Security information and event management (SIEM)

Cyber threats are today a major danger to critical infrastructures and to homeland security. For many years the focus was on the physical protection of critical infrastructures. Experts now recognize that critical infrastructure can also be attacked through the application layer of computer networks. To protect such critical systems efficiently, the huge volume of data they generate has to be analysed and correlated efficiently.
To tackle such a complex problem, within the frame of the Energy Shield project, Konnektable will develop an open source SIEM tool. The aim of this SIEM will be to provide an open source host-based security monitoring service, centralized and with a cross-platform architecture. A further benefit of the SIEM’s design is the capability it provides to easily integrate other tools and analytical services such as Elastic Stack and its components (Elasticsearch, Kibana), effectively upgrading and fine-tuning its efficiency and scope.
The developed SIEM solution collects and monitors the data from the other tools of the EnergyShield project, such as the Anomaly Detection tool (provided by SIGA), the Vulnerability Assessment tool (provided by Foreseeti) and the DDoS Mitigation tool (provided by L7 Defense). It is additionally linked to the forensic module, which enriches detected security events with knowledge extracted from external databases. Moreover, EnergyShield’s SIEM will be able to visualize the gathered data in the main dashboard, with the aid of Kibana.
Amongst the basic functions and goals of the project’s SIEM tool are the following:

  • Event Logging and Data Management
  • Secure Authorization with role-based access
  • Monitoring
  • Alerting
  • Visualization
  • System
  • Diagnostics

SIEM tool homepage

As the picture above demonstrates, this dashboard presents all the features that the SIEM can provide. The users can choose to visualize the data or to see what is happening on the monitored systems. They can view visualizations of the data and create their own plots. Moreover, they can apply multiple filters in order to discover vulnerabilities of the system.
EnergyShield’s SIEM provides secure authorization through the configuration of X-Pack security. As a result, users, roles and permissions can be defined. The SIEM allows new users to be created and their profiles adjusted with specific roles and permissions. This way the system can be managed in a way that is both more flexible and more secure.
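As an added example, not code from the EnergyShield project, the block below shows what a least-privilege X-Pack role configuration for this kind of SIEM looks like when defined through the Elasticsearch security API: analysts get read-only access to the event indices and to Kibana dashboards, collection agents get append-only access, and a check flags any role that could both read and alter the evidence. The index pattern siem-events-*, the ES_URL address and the ES_USER/ES_PASSWORD variables are assumptions.

```python
"""Least-privilege X-Pack roles for a Kibana-fronted SIEM (added example, not project code).
Assumed: events are in indices "siem-events-*", Elasticsearch is at ES_URL, and the
bootstrap credentials are passed as ES_USER / ES_PASSWORD."""
import base64, json, os, urllib.request

ES_URL = os.environ.get("ES_URL", "https://localhost:9200")  # assumed address
EVENT_INDICES = ["siem-events-*"]                            # assumed index naming
# Index privileges that let the holder add, change or remove documents or indices.
WRITE_PRIVS = {"all", "write", "create", "create_doc", "index", "delete",
               "delete_index", "manage", "auto_configure"}

def analyst_role() -> dict:
    """Dashboard users: query events and use Discover/Dashboard in Kibana, nothing more."""
    return {"cluster": ["monitor"],
            "indices": [{"names": EVENT_INDICES, "privileges": ["read", "view_index_metadata"]}],
            "applications": [{"application": "kibana-.kibana", "resources": ["space:default"],
                              "privileges": ["feature_discover.read", "feature_dashboard.read"]}]}

def ingest_role() -> dict:
    """Collection agents: append events only; they cannot read back or delete what they wrote."""
    return {"cluster": ["monitor"],
            "indices": [{"names": EVENT_INDICES, "privileges": ["create_doc", "auto_configure"]}]}

def check_least_privilege(roles: dict) -> list:
    """Flag roles holding cluster-wide 'all' or both read and write on event indices:
    an account with both can tamper with the very evidence the SIEM relies on."""
    findings = []
    for name, role in roles.items():
        if "all" in role.get("cluster", []):
            findings.append(f"{name}: cluster privilege 'all' is superuser-equivalent")
        for entry in role.get("indices", []):
            privs = set(entry["privileges"])
            if privs & WRITE_PRIVS and privs & {"read", "all"}:
                findings.append(f"{name}: read and write on {entry['names']}")
    return findings

def put_role(name: str, body: dict, user: str, password: str) -> dict:
    """Create or update a role via PUT /_security/role/<name> (Elasticsearch security API)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}
    req = urllib.request.Request(f"{ES_URL}/_security/role/{name}", method="PUT",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    roles = {"siem_analyst": analyst_role(), "siem_ingest": ingest_role()}
    print("findings:", check_least_privilege(roles) or "none")
    if "ES_USER" in os.environ:  # apply only when credentials were supplied
        print([put_role(n, b, os.environ["ES_USER"], os.environ["ES_PASSWORD"]) for n, b in roles.items()])
```

Run the check against every role before applying it; a role that is meant for Kibana users should never show up in the findings.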

Log data overview panel

The figure above presents an overview of log data. In this dashboard, the users can monitor all the systems where an agent has been installed and see, in the form of graphs, whether there is any suspicious behaviour. There are plenty of visualization diagrams, such as line plots, bar charts, pie charts, etc.

Metrics and Data panel

This figure provides metrics about the data so that the users have an overview of the data and can take appropriate actions. Also, with the right adjustments the user can then proceed to event logging.