Based on open source security operation and maintenance of the platform OSSIM

Whether a security operations platform works depends on its ability to collect data: if data sources are missing, the correlation analysis built on top of them becomes unreliable. For network security devices, what is collected is mainly security logs (including alarms) and device operating status. The book OSSIM Best Practices shows how to do this using OSSIM's plug-in based data acquisition and processing. The difficulty is that the output of security devices on the market today differs by device type and by vendor, and there is no single standard format for security logs. Collecting data from many heterogeneous security devices, and from the various open-source tools outside OSSIM, is therefore a complex and laborious process. There are good reasons why OSSIM appeared in the Gartner Security Information and Event Management (SIEM) Magic Quadrant for four consecutive years.
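To make concrete what collecting heterogeneous security logs through plug-ins involves, here is an added example written for this edit; it is not code from OSSIM or from the author. It models the OSSIM agent-plugin approach, in which per-source regular-expression rules map vendor-specific lines onto a common event schema tagged with a plugin id and a rule id, and then runs a toy cross-device correlation over constructed Snort-style and iptables-style lines. The plugin ids, rule numbers, field names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines from two heterogeneous sources: a Snort-style IDS
# alert and an iptables-style firewall log. The lines are made up for this
# example; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOGS = [
    ("snort", "01/15-10:22:31.123456  [**] [1:2003068:7] ET SCAN Potential SSH Scan [**] "
              "[Priority: 2] {TCP} 203.0.113.5:51422 -> 192.0.2.10:22"),
    ("iptables", "Jan 15 10:22:32 fw01 kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.5 "
                 "DST=192.0.2.10 PROTO=TCP SPT=51423 DPT=22"),
    ("iptables", "Jan 15 10:22:33 fw01 kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.5 "
                 "DST=192.0.2.11 PROTO=TCP SPT=51424 DPT=22"),
    ("snort", "01/15-10:22:34.000001  [**] [1:2001219:20] ET SCAN Nmap -sS [**] "
              "[Priority: 2] {TCP} 203.0.113.5:51425 -> 192.0.2.12:445"),
    ("iptables", "Jan 15 10:22:35 fw01 kernel: IPT DROP IN=eth0 OUT= SRC=198.51.100.7 "
                 "DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353"),
    ("iptables", "Jan 15 10:22:36 fw01 kernel: some unrelated message"),
]

# Plugin table modelled on OSSIM agent plugins: each source has a plugin id and
# a list of (plugin_sid, regex) rules whose named groups map onto the common
# schema. The plugin ids and sids are hypothetical.
PLUGINS = {
    "snort": (1001, [
        (1, re.compile(
            r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] "
            r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
            r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")),
    ]),
    "iptables": (1002, [
        (1, re.compile(
            r"IPT (?P<msg>DROP|ACCEPT) .*?SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) "
            r"PROTO=(?P<proto>\w+) SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+)")),
    ]),
}


def normalize(source, line):
    """Map one raw line onto the common event schema, or return None when no
    rule of that source's plugin matches. Unmatched lines are the thing to
    watch: they silently vanish from correlation unless they are counted."""
    plugin_id, rules = PLUGINS[source]
    for sid, rx in rules:
        m = rx.search(line)
        if not m:
            continue
        f = m.groupdict()
        return {
            "plugin_id": plugin_id,
            "plugin_sid": sid,
            "src_ip": f["src_ip"],
            "src_port": int(f["src_port"]),
            "dst_ip": f["dst_ip"],
            "dst_port": int(f["dst_port"]),
            "protocol": f["proto"].upper(),
            "message": f["msg"],
            # IDS priority 1 is most severe; a plain firewall drop gets a fixed low priority
            "priority": int(f["prio"]) if "prio" in f else 4,
        }
    return None


def normalize_all(logs):
    """Normalize every (source, line) pair; return (events, unmatched_count)."""
    events, unmatched = [], 0
    for source, line in logs:
        ev = normalize(source, line)
        if ev is None:
            unmatched += 1
        else:
            events.append(ev)
    return events, unmatched


def correlate(events, min_targets=3, min_sources=2):
    """Toy cross-device correlation: one src_ip touching at least min_targets
    distinct (dst_ip, dst_port) pairs, as seen by at least min_sources different
    plugins, is reported as a probable scan. No single device sees this picture."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)
    alarms = []
    for src, evs in by_src.items():
        targets = {(e["dst_ip"], e["dst_port"]) for e in evs}
        plugins = {e["plugin_id"] for e in evs}
        if len(targets) >= min_targets and len(plugins) >= min_sources:
            alarms.append({"src_ip": src, "targets": len(targets),
                           "plugins": sorted(plugins), "events": len(evs)})
    return alarms


if __name__ == "__main__":
    evs, missed = normalize_all(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {missed} line(s) matched no plugin rule")
    for alarm in correlate(evs):
        print("ALARM probable scan:", alarm)
```

The unmatched counter is the practical check: when a vendor changes its log format after an upgrade, the plugin's regex stops matching and the events disappear from correlation without any error, so a rising count of unmatched lines per source should itself be monitored.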

 

1. Basic functions of a security operations platform

 

The platform is made up of the network management functions: configuration management, performance management, change management, security management and fault management. From the network's point of view, the most basic need is a unified interface that monitors the real-time operating status of every security device, collects all the alarms and log information they generate, analyzes it centrally and audits it on a schedule; the same platform should also be able to upgrade security products and handle intrusion alarms and incident response, among other tasks. Before OSSIM, these features were only a dream. To approach it you could deploy many separate open-source systems, with the data scattered across the various platforms; many people would call such a collection an "automated operation and maintenance system".

Once you have used OSSIM, you will see that such a system can collect, filter and correlate the massive, disorderly security events scattered across different security devices and management systems, analyze security risk from a global perspective, and then, drawing on an expert knowledge base of security policies, respond promptly to security threats and the losses they cause, in order to protect the security of the enterprise network environment as a whole. The main components of a network security management platform are security event collection, security event management and security monitoring equipment.

Note: security event management is the analysis and handling of all events; it provides correlation analysis, risk assessment and similar functions over the collected event set.

 

 

2. Management system of a security operations platform

 

Secure operation and maintenance is not only a matter of the technical level of enterprise information security. To overcome the limitations of traditional security management, a secure operation and maintenance system is built on two levels:

 

1) Technical support system: the security operations platform itself, which provides monitoring, localization, alarming, decision-making, disposal, feedback and other means, giving strong support for keeping business systems running safely.

 

2) Management support system: standardized management of the organizational structure; better management of personnel, institutions and third-party services; improved security policies and institutional construction; introduction of standardized business processes; together forming a comprehensive security management system.

 

Based on research into security management technology and the requirements of quality management systems, the OSSIM platform has developed a relatively complete information security assurance framework for operation and maintenance. Unfortunately it lacks a complete work-order (ticket) processing system, so OSSIM needs to be combined with an application such as iTop.


The core of a SIEM is asset management. The managed assets are divided into the various business information systems and devices within each security domain, including network devices (routers, switches, etc.), host devices such as servers, security devices (IDS, firewalls, etc.), business information systems, databases and middleware.

 

The core job of the security analysis center is to collect data on the status, performance and availability of IT resources, perform correlation analysis on it, and so discover external intrusions and identify internal violations. The monitoring center is responsible for collecting the operating status, performance and availability of IT resources across the whole network. Within the OSSIM framework, the operation and maintenance center helps establish a routine operation and maintenance mechanism for personnel and a normalized risk management mechanism.


The book "Open Source Security Operation and Maintenance Platform: OSSIM Best Practices" explains the asset-centric SIEM system in detail.

This article comes from Li Chenguang's original technology blog; please keep this source: http://chenguang.blog.51cto.com/350944/1732262

Reproduced at: https://my.oschina.net/chenguang/blog/613911

Origin: blog.csdn.net/weixin_34051201/article/details/92045202