Home Blog Page 3

Achieving Log Centralization and Analysis with Open Source SIEM and XDR: UTMStack

Log centralization and analysis are crucial for organizations in troubleshooting system errors, identifying cybersecurity threats, and adhering to various regulations such as The Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standards (PCI), Cybersecurity Maturity Model Certification (CMMC), and more. While contemporary SIEM solutions have simplified log management, features like threat intelligence and advanced event correlation are often restricted to paid, closed-code systems. This article will walk you through deploying log collectors, a comprehensive log management solution, and correlation rules using UTMStack, an open source and free SIEM and XDR solution, for effective threat detection, system error identification, and automated remediation.

Technology and Architecture Overview

Deploying UTMStack for log centralization and analysis involves three main components: log collectors aka agents, a central server for log centralization, and correlation rules for detection and incident response.

Agents: These collect logs from systems and execute local and remote incident response commands. Agents can also function as proxies for collecting syslog and netflow logs from network devices.

Central Server: This server stores and correlates logs from various assets like other servers and firewalls to identify potential threats and orchestrates incident responses across the IT ecosystem.

Correlation rules and Incident Response: These detect possible threats to system security and availability by correlating logs from multiple systems with threat intelligence and predefined malicious sequences of behaviors and compromise indicators. Once a correlation rule evaluates a group of logs as potentially malicious, an alert triggers the incident response command.

Deploying the Open Source Security Stack

Log Centralization Server

The log centralization server can be deployed using an ISO image from the utmstack website for simplicity. For advanced installation options, please visit the official GitHub repository https://github.com/utmstack/UTMStack

Here are the instructions for installing without the ISO on Ubuntu Linux 22.04 LTS.

After installation, access the server via a browser using the server’s IP address or DNS name and the random secure password provided by the installer.

Deploying Log Collectors

Navigate to the “Integrations” section and select the appropriate agent for your operating system. Additional integrations can be configured as needed.

Defining Correlation Rules and Incident Response

Correlation rules form the core of a log management system, defining which logs or combinations thereof should trigger an alert or incident. UTMStack uses these rules as a basis for Incident Response playbooks.

Let’s take, for instance, a brute-force attack. This type of cybersecurity threat attempts to guess a user’s password by trying massive random combinations of characters until the correct sequence matches the user’s credentials. These types of attacks usually leave behind a trail of logs that indicate a user has failed to log into a system several times in a short period of time.

You can access the complete list of prebuilt correlation rules and the guide to creating new ones from the official UTMStack repository. For this guide, we’ll create a sample correlation rule to detect brute-force attacks.

UTMStack correlation rules are written in plain YAML and have three main components. Threat documentation that describes the rule, defines a tactic category of attack, severity and name of the rule. The second component is the logic and frequency block, where the rules for triggering this alert are defined. Finally, the alert information block, where the information is extracted from the logs and saved into the alert item.

These YAML rules can be saved as text files and copied into the correlation rules folder via the Web User interface. Any rules uploaded there will be processed by the correlation engine automatically.

All logs the system receives are aggregated and correlated for indicators of compromise (IOCs) using several open threat intelligence feeds. This feature is enabled by default, and there is no need for custom correlation rules or configurations.

Finally, to deploy the incident response playbooks, navigate to the incident response automation section and drop a command to disable future login attempts from the offender host. This can be done by blocking its IP in the firewall or disabling the victim user until further investigation can be done.

UTMStack’s Incident response commands use dynamic variables to handle the execution of commands with different targets. Here are some examples.

Command to block a user:
usermod -L ${source.user}

Command to block an IP
iptables -A INPUT -s ${source.ip} -j DROP

Summary

Log centralization and analysis are essential for security, availability, and compliance. Open source tools can deliver advanced flexibility and rich feature sets to meet complex use cases and deliver an enterprise-ready experience. The UTMStack open source project is a powerful SIEM and XDR system that can deliver log management, threat detection and incident response by correlating and aggregating logs in real-time. Advanced features such as IOC detection, threat intelligence, and compliance are built-in features of the security stack.

Join Our Community and Contribute

We’re always looking for passionate individuals to contribute to our project. Whether you’re a developer, security expert, or just enthusiastic about cybersecurity, your input is valuable. Here’s how you can get involved:

GitHub Repository: Visit our GitHub repository to explore our code, submit issues, or contribute enhancements. Your code contributions can help us improve and expand UTMStack’s capabilities.

Discord Channel: Join our Discord community to discuss with fellow contributors, share ideas, and collaborate on projects. It’s a great place to learn from others and contribute your expertise.

Online Chat and Forums: For quick questions or discussions, use the online chat feature on our official website or the forums. It’s a direct line to our team and community for real-time interactions.

Your contributions, big or small, play a crucial part in the development and improvement of UTMStack. Together, we can build a stronger, more secure open-source SIEM & XDR solution. Join us today and help shape the future of cybersecurity!

Author


Rick Valdes
Founder, UTMStack

Linux 6.8 Brings More Sound Hardware Support For Intel & AMD, Including The Steam Deck

Waiting for pulling into the mainline kernel once Linus Torvalds is back online following Portland’s winter storms is the sound subsystem updates for Linux 6.8, which include a lot of new sound hardware support.

Linux sound subsystem maintainer Takashi Iwai at SUSE describes the new sound hardware support for Linux 6.8 as:

“Support for more AMD and Intel systems, NXP i.MX8m MICFIL, Qualcomm SM8250, SM8550, SM8650 and X1E80100”

Read more at Phoronix

Learn More in ’24 & Save up to 35%

Get Started on Your 2024 Career Resolutions with Savings up to 35%

*Offer ends January 23, 2024

Learn more at training.linuxfoundation.org

OpenTofu is going GA

Today is a big day for OpenTofu! After four months of work, we’re releasing the first stable release of OpenTofu, a community-driven open source fork of Terraform. OpenTofu, a Linux Foundation project, is now production-ready. It’s a drop-in replacement for Terraform, and you can easily migrate to it by following our migration guide.

Read more at opentofu.org

Linux Foundation Newsletter: December 2023

Welcome to the Linux Foundation’s December newsletter! In this edition, we cover the many gatherings that took place across the globe, notably at Open Source Summit Japan, AI.dev in San Jose, CA., and for several Linux Foundation project teams, at COP28 in Dubai. This month also saw the publication of our 2023 Annual Report, “Rising Tides of Open Source,” our most comprehensive publication of the year, as well as the launch of the LF Management and Best Practices initiative, new research reports and surveys, and the announcement of new projects.  We’re also excited to share our final Training & Certification deals of the year! 

Read more at linuxfoundation.org

Give the Gift of Learning With 35% Discount on all Training & Certification

35% Discount on Training & Certification Ad

Online Courses, Certifications, Bundles & IT Professional Programs

Offer ends December 21, 2023

Read More at Linux Foundation Training

Linux 6.8 To Drop The SLAB Allocator, SLUB Optimizations Coming Too

Following the SLOB allocator removal earlier this year, the Linux 6.8 kernel in the new year is now positioned to remove the SLAB allocator. Additionally, the lone good-for-everything SLUB allocator is set to receive further optimizations.

Read more at phoronix

Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover

Attackers can exploit a critical Bluetooth security vulnerability that’s been lurking largely unnoticed for years on macOS, iOS, Android, and Linux device platforms. The keystroke injection vulnerability allows an attacker to control the targeted device as if they were attached by a Bluetooth keyboard, performing various functions remotely depending on the endpoint.

Read more at darkreading.com

Linux Foundation Projects Unite at COP28 to Showcase Open Source Action on U.N. Sustainable Development Goals

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, is excited to announce a one-hour live-stream presentation at COP28, Dubai that will explore the transformative power of open source and how it is being used to advance the United Nations Sustainable Development Goals (SDGs). Featuring speakers from Linux Foundation Research, Linux Foundation Europe, OS-Climate, Hyperledger Foundation, AgStack Foundation, Fintech in Open Source Foundation (FINOS), Sustainable & Scalable Infrastructure Alliance, and the ELISA and Zephyr projects, the presentation will take place on December 6th from 15:00 – 16:00 GST in the COP28 Blue Zone. 

Read more at linuxfoundation.org

Cyber Monday Deals Extended Until Dec. 6th!

Last Chance CyberMonday Deals

Elevate your profile. Improve your skills. Showcase your badges. Get significant deals on open source training and certification from Linux Foundation. Deals end December 6, so start saving now!

  • Save 65% on IT Professional Programs, Power Bundles & Bundles
  • Save 50% on e-Learning & ILT Courses, Certifications & SkillCreds
  • Save 10% on THRIVE-ONE Annual Subscriptions
    Get a FREE gift with purchase.

SAVE NOW