Electromagnetics, 2nd edn., Prentice Hall, 2004.
Standards:
[9] ITU, "Internet protocol data communication service - IP packet transfer and availability performance parameters", ITU-T Recommendation Y.1540, Feb. 1999.
Online:
[10] IEEE Reference Format [Online] http://www.ieee.org/auinfo03.pdf
Thesis:
[11] B. Callaghan, "Voices from the Margins: Postmodernism and Latin American Fiction", Master thesis, University College Cork, 1994.
Appendix A
Guidelines:
This includes some concepts/materials which are used in the thesis but do not fit
with the structures written in the thesis. For examples:
1. While in a previous chapter you wrote about definition of this function and use it
to analyse the bit-error-rate performance of a communication system, you may
want to explain about the properties of the Q(x) function and how it is used in
detection theory.
2. Provide some important MATLAB codes.