Beginner’s guide to build a Security information and event management (SIEM) solution using open-sourced technologies

Hi Readers!

In last week’s sharing, the topic of discussion was the Threat Intelligence Platform (TIP). Apart from a TIP, there is another important component known as a SIEM. As in the previous blog posting, we will be using Docker to build our SIEM, but first let us understand what a SIEM is.

According to Gartner Information Technology Glossary:

"Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting)"

Based on this definition, a SIEM solution has three important features:

  1. Collecting logs/events: aggregating data from different sources.
  2. Analyzing logs/events from different data sources: searching through the logs and correlating events, whether by a manual, semi-automated or fully automated process.
  3. Presenting information: visualizations or reports that turn the aggregated and analyzed data into information.
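The three features above, reduced to one small script so you can see what a SIEM does before the ELK stack does it for you at scale. This is an added example, not code from the original post or from Elastic: it collects web-server access-log lines in the same combined format as Kibana’s sample web logs, analyzes them by aggregating per client IP and correlating client-error responses in a sliding time window, and presents a short analyst report. The log lines, the IP addresses and the thresholds are constructed for the example.

```python
"""Collect, analyze, present: a miniature SIEM pipeline (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" access-log format (the shape of Kibana's sample web logs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample input: one client producing a burst of 4xx responses,
# one normal visitor, and one malformed line that must be skipped.
SAMPLE_LOGS = """\
203.0.113.9 - - [10/Nov/2021:10:00:01 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Nov/2021:10:00:05 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.9 - - [10/Nov/2021:10:00:09 +0000] "GET /config HTTP/1.1" 404 210
203.0.113.9 - - [10/Nov/2021:10:00:14 +0000] "GET /backup HTTP/1.1" 404 210
198.51.100.7 - - [10/Nov/2021:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.7 - - [10/Nov/2021:10:00:21 +0000] "GET /style.css HTTP/1.1" 200 1024
this line is not an access-log entry
"""


def collect(raw):
    """Feature 1: parse raw lines into structured events; malformed lines are dropped."""
    events = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
        events.append(ev)
    return events


def analyze(events, threshold=3, window_s=60):
    """Feature 2: aggregate 4xx responses per client IP, then correlate them in time.

    Returns {ip: total_4xx} for every IP that produced at least `threshold`
    client-error responses inside any `window_s`-second sliding window.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if 400 <= ev["status"] < 500:
            by_ip[ev["ip"]].append(ev["ts"])
    findings = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                findings[ip] = len(times)
                break
    return findings


def present(events, findings):
    """Feature 3: a plain-text summary an analyst can read at a glance."""
    lines = [f"events parsed: {len(events)}"]
    for ip, count in sorted(findings.items()):
        lines.append(f"ALERT {ip}: {count} client-error responses in a short burst")
    if not findings:
        lines.append("no findings")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = collect(SAMPLE_LOGS)
    print(present(parsed, analyze(parsed)))
```

The same three steps map onto the stack used in the rest of this post: Elasticsearch stores and indexes what `collect()` produces, queries and alerting rules play the role of `analyze()`, and Kibana dashboards are `present()`.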

However, a SIEM solution is not limited to the features listed above. Vendors have added more advanced features such as alerting, machine learning and automation to complement them. One of the well-known open-source technologies with SIEM features is the “ELK stack” by Elastic.co. In this blog post we are going to get our hands dirty, and let me introduce all of you to two of the ELK stack components, Elasticsearch and Kibana.

If you have read the previous blog on using docker-compose, you are all good to proceed with the next step. If you haven’t read it, don’t worry! Take some time to read the post and come back because you don’t want to miss this blog post.

  • Create a docker-compose.yml file in a specific directory that you use to build docker images using docker-compose.

version: '2.2'

services:
  # Three-node Elasticsearch cluster; each node lists the other two as seed hosts.
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.15.2
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
    networks:
      - elastic
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.15.2
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data02:/usr/share/elasticsearch/data
    networks:
      - elastic
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.15.2
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data03:/usr/share/elasticsearch/data
    networks:
      - elastic
  # Kibana, same 7.15.2 version as Elasticsearch; needed for the http://localhost:5601 step below.
  kib01:
    image: docker.elastic.co/kibana/kibana:7.15.2
    container_name: kib01
    depends_on:
      - es01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_HOSTS: '["http://es01:9200","http://es02:9200","http://es03:9200"]'
    networks:
      - elastic

volumes:
  data01:
    driver: local
  data02:
    driver: local
  data03:
    driver: local

networks:
  elastic:
    driver: bridge

  • Paste the above script into the docker-compose file. The Elasticsearch and Kibana version that I’m using in this blog posting is 7.15.2, as shown in the docker-compose script.
  • Run “docker-compose up” to create the containers and volumes, and you are all set.

Figure 1: Elasticsearch

  • Open up your browser and go to http://localhost:9200. If you see a page similar to Figure 1, you now have Elasticsearch running on your device.

Figure 2: Kibana start page

  • Next, check that Kibana has started successfully by opening a new tab and going to http://localhost:5601. Figure 2 shows one of the new features included by Elastic.co in the latest version of the product, which gives us the option to explore Kibana using sample data. For now, we are going to skip the complex process of ingesting data into Elasticsearch and displaying it in Kibana; we can just use the sample data by clicking on the “Add data” button.
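For readers who want to see the ingestion step that the post skips, here is the Elasticsearch side of it as an added example (not code from the original post or from Elastic). It takes structured events that a log parser has already produced, declares an explicit index mapping so Kibana can treat `@timestamp` as a date and the client address as an IP, and builds the newline-delimited body that the `_bulk` API expects. Only `send()` talks to the cluster; everything else runs offline. `ES_URL`, `INDEX` and the sample events are assumptions for the local lab built above.

```python
"""Ingesting structured events into Elasticsearch via the _bulk API (added example)."""
import json
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"   # assumption: the es01 node from the docker-compose file
INDEX = "weblogs-demo"             # assumption: any index name works

# Explicit mapping. Without it Elasticsearch guesses field types ("dynamic mapping"),
# and an IP address would become a plain keyword instead of a searchable ip field.
MAPPING = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "client": {"properties": {"ip": {"type": "ip"}}},
            "http": {"properties": {"status": {"type": "integer"},
                                    "path": {"type": "keyword"}}},
        }
    }
}

# Constructed sample events, the shape a log parser would hand over.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-11-10T10:00:01Z", "client": {"ip": "203.0.113.9"},
     "http": {"status": 401, "path": "/login"}},
    {"@timestamp": "2021-11-10T10:00:20Z", "client": {"ip": "198.51.100.7"},
     "http": {"status": 200, "path": "/index.html"}},
]


def bulk_body(index, events):
    """Serialize events as _bulk NDJSON: an action line, then the document, one per
    line, ending with a mandatory trailing newline (a common cause of rejected requests)."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(ev, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def validate_bulk_body(body):
    """Pre-flight check: trailing newline, even line count, every odd line is an action."""
    lines = body.split("\n")
    if lines[-1] != "":
        return False
    lines = lines[:-1]
    if len(lines) % 2 != 0:
        return False
    for i in range(0, len(lines), 2):
        if not json.loads(lines[i]).keys() & {"index", "create", "update", "delete"}:
            return False
    return True


def _request(method, path, payload, content_type="application/json"):
    req = urllib.request.Request(ES_URL + path, data=payload.encode(), method=method,
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def send(index=INDEX, events=SAMPLE_EVENTS):
    """Create the index with its mapping (tolerating 'already exists' on re-runs), then
    bulk-index with refresh=true so the documents are searchable immediately.
    Needs the running cluster; returns (had_errors, number_of_items)."""
    try:
        _request("PUT", f"/{index}", json.dumps(MAPPING))
    except urllib.error.HTTPError as e:
        if e.code != 400:   # 400 resource_already_exists_exception is fine here
            raise
    body = bulk_body(index, events)
    if not validate_bulk_body(body):
        raise ValueError("malformed bulk body")
    result = _request("POST", "/_bulk?refresh=true", body, "application/x-ndjson")
    return result["errors"], len(result["items"])


if __name__ == "__main__":
    body = bulk_body(INDEX, SAMPLE_EVENTS)
    print(body)
    print("valid:", validate_bulk_body(body))
```

Before calling `send()`, confirm the cluster is up with `curl http://localhost:9200/_cluster/health`. Note that the 7.15.2 compose file above starts Elasticsearch without authentication, so this lab should stay on your own machine; if you want the port reachable only locally, map it as `127.0.0.1:9200:9200` instead of `9200:9200`.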

Figure 3: Sample data

  • Then, click on the sample data tab and the add button for sample web logs as shown in Figure 3. Easy, right? It’s a good thing that this awesome feature was added.
  • Go get yourself a cup of coffee or tea after clicking on the “Add data” button, because it will take a while to index the sample data in Elasticsearch and generate the visualizations in Kibana. Now you understand why I said that this is a cool feature; be glad this is performed automatically for you.

Figure 4: View data

  • Now that you are fresh and wide awake and energized from the caffeine and herbs, let us view the data as shown in Figure 4 by clicking on the dashboard link.

Figure 5: Kibana dashboard

  • Figure 5 shows the dashboard that provides information on web traffic. Take some time to have a look at the informative graph and visualization displayed.

Figure 6: Index

  • You can explore canvas and other links or have a look at the index as shown in Figure 6 to understand the data ingested into Elasticsearch.

So, that is all for this blog posting! I have covered what a SIEM is all about: aggregating, analyzing and presenting information so that SOC analysts have visibility by monitoring activity at multiple sources, e.g. network and endpoint.

There is a lot more to be discussed on this topic, and it will be saved for the next posting. In the meantime, refer to these links for more information on the ‘ELK stack’


Stay tuned for more sharing on the configuration and an in-depth discussion of this topic. Stay safe. Goodbye for now.

Credits: Elastic.co, Gartner
