SIEM-Platform for Research and Educational Tasks on Processing of Security Information Events
Author(s): Alexey MITKOVSKIY, Andrey A. Ponomarev, Andrey PROLETARSKIY
Subject(s): Social Sciences, Education, Higher Education
Published by: Carol I National Defence University Publishing House
Keywords: SIEM-systems; attack detection; educational process; information security incidents; correlation rules;
Summary/Abstract: Security Information and Event Management (SIEM) technology has become one of the most important tools for advanced threat detection in complex enterprise environments. The underlying principle of every SIEM system is the aggregation of security events captured from across the enterprise network and the real-time analysis of the gathered log data through a set of correlation rules, so that security incidents can be responded to rapidly. This article describes a practical method of teaching undergraduate students in the field of protecting enterprise infrastructure from cyberattacks. The practical component begins with a review of the stages an attacker must pass through to infiltrate an enterprise network, which lets students work out which events need to be monitored to detect signs of possible threats on the network. The architecture and principles of the SIEM platform are described in detail. In addition, the paper discusses how an emulation testbed of a virtual enterprise can serve as a platform for generating event logs from network security appliances, which are then analysed to determine which sequences of events are likely indications of a cyberattack. The article also discusses how students can develop and test their own correlation rules to identify threats within the IT environment. The following cases serve as the basis for testing the correlation rules: logon successes and failures, systems with disabled security services, modification of user accounts, and other events. After completing the course, students have acquired the skills to detect and identify assets on the network, collect events over various protocols to detect suspicious activity, and investigate policy violations.
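The abstract names three cases on which students test their correlation rules: logon successes and failures, systems with disabled security services, and modification of user accounts. The following is an added illustration of that idea, not code from the paper or its SIEM platform: a minimal correlation engine that runs three such rules over a constructed, Windows-style event log. The event IDs follow the Windows Security and System log convention (4625 logon failure, 4624 logon success, 4738 user account changed, 7036 service state change); the log lines, the service names in SECURITY_SERVICES, the ADMIN_ACCOUNTS set and the threshold of five failures in two minutes are all assumptions chosen for the example.

```python
"""Toy SIEM correlation over constructed Windows-style events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the paper's testbed). One record per line:
# <ISO time> <host> <event_id> user=<target> subject=<actor> detail=<text>
SAMPLE_LOG = [
    "2019-03-01T10:00:01 WS01 4625 user=alice subject=- detail=wrong_password",
    "2019-03-01T10:00:08 WS01 4625 user=alice subject=- detail=wrong_password",
    "2019-03-01T10:00:15 WS01 4625 user=alice subject=- detail=wrong_password",
    "2019-03-01T10:00:21 WS01 4625 user=alice subject=- detail=wrong_password",
    "2019-03-01T10:00:30 WS01 4625 user=alice subject=- detail=wrong_password",
    "2019-03-01T10:00:45 WS01 4624 user=alice subject=- detail=logon_ok",
    "2019-03-01T10:02:00 WS02 4625 user=bob subject=- detail=wrong_password",
    "2019-03-01T10:30:00 WS02 4624 user=bob subject=- detail=logon_ok",
    "2019-03-01T10:05:00 WS01 7036 user=- subject=SYSTEM detail=WinDefend:stopped",
    "2019-03-01T10:06:00 WS01 4738 user=alice subject=alice detail=account_changed",
    "2019-03-01T11:00:00 DC01 4738 user=carol subject=admin detail=account_changed",
]

# Assumed names of security services whose stop is worth an alert
# (WinDefend = Windows Defender, MpsSvc = Windows Firewall, EventLog).
SECURITY_SERVICES = {"WinDefend", "MpsSvc", "EventLog"}
# Assumed set of accounts allowed to modify user accounts.
ADMIN_ACCOUNTS = {"admin"}


def parse(line):
    """Turn one log line into a dict with a datetime, host, int event_id and key=value fields."""
    ts, host, eid, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"time": datetime.fromisoformat(ts), "host": host, "event_id": int(eid), **fields}


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Apply three correlation rules to the log and return the alerts in time order.

    Rule 1: at least `threshold` logon failures (4625) for the same host/user
            inside `window`, followed by a logon success (4624).
    Rule 2: a security service entered the "stopped" state (7036).
    Rule 3: a user account was modified (4738) by an actor outside ADMIN_ACCOUNTS.
    """
    alerts = []
    failures = defaultdict(deque)  # (host, user) -> timestamps of recent 4625 events

    for ev in sorted(map(parse, lines), key=lambda e: e["time"]):
        key = (ev["host"], ev["user"])
        eid = ev["event_id"]

        if eid == 4625:
            q = failures[key]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:  # drop failures outside the window
                q.popleft()

        elif eid == 4624:
            q = failures[key]
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "time": ev["time"],
                               "host": ev["host"], "user": ev["user"], "failures": len(q)})
            q.clear()  # a success closes the sequence either way

        elif eid == 7036:
            service, _, state = ev["detail"].partition(":")
            if service in SECURITY_SERVICES and state == "stopped":
                alerts.append({"rule": "security_service_stopped", "time": ev["time"],
                               "host": ev["host"], "service": service})

        elif eid == 4738:
            if ev["subject"] not in ADMIN_ACCOUNTS:
                alerts.append({"rule": "account_modified_by_non_admin", "time": ev["time"],
                               "host": ev["host"], "user": ev["user"], "actor": ev["subject"]})

    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run as a script, the block reports three alerts: the password-guessing sequence against alice on WS01 (five failures then a success within the window), the Windows Defender service stopping on WS01, and alice modifying her own account; bob's single failure followed by a success half an hour later falls outside the window and correctly produces nothing. Sorting by timestamp before correlating matters because events collected over different protocols from different hosts rarely arrive in order.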
Journal: Conference proceedings of »eLearning and Software for Education« (eLSE)
- Issue Year: 15/2019
- Issue No: 03
- Page Range: 48-56
- Page Count: 9
- Language: English