Instrumentation & Measurement Magazine 25-6 - 33

information from the host level. The EDR's role is to manage
the feeding of logs and to detect potential security incidents.
Therefore, EDRs need to collect low-level events, such as file
and process creation, start/end times, user logins, and network
connections on the managed hosts. They function based on rules,
and when an anomalous behavior is detected, an alert is triggered.
Since they are designed for precision, they can be prone
to a high alert rate, creating false positives [8].
Cyber Security Solutions
SIEMs are tools capable of collecting, aggregating, and storing
events generated within a system. A SIEM represents the central
platform of an SOC since it is able to gather information from
multiple sensors, correlate the events, and deliver views of
the alerts [3]. SIEMs are used by administrators to enforce
security policies. Overall, a SIEM is composed of several
blocks according to Onwubiko [3]: Log Source, Aggregation,
Processing and Normalization, Correlation, Storage,
and Examination. While each of these steps could be applied
independently, a SIEM solution requires all of them to be incorporated
to operate effectively [3].
Although the market is rich in SIEM applications to prevent
and detect cyber attacks, they are not sufficient by themselves,
and there is an emerging need to combine SIEMs with
People and Processes [3]. Trained people are the most important
asset of an SOC, as without them the systems, networks
and applications are not properly monitored. However, Technology
and People are also not sufficient, and technology
without proper processes loses its compass. Processes define
and document how the SOC should be operated and how an
incident should be handled. Moreover, processes establish
the responsibilities of the different roles and the cooperation inside
teams.
González-Granadillo et al. [8] present a comprehensive survey
of the existing SIEM tools. Their approach is to review
the most widely used SIEM tools in the context of their critical
functionality, and they provide an analysis of external
factors that could affect their adaptation. Furthermore, they
detail the needs and benefits of SIEM tools utilized in critical
infrastructures.
The most prominent tools used in the industry are IBM
QRadar, HP ArcSight, Splunk, LogRhythm and ELK-Stack
[8]. In the remainder of the article, we focus on the ELK-Stack,
which is a SIEM tool that has shown rapid growth during
the last years, both in terms of feature expansion and in
the number of companies deploying it. Moreover, it is an
open-source tool with an optional enterprise version, it is
well-documented, and its performance is comparable to that of the
other candidates. The ELK-Stack is used as the basis for the implementation
of the SOC within our platform.
Security Monitoring: Use-case
This section describes the development process of a SIEM
tool. The use-case is taken from the implementation of the cyber
range project [9], where a virtual environment is designed
for a Red Team to attack the infrastructure, while the Blue
Team tries to monitor and detect the adversaries' movements.
In the following, we mainly focus on the setup of the SOC infrastructure
and how we use it to collect data.
September 2022
Logging provides great benefits for the cyber security of an
infrastructure, such as detecting unauthorized access, capturing
evidence and collecting security artefacts that can support
forensic investigation. However, logging can also generate a
huge amount of data, and therefore organizations need to decide
what data to log, since saving everything could lead to
alert fatigue for the analysts. NIST 800-92 provides a practical
guide, which offers pointers on how organizations can
establish their requirements for security log management, according
to their environment and the risk that they are facing.
The key types of logs indicated in both NIST 800-92 and ISO
27002 are:
◗ Network-based: network traffic, addresses and protocols
◗ Event-based: Authentications successful and failed,
Process ID, Date and Ownership, Policy change, Privileged
use, System Events
◗ Security tool-based: IDS, IPS, Firewalls, Routers logs
ELK-Stack and Dependencies
The ELK-Stack is based on three open-source tools: Elasticsearch,
Logstash, and Kibana. These tools are used for
searching, visualization, and formatting of logs. Elasticsearch
allows storing and indexing of all types of documents and
distributes the workload on multiple servers, each of them
considered as a node. The nodes can be grouped in a cluster,
thus, reducing the searching and indexing time. Elasticsearch
organizes the data based on the  and 
tuple. The  indicates the application
that is responsible for the generation of the logs and can take
values, like Fleet Agent, Winlogbeat, Packetbeat, IDS, or Firewall,
while  denotes the time when the log was
recorded. These indices permit near real-time search by splitting
the data into documents that contain one or more named
fields.
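As an added illustration (not the article's own code) of the SIEM blocks listed earlier (aggregation, normalization, correlation, storage, examination) and of the (source, date) tuple Elasticsearch organizes data by, the following Python sketch aggregates constructed Winlogbeat and Sysmon JSON events, normalizes them, buckets them per (source, date) index, and runs one correlation rule over the event-based logon logs. Event ids 4624/4625 are the standard Windows logon ids; the source names, field names and the failure threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): three failed Windows logons
# (4625) and one success (4624) via Winlogbeat, then a Sysmon process creation (id 1).
RAW_EVENTS = [
    '{"source":"winlogbeat","@timestamp":"2022-09-01T10:00:01Z","host":"ws01","event_id":4625,"user":"alice"}',
    '{"source":"winlogbeat","@timestamp":"2022-09-01T10:00:05Z","host":"ws01","event_id":4625,"user":"alice"}',
    '{"source":"winlogbeat","@timestamp":"2022-09-01T10:00:09Z","host":"ws01","event_id":4625,"user":"alice"}',
    '{"source":"winlogbeat","@timestamp":"2022-09-01T10:00:20Z","host":"ws01","event_id":4624,"user":"alice"}',
    '{"source":"sysmon","@timestamp":"2022-09-01T10:00:25Z","host":"ws01","event_id":1,"user":"alice"}',
]
# Normalization: map (source, event id) to one action vocabulary shared by all sources.
ACTIONS = {("winlogbeat", 4625): "logon_failed", ("winlogbeat", 4624): "logon_success",
           ("sysmon", 1): "process_created"}

def normalize(raw_line):
    """Parse one JSON line into a flat event with a parsed UTC timestamp."""
    rec = json.loads(raw_line)
    return {"ts": datetime.strptime(rec["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": rec["source"], "host": rec["host"], "user": rec["user"],
            "action": ACTIONS.get((rec["source"], rec["event_id"]), "unknown")}

def store(events):
    """Storage: bucket events by the (source, date) tuple, one bucket per daily index."""
    indices = defaultdict(list)
    for e in events:
        indices[(e["source"], e["ts"].date().isoformat())].append(e)
    return dict(indices)

def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Correlation rule: >= `failures` failed logons for one host/user inside
    `window`, followed by a successful logon, raises a single alert."""
    alerts, by_key = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["user"])
        if e["action"] == "logon_failed":
            by_key[key].append(e["ts"])
        elif e["action"] == "logon_success":
            recent = [t for t in by_key[key] if e["ts"] - t <= window]
            if len(recent) >= failures:
                alerts.append({"rule": "failed_logons_then_success", "host": e["host"],
                               "user": e["user"], "failures": len(recent), "at": e["ts"]})
            by_key[key].clear()   # a success resets the failure streak for that host/user
    return alerts

def run_pipeline(raw_lines):
    events = [normalize(line) for line in raw_lines]   # aggregation + normalization
    return store(events), correlate(events)            # storage + correlation/examination
```

Calling `run_pipeline(RAW_EVENTS)` returns two daily index buckets and one alert for `ws01`/`alice` with three failures; dropping the first two failures yields no alert.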
Fleet is a unified log collection tool; thus, it can gather monitoring
logs and metrics as well as other types of data. Fleet Server
automates control of the whole setup, while additional
fine-tuning changes can be made by updating the policy for a
specific group of agents.
Packetbeat is a network sniffer for Elasticsearch and supports
a wide range of protocols. It can be placed either on hosts
or a network device.
System Monitor (Sysmon) is a Windows OS service that
monitors and logs the system activity. Sysmon provides log
data, such as Process Creation and Closure, Network related
Activities, File Creation, Raw Disk Access, and Process Memory
Access. The logs are shipped directly to Elastic using
Winlogbeat. Overall, Elastic Agent, Packetbeat and Winlogbeat
are based on the same tool, i.e., Beats, which is an open
source log shipper. Beats is capable of grabbing specific data
and sending it to Elasticsearch. Even more, Beats can function
as an agent which is installed on different servers within
the infrastructure. Finally, Kibana provides visualization