My name is Furkan Kizilbayir, a fourth-year student at Hogeschool Utrecht, where I am pursuing a degree in ‘HBO-ICT – Cyber Security & Cloud’. Currently, I am actively engaged as an intern at LinProfs, where I am involved in a challenging project focused on enhancing the Security Information and Event Management (SIEM) system.
The assignment entrusted to me involved expanding the set of security rules (Sigma rules) for the SIEM. Initially, the SIEM primarily utilized standard rules that came bundled with the ElasticSIEM product. My task was to explore internet sources (preferably open source) for obtaining Sigma rules in YAML format. Additionally, I was expected to investigate how these rules could be converted into the appropriate format for the SIEM and how they could be kept automatically up-to-date. The ultimate goal was to elevate the security scanning level.
This challenge demanded a thorough analysis of the implementation of Sigma rules, including aspects such as keeping them up to date, processing, and storage. The article below provides an in-depth insight into my research and strategies to assist LinProfs in achieving enhanced cybersecurity using Sigma rules.
Sigma Rules - Project
Current State of Security Monitoring at LinProfs
To establish a solid foundation for understanding the existing security infrastructure at LinProfs, the research began with a thorough analysis of the current state of security monitoring. This involved a detailed examination of the applied techniques and tools for client management. These in-depth insights not only provide a comprehensive understanding of the existing infrastructure but also serve as a basis for further strategic decision making.
The analysis of the current state enabled LinProfs not only to identify the strengths of their security approach but also to pinpoint areas for improvement. This proactive insight into the current situation constituted the first step toward defining an effective strategy for automating Sigma rules.
Keeping Sigma Rules Up-to-date: A Thoughtful Approach
The key to effective security management lies in the regular updating of security rules, especially in an ever-changing cyber landscape. Strategies for keeping Sigma rules up to date were carefully analyzed to ensure a thoughtful approach.
An essential aspect of this approach is the implementation of a bi-weekly cron job, timed to the update frequency of the upstream GitHub repository. By regularly running the ‘sigma_tool.py’ script, the Sigma rules are automatically synchronized with the weekly updates on the GitHub page. This frequency was chosen to strike a balance between keeping the rules current and minimizing unnecessary executions.
A thorough analysis of encryption usage shaped the approach to secure password management within the ‘sigma_tool.py’ script: the stored passwords are protected and the potential security risks surrounding them are minimized. Additional layers of security, including extra file protections, were added to ensure a robust security level.
Processing and Storage of Sigma Rules: Flexibility and Overview
The processing and storage of security rules underwent a detailed analysis to formulate an optimal strategy. Instead of opting for a separate database, an approach promoting flexibility and clarity was chosen.
During the installation process, managed by the ‘sigma_install.py’ script, the user has the option to specify the name and location of the folder in which the Sigma rules will be stored. This approach provides both flexibility and clarity in the management of security rules. The generated folder structure follows a logical path, with the converted Sigma rules clearly visible in NDJSON format.
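The conversion step described above, as an added example that is not the project's own ‘sigma_tool.py’ code: a simplified translation of a parsed Sigma rule into the NDJSON objects that Elastic Security's detection-rule import accepts. The ECS field map, the UUID namespace and the sample rule are constructed assumptions, and only flat selections with simple and/or/not conditions are handled; a production pipeline would delegate the query translation to pySigma's Elasticsearch backend.

```python
import json
import uuid
# Sigma level -> (Elastic severity, Elastic's default risk_score); informational maps to low
SEVERITY = {"informational": ("low", 21), "low": ("low", 21), "medium": ("medium", 47),
            "high": ("high", 73), "critical": ("critical", 99)}
# Minimal Sigma (Windows) -> ECS field map, assumed for this example
FIELD_MAP = {"EventID": "winlog.event_id", "Image": "process.executable",
             "ParentImage": "process.parent.executable", "CommandLine": "process.command_line"}
# Fixed namespace so the same Sigma id always yields the same Elastic rule_id (constructed value)
NAMESPACE = uuid.UUID("5f2c6e3a-0d4b-4f1e-9a7c-2b8d1e6f3a90")

def kql_field(key, values):
    """One Sigma 'Field|modifier: value(s)' entry -> KQL term; list values are OR-ed."""
    field, _, mod = key.partition("|")
    ecs = FIELD_MAP.get(field, field)
    terms = []
    for v in values if isinstance(values, list) else [values]:
        s = str(v).replace("\\", "\\\\")          # backslash is KQL's escape character
        wrapped = {"contains": f"*{s}*", "startswith": f"{s}*", "endswith": f"*{s}", "": f'"{s}"'}[mod]
        terms.append(f"{ecs}:{s if mod == '' and not isinstance(v, str) else wrapped}")  # numbers unquoted
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"

def sigma_to_kql(detection):
    """Fields inside a selection are AND-ed; the condition combines the named selections."""
    groups = {name: " and ".join(kql_field(k, v) for k, v in sel.items())
              for name, sel in detection.items() if name != "condition"}
    toks = detection["condition"].split()
    if any(t not in groups and t not in ("and", "or", "not") for t in toks):
        raise ValueError(f"unsupported condition: {detection['condition']!r}")
    return " ".join(f"({groups[t]})" if t in groups else t for t in toks)

def sigma_to_elastic(rule):
    """Build the detection-rule object Elastic Security's NDJSON import expects."""
    severity, risk = SEVERITY[rule.get("level", "medium")]
    return {"rule_id": str(uuid.uuid5(NAMESPACE, rule["id"])), "name": rule["title"],
            "description": rule.get("description", ""), "type": "query", "language": "kuery",
            "query": sigma_to_kql(rule["detection"]), "index": ["winlogbeat-*", "logs-windows.*"],
            "severity": severity, "risk_score": risk, "enabled": True, "interval": "5m",
            "from": "now-6m", "tags": rule.get("tags", []), "references": rule.get("references", [])}

def to_ndjson(rules):
    # One JSON object per line: the file written into the rules folder and imported by Elastic
    return "".join(json.dumps(sigma_to_elastic(r)) + "\n" for r in rules)

# Constructed sample rule, in the form yaml.safe_load() returns for a Sigma YAML file
SAMPLE_RULE = {"title": "Whoami Execution", "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413",
               "description": "Detects execution of whoami.exe.", "level": "medium",
               "tags": ["attack.discovery", "attack.t1033"],
               "detection": {"selection": {"EventID": 4688, "Image|endswith": "\\whoami.exe"},
                             "filter": {"ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"]},
                             "condition": "selection and not filter"}}
```

Running `to_ndjson([SAMPLE_RULE])` yields one line that can be imported through the Elastic Security rules page or its import API; the `rule_id` is derived from the Sigma `id`, so a re-run of the sync replaces the existing rule rather than duplicating it.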
The decision not to store the rules in a separate database was justified by making more efficient use of Elastic itself as a comprehensive NoSQL database. This contributes to a structured and optimized storage of security rules without the need for an additional database.
Conclusion: A Resilient IT Infrastructure for LinProfs and Their Clients
The proposed automation strategies significantly contribute to strengthening the IT infrastructure for LinProfs and provide a valuable boost to the security of their clients. The automated approach not only alleviates operational burdens but also enhances the proactive response to potential threats. The synergy of regular updates of Sigma rules and structured processing and storage results in an optimized and resilient IT infrastructure.