SIEM: Practical implementation of a security system

This is a Bachelor's thesis from Mittuniversitetet/Institutionen för informationssystem och –teknologi

Author: Anders Strömberg; [2020]

Keywords: SIEM system; Python; Node JS

Abstract: In a large computer system or in a single personal computer, there are both internal and external threats to the system. For a seasoned user who knows what is important to monitor and which files are sensitive, it is possible to have control over the system. If, on the other hand, it is an inexperienced user or a larger system of several computers, networks, routers, switches and maybe services that are wholly or partly located on the Internet, it is very difficult to monitor the whole system. Where do infringement attempts occur? Did it just happen, or was it a couple of weeks ago? Are repeated login attempts by a specific user to be considered an intrusion? What has happened to the firewall and to the network? Who has queried the database? To monitor the whole system and get answers to these questions, you can use a SIEM system. It is designed to collect data, process and analyze it and present it in a way that is clear to the user. Today, there are SIEM systems on the market with parts of or complete solutions. Depending on what is needed or requested, the cost of these also varies. The report describes how the project is planned and goes through how a SIEM system is constructed and what parts are included. In the project, a SIEM system has been built up with some of the parts found in ready-made solutions today. The focus has been on retrieving data and systematically storing them in a PostgreSQL database. With so many different modules that will interact and work together, most of the time and energy has been spent on the design part of the SIEM system. The programming code is made in Python and Node JS.
