Shulou (Shulou.com) 06/01 Report, updated 2025-01-14. SLTechnology News&Howtos > Network Security
Open source security operation and maintenance platform based on OSSIM
The effectiveness of a security operation and maintenance platform depends on its ability to collect data: if data sources are missing, the correlation analysis built on top of them is likely to be biased. For network security devices, what is collected is mainly their security logs (including alarms) and their running-status information. The OSSIM best practices described here show its plug-in-based data acquisition and processing capability. At present, however, the output of security devices on the market varies by device type and vendor, and there is no unified standard that formats all security logs. Collecting data from multiple heterogeneous security devices at the same time is therefore a complex and difficult task, and one that open source tools other than OSSIM handle poorly. This is also one reason OSSIM has been placed in Gartner's Magic Quadrant for Security Information and Event Management (SIEM) for four consecutive years.
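As an added example (not code from this page or from the OSSIM project), the Python below shows the normalization step the paragraph describes: several heterogeneous log formats are mapped onto one common event schema by a table of regex-based "plugins", much as OSSIM's agent plugins pair a regexp with a plugin_sid. The sample syslog-style lines are constructed for the example, and the priority and reliability values assigned per event type are assumptions. Lines that no plugin recognises are returned separately rather than silently dropped, because a missing data source is exactly what biases the correlation tier.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    """Common schema every device-specific format is normalized into."""
    plugin: str            # which collector recognised the line
    sid: int               # event type id within that plugin
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    priority: int          # 0-5, assumed per event type
    reliability: int       # 0-10, assumed per event type
    message: str


# One entry per device type, in the spirit of an OSSIM plugin .cfg: a regexp with
# named groups plus a sid. Priority/reliability values are assumptions for the example.
PLUGINS = [
    {"name": "ufw", "sid": 1, "priority": 2, "reliability": 4,
     "regexp": re.compile(r"\[UFW BLOCK\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?DPT=(?P<dport>\d+)")},
    {"name": "snort", "sid": 2, "priority": 3, "reliability": 5,
     "regexp": re.compile(r"snort\[\d+\]: \[[\d:]+\] (?P<msg>.+?) \[Priority: \d\] \{\w+\} "
                          r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")},
    {"name": "sshd", "sid": 3, "priority": 2, "reliability": 3,
     "regexp": re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")},
]

# Constructed lines modelled on common syslog formats; not captured from real devices.
SAMPLE_LINES = [
    "Jun  1 10:00:01 fw01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44567 DPT=22",
    "Jun  1 10:00:02 ids01 snort[1234]: [1:2000001:1] TEST SCAN detected [Priority: 2] {TCP} 203.0.113.7:44567 -> 192.0.2.10:22",
    "Jun  1 10:00:03 srv01 sshd[999]: Failed password for root from 203.0.113.7 port 44567 ssh2",
    "Jun  1 10:00:04 app01 java: unrelated application noise",
]


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema, or None if no plugin claims it."""
    for p in PLUGINS:
        m = p["regexp"].search(line)
        if not m:
            continue
        g = m.groupdict()
        return Event(
            plugin=p["name"], sid=p["sid"],
            src_ip=g.get("src"), dst_ip=g.get("dst"),
            dst_port=int(g["dport"]) if g.get("dport") else None,
            priority=p["priority"], reliability=p["reliability"],
            # fall back to the syslog payload after "host program: " when no msg group exists
            message=g.get("msg") or line.split(": ", 1)[-1],
        )
    return None


def normalize_all(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Return (events, unparsed). Unparsed lines are kept so a silent collection gap
    shows up as a number an operator can alert on, not as a blind spot."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


if __name__ == "__main__":
    evs, rest = normalize_all(SAMPLE_LINES)
    for ev in evs:
        print(f"{ev.plugin}:{ev.sid} {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port} {ev.message}")
    print(f"{len(rest)} line(s) matched no plugin")
```

In a real deployment the plugin table grows per vendor and the unparsed count is itself a monitored metric: a new firmware that changes a log format should surface as a spike there, not as a quiet drop in correlated alarms.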
1. Basic functions of a security operation and maintenance platform
Network management functions include configuration management, performance management, change management, security management and fault management. From the network management point of view, the most basic requirement is to monitor the real-time running status of every security device in the network from a single interface; to collect, centrally analyze and regularly audit all the alarm and log information they generate; and to carry out updates and upgrades of security products, alerting on attack events, and response handling within one platform. Before you have worked with OSSIM, these features are only a dream. To realize it you would build a number of separate open source systems, with the data scattered across them; many people would call the result an "automated operation and maintenance system".
Once you have used OSSIM, you can see that such a system collects, filters and analyzes the large volume of disordered, scattered security events from different security devices and management systems, produces a security risk analysis from a global perspective, and then, drawing on the experience stored in its expert knowledge base, responds in time to the threats that would otherwise cause losses, so as to keep the enterprise network environment secure. The main components of a network security management platform are security event collection, security event management and security device monitoring.
Note: security event management processes all the events supplied by event collection, for example through correlation analysis and risk assessment.
2. Security operation and maintenance platform management system
Security operation and maintenance is not only enterprise information security management at the technical level; in view of the limitations of traditional security management, the construction of a security operation and maintenance system is divided into two levels.
1) Technical guarantee system: the security operation and maintenance platform is used as the tool that supports the normal running of the business systems, by means of monitoring, locating, alarming, decision-making, handling and feedback.
2) Management guarantee system: standardize the organizational structure, improve the management of in-house and third-party service personnel, improve the security policy and rule set, introduce standardized business processes, and so form a complete security management system.
Based on research into security management technology and the requirements of a quality management system, the OSSIM platform has developed a fairly complete information security operation and maintenance framework. Unfortunately it still lacks a proper work-order (ticketing) system, so in practice OSSIM is combined with iTop.
The core of SIEM management is assets. The objects of asset management are the business information systems and devices in the delineated security domains, including network equipment (routers, switches and so on), host devices such as servers, security devices (IDS, firewalls and so on), business information systems, databases and middleware.
The core work of the security analysis center is to correlate and analyze the collected data, such as the status information, performance indicators and availability indicators of IT resources, in order to detect external attacks and identify internal violations. The monitoring center is responsible for collecting the running status, performance and availability indicators of the IT resources across the whole network. The operation and maintenance center under the OSSIM framework helps operators establish a regular, institutionalized risk management mechanism.
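As an added example serving both the earlier note on correlation analysis and risk assessment and the asset-centered view in this section (it is not code from the page or from OSSIM), the Python below scores events against an asset inventory and runs a simple correlation directive. The risk formula is the one OSSIM documents, risk = asset value × priority × reliability / 25, with asset value 0-5, priority 0-5 and reliability 0-10, and the 1.0 cut-off is OSSIM's default threshold for promoting an event to an alarm. The inventory, the events, the directive threshold and window, and the per-event priority and reliability values are constructed assumptions for the example. The point it makes: the same three failed logins score 6.4 against the database server but 2.56 against a host nobody inventoried, which is why asset management is the foundation the text describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory (not a real network). Asset value is 0-5 as in OSSIM;
# hosts missing from the inventory fall back to DEFAULT_ASSET_VALUE.
ASSETS: Dict[str, dict] = {
    "192.0.2.10": {"name": "db01", "type": "database", "value": 5},
    "192.0.2.20": {"name": "web01", "type": "server", "value": 3},
}
DEFAULT_ASSET_VALUE = 2


@dataclass(frozen=True)
class Event:
    plugin: str       # collector that produced the event
    sid: int          # event type id within that plugin
    src_ip: str
    dst_ip: str
    ts: int           # epoch seconds
    priority: int     # 0-5: how bad this event type is if it is real
    reliability: int  # 0-10: how likely this event is a true positive


# Constructed events, as the collection tier would hand them to analysis.
SAMPLE_EVENTS = [
    Event("sshd", 3, "203.0.113.7", "192.0.2.10", 0, 2, 3),
    Event("sshd", 3, "203.0.113.7", "192.0.2.10", 10, 2, 3),
    Event("sshd", 3, "203.0.113.7", "192.0.2.10", 20, 2, 3),
    Event("snort", 2, "203.0.113.7", "192.0.2.10", 25, 3, 5),
    Event("sshd", 3, "203.0.113.7", "198.51.100.5", 100, 2, 3),   # host not in inventory
    Event("sshd", 3, "203.0.113.7", "198.51.100.5", 110, 2, 3),
    Event("sshd", 3, "203.0.113.7", "198.51.100.5", 120, 2, 3),
    Event("sshd", 3, "203.0.113.7", "192.0.2.20", 200, 2, 3),     # too far apart to correlate
    Event("sshd", 3, "203.0.113.7", "192.0.2.20", 300, 2, 3),
]


def risk(ev: Event, assets: Dict[str, dict] = ASSETS) -> float:
    """OSSIM risk formula: asset value * priority * reliability / 25, range 0..10."""
    value = assets.get(ev.dst_ip, {}).get("value", DEFAULT_ASSET_VALUE)
    return value * ev.priority * ev.reliability / 25


def correlate(events: List[Event], threshold: int = 3, window: int = 60) -> List[Event]:
    """Directive (assumed rule): `threshold` sshd failures from one source against one
    host inside `window` seconds raise a single higher-reliability alarm event."""
    seen = defaultdict(list)   # (src, dst) -> timestamps of matching events in the window
    alarms = []
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.plugin, ev.sid) != ("sshd", 3):
            continue
        key = (ev.src_ip, ev.dst_ip)
        seen[key] = [t for t in seen[key] if ev.ts - t <= window] + [ev.ts]
        if len(seen[key]) == threshold:
            # the correlated event carries the priority/reliability of the pattern, not of one line
            alarms.append(Event("directive", 100, ev.src_ip, ev.dst_ip, ev.ts, 4, 8))
    return alarms


def triage(events: List[Event], alarm_threshold: float = 1.0) -> List[Tuple[Event, float]]:
    """Score raw events plus correlated alarms, rank by risk, and keep only those at or
    above the alarm threshold, which is what an analyst should see first."""
    scored = [(ev, risk(ev)) for ev in list(events) + correlate(events)]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(ev, r) for ev, r in scored if r >= alarm_threshold]


if __name__ == "__main__":
    for ev, r in triage(SAMPLE_EVENTS):
        target = ASSETS.get(ev.dst_ip, {}).get("name", "unknown")
        print(f"{r:4.2f}  {ev.plugin}:{ev.sid}  {ev.src_ip} -> {target}")
```

The low-risk entries that the threshold drops (single failures against uninventoried or low-value hosts) are still worth retaining for audit; the cut-off decides what is an alarm, not what is stored.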
The book "OSSIM Best Practices of Open Source Security Operation and Maintenance Platform" explains this asset-centered SIEM system in detail.