OSSIM's three axes for identifying APTs


Many organizations that suffer APT attacks already have a firewall, an anti-virus system and a monitoring system, yet these fail to stop the threat from entering and fail to notice the abnormal behavior until the losses are already exposed. The security team should take today's complex threat environment into account and assume that the IT environment may already be under intermittent attack by unknown attackers; it then needs to understand the details of every stage of such an attack, including experience with persistent threats and fast attack detection. With the tools used in the past, such as Cacti and Zabbix, by the time a problem is found in the system the attack has reached its completion stage: the attacker has already succeeded and vanished without a trace. To improve the visibility of network attacks and to raise the sensitivity and speed with which advanced threats are handled, a SIEM (Security Information and Event Management) platform is the ideal basis for large-scale, centralized security data analysis in the enterprise. As an open source SIEM product, OSSIM provides the following three capability areas:


( 1 ) Visualization - understanding a heterogeneous IT environment requires information from a variety of data sources, including reconstructed sessions from network packet captures and log files from network devices, servers and databases. This data must be organized efficiently and presented to the user graphically, with the various views brought together in a single unified place; an isolated log collection system is only a superficial fixture.


( 2 ) Scalability - the platform must be able to scale both horizontally and vertically to collect security data and handle massive volumes of security events from inside and outside the organization. In-depth analysis of network traffic also produces large pcap files, which multiplies the data the security analysis platform must hold; OSSIM handles this with a distributed, data-intensive, multi-tier storage architecture.


( 3 ) Correlation analysis - OSSIM has a degree of intelligent analysis because of its built-in correlation engine. Traditional computer security emphasizes static, closed threat protection and can only respond passively to security threats, typically handling them after the incident has occurred. When facing hacking activity such as scanning, injection, brute force and exploitation of vulnerabilities detected during an intrusion, the OSSIM correlation engine obtains data from multiple sources, collecting the widest and deepest range of effective information through packet capture and the various data sources (for example, indicators of abnormal login failures and other application events in the system log). It performs proactive security analysis and produces early-warning information at the event stage so that administrators can respond quickly.
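The kind of correlation the engine is described as doing, illustrated as an added example that is not OSSIM's own code or directive format: a two-stage rule over constructed sshd log lines that raises a warning on a burst of login failures from one source and a higher-priority alert when a success from that same source follows the burst. Log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data); all from one day.
SAMPLE_LOG = """\
Jan 10 09:00:01 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 50022 ssh2
Jan 10 09:00:03 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 50023 ssh2
Jan 10 09:00:05 web01 sshd[2205]: Failed password for admin from 198.51.100.7 port 50024 ssh2
Jan 10 09:00:06 web01 sshd[2207]: Failed password for root from 198.51.100.7 port 50025 ssh2
Jan 10 09:00:09 web01 sshd[2209]: Accepted password for root from 198.51.100.7 port 50026 ssh2
Jan 10 09:30:00 web01 sshd[2301]: Failed password for alice from 203.0.113.5 port 40000 ssh2
Jan 10 09:30:02 web01 sshd[2303]: Accepted password for alice from 203.0.113.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_events(text, year=2024):
    """Normalize raw syslog lines into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a SIEM would hand it to another parser
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Two-stage rule: >= threshold failures from one source inside `window`
    is a warning; a success from that source while the burst is still in the
    window escalates to a high-priority alert."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in events:
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # expire failures outside the sliding window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(("brute_force_attempt", src, user, ts))
        elif len(q) >= threshold:
            alerts.append(("brute_force_success", src, user, ts))
            q.clear()             # one alert per burst
    return alerts
```

On the sample log, the first source trips both stages while the single failure from the second source never reaches the threshold.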


This article comes from the "Li Chenguang original technology blog"; reproduction declined!

Reproduced from: https://my.oschina.net/chenguang/blog/613903


Origin: blog.csdn.net/weixin_34218579/article/details/92045198