April 23rd, 2020
Deploying a Simple Open Source SIEM
Introduction
There is a lot going on in a modern network, and the ability to visualize, search, and react to security events is critical. A SIEM (Security Information and Event Management) platform is typically used to meet these needs. There are many SIEM products on the market and it can be a very complex topic, but some open-source solutions can meet your needs. This blog walks you through deploying, and doing some basic work with, an open-source solution called the Elastic Stack. The Elastic Stack is a versatile platform used for many different purposes; today we will focus on a simple SIEM implementation.
Virtual Machine Setup
Our lab SIEM deployment will be installed on a VMware environment as a single virtual machine. For a production environment be sure to size your virtual machines or hosts properly to meet your needs. In addition, since this is a lab environment, we will not attempt to secure the host: Elasticsearch and Kibana will listen on every interface with no authentication, so keep the VM on an isolated lab network. In production you would want to harden the host, deploy SSL/TLS, and require authentication.
Let's get started by creating a new virtual machine. For our lab needs we will configure an Ubuntu 18.04 server virtual machine with 4 vCPUs, 2 GB of RAM, a 300 GB disk, and a single Ethernet port. Two gigabytes is the floor: Elasticsearch 7.x reserves a 1 GB JVM heap by default (set in /etc/elasticsearch/jvm.options) and Kibana needs several hundred megabytes on top of that, so give the VM more memory if either service fails to start.
Make sure to mount your Ubuntu ISO for your CD and click the attach check box.
Figure 1: Virtual Machine Parameters
Click finish and power on your new virtual machine. Connect to the console and start a standard installation selecting your keyboard map and other host information. For your network connection you can either assign a static IP address or leave it as DHCP depending on your requirements. In our case we will use a static IP address.
Figure 2: Static IP Address Configuration
You will also need to set up a user that will later be used to access the command line of the virtual machine. Make sure you remember the credentials, as you will need them later.
Figure 3: Initial User Creation
Continue through the standard setup. Towards the end of the setup, make sure to enable the OpenSSH server; this is how we will access the new virtual machine once the installation is complete.
Figure 4: Enable OpenSSH Server
Finish going through the install wizard and reboot your virtual machine. We are now ready to install and configure our services.
Elasticsearch Install
Our first service to install is Elasticsearch. This is the core component that stores and indexes the collected data so we can search it. To begin the installation, we need the new virtual machine's command line, which we will reach over SSH (Secure Shell). There are many SSH clients out there; we will use PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on Windows. Open your SSH client and connect to the virtual machine you just created.
Figure 5: Use SSH Client to Connect to Virtual Machine
Once connected, the first step is to install Elastic's APT signing key. Note that apt-key trusts this key for every repository on the system, not only Elastic's.
Command: wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Figure 6: Install APT key
Next, add the Elastic APT software repository. This gives us access to the software components required for the SIEM installation.
Command: sudo apt update
sudo apt install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch
Figure 7: Elasticsearch Software Install
Now that the software is installed, we need to do a little configuration. There are many options in the configuration file; we will set only the minimum required for the service to start and be reachable from other hosts. Open the configuration file with the nano text editor and make sure the following options are set (the stock file ships them commented out).
Command: sudo nano /etc/elasticsearch/elasticsearch.yml
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
Binding network.host to 0.0.0.0 makes Elasticsearch reachable on every interface, which is what we want in the lab, but it also switches Elasticsearch 7.x into production mode, so the cluster.initial_master_nodes bootstrap setting is required or the node will refuse to start.
Figure 8: Elasticsearch Partial Configuration
Now that Elasticsearch is configured for our needs, start the service and make sure it answers from a browser at http://<vm-ip>:9200. The first start can take a minute, so retry if the page does not load right away.
Command: sudo service elasticsearch start
Figure 9: Elasticsearch Access Validation
If you see a reply similar to Figure 9 (a small JSON document with the node name, cluster name and version), set Elasticsearch to start at boot time and move on to the next step.
Command: sudo systemctl enable elasticsearch
Kibana Install
The next component is Kibana, the web interface you will use to view the collected data; all this data would not be much good without a way to view it. Installation is easy since we have already added the APT repository.
Command: sudo apt install kibana
Figure 10: Kibana Software Installation
Once the software is installed, we again need to edit the configuration to suit our needs; we are configuring only the minimum for the lab. Using nano, open the configuration file and make sure the following options are set.
Command: sudo nano /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
Figure 11: Kibana Partial Configuration
Once you have saved your configuration changes, start the service, set it to start at boot time, and validate access with a browser at http://<vm-ip>:5601. Kibana reports "Kibana server is not ready yet" for a short while after starting; wait and reload.
Command: sudo service kibana start
Command: sudo systemctl enable kibana
Figure 12: Validate Kibana Access
Once you have validated access it’s time to move on to Beats.
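The Elasticsearch and Kibana steps above (key, repository, package install, the four elasticsearch.yml settings, the three kibana.yml settings, enable and start, check the node answers) collected into one script. This is an added example, not code from the original post or from Elastic. It assumes an Ubuntu 18.04 host run as root, the stock 7.x configuration files, and the values used in this post; the set_yaml_kv, get_yaml_kv, health_status and wait_for_es helper names are my own.

```shell
#!/bin/sh
# Lab provisioning helper for a single-node Elastic SIEM (Ubuntu 18.04).
# Added example, not the post's or Elastic's code. Run as root:
#   sudo sh elastic-lab.sh install
set -eu

ES_YML=/etc/elasticsearch/elasticsearch.yml      # stock paths from the .deb packages
KIBANA_YML=/etc/kibana/kibana.yml
ES_URL=http://127.0.0.1:9200

# Set "key: value" in a YAML file: drop any existing active or commented-out
# line for that key (the stock files ship them commented out) and append the
# new setting, so running the script twice gives the same result.
set_yaml_kv() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    tmp=$(mktemp)
    grep -v "^[# ]*${key_re}:" "$file" > "$tmp" || true
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Read back an active (uncommented) setting; prints nothing if it is unset.
get_yaml_kv() {
    grep "^$(printf '%s' "$2" | sed 's/\./\\./g'): *" "$1" | head -n 1 | sed 's/^[^:]*: *//'
}

configure_elasticsearch() {
    set_yaml_kv "$1" node.name node-1
    set_yaml_kv "$1" network.host 0.0.0.0
    set_yaml_kv "$1" http.port 9200
    # A non-loopback network.host puts 7.x in production mode, which refuses
    # to start without a cluster bootstrap setting.
    set_yaml_kv "$1" cluster.initial_master_nodes '["node-1"]'
}

configure_kibana() {
    set_yaml_kv "$1" server.port 5601
    set_yaml_kv "$1" server.host '"0.0.0.0"'
    set_yaml_kv "$1" elasticsearch.hosts '["http://localhost:9200"]'
}

# Extract the cluster status from a GET /_cluster/health response body.
# "yellow" is normal for a single node once indices with replicas exist;
# "red" means primary shards are missing and needs attention.
health_status() {
    printf '%s' "$1" | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# Poll until Elasticsearch answers; the first start can take a minute.
wait_for_es() {
    i=0
    while ! curl -sf "$ES_URL/_cluster/health" > /dev/null; do
        i=$((i + 1))
        [ "$i" -lt 60 ] || { echo "Elasticsearch did not start" >&2; return 1; }
        sleep 2
    done
    echo "Elasticsearch status: $(health_status "$(curl -s "$ES_URL/_cluster/health")")"
}

install_all() {
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    apt-get install -y apt-transport-https
    echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" \
        > /etc/apt/sources.list.d/elastic-7.x.list
    apt-get update
    apt-get install -y elasticsearch kibana
    configure_elasticsearch "$ES_YML"
    configure_kibana "$KIBANA_YML"
    systemctl enable --now elasticsearch kibana
    wait_for_es
}

case "${1:-}" in
    install) install_all ;;
esac
```

The configuration helpers take the file path as an argument, so they can be exercised against a copy of the stock files before touching the live ones; the install step itself only runs when the script is invoked with the `install` argument.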
Beats Install
Now the fun part begins. Beats are lightweight agents that collect data and ship it to Elasticsearch for indexing. There are many flavors of Beats, each with a different purpose: for example, Packetbeat collects network traffic, Filebeat ingests log files, and Winlogbeat collects Windows event logs. Additional information on Beats is available on the Elastic Beats website (https://www.elastic.co/downloads/beats).
For our lab setup we will only install Winlogbeat on a Windows 10 host, and we will do the installation manually. In a production environment this could be automated with Group Policy or any other software deployment/management tool.
To begin, log into a Windows 10 host and download the Winlogbeat package from the following link: https://www.elastic.co/downloads/beats/winlogbeat
Uncompress the archive, rename the folder to winlogbeat, and copy it to C:\Program Files\.
Now, as with the other components, we need to edit the configuration file to suit our needs. Open winlogbeat.yml with your favorite text editor and change the two host entries (the setup.kibana host and the output.elasticsearch hosts list) to point to the virtual machine created earlier.
Figure 13: Winlogbeat.yml Host Changes
Once the configuration changes are saved, it's time to install the winlogbeat service. Open a PowerShell prompt as administrator and change to your winlogbeat directory. The default execution policy blocks the unsigned install script, so start a nested PowerShell with the policy bypassed for that process only:
Command: powershell -ep bypass
Now run the service installation script. It registers the service using the folder it runs from, so leave the folder in place afterwards.
Command: .\install-service-winlogbeat.ps1
Figure 14: Winlogbeat Service Install
Once installed, start the service. Winlogbeat will now collect Windows event logs and send them to Elasticsearch for processing.
Command: Start-Service winlogbeat
Validate that the service is running in the Services console (services.msc) or with Get-Service winlogbeat.
Figure 15: Winlogbeat Service Running
Sample Usage
Now that we have all the required components in place, let's access Kibana and do a little testing. Open a web browser, go to your virtual machine's IP address on port 5601 to display the Kibana portal, and select the SIEM icon near the bottom of the left-hand menu.
Figure 16: Kibana SIEM Access
Now click on Hosts. You should see a host count of 1 and some user authentication graph data. The Windows 10 host that the Winlogbeat agent was installed on will be listed under All hosts.
Figure 17: Kibana SIEM Hosts
Now that everything appears to be working, let's add a local user to our Windows 10 host and add that user to the local Administrators group. Creating a privileged local account is a common persistence step for an attacker who has gained a foothold, so it is a good event to test with.
Figure 18: Create Local User and Add to Administrators
Now back to the Kibana SIEM to see whether the potentially malicious activity was recorded. We will search for the specific event using the search box near the top of the page.
Search: event.action : "added-group-account-to"
The event.action value is assigned by Winlogbeat's security module and has changed between releases, so if this search returns nothing, search on the underlying Windows event ID instead: event.code : 4732, which is "A member was added to a security-enabled local group".
Figure 19: Search for Potentially Malicious Event
As you can see from the image, we were able to pick up these events with a good amount of detail. This is just a small example of the information that can be obtained. Many additional add-ons and agents are available to collect additional information and create alerts based on specific events.
Conclusion
The more information you can collect and process from your environment the more insight you will have into misconfigurations, errors, performance, and malicious events. A small budget, a little elbow grease, and open source tools is all that’s required to get you started. This should get you up and running and give you the ability to expand over time adding additional hosts, agents, and add-ons.
Blog By: Brian Hitchcock CISSP, OSCP