{"id":910,"date":"2020-09-07T13:10:16","date_gmt":"2020-09-07T13:10:16","guid":{"rendered":"https:\/\/hackemall.live\/?p=910"},"modified":"2020-09-07T13:10:41","modified_gmt":"2020-09-07T13:10:41","slug":"siem-roadmap","status":"publish","type":"post","link":"https:\/\/hackemall.live\/index.php\/2020\/09\/07\/siem-roadmap\/","title":{"rendered":"SIEM Roadmap"},"content":{"rendered":"\n<p><strong>SIEM<\/strong>? If you work in security operations, a SIEM is an indispensable tool, and in this post I will share the work that revolves around it. I hope these notes help you somewhat when doing security operations in general and SIEM work in particular.<\/p>\n\n\n\n<p>Before going into detail, a quick introduction. <strong>SIEM (Security Information and Event Management) is a centralized security management system: it collects log data from many sources into central storage, then correlates, analyzes and processes it to detect abnormal behaviour affecting an organization's IT systems<\/strong>. 
<\/p>\n\n\n\n<p>Your main job is to use the log data from the sources in your environment to \u201ccontrol\u201d the risks you are monitoring: evaluate events and abnormal behaviour and respond in time. When an attack is actually under way, speed is the deciding factor; the faster we are, the better our odds of winning.<\/p>\n\n\n\n<p>A research lab and an enterprise environment at a large company have different requirements, so for each topic I will present both points of view.<\/p>\n\n\n\n<h1 class=\"has-text-align-center wp-block-heading\"><strong><em><span class=\"has-inline-color has-vivid-green-cyan-color\">Building the foundation<\/span><\/em><\/strong><\/h1>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/begin_siem-1024x379.png\" alt=\"\" class=\"wp-image-921\" width=\"768\" height=\"284\" srcset=\"https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/begin_siem-1024x379.png 1024w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/begin_siem-300x111.png 300w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/begin_siem-768x285.png 768w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/begin_siem-750x278.png 750w, 
https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/begin_siem.png 1120w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p>What you learn in the first steps directly shapes your later development, so be serious and honest with yourself from the very beginning.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">1. Foundations: systems and networking<\/span><\/strong><\/h4>\n\n\n\n<p>Young people today may get exposure to technology and IT early; in my day I only formally learned about IT when I got to university (before that I just played games).<\/p>\n\n\n\n<p>In my view, when you first learn IT the most important things are to learn programming well, to understand how a system works, and to understand the data exchanged over the network.<\/p>\n\n\n\n<p>These are the foundations that let you go far. 
It is like building a three-storey house: the foundation has to be solid, because if it is not, the house collapses.<\/p>\n\n\n\n<p><strong>To build good knowledge in this area, some references you can consult beyond your school curriculum:<\/strong><\/p>\n\n\n\n<p>&#8211; &nbsp; Linux in Action<\/p>\n\n\n\n<p>&#8211; &nbsp; Richard Stevens, TCP\/IP Illustrated<\/p>\n\n\n\n<p>&#8211; &nbsp; Operating System Concepts, 8th Edition<\/p>\n\n\n\n<p>&#8211; &nbsp; Windows Internals<\/p>\n\n\n\n<p>&#8211; \u00a0 AWS Certified Solutions Architect Official Study Guide<\/p>\n\n\n\n<p><strong>So that it is not all reading, practise with the tools covered in those books: Wireshark, tcpdump, nmap, Process Explorer, \u2026 or get hands-on with the cloud.<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">2. Learn to code<\/span><\/strong><\/h4>\n\n\n\n<p>Learn to code diligently and \u201cdare to face it\u201d.<\/p>\n\n\n\n<p>When you start learning to code you will run into plenty of difficulties, but trust me, that is only the beginning. 
Code that runs is hard; clean code is harder; optimized code harder still; and secure code\u2026 So why learn to code if you are studying security?<\/p>\n\n\n\n<p>The answer is that you code to solve your own problems, and to be able to \u201cguess\u201d what other people intended. Once you are working, or hacking, you will have to write scripts to make everything faster and more accurate; if you are slow you get left behind, and is that the moment to start learning? And think about what happens when you can guess other people's mistakes and take advantage of them. Only by learning to code can you understand a vulnerability and find a way to handle and patch it.<\/p>\n\n\n\n<p>In the IT world, code is what speech is in the real world; you do not want to be mute, do you? If you can, code in many languages and get good at a few; sooner or later that will pay off.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">3. CTF<\/span><\/strong><\/h4>\n\n\n\n<p>Security knowledge is really broad; if you do not know where to start, play CTF and read the Hackemall series.<\/p>\n\n\n\n<p>And if you <strong>want to do SIEM analysis, study all the areas covered on Hackemall: Web, Pwn, Re, Crypto and sometimes Forensics.<\/strong><\/p>\n\n\n\n<p>You can only analyze and evaluate attacks or unauthorized behaviour against a system if you first know the basic attack types. If you do not, you will certainly miss a large number of attack payloads, and may not even think of collecting the log data needed later for analysis or incident response.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">4. Try bug bounty<\/span><\/strong><\/h4>\n\n\n\n<p>Apply the security knowledge you have learned and the experience from CTF competitions: do bug bounty in your spare time to see what the real-world security posture of organizations looks like.<\/p>\n\n\n\n<p><strong>Read write-ups of APT attacks and bounty reports; they help you understand the risks that exist in different platforms and technologies<\/strong>. From there you can pick out the keywords and indicators that reveal abnormal or malicious behaviour against a system, check your own company's systems for those vulnerabilities and risks, have a plan to respond quickly if you see signs of an attack, and have long-term, definitive remediation options.<\/p>\n\n\n\n<p>With a SIEM you can pentest your own or your company's systems and learn a lot from debug logs, internal logs and so on, which makes pentesting and vulnerability assessment of a company's or organization's systems more effective.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">5. Build a SIEM lab<\/span><\/strong><\/h4>\n\n\n\n<p>To work on SIEM you have to build a SIEM yourself, so that you understand it and can get the most out of it. There are many SIEM solutions, but in my opinion you should pick 2-3 to study in depth and compare against each other. I chose to study and go deep on Splunk and ELK (Elasticsearch, Logstash, Kibana).<\/p>\n\n\n\n<p><strong>In my experience, when starting out you should deploy an ELK stack yourself in order to learn:<\/strong><\/p>\n\n\n\n<p>&#8211;&nbsp; The components of a SIEM<\/p>\n\n\n\n<p>&#8211; &nbsp; Keyword searching and building dashboards for tracking and monitoring, based on how attack behaviour is detected<\/p>\n\n\n\n<p>&#8211; &nbsp; Raising alerts when attack behaviour is detected<\/p>\n\n\n\n<p>&#8211; &nbsp; Deploying detection and defence cases onto the SIEM following an attack scenario<\/p>\n\n\n\n<p>&#8211; &nbsp; Attack simulation: run the attacks and see whether the cases on the SIEM detect them, to evaluate the capability of the SIEM you have just built.<\/p>\n\n\n\n<p>&nbsp;You can build on whichever SIEM solution you like; I follow these, so you can follow along:<\/p>\n\n\n\n<p>ELK : <a href=\"https:\/\/www.elastic.co\/guide\/en\/elastic-stack\/current\/installing-elastic-stack.html\">https:\/\/www.elastic.co\/guide\/en\/elastic-stack\/current\/installing-elastic-stack.html<\/a><\/p>\n\n\n\n<p>Splunk : <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/8.0.5\/SearchTutorial\/InstallSplunk\">https:\/\/docs.splunk.com\/Documentation\/Splunk\/8.0.5\/SearchTutorial\/InstallSplunk<\/a><\/p>\n\n\n\n<p>You should also search for keywords such as \u201c(SIEM\/ELK\/Splunk) Deployment Architecture\u201d to understand the architecture of the model you are deploying. You can also write scripts in advance to automate deploying the parts of the SIEM.<\/p>\n\n\n\n<h1 class=\"has-text-align-center wp-block-heading\"><strong><em><span class=\"has-inline-color has-vivid-green-cyan-color\">Accumulate deeply, then break through<\/span><\/em><\/strong><\/h1>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/medium_siem-1024x399.png\" alt=\"\" class=\"wp-image-920\" width=\"768\" height=\"299\" srcset=\"https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/medium_siem-1024x399.png 1024w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/medium_siem-300x117.png 300w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/medium_siem-768x300.png 768w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/medium_siem-750x293.png 750w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/medium_siem.png 1115w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p>Build a deep foundation and select the best of that knowledge to deploy and develop. Keep learning, prepare thoroughly and do not fear failure; only then is great success possible.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">6. Understand the data more deeply<\/span><\/strong><\/h4>\n\n\n\n<p>Each security case uses different log data; the most important thing for detecting abnormal behaviour and attacks on a system is mastering that log data.<\/p>\n\n\n\n<p><strong>Systems usually log in their default form, so you need to determine:<\/strong><\/p>\n\n\n\n<p><strong>&#8211; \u00a0 \u00a0 Which log data to collect?<\/strong><\/p>\n\n\n\n<p><strong>&#8211; \u00a0 \u00a0 For that log data, which information must it contain?<\/strong><\/p>\n\n\n\n<p>Once you have answered those two questions you will have a decent log set, enough to support searching whenever an incident needs investigation.<strong> But to monitor and detect quickly and accurately you need a few more things:<\/strong><\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; Minimize the log data, removing noise and junk<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; Normalize it into suitable data formats<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; Understand the fields and the information in the log data<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; Use standard, precise keywords for each case<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; Continuously update and optimize the log data throughout analysis and monitoring.<\/p>\n\n\n\n<p>For example, a Linux server has only a few basic logs by default, and a default auditd configuration audits only a handful of basic actions so as not to hurt system performance and user experience. <\/p>\n\n\n\n<p>So to raise the security level we need to collect additional log data such as command-line logging, and auditd needs to audit many more events than just authentication and authorization (every command execution, for instance). For this log data you also need to understand the fields in each record and what the values in those fields mean. 
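<\/p>\n\n\n\n<p>The lab checklist in section 5 (detection case, alert, attack simulation) and the log-data points in this section (know the fields, normalize, drop noise) come together in the pipeline below. It is an added example written for this post, not code from the original article or from any SIEM product. It parses constructed Linux auditd execve records, normalizes them into one event per command (decoding the hex-encoded arguments auditd emits for strings containing whitespace, mapping the unset auid value 4294967295 to none, and dropping the PROCTITLE, CWD and PATH records that only duplicate EXECVE for this use case), applies one detection case (a shell spawned under the web server's uid), and then replays a simulated attack to confirm the case fires. The auditd rule <code>-a always,exit -F arch=b64 -S execve -k exec<\/code>, the web server uid 33 (www-data on Debian or Ubuntu) and every log line are assumptions constructed for the example.<\/p>\n\n\n\n
```python
"""Lab pipeline: auditd execve records -> normalized events -> detection case -> simulated attack.

Added example for this post, not code from the original article or from any SIEM product.
Assumptions: auditd records execve via a rule like `-a always,exit -F arch=b64 -S execve -k exec`,
the web server runs as uid 33 (www-data on Debian/Ubuntu), and every log line here is a
constructed sample rather than a capture from a real host.
"""
import re

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key="quoted value" or key=bare
MSG_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
UNSET_AUID = 4294967295          # auditd writes (unsigned)-1 when there is no login session
WEB_UID = 33                     # www-data on Debian/Ubuntu (assumption)
SHELLS = {"/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/bin/bash", "/bin/dash", "/bin/sh"}
NOISE_TYPES = {"PROCTITLE", "CWD", "PATH"}   # only duplicate SYSCALL/EXECVE for this use case

# Constructed sample (serial 4711: user 1000 runs `bash -c "id; uname -a"`; a2 is the hex
# auditd emits for an argument containing spaces; serial 4712: cron runs run-parts).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1599484216.123:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2045 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1599484216.123:4711): argc=3 a0="bash" a1="-c" a2=69643B20756E616D65202D61
type=PROCTITLE msg=audit(1599484216.123:4711): proctitle=62617368002D6300
type=SYSCALL msg=audit(1599484230.500:4712): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2050 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="exec"
type=EXECVE msg=audit(1599484230.500:4712): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1599484230.500:4712): cwd="/"
"""

def parse_record(line):
    """One auditd record -> dict of raw fields, plus ts and serial taken from msg=audit(ts:serial)."""
    fields = dict(KV_RE.findall(line))
    m = MSG_RE.search(fields.get("msg", ""))
    if "type" not in fields or m is None:
        return None                      # not an audit record, or truncated: skip it
    fields["ts"], fields["serial"] = float(m["ts"]), int(m["serial"])
    return fields

def decode_arg(raw):
    """EXECVE arguments are double-quoted, or hex-encoded when they contain whitespace,
    quotes or control bytes; return the plain string for either form."""
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", errors="replace")

def normalize(lines):
    """Group records by audit serial and emit one normalized event per execve."""
    groups = {}                                   # serial -> {record type: fields}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] in NOISE_TYPES:
            continue
        groups.setdefault(rec["serial"], {})[rec["type"]] = rec
    events = []
    for serial, recs in groups.items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not (sc and ex):
            continue                              # half an event: a record was lost or filtered
        argv = [decode_arg(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        auid = int(sc["auid"])
        events.append({
            "ts": sc["ts"], "serial": serial,
            "auid": None if auid == UNSET_AUID else auid,   # None: no login session (cron, daemons)
            "uid": int(sc["uid"]), "euid": int(sc["euid"]),
            "exe": sc["exe"].strip('"'), "argv": argv, "cmdline": " ".join(argv),
        })
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Detection case: a shell running under the web server's uid (webshell / RCE indicator).
    Further cases go here in the same shape."""
    return [{"rule": "webshell_shell_exec", "serial": e["serial"], "uid": e["uid"],
             "cmdline": e["cmdline"]}
            for e in events if e["uid"] == WEB_UID and e["exe"] in SHELLS]

def simulate_webshell(serial, ts, cmd, pid=31337):
    """Attack simulation: the records auditd would write for `sh -c <cmd>` run by www-data,
    hex-encoding the argument the way auditd does."""
    hexcmd = cmd.encode().hex().upper()
    title = (b"sh\x00-c\x00" + cmd.encode()).hex().upper()
    msg = f"msg=audit({ts:.3f}:{serial}):"
    return [
        f"type=SYSCALL {msg} arch=c000003e syscall=59 success=yes exit=0 ppid=1400 pid={pid} "
        f"auid={UNSET_AUID} uid={WEB_UID} gid={WEB_UID} euid={WEB_UID} tty=(none) ses=4294967295 "
        'comm="sh" exe="/usr/bin/dash" key="exec"',
        f'type=EXECVE {msg} argc=3 a0="sh" a1="-c" a2={hexcmd}',
        f"type=PROCTITLE {msg} proctitle={title}",
    ]

if __name__ == "__main__":
    baseline = SAMPLE_LOG.splitlines()
    print("baseline alerts:", detect(normalize(baseline)))                 # []
    attack = baseline + simulate_webshell(4713, 1599484300.0, "id; uname -a")
    for alert in detect(normalize(attack)):
        print("ALERT", alert)
```
\n\n\n\n<p>Run as a script it prints no alert for the baseline and one alert for the replayed attack. The <code>simulate_webshell<\/code> helper writes the same three records auditd would produce for <code>sh -c &lt;cmd&gt;<\/code> executed by www-data, so the detection case is validated without touching a real host; once your auditd rules are in place, feed real records through <code>normalize<\/code> and add further cases to <code>detect<\/code> in the same shape. Note what the baseline already shows about the data: the interesting part of the command only becomes searchable after hex decoding, and the cron event has no login session (auid is none), which is exactly the kind of field meaning this section asks you to learn.<\/p>\n\n\n\n<p>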
Throughout log generation, normalization and use, you need to assess which logs duplicate others or are never used, and configure them out, to reduce noise during processing and to lighten the load on storage.<\/p>\n\n\n\n<p>For each type of log from each piece of software or environment, first understand how that software or environment works, then form your own assessment of its log data, make sure it carries enough information to exploit and to satisfy your monitoring scenarios, and optimize it step by step from there. If an incident occurs and you find alerts were missing or log data was lacking, investigate thoroughly and reconfigure and reprocess the log data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><em><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">7. Learn about processes and standards<\/span><\/strong><\/em><\/h4>\n\n\n\n<p>After moving between a few companies, all doing SIEM work, I noticed that each company's scale and its requirements for the SIEM and for log analysis differ. But to adapt and to own your own point of view, you should think about and learn the processes and standards for incident handling and for deploying and operating a SIEM, such as NIST, the MITRE ATT&amp;CK framework, the product development process, \u2026<\/p>\n\n\n\n<p>For example, at a large company you need to know the steps of the product development process so you can understand it and compare it with the process the company actually uses. Then apply security to that process, \u201cshift left\u201d, and apply the NIST standards in the steps where security is deployed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">8. Study the system<\/span><\/strong><\/h4>\n\n\n\n<p>For log analysis, and for deploying and operating a SIEM, understanding the system both overall and in detail is essential. 
You can only analyze well what you understand, and what you understand well is what you will use to analyze or to do anything else. So in my view you should:<\/p>\n\n\n\n<p>&#8211; \u00a0 \u00a0 Understand the SIEM deeply (this gets harder as the deployment grows and new problems arise)<\/p>\n\n\n\n<p>&#8211; \u00a0 \u00a0 Understand how the system you are monitoring and analyzing operates.<\/p>\n\n\n\n<p>In part 1 I said you have to learn systems and networking; that is the foundation for studying and understanding each company's systems more deeply when you work there. Every problem has many solutions, and the choice is evaluated on many criteria such as cost, convenience, effectiveness, experience, \u2026 And to evaluate, you must first understand it and be able to do it yourself. 
Understanding the SIEM deeply matters just as much: when there is a problem with the log data (lots of junk, noise, lost logs, \u2026) you need knowledge deep enough to grasp the root cause and to find both a temporary and a definitive fix.<\/p>\n\n\n\n<p>Technology platforms keep evolving and DevOps keeps gaining ground; if you do security without understanding them you will always be on the back foot.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">9. Follow Twitter<\/span><\/strong><\/h4>\n\n\n\n<p>Twitter has a lot of important, interesting and free information that we can learn from and share. Many well-known accounts share information about bugs and security trends, \u2026 and many also share open-source projects for blue team and SIEM, or analyses of log data. For example: cyb3rops, Bakk3rM, olafhartong, KyleHaxWhy, rimpq, SBousseaden, \u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">10. 
Read books, slides and documents on SIEM &amp; Security<\/span><\/strong><\/h4>\n\n\n\n<p>To refine your thinking about security and SIEM, the fastest and simplest way is to read books and slides and to study open-source projects. Below are some materials I think you should read (only for blue team and SIEM; for pentest, red team and the rest, read the other posts on Hackemall):<\/p>\n\n\n\n<p>&#8211;&nbsp; &nbsp; <em>Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases: A condensed field guide for the Security Operations team<\/em>. (Quite a good one: it summarizes the main points about SIEM, presents log use cases for Windows, and covers other SIEM problems.)<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; <em>Security Operations Center: Building, Operating and Maintaining Your SOC<\/em>. 
(A good book on the theory behind a SIEM; almost certainly required reading if you want to do SIEM well.)<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; <em>Security Operation Center Concepts &amp; Implementation<\/em> (Presents the components of a SIEM quite well)<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; <em>SANS SEC555: SIEM with Tactical Analytics<\/em><\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; <em>Splunk book series: <\/em><a href=\"https:\/\/www.splunk.com\/en_us\/training.html\"><em>https:\/\/www.splunk.com\/en_us\/training.html<\/em><\/a><\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; <em>Splunk slides:<\/em><a href=\"https:\/\/conf.splunk.com\/watch\/conf-online.html\"> https:\/\/conf.splunk.com\/watch\/conf-online.html<\/a><\/p>\n\n\n\n<p>Once you have read those books you should be able to tell which areas of SIEM you need to dig into, and you will find the deeper SIEM material on your own.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">11. Dev everything for SIEM<\/span><\/strong><\/h4>\n\n\n\n<p>Working with a SIEM you will run into big-data problems, or repetitive tasks that take many steps and a lot of time remoting into servers, \u2026 Ask yourself whether you could be \u201clazy\u201d. 
Write scripts, write apps, or even try to upgrade some feature of your SIEM. Whatever the result, I believe you will understand your SIEM better and learn valuable lessons.<\/p>\n\n\n\n<p>There are also open-source projects online that support each SIEM solution; try digging into them. You can even dig into a whole open-source SIEM solution; who knows, in a few years it might be an enterprise product.<\/p>\n\n\n\n<p>When you understand SIEM or other security solutions deeply, you will find that their ideas are precise and easy to grasp. 
And the value of a SIEM or security solution lies in the idea and in how conveniently the user experience lets you put that idea into practice.<\/p>\n\n\n\n<h1 class=\"has-text-align-center wp-block-heading\"><strong><span class=\"has-inline-color has-vivid-green-cyan-color\">Return to the essence<\/span><\/strong><\/h1>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/advanced_siem-1024x385.png\" alt=\"\" class=\"wp-image-918\" width=\"768\" height=\"289\" srcset=\"https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/advanced_siem-1024x385.png 1024w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/advanced_siem-300x113.png 300w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/advanced_siem-768x289.png 768w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/advanced_siem-750x282.png 750w, https:\/\/hackemall.live\/wp-content\/uploads\/2020\/09\/advanced_siem.png 1120w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p>At this level you already understand something of SIEM and what needs to be done next. Stay confident and keep sharpening yourself; go back to the origin and the nature of each problem, so you can learn more and raise your own level.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">12. 
<em>\u201cC\u00f4ng ngh\u1ec7 h\u00f3a\u201d &#8211; T\u1ef1 \u0111\u1ed9ng h\u00f3a<\/em><\/span><\/strong><\/h4>\n\n\n\n<p>C\u00f3 r\u1ea5t nhi\u1ec1u gi\u1ea3i ph\u00e1p, \u1ee9ng d\u1ee5ng \u0111\u01b0\u1ee3c ph\u00e1t tri\u1ec3n \u0111\u1ec3 h\u1ed7 tr\u1ee3 cho vi\u1ec7c t\u1ef1 \u0111\u1ed9ng h\u00f3a c\u00e1c quy tr\u00ecnh x\u1eed l\u00fd c\u1ee7a c\u00e1c h\u1ec7 th\u1ed1ng. V\u00e0 h\u1ec7 th\u1ed1ng SIEM c\u0169ng kh\u00f4ng ngo\u1ea1i l\u1ec7, h\u00e3y h\u1ecdc h\u1ecfi v\u00e0 tri\u1ec3n khai c\u00e1c \u1ee9ng d\u1ee5ng \u0111\u00f3 \u0111\u1ec3 th\u1ef1c hi\u1ec7n t\u1ef1 \u0111\u1ed9ng \u0111\u1ed1i v\u1edbi kh\u1ed1i l\u01b0\u1ee3ng l\u1edbn c\u00e1c c\u00f4ng vi\u1ec7c. V\u00ed d\u1ee5 nh\u01b0: ansible chef puppet saltstack,\u2026 Khi l\u00e0m ch\u1ee7 \u0111\u01b0\u1ee3c c\u00f4ng ngh\u1ec7, t\u1ef1 \u0111\u1ed9ng h\u00f3a nhi\u1ec1u h\u01a1n th\u00ec b\u1ea1n c\u0169ng s\u1ebd c\u00f3 nhi\u1ec1u th\u1eddi gian \u0111\u1ec3 h\u1ecdc h\u1ecfi v\u00e0 c\u1eadp nh\u1eadt nhi\u1ec1u th\u1ee9 h\u01a1n n\u1eefa.<\/p>\n\n\n\n<p>N\u00ean ph\u00e1t tri\u1ec3n m\u1ea1nh c\u00e1c \u1ee9ng d\u1ee5ng t\u00edch h\u1ee3p \u0111\u1ec3 x\u1eed l\u00fd s\u1ef1 c\u1ed1, \u0111\u1ec3 \u0111em l\u1ea1i hi\u1ec7u qu\u1ea3 cao h\u01a1n nhi\u1ec1u cho h\u1ec7 th\u1ed1ng SIEM.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">13. Thi\u1ebft k\u1ebf &amp; qu\u1ea3n l\u00fd h\u1ec7 th\u1ed1ng SIEM<\/span><\/strong><\/h4>\n\n\n\n<p>C\u00f3 th\u1ec3 vi\u1ec7c thi\u1ebft k\u1ebf &amp; qu\u1ea3n l\u00fd h\u1ec7 th\u1ed1ng SIEM b\u1ea1n \u0111\u00e3 l\u00e0m xuy\u00ean su\u1ed1t trong c\u00e1c th\u1eddi gian tr\u01b0\u1edbc, l\u00e0m nhi\u1ec1u l\u1ea7n. 
Nh\u01b0ng th\u1ef1c s\u1ef1 \u0111\u1ec3 thi\u1ebft k\u1ebf m\u1ed9t h\u1ec7 th\u1ed1ng SIEM t\u1ed1t s\u1ebd c\u1ea7n quan t\u00e2m \u0111\u1ebfn r\u1ea5t nhi\u1ec1u y\u1ebfu t\u1ed1, gi\u1ea3i quy\u1ebft nhi\u1ec1u b\u00e0i to\u00e1n kh\u00f3 kh\u0103n, v\u00e0 quan tr\u1ecdng h\u01a1n c\u1ea3 l\u00e0 ph\u1ea3i t\u00ednh \u0111\u1ebfn vi\u1ec7c m\u1edf r\u1ed9ng h\u1ec7 th\u1ed1ng, chu\u1ea9n b\u1ecb s\u1eb5n c\u00e1c k\u1ebf ho\u1ea1ch, t\u00ednh n\u0103ng s\u1ebd s\u1eed d\u1ee5ng khi h\u1ec7 th\u1ed1ng \u0111\u01b0\u1ee3c m\u1edf r\u1ed9ng, tr\u00e1nh vi\u1ec7c ph\u1ea3i \u0111\u1eadp \u0111i x\u00e2y l\u1ea1i to\u00e0n b\u1ed9 hay ph\u1ea7n l\u1edbn h\u1ec7 th\u1ed1ng. Th\u1ef1c s\u1ef1 \u0111i\u1ec1u \u0111\u00f3 r\u1ea5t quan tr\u1ecdng v\u00e0 c\u1ea7n kinh nghi\u1ec7m \u0111\u1ee7 nhi\u1ec1u \u0111\u1ec3 c\u00f3 k\u1ebf ho\u1ea1ch c\u1ee5 th\u1ec3.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">14. T\u00edch h\u1ee3p c\u00e1c c\u00f4ng ngh\u1ec7 m\u1edbi<\/span><\/strong><\/h4>\n\n\n\n<p>Vi\u1ec7c t\u00ecm ki\u1ebfm c\u00e1c l\u1ed7 h\u1ed5ng, ph\u00e1t hi\u1ec7n c\u00e1c r\u1ee7i ro, h\u00e0nh vi b\u1ea5t th\u01b0\u1eddng b\u1eb1ng lu\u1eadt \u0111\u00e3 tr\u1edf n\u00ean kh\u00f3 kh\u0103n h\u01a1n v\u1edbi c\u00e1c v\u1ea5n \u0111\u1ec1 v\u1ec1 d\u1eef li\u1ec7u l\u1edbn, realtime hay \u0111\u1ed9 ch\u00ednh x\u00e1c,\u2026 <strong>V\u00e0 \u0111\u1ec3 kh\u00f4ng l\u1ea1c h\u1eadu, h\u00e3y h\u1ecdc h\u1ecfi th\u00eam c\u00e1c ki\u1ebfn th\u1ee9c v\u1ec1 Big Data, Machine Learning, Deep learning \u0111\u1ec3 x\u1eed l\u00fd c\u00e1c b\u00e0i to\u00e1n n\u00e0y.<\/strong> Vi\u1ec7c quan tr\u1ecdng l\u00e0 ph\u1ea3i hi\u1ec3u v\u1ec1 c\u00f4ng ngh\u1ec7, thu\u1eadt to\u00e1n v\u00e0 gi\u1ea3i ph\u00e1p SIEM \u0111ang d\u00f9ng c\u00f3 h\u1ed7 tr\u1ee3, l\u00e0m \u0111\u01b0\u1ee3c nh\u1eefng \u0111i\u1ec1u \u0111\u00f3 kh\u00f4ng? V\u00e0 s\u1ebd l\u00e0m nh\u01b0 th\u1ebf n\u00e0o? 
K\u1ebft qu\u1ea3 s\u1ebd t\u1edbi \u0111\u00e2u?<\/p>\n\n\n\n<p>Ngo\u00e0i ra c\u0169ng n\u00ean h\u1ecdc h\u1ecfi c\u00e1c c\u00f4ng ngh\u1ec7, gi\u1ea3i ph\u00e1p kh\u00e1c nh\u01b0 Firewall, IDPS, Anti Virus, Threat Intelligence,\u2026 \u0110\u1ec3 xem th\u1ef1c s\u1ef1 c\u00e1c gi\u1ea3i ph\u00e1p n\u00e0y \u0111ang x\u1eed l\u00fd d\u1eef li\u1ec7u nh\u01b0 n\u00e0o? S\u1eed d\u1ee5ng nh\u1eefng ngu\u1ed3n d\u1eef li\u1ec7u b\u00ean ngo\u00e0i nh\u01b0 n\u00e0o? T\u1eeb \u0111\u00f3 s\u1ebd \u0111\u01b0a t\u1edbi c\u00e1c bi\u1ec7n ph\u00e1p c\u1ea3i ti\u1ebfn trong vi\u1ec7c v\u1eadn h\u00e0nh lu\u1ed3ng ph\u00e2n t\u00edch d\u1eef li\u1ec7u log trong SIEM.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">15. Thi c\u00e1c ch\u1ee9ng ch\u1ec9<\/span><\/strong><\/h4>\n\n\n\n<p>Khi \u0111\u00e3 t\u00edch l\u0169y \u0111\u1ee7 nhi\u1ec1u, n\u00ean \u0111i h\u1ecdc th\u00eam c\u00e1c ch\u1ee9ng ch\u1ec9, n\u00f3 s\u1ebd gi\u00fap b\u1ea1n con \u0111\u01b0\u1eddng s\u1ef1 nghi\u1ec7p thu\u1eadn l\u1ee3i h\u01a1n v\u00e0 c\u00f3 th\u1ec3 b\u1ea1n s\u1ebd ho\u00e0n thi\u1ec7n h\u01a1n, b\u1ed5 sung m\u1ed9t s\u1ed1 thi\u1ebfu s\u00f3t v\u1ec1 c\u00e1c v\u1ea5n \u0111\u1ec1 Security, SIEM. <\/p>\n\n\n\n<p>M\u1ed9t s\u1ed1 ch\u1ee9ng ch\u1ec9 cho SIEM nh\u01b0 SANS SEC555, c\u00e1c ch\u1ee9ng ch\u1ec9 c\u1ee7a t\u1eebng gi\u1ea3i ph\u00e1p.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><span class=\"has-inline-color has-pale-cyan-blue-color\">16. C\u01a1 h\u1ed9i ngh\u1ec1 nghi\u1ec7p<\/span><\/strong><\/h4>\n\n\n\n<p><strong>C\u00f4ng vi\u1ec7c v\u1ec1 SIEM th\u00ec c\u00f3 r\u1ea5t nhi\u1ec1u, ng\u00e0y c\u00e0ng \u0111\u01b0\u1ee3c quan t\u00e2m v\u00e0 tuy\u1ec3n d\u1ee5ng nhi\u1ec1u h\u01a1n v\u1edbi c\u00e1c v\u1ecb tr\u00ed, m\u1ee5c \u0111\u00edch kh\u00e1c nhau. 
<\/strong><\/p>\n\n\n\n<p><strong>T\u1ed5ng th\u1ec3 c\u00f4ng vi\u1ec7c v\u1edbi SIEM th\u00ec g\u1ed3m c\u00e1c vi\u1ec7c nh\u01b0 sau:<\/strong><\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; &nbsp; &nbsp; X\u00e2y d\u1ef1ng c\u01a1 b\u1ea3n h\u1ec7 th\u1ed1ng SIEM<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; &nbsp; &nbsp; \u0110\u1ecbnh ngh\u0129a, x\u1eed l\u00fd v\u00e0 qu\u1ea3n l\u00fd d\u1eef li\u1ec7u log<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; &nbsp; &nbsp; Ph\u00e2n t\u00edch &amp; th\u1ed1ng k\u00ea &amp; c\u1ea3nh b\u00e1o \u0111\u1ed1i v\u1edbi d\u1eef li\u1ec7u log<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; &nbsp; &nbsp; X\u00e2y d\u1ef1ng c\u00e1c plugin, \u1ee9ng d\u1ee5ng h\u1ed7 tr\u1ee3 cho vi\u1ec7c v\u1eadn h\u00e0nh h\u1ec7 th\u1ed1ng SIEM nh\u01b0 authen ng\u01b0\u1eddi d\u00f9ng, c\u1ea3nh b\u00e1o t\u1edbi c\u00e1c m\u1ea1ng x\u00e3 h\u1ed9i, call g\u1ecdi t\u1edbi webhook x\u1eed l\u00fd s\u1ef1 c\u1ed1,\u2026<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; &nbsp; &nbsp; \u1ee8ng d\u1ee5ng c\u00e1c c\u00f4ng ngh\u1ec7 \u0111\u1ec3 n\u00e2ng cao hi\u1ec7u qu\u1ea3 ph\u00e2n t\u00edch d\u1eef li\u1ec7u log nh\u01b0 Data model, workflow, machine learning,\u2026<\/p>\n\n\n\n<p>&#8211; &nbsp; &nbsp; &nbsp; &nbsp; X\u00e2y d\u1ef1ng s\u01a1 \u0111\u1ed3 h\u1ec7 th\u1ed1ng SIEM theo c\u00e1c m\u00f4 h\u00ecnh standalone, cluster v\u1edbi SIEM, gi\u1ea3i quy\u1ebft c\u00e1c b\u00e0i to\u00e1n nh\u01b0 storage, cloud, authen, role, routing data, k\u1ebft h\u1ee3p v\u1edbi c\u00e1c gi\u1ea3i ph\u00e1p b\u1ea3o m\u1eadt kh\u00e1c,\u2026<\/p>\n\n\n\n<p>T\u01b0\u01a1ng \u1ee9ng v\u1edbi n\u00f3 c\u0169ng c\u00f3 c\u00e1c v\u1ecb tr\u00ed v\u1edbi nhi\u1ec1u c\u01a1 h\u1ed9i nh\u01b0 SIEM engineer, admin, developer, analyst, manager, architect. 
V\u00e0 xa h\u01a1n s\u1ebd kh\u00f4ng ch\u1ec9 SIEM m\u00e0 c\u1ea3 Security v\u00e0 Technical.&nbsp;<\/p>\n\n\n\n<p>L\u1eddi khuy\u00ean c\u1ee7a m\u00ecnh l\u00e0 c\u00e1c b\u1ea1n n\u00ean ch\u1ecdn c\u00e1c c\u00f4ng ty v\u1eeba v\u00e0 l\u1edbn, c\u00f3 h\u1ec7 th\u1ed1ng l\u1edbn \u0111\u1ec3 th\u1ef1c t\u1eadp v\u00e0 l\u00e0m vi\u1ec7c,&nbsp; v\u00ec nh\u1eefng c\u00f4ng ty n\u00e0y m\u1edbi c\u00f3 \u0111\u1ee7 d\u1eef li\u1ec7u log l\u1edbn cho c\u00e1c b\u1ea1n h\u1ecdc h\u1ecfi. Th\u00eam n\u1eefa, c\u00e1c c\u00f4ng ty l\u1edbn s\u1ebd quan t\u00e2m t\u1edbi tr\u1ea3i nghi\u1ec7m ng\u01b0\u1eddi d\u00f9ng nhi\u1ec1u, n\u00ean th\u01b0\u1eddng s\u1ebd \u00edt s\u1eed d\u1ee5ng c\u00e1c gi\u1ea3i ph\u00e1p b\u1ea3o m\u1eadt c\u1ee9ng nh\u1eafc nh\u01b0 firewall,&#8230;m\u00e0 s\u1ebd ph\u00e1t tri\u1ec3n v\u1ec1 vi\u1ec7c gi\u00e1m s\u00e1t h\u1ec7 th\u1ed1ng log \u0111\u1ec3 v\u1eeba \u0111\u1ea3m b\u1ea3o tr\u1ea3i nghi\u1ec7m ng\u01b0\u1eddi d\u00f9ng, v\u1eeba ki\u1ec3m so\u00e1t \u0111\u01b0\u1ee3c c\u00e1c r\u1ee7i ro trong h\u1ec7 th\u1ed1ng. Khi \u0111\u00f3 c\u00e1c b\u1ea1n s\u1ebd c\u00f3 m\u00f4i tr\u01b0\u1eddng v\u1edbi nhi\u1ec1u b\u00e0i to\u00e1n kh\u00f3 d\u01b0\u1edbi nhi\u1ec1u g\u00f3c \u0111\u1ed9 kh\u00e1c nhau \u0111\u1ec3 c\u00f3 th\u1ec3 th\u1eed nghi\u1ec7m v\u00e0 t\u00ecm t\u00f2i c\u00e1c gi\u1ea3i ph\u00e1p, \u1ee9ng d\u1ee5ng hay c\u00f4ng ngh\u1ec7 m\u1edbi.<\/p>\n\n\n\n<p>H\u00e3y c\u1ee9 h\u1ecdc h\u1ecfi, l\u00e0 h\u1ecdc v\u00e0 h\u1ecfi th\u1eadt nhi\u1ec1u, r\u1ed3i b\u1ea1n s\u1ebd nh\u00ecn ra \u0111\u01b0\u1ee3c con \u0111\u01b0\u1eddng c\u1ee7a b\u1ea3n th\u00e2n b\u1ea1n.<\/p>\n\n\n\n<p>C\u00f3 th\u1eafc m\u1eafc g\u00ec th\u00ec vui l\u00f2ng li\u00ean h\u1ec7 page Hackemall.<\/p>\n\n\n\n<p><strong>Longnh.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SIEM? 
N\u1ebfu c\u00e1c b\u1ea1n l\u00e0m an to\u00e0n v\u1eadn h\u00e0nh th\u00ec SIEM l\u00e0 gi\u1ea3i ph\u00e1p kh\u00f4ng th\u1ec3 thi\u1ebfu v\u00e0 b\u00e0i vi\u1ebft h\u00f4m nay m\u00ecnh s\u1ebd chia s\u1ebb c\u00f4ng vi\u1ec7c li\u00ean quan \u0111\u1ebfn n\u00f3,\u00a0 hi v\u1ecdng nh\u1eefng chia s\u1ebb c\u00f3 th\u1ec3 gi\u00fap \u0111\u01b0\u1ee3c c\u00e1c b\u1ea1n ph\u1ea7n n\u00e0o khi l\u00e0m An to\u00e0n v\u1eadn n\u00f3i chung v\u00e0 SIEM n\u00f3i [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":918,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,20],"tags":[],"_links":{"self":[{"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/posts\/910"}],"collection":[{"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/comments?post=910"}],"version-history":[{"count":9,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/posts\/910\/revisions"}],"predecessor-version":[{"id":922,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/posts\/910\/revisions\/922"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/media\/918"}],"wp:attachment":[{"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/media?parent=910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/categories?post=910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackemall.live\/index.php\/wp-json\/wp\/v2\/tags?post=910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}