Use SIEM tools to protect organizations
Previously, you were introduced to security information and event management (SIEM) tools and a few SIEM dashboards. You also learned about different threats, risks, and vulnerabilities an organization may experience. In this reading, you will learn more about SIEM dashboard data and how cybersecurity professionals use that data to identify a potential threat, risk, or vulnerability.
Splunk
Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to review an organization's data on dashboards. This helps security professionals manage an organization's internal infrastructure by collecting, searching, monitoring, and analyzing log data from multiple sources to obtain full visibility into an organization’s everyday operations.
Review the following Splunk dashboards and their purposes:
Security posture dashboard
The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.
Executive summary dashboard
The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.
Incident review dashboard
The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.
Risk analysis dashboard
The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.
Chronicle
Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to:
A specific asset
A domain name
A user
An IP address
Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names.
Review the following Chronicle dashboards and their purposes:
Enterprise insights dashboard
The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.
Data ingestion and health dashboard
The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log-related issues are addressed so that the security team has access to the log data they need.
IOC matches dashboard
The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.
Main dashboard
The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts—to identify threat trends across log sources, devices, IP addresses, and physical locations.
Rule detections dashboard
The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization's level of risk.
User sign in overview dashboard
The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.
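The two sign-in anomalies this reading mentions, a login outside normal working hours (risk analysis dashboard) and one user signing in from different locations at nearly the same time (user sign in overview dashboard), are the kind of checks a SIEM runs over sign-in logs before surfacing them on a dashboard. The following is an added example, not code from the course or from Splunk or Chronicle; it runs both checks over a constructed log in an assumed "timestamp user location result" format, with an assumed 09:00 to 18:00 working window and a one-hour concurrency window.

```python
# Added example: toy sign-in anomaly checks over constructed log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed format: timestamp user location result).
SAMPLE_LOG = """\
2024-03-04T08:55:00 alice new_york success
2024-03-04T09:10:00 bob london success
2024-03-04T09:20:00 alice tokyo success
2024-03-04T23:40:00 carol chicago success
2024-03-04T10:05:00 bob london failure
"""

def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, location, result = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "location": location, "result": result})
    return events

def off_hours_logins(events, start_hour=9, end_hour=18):
    """Successful sign-ins outside the assumed working window [start_hour, end_hour)."""
    return [e for e in events
            if e["result"] == "success" and not (start_hour <= e["time"].hour < end_hour)]

def concurrent_location_logins(events, window=timedelta(hours=1)):
    """Users with successful sign-ins from two different locations within `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # events are sorted, so nothing further is within the window
                if first["location"] != later["location"]:
                    hits.append((user, first["location"], later["location"]))
    return hits

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("off-hours:", [(e["user"], e["time"].isoformat()) for e in off_hours_logins(events)])
    print("concurrent locations:", concurrent_location_logins(events))
```

Failed sign-ins are deliberately excluded from both checks so that a failed attempt from a second location is not counted as a concurrent session; a dashboard counting failed attempts (as the main dashboard does) would filter the other way.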
Key takeaways
SIEM tools provide dashboards that help security professionals organize and focus their security efforts. This is important because it allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner. Later in the program, you’ll have an opportunity to practice using various SIEM tool features and commands for search queries.