On SIEM and SOC

Preface: I saw articles on auditing and SOC here on 弯曲 (Tektalk); I happen to have worked in this area for a while and have some thoughts, and I would welcome corrections from the experts here.
Domestically, the Multi-Level Protection Scheme (等级保护, MLPS) is in full swing, and C-SOX is reportedly starting this year, so security auditing will rise with the tide, since some domestic vendors meet those audit requirements with a SOC product.
You cannot talk about SIEM without mentioning SOC. A domestic SOC is in practice just a SIEM product, whereas a SOC abroad also includes people and processes in addition to the product, which is why a SOC can be built on top of a SIEM product. After HP acquired ArcSight for US$1.5 billion last year, ArcSight's shareholders, amusingly, complained that the price was too low. ArcSight is the leader in the SIEM space, and in fact most domestic SOC products imitate ArcSight (first reselling it, then copying it). ArcSight is a vendor focused solely on SIEM, unlike Symantec, and because of that focus one characteristic of its product is that the details are done right. I admire its developers: the software is refined, simple to use and powerful, and scales to the largest enterprise deployments; its best-known customer is the Department of Defense.
A SIEM system has three layers: collection, analysis and presentation. Collection is the foundation, analysis is the core, and presentation I consider less important, since once the analysis results exist, displaying them is comparatively simple. In practice even ArcSight's ESM, the most advanced product, still has problems, and I will use it as the example for the discussion below:
Normalization: normalization in the collection layer is a serious headache, especially for syslog. When developers build normalization mappings for existing products, a lack of product knowledge or operational experience means key information is lost after normalization. On top of that, many SIEM products not only have too few fields but also lack flexible customization, so supporting a new product or application becomes very hard. Worse, because of insufficient extensibility, when customizing for business systems you are forced to discard large numbers of fields (they can be merged, but only partially). For example, when reading a table from a database with 80 columns, perhaps 40 of them should take part in correlation, yet for lack of extensibility they have to be dropped or merged;
Correlation analysis: the real value of SIEM is not merely meeting compliance requirements but correlation across heterogeneous, multi-system environments. Yet all current products focus on correlating infrastructure events; some offer business-oriented solutions, for bank cards for example, but because they do not understand the business layer well enough they lack genuinely effective business-level threat analysis. I think this is one reason ArcSight's anti-fraud solution still has no successful domestic case;
No early warning: because a SIEM analyzes logs collected from other products, at best it can monitor an incident while it is happening, a worm outbreak for instance, never warn before it. Symantec SSIM's one advantage is that it can draw on the botnet database built from its tens of thousands of security sensors worldwide; SSIM can correlate against that database and achieve a degree of early warning. ArcSight once helped a bank build an anti-phishing system, but lacking such a large sensor population it could only collect and analyze at the customer's mail gateway, so I expect its effectiveness was severely limited;
Insufficient integration: to collect logs, an agent usually has to be installed on the monitored system; once an agent is there, why not collect the network-management data as well, do monitoring and alerting in the SIEM, and merge it with the NMS into a single platform? Unfortunately, the 5.0 release still shows no such integration, whereas domestic vendors, who started out in network management, have begun merging the two, heh;
No policy configuration management: in the long run a SIEM, as a security management system, should also provide unified policy configuration management. That is even harder than log normalization, but it is a challenge and a direction for the future, and something many users already ask for. DSL has TR-069, but the enterprise side still lacks a unified standard; every vendor tends its own plot;
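The normalization and correlation problems above are easier to see in code. The following is an added example written for this page, not code from the post, from ArcSight or from any other vendor. It maps two constructed log formats (sshd syslog lines and key=value firewall lines) onto one common schema while keeping every unmapped field in an `extra` map instead of dropping it, enriches events against a constructed stand-in for an external botnet list, and runs one cross-source rule: failures from a single address, counted across both products, followed by a successful login. The log lines, field names, the threat-intel set, the threshold and the window are all assumptions chosen for the example.

```python
"""Minimal SIEM pipeline: normalize two heterogeneous log formats into one
schema without dropping unmapped fields, enrich with a threat-intel list,
and correlate across sources. Editor-added example, not code from the post.
All log lines, field names and the threat-intel set are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input: sshd syslog lines and key=value firewall lines.
SAMPLE_LOGS = [
    "2011-01-20T10:00:01 host1 sshd[2201]: Failed password for root from 10.9.8.7 port 51111 ssh2",
    "2011-01-20T10:00:03 host1 sshd[2203]: Failed password for admin from 10.9.8.7 port 51112 ssh2",
    "2011-01-20T10:00:04 fw1 action=deny src=10.9.8.7 dst=192.168.1.5 dport=22 proto=tcp rule=ext-ssh",
    "2011-01-20T10:00:09 host2 sshd[2210]: Accepted password for backup from 10.9.8.7 port 51120 ssh2",
    "2011-01-20T10:00:10 fw1 action=allow src=192.168.1.20 dst=192.168.1.5 dport=22 proto=tcp rule=int-ssh",
]
THREAT_INTEL = {"10.9.8.7"}  # constructed stand-in for an external botnet/IP reputation feed


@dataclass
class Event:
    ts: datetime
    source: str                    # product that produced the line
    category: str                  # "auth" or "network"
    host: str
    src_ip: Optional[str] = None
    user: Optional[str] = None
    outcome: Optional[str] = None  # "failure" / "success" in the common schema
    extra: Dict[str, str] = field(default_factory=dict)  # fields with no core mapping, kept not dropped


SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<verdict>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>\w+=\S+(?: \w+=\S+)*)$")


def normalize(line: str) -> Optional[Event]:
    """Map a raw line onto the common schema; anything unmapped goes to `extra`."""
    m = SSHD_RE.match(line)
    if m:
        return Event(
            ts=datetime.fromisoformat(m["ts"]), source="sshd", category="auth",
            host=m["host"], src_ip=m["ip"], user=m["user"],
            outcome="success" if m["verdict"] == "Accepted" else "failure",
            extra={"pid": m["pid"], "method": m["method"], "port": m["port"]},
        )
    m = KV_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["body"].split())
        action = kv.pop("action", None)
        # A deny is mapped to the schema's "failure" so it can be counted alongside
        # auth failures; the vendor's original verb is preserved in `extra`.
        outcome = {"deny": "failure", "allow": "success"}.get(action)
        return Event(
            ts=datetime.fromisoformat(m["ts"]), source="firewall", category="network",
            host=m["host"], src_ip=kv.pop("src", None), outcome=outcome,
            extra={"action": action, **kv},
        )
    return None  # unknown format: a real collector would queue this for a new parser


def correlate(events: List[Event], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Cross-source rule: at least `threshold` failures from one src_ip (from any
    source) within `window`, followed by a successful login from that src_ip.
    Any src_ip on the intel list is flagged on first sight, which is the only
    form of warning available before the failure count is reached."""
    alerts: List[dict] = []
    failures: Dict[str, List[Event]] = defaultdict(list)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src_ip is None:
            continue
        if e.src_ip in THREAT_INTEL and e.src_ip not in flagged:
            flagged.add(e.src_ip)
            alerts.append({"rule": "known-bad-source", "src_ip": e.src_ip,
                           "first_seen": e.ts, "source": e.source})
        if e.outcome == "failure":
            failures[e.src_ip].append(e)
        elif e.outcome == "success" and e.category == "auth":
            recent = [f for f in failures[e.src_ip] if e.ts - f.ts <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src_ip": e.src_ip,
                               "user": e.user, "host": e.host, "failures": len(recent),
                               "sources": sorted({f.source for f in recent})})
    return alerts


def run_pipeline(lines: List[str]) -> List[dict]:
    events = [ev for ev in (normalize(ln) for ln in lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

On the sample input the pipeline raises two alerts: the address is flagged as soon as the first event arrives because it is on the intel list, and the later successful login fires the brute-force rule with three failures drawn from both sshd and the firewall. The firewall's `rule` and `dport` fields never become core schema fields, yet they survive in `extra` and are still available to a later rule, which is the extensibility the post finds missing.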
Postscript: Cisco's MARS has long since been dropped, RSA's enVision has stalled, and rumour has it Symantec's SSIM is no longer being developed or supported. With HP's channel behind it, ArcSight will stand alone, and its prospects are bright. I will be trying its BI-based analytics module on a card system to see how much it can really do, and I hope those who have studied this area will share their insight.


Comments

17 replies to "On SIEM and SOC"

  1. newer on 2011-01-22 12:32 AM

    I think presentation is very important; if you look good, you should get out and show it :)

  2. tom on 2011-01-23 5:48 PM

    Looking at the whole system, presentation is the relatively easiest part, so only once the first two parts are done well can presentation finally deliver the value, rather than just flashy reports and the like.

  3. willchen on 2011-01-24 5:59 PM

    Information integration in a SOC is the perennial hard problem; experience has shown it is beyond what a single vendor can solve. The biggest benefit of HP acquiring ArcSight is being able to integrate HP's entire product line, though that is probably not something finished overnight. Domestic SOC is now being pushed by the state, but I am not optimistic about the real results. The most likely outcome is: take a large chunk of state research funding, produce a showpiece, and get through the review.
    We have done this kind of thing more than once or twice.

  4. Tech on 2011-01-25 2:14 PM

    Technical people can take the technology to the very top, but must never neglect presentation; once the core technology is in place, why not let the flower bloom more beautifully!

  5. anony on 2011-01-25 4:20 PM

    1. Reposted from my friend Raffael Marty's commentary on "Data-Cloud-Tool-Security":

    Data
    It’s very simple. If you don’t have the data, you cannot visualize it. A lot of companies are still struggling to collect the necessary data. In some cases, the data is not even available because applications do not generate it. This is where data analysis or security people have to start voicing their needs to the application owners and developers in order to generate the data that they need. In addition, developers and security people have to communicate more to learn from each other. Ideally, it is not even the security folks that visualize and analyze the application logs, but it is the application people. Just a thought!
    What we will see next year is that the Big Data movement is going to enable us to crunch more and bigger data sets. Hopefully 2011 will also give us an interoperability standard that is going to ease log analysis.

    Cloud
    What does the cloud have to do with security visualization? Well, it has to do with processing power and with application development. Applications generate logs and logs are used for security visualization. Cloud services are new pieces of software that are being developed. We have a chance here to build visibility into those applications, meaning we have an opportunity to educate these developers to apply logging in the right way.
    Next year we will see a lot of companies that are going to roll their own log analysis systems based on big data technology, such as Hadoop. We have seen a number of companies doing this already in 2010: Facebook, Linkedin, NetFlix, Zynga, etc. Traditional log management solutions just don’t scale to these companies’ needs. This will continue next year.

    Tools
    With tools I mean security visualization tools. We are absolutely nowhere with this. There are a couple of simple tools out there, but there is no tool that really does what we need: brushing, linked views, supports large data sets, easy to use, contextualized, etc.
    Next year won’t really change anything in this area. What we will see is that more and more tools are built on the Web. The cloud movement is kind of responsible for this push, but so is the broad utilization of HTML5 with all of its goodness (e.g., Websockets, Canvas). We will see advances in the social space with regards to visualization tools. Security will continue utilizing those tools to analyze security data. It’s not ideal because these tools are not meant for this, but hey, better than nothing! Maybe this will help create awareness and will surface some interesting use-cases for security visualization.

    Security
    What will we see in security visualization? Well, as we saw earlier, we don’t have the data. What that means is that we haven’t really had a chance to learn how to visualize that data. And because we didn’t have that chance, we don’t really understand our data. Read that again. I think this is an important point!
    Next year will give us more bad security visualization examples. And I am lumping product displays into this. Have you looked at your tool lately? During the SANS summit, I had a chance to look at some of the vendor’s dashboards. They are horrible. 3D charts, no legends, bad choice of colors, non actionable dashboards, etc. Note to log management vendors: I offer a security visualization class. You might want to consider taking it! But back on topic. Visualization, just like security, will stay an afterthought. It’s being added when everything else is in place already. We know how that generally turns out.
    I know, I am painting a gloomy picture. Hopefully 2011 will have some surprises for us!

    2. Years ago I too dabbled in SOC (SIEM). At the time I borrowed heavily from the then already well-known OSSIM: a basic framework built on ZeroC ICE (registration, management, transaction handling and messaging for internal objects; installation, deployment and upgrade of system components) and an extension mechanism (definition of asset attributes and relationships, asset-relationship mapping, policy distribution and synchronization, event collection and visualization, and so on). There were gains and losses. The "gain": building a basic SOC framework is not hard, and meeting vertical single-point or few-point management needs is not hard, but a multi-role, multi-scenario, heterogeneous, cross-domain SOC is genuinely very difficult and not the work of a day. The "loss": too much key-factor dependence. From ArcSight's growth one can see that a good management tool has distinctive traits such as strong replicability and (near) "zero" delivery and maintenance cost; at the time I did not realize this, I just sighed for a while in front of ArcSight's powerful data mining and scenario design capabilities, then turned around and carried on down my old road.

    3. All that is past. In the early hours I quickly leafed through my SOC designs, code and daily logs from several years ago; how things have changed. I believe a higher proportion of Tektalk readers follow the big mergers; security may in the end become a game for oligopolies, and is management any different? So where should security management (centered on events and policies), which sits between the two, go?

  6. willchen on 2011-01-25 5:22 PM

    to: anony
    This article is really excellent. Of course, my English is terrible, so I relied on Google Translate to get the rough meaning.
    I particularly agree with the first point. While everyone is racking their brains over how to analyze logs, they forget the source of the logs. If the log sources could be standardized and made readable, log analysis could skip many detours and accuracy would improve greatly.
    Of course, that needs an industry standard, and not just one industry's standard. A unified log standard for applications, operating systems, databases, network devices, even data-center facilities, monitoring systems and so on: what a beautiful and unrealistic dream...

  7. anony on 2011-01-25 5:46 PM

    I also recommend another commentary, on the next scientific revolution:

    http://hbr.org/2010/11/the-big-idea-the-next-scientific-revolution/ar/1

    The author lays out in detail the relationship between "massive data (objects)" and "micro-level technique (process)" and proposes a fourth paradigm; see the following passages and some of the cases in them:

    The Four Paradigms of Science

    The first two paradigms for scientific exploration and discovery, experiment and theory, have a long history. The experimental method can be traced back to ancient Greece and China, when people tried to explain their observations through natural rather than supernatural causes. Modern theoretical science originated with Isaac Newton in the 17th century. After high-performance computers were developed in the latter half of the 20th century, Nobel Prize winner Ken Wilson identified computation and simulation as a third paradigm for scientific exploration. Detailed computer simulations capable of solving equations on a massive scale allowed scientists to explore fields of inquiry that were inaccessible to experiment and theory, such as climate modeling or galaxy formation.

    By the Numbers

    The fourth paradigm also involves powerful computers. But instead of developing programs based on known rules, scientists begin with the data. They direct programs to mine enormous databases looking for relationships and correlations, in essence using the programs to discover the rules. We consider big data part of the solution, not the problem. The fourth paradigm isn’t trying to replace scientists or the other three methodologies, but it does require a different set of skills. Without the ability to harness sophisticated computer tools that manipulate data, even the most highly trained expert would never manage to unearth the insights that are now starting to come into focus.

  8. anony on 2011-01-25 5:55 PM
  9. tom on 2011-01-25 6:06 PM

    The log standardization problem is becoming more and more acute, yet the state does nothing; relying on vendors to push it is too hard, only policy can.

  10. willchen on 2011-01-25 6:43 PM

    to: anony
    Could you recommend one in Chinese? My English really is too bad....

    to: tom
    I am afraid that is not something our country can do either, because the mainstream operating systems, applications, databases and even network devices are all foreign.

  11. tom on 2011-01-25 7:19 PM

    to willchen, at least it is doable for domestic vendors, but there is no money in it, unlike MLPS; when there is money to be made, people rush to push things forward

  12. willchen on 2011-01-25 7:25 PM

    to: tom
    As far as I know, the military (the Air Force and the General Staff) have been at this for at least four or five years, outsourced to companies of course, and there is still no formal product.
    After all, every vendor has its own little calculations; technically, changing the log structure may involve changes to the software architecture, which is very hard and very costly. Also, logs may expose product problems and bugs, and the consequences are serious if others learn of them. So I am not optimistic.
    Also, nobody is really making money on MLPS right now. Ask a few domestic vendors if you don't believe me; every one of them is in tears. It is a chicken rib, as we say: too little meat to eat, a pity to throw away.

  13. tom on 2011-01-25 8:14 PM

    willchen, not many vendors make money, but the one really making money is the xx Ministry; in short, this is "hard"

  14. willchen on 2011-01-25 9:37 PM

    to: tom
    The xx Ministry does not make much either, really just enough to pay out some bonuses and allowances. After all, their operation is big and there are many mouths to feed. But I digress; let's stick to technology

  15. tom on 2011-01-25 9:58 PM

    willchen is right, let's not wander too far. Taobao, Alibaba, Shanda and others are all working on user behaviour analysis and monitoring now; does anyone on the forum who has studied this want to start a thread about it?

  16. bigrong on 2011-01-25 10:33 PM

    I just worry that some people start things and never finish them.

  17. kernelchina on 2011-01-31 11:13 PM

    Shanda's network is awful; the experience on its several web-fiction sites, Qidian especially, is terrible, and sometimes I want to smash those guys.