Configuration of a small network that simulates the network of a company. Internally it is made up of three subnets separated by a firewall and an IDS. The first subnet is an external DMZ that hosts an FTP server and an Apache web server with SQL and PHP. The second subnet, called the Internal Server Network, is made up of a Windows Server Active Directory, a server with a shared resource, and a Squid proxy; the proxy gives rise to the third subnet, the User Network, through which all the company's equipment connects. In the Internal Server Network, a SIEM will be implemented, configured and managed for the detection of security events; the chosen product is AlienVault.
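To make the three-zone layout concrete, the following is an added illustration (not the project's own firewall or SIEM configuration): a small Python model of the DMZ, Internal Server Network and User Network with a default-deny inter-zone policy, plus an audit function that flags flows the policy does not allow. The subnet addresses, host addresses, port numbers and the allowed-flow list are all assumptions made for this example; the real ruleset is not given on this page.

```python
"""Zone model for the simulated company network (added example, assumptions labelled)."""
import ipaddress

# Constructed subnets for the three zones in the text (assumed addressing).
ZONES = {
    "DMZ": ipaddress.ip_network("192.168.10.0/24"),
    "INTERNAL_SERVERS": ipaddress.ip_network("192.168.20.0/24"),
    "USERS": ipaddress.ip_network("192.168.30.0/24"),
}
INTERNET = "INTERNET"  # anything outside the three subnets

# Constructed host addresses (placeholders, not the project's real hosts).
HOSTS = {
    "web": "192.168.10.10",    # Apache + PHP + SQL in the DMZ
    "ftp": "192.168.10.11",    # FTP server in the DMZ
    "ad": "192.168.20.10",     # Windows Server Active Directory
    "share": "192.168.20.11",  # server with a shared resource
    "proxy": "192.168.20.12",  # Squid proxy
    "siem": "192.168.20.13",   # AlienVault SIEM
    "pc1": "192.168.30.50",    # user workstation
}

# Assumed default-deny policy: only these (src_zone, dst_zone, dst_port) flows pass the firewall.
ALLOWED = {
    (INTERNET, "DMZ", 80), (INTERNET, "DMZ", 443), (INTERNET, "DMZ", 21),
    ("USERS", "INTERNAL_SERVERS", 3128),  # users browse through the Squid proxy
    ("USERS", "INTERNAL_SERVERS", 445),   # SMB to the shared resource
    ("USERS", "INTERNAL_SERVERS", 389),   # LDAP to Active Directory
    ("USERS", "INTERNAL_SERVERS", 88),    # Kerberos to Active Directory
    ("INTERNAL_SERVERS", INTERNET, 80), ("INTERNAL_SERVERS", INTERNET, 443),  # proxy egress
    ("INTERNAL_SERVERS", "DMZ", 80), ("INTERNAL_SERVERS", "DMZ", 443),       # proxy to DMZ web
    ("DMZ", "INTERNAL_SERVERS", 514),     # DMZ hosts ship syslog to the SIEM
}


def zone_of(ip: str) -> str:
    """Return the zone name for an address, or INTERNET if it is in none of the subnets."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True if the flow is intra-zone (not filtered) or explicitly allowed across zones."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return (src, dst, dst_port) in ALLOWED


def audit(flows):
    """Return the flows that violate the policy; these are the ones worth alerting on in the SIEM."""
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed sample flows: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.5", HOSTS["web"], 80),      # internet visitor to DMZ web: allowed
    (HOSTS["pc1"], HOSTS["proxy"], 3128),   # user to proxy: allowed
    (HOSTS["pc1"], HOSTS["ad"], 389),       # user to AD LDAP: allowed
    (HOSTS["web"], HOSTS["ad"], 389),       # DMZ host to internal AD: denied
    (HOSTS["pc1"], HOSTS["web"], 80),       # user bypassing the proxy: denied
    (HOSTS["ftp"], HOSTS["siem"], 514),     # DMZ syslog to SIEM: allowed
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("policy violation:", flow)
```

Running the block prints the two flows that cross zone boundaries without a matching rule (the DMZ web server reaching Active Directory, and a workstation reaching the DMZ directly instead of via Squid); in the real deployment the firewall log for such drops is exactly what the SIEM would correlate on.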
The motivation for this work is my view that a SIEM tool is very important for the detection of security events: with it we can know the security status of our network, receive events in real time, and see all the activity that arises in the network. Not only does it help with detection, but it is also a great help in the event of an information security incident, since it provides a lot of value in forensic analysis. It gives us very useful information for continuous learning, and if it is complemented with threat intelligence, that learning becomes better informed, since sharing data allows us to reach preventive measures in advance.
From my point of view, the use of SIEM tools is of vital importance: once security has been implemented in layers, it gives us detection of security events and knowledge of the security status of our very valuable network. The next steps would be to carry out ethical hacking audits on a regular basis to check vulnerabilities and the security status of systems and infrastructure, in order to continuously improve the security of our network.
This work is made up of nine sections grouped into six large blocks, which are: the company's IT infrastructure, analysis of the company's key information assets and the information they , implementation of the monitoring system (SIEM), configuration of the monitoring system, and view of the security status of the elements, response to security incidents and security status reports.
With this organization we will see how, starting from the technological infrastructure of the company and once its business model is known, the key information assets can be identified (Chapter 1: Company Network Map). Once the key assets are known, it describes which devices support and protect them, so that they can be monitored through the SIEM (Chapter 2: Identification and description of the devices to be monitored). The devices to be monitored are then described in order to establish how this can be done (Chapter 3: Description of the events and logs to be collected). The next chapter (Chapter 4: Log collection systems) describes which systems can be monitored. Then the implementation of the SIEM system is shown in detail to centralize the monitoring of all these devices (Chapter 5: Implementation of the SIEM system), together with how to define rules that will alert us based on activity within the network (Chapter 6: Correlation rules). Finally, we will see a dashboard that helps us view the security status (Chapter 7: Dashboard), how to manage security incidents (Chapter 8: Alarm system and ticketing), and we end with a report tailored to the incident situation and security status (Chapter 9: Reporting).