Master Thesis

This Master's thesis focuses on the implementation of a next-generation Security Information and Event Management (SIEM) system using open-source tools to enhance cybersecurity measures. It discusses the increasing sophistication of cyber threats and the necessity for effective security solutions, while analyzing current SIEM systems and the advantages of open-source technologies. The research aims to develop a customizable and cost-effective SIEM solution that improves the operations of Security Operations Centers (SOCs).

Order No.: ........

People’s Democratic Republic of Algeria
Ministry of Higher Education and Scientific Research
Djillali Liabès University of Sidi Bel Abbès
Faculty of Exact Sciences
Department of Computer Science

Master’s Thesis

Field: Mathematics-Computer Science
Major: Computer Science
Specialization: Networks, systems, and information security

By

Mr Ahmed Mouad MERIOUA
Mr Mohamed HADJ MIMOUNE

Implementing a Next-Gen SIEM using open-source tools

Graduated on 0-2024 before the jury:

Dr. Khobzaoui Abdelkader, University Jury, President of the Jury
Dr. Taieb Brahim Mohammed, University Jury, Examiner
Pr. Boukli Hacen Sofiane, University Jury, Thesis Supervisor

Academic Year: 2023 - 2024


Abstract

In recent years, the field of cybersecurity has undergone significant advancements, driven by the continuous threat of cyber attacks, which have increased in both frequency and sophistication. This surge in cyber threats has necessitated the development of more robust and effective security solutions to ensure the continuous protection of corporate information and the stable operation of business processes.

One promising approach to addressing these challenges is the implementation of next-generation Security Information and Event Management (SIEM) systems using open-source tools. This thesis aims to explore the design and implementation of a next-gen SIEM, focusing on its ability to provide comprehensive, real-time security monitoring and incident response capabilities. By leveraging open-source technologies, organizations can achieve a cost-effective and customizable solution tailored to their specific security needs.

The research presented in this thesis includes an in-depth analysis of current SIEM systems and of the benefits and limitations of using open-source tools. Through this study, we aim to develop an open-source SIEM that enhances the effectiveness and efficiency of Security Operations Centers (SOCs).

Keywords: SIEM, Security Information and Event Management, Open-source tools, Cybersecurity, SOC, Security Operations Center, Next-generation SIEM, Incident response.

Acknowledgment

First and foremost, we want to extend our thanks to ALLAH for providing us with the strength, courage, and determination to achieve this modest effort.

We express our gratitude to Professor Sofiane Boukli Hacene and Dr. Oussama SERHANE for directing this project and providing us with excellent guidance, support, and encouragement.

Thanks to the jury members for agreeing to evaluate this work, as well as to all of our school’s teachers.

We thank our wonderful parents for their commitment and gratitude, as well as our brothers and sisters for their selfless sacrifices and boundless generosity.

We appreciate our friends for all the time we spent together.

Finally, we want to express our heartfelt gratitude to everyone who helped make this project a reality, no matter how small or large their contribution was.

Contents

General Introduction

Part I: Theoretical Part

1 Theoretical background
1.1 Introduction
1.2 Security Principles and Terminologies
1.2.1 The Security Controls
1.2.2 Terms and Definitions
1.3 Cybersecurity Overview and Aspects
1.3.1 Definition and Scope
1.3.2 Different Types of Cybersecurity
1.4 Importance of Cybersecurity
1.5 Types of Most Common Cybersecurity Threats
1.6 What is a Cyber Security Framework?
1.7 What are the types of Cybersecurity Frameworks?
1.7.1 Control Frameworks
1.7.2 Program Frameworks
1.7.3 Risk Frameworks
1.8 Top Cyber Security Frameworks
1.8.1 The NIST Cyber Security Framework
1.8.2 The Center for Internet Security Critical Security Controls (CIS)
1.8.3 The International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002
1.8.4 The Health Insurance Portability and Accountability Act (HIPAA)
1.9 Why Do We Need Cyber Security Frameworks?
1.10 GRC (Governance, Risk Management, and Compliance)
1.10.1 The Importance of GRC in Cyber Security
1.11 Red Teaming Techniques and Applications
1.11.1 The Role of the Red Team
1.11.2 Common Red Team Tasks
1.11.3 Penetration Testing
1.11.4 The Penetration Testing Process
1.12 Blue Team: Cyber Defense
1.12.1 General Information on Security Operations Centers (SOCs)
1.12.2 Importance of SOCs
1.12.3 Components of a SOC
1.12.4 People Involved
1.12.5 Technologies and Tools Adopted
1.12.6 SOC Generations
1.12.7 First-Generation SOC
1.12.8 Second-Generation SOC
1.12.9 Third-Generation SOC
1.12.10 Fourth-Generation SOC
1.13 Conclusion

2 Open-source and its application in cybersecurity
2.1 Definition
2.2 Evolution and Impact
2.3 Advantages of Open-Source in Cybersecurity
2.4 Use Cases and Applications
2.4.1 Network Security
2.4.2 Vulnerability Assessment
2.4.3 Penetration Testing
2.5 Best Practices for Using OSS in Cybersecurity
2.6 Challenges and Considerations
2.7 The Future of OSS in Cybersecurity
2.8 Conclusion

3 Security information and event management (SIEM)
3.1 SIEM Definition
3.2 History and Evolution of SIEM
3.3 Theory and Process Flow of SIEM
3.3.1 Data Collection
3.3.2 Data Normalization
3.3.3 Aggregation
3.3.4 Correlation
3.3.5 Alerting and Automatic Response
3.3.6 Archiving
3.4 Benefits of SIEM
3.5 SIEM Solutions Types
3.6 Commercialized Solutions
3.7 Open-source Solutions
3.7.1 Elasticsearch
3.7.2 OSSIM
3.7.3 Wazuh
3.7.4 Quadrant Sagan
3.7.5 Comparative Table
3.8 Limitations of Traditional SIEM
3.9 Features of Next-Gen SIEM
3.10 Conclusion

Part II: Practical Part

4 Design and implementation
4.1 Introduction
4.2 Prerequisites
4.2.1 Infrastructure
4.2.2 SOC Environment
4.2.3 Attacker Machine
4.3 Infrastructure Components
4.4 SIEM Architecture
4.4.1 Log Collection Module
4.4.2 Log Normalization Module
4.4.3 Log Consolidation Module
4.4.4 Event Analysis Module
4.4.5 Incident Management Module
4.4.6 Alert Management Module
4.4.7 Dashboard Module
4.5 Wazuh tool
4.5.1 Wazuh Definition
4.5.2 Wazuh Features
4.5.3 Wazuh Components
4.5.4 Wazuh Indexer
4.5.5 Wazuh Server
4.5.6 Wazuh Dashboard
4.5.7 Wazuh Agent
4.6 Suricata
4.6.1 A Detection Engine
4.6.2 How Suricata Works
4.6.3 Suricata Features
4.6.4 Suricata Benefits
4.6.5 Suricata Deployment Options
4.7 VirusTotal
4.7.1 Definition
4.7.2 Background and Development
4.7.3 How It Works
4.7.4 Advanced Features
4.7.5 Collaboration and Community
4.8 Implementation
4.8.1 Lab Environment
4.8.2 Lab Environment Architecture
4.9 Installation
4.9.1 Wazuh Installation
4.9.2 Suricata Installation
4.9.3 VirusTotal Integration
4.10 Conclusion

5 Tests and Results
5.1 Introduction
5.2 Scenario 1: Vulnerability detection
5.2.1 Overview
5.2.2 Prerequisites
5.2.3 Attack emulation
5.2.4 Results and generated alerts
5.3 Scenario 2: File integrity monitoring
5.3.1 Overview
5.3.2 Prerequisites
5.3.3 Attack emulation
5.3.4 Results and generated alerts
5.4 Scenario 3: Detecting an SQL injection attack
5.4.1 Overview
5.4.2 Prerequisites
5.4.3 Attack emulation
5.4.4 Results and generated alerts
5.5 Scenario 4: Detecting a DHCP starvation attack
5.5.1 Overview
5.5.2 Prerequisites
5.5.3 Attack emulation
5.5.4 Results and generated alerts
5.6 Scenario 5: Responding to a port scanning attack
5.6.1 Overview
5.6.2 Prerequisites
5.6.3 Attack emulation
5.6.4 Results and generated alerts
5.7 Scenario 6: Responding to a DoS attack
5.7.1 Overview
5.7.2 Prerequisites
5.7.3 Attack emulation
5.7.4 Results and generated alerts
5.8 Scenario 7: Detecting and removing malware
5.8.1 Overview
5.8.2 Prerequisites
5.8.3 Attack emulation
5.8.4 Results and generated alerts
5.9 Scenario 8: Blocking an SSH brute-force attack
5.9.1 Overview
5.9.2 Prerequisites
5.9.3 Attack emulation
5.9.4 Results and generated alerts
5.10 Scenario 9: Mitigating a Cross-Site Scripting (XSS) attack
5.10.1 Overview
5.10.2 Prerequisites
5.10.3 Attack emulation
5.10.4 Results and generated alerts

Bibliography

List of Figures

1.1 National Institute of Standards and Technology (NIST) Cybersecurity Framework
1.2 CIS Controls
1.3 Fundamentals of People, Process, and Technology
1.4 SOC Responsibilities, Skills, and Certifications
1.5 Opening a New Incident Ticket in Cisco SecureX
1.6 SOC generations
2.1 Expected Change in Software
2.2 Top open-source network monitoring tools
2.3 Open-source firewalls
2.4 Open-source vulnerability assessment tools
3.1 SIEM steps
3.2 Event normalization example
3.3 Event aggregation example
3.4 Most popular SIEM tools
3.5 Elasticsearch logo
3.6 OSSIM logo
3.7 Wazuh logo
3.8 Quadrant Sagan logo
3.9 NG-SIEM data collection
3.10 Incident prioritization
4.1 Log collection module
4.2 Log normalization module
4.3 Log consolidation module
4.4 Event analysis module
4.5 Incident management module
4.6 Alert management module
4.7 Class diagram of the log normalization module
4.8 The Wazuh components and data flow
4.9 Server architecture diagram
4.10 Wazuh out-of-the-box dashboards
4.11 Agent monitoring dashboard
4.12 Agent architecture diagram
4.13 Suricata ecosystem
4.14 Suricata system
4.15 VirusTotal working system
4.16 Hardware resources
4.17 VMware logo
4.18 Ubuntu logo
4.19 Kali Linux logo
4.20 Windows 10 logo
4.21 Windows Server logo
4.22 Red Hat logo
4.23 Lab architecture
4.24 Wazuh installation command
4.25 Access credentials
4.26 Wazuh login interface
4.27 Wazuh home page
4.28 Adding a Windows agent
4.29 Adding a Windows agent
4.30 Adding a Windows agent
4.31 Adding a Linux agent: steps
4.32 Adding a Linux agent: steps
4.33 Adding a Linux agent: steps
4.34 Agent dashboard
4.35 Installation command
4.36 Downloading and extracting command
4.37 suricata.yaml file
4.38 Suricata logs configuration
4.39 Restarting command
4.40 VirusTotal sign-up page
4.41 VirusTotal API key
4.42 VirusTotal integration configuration
5.1 Red Hat agent vulnerabilities
5.2 Windows 10 agent vulnerabilities
5.3 Windows Server 2016 agent vulnerabilities
5.4 Ubuntu agent vulnerabilities
5.5 The monitored directories in Ubuntu
5.6 The monitored directories in Windows
5.7 Visualize FIM alerts from Ubuntu
5.8 Visualize FIM alerts from Windows
5.9 Lines added to the Wazuh agent to monitor the access logs of the Apache server
5.10 SQL injection command
5.11 SQL injection rule alert
5.12 Yersinia GUI
5.13 Visualize DHCP rule alert
5.14 Nmap custom rule
5.15 Firewall active response
5.16 Nmap scan command
5.17 Nmap rule alert
5.18 Clone command
5.19 GoldenEye command in Kali
5.20 Visualize DoS alert
5.21 PowerShell command
5.22 Remove malware from Windows alert
5.23 Hydra command
5.24 SSH brute-force alerts
5.25 XSS injection payload
5.26 XSS attack alerts

List of Tables

1.1 Comparison between Traditional and Next-Generation SOCs
3.1 Pros and Cons of Elasticsearch
3.2 Pros and Cons of OSSIM
3.3 Pros and Cons of Wazuh
3.4 Pros and Cons of Quadrant Sagan
3.5 Comparative Table of Wazuh, ELK Stack, Quadrant Sagan, and OSSIM
4.1 Wazuh Indices and their Descriptions

General Introduction

Context

In our rapidly evolving technological landscape, securing personal and organizational information has become a paramount concern. The spectrum of sensitive data extends beyond personal identifiers to encompass trade secrets, product designs, and customer information, all of which must be protected from unauthorized access and theft. With the relentless pace of technological advancement, the cyber threat landscape has evolved concurrently, presenting increasingly sophisticated challenges. Traditional security measures, including firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), antimalware, and antivirus solutions, are no longer sufficient to safeguard against these advanced threats.

The increasing complexity and scale of cyber threats are exacerbated by vulnerabilities in network configurations and security policies. These vulnerabilities provide cybercriminals with avenues to exploit network resources using varied penetration strategies. Consequently, the protection of information systems, which are critical assets for any organization, demands robust threat detection and response capabilities. This includes real-time event monitoring and long-term data retention to detect abnormal usage patterns and trigger alerts when necessary.

The complexity of managing network security necessitates the development of powerful automated security analysis tools. A Security Information and Event Management (SIEM) system is a pivotal component in this regard. SIEM systems aggregate and analyze events from various network devices and security tools, enabling the identification and rectification of network configuration errors, detection of security threats, identification of critical network resources, and the implementation of effective security policies and mechanisms.

Problem Statement

In today’s digital landscape, the security of organizational infrastructure is of utmost importance to guard against increasingly frequent, sophisticated, and varied cyberattacks. As networks expand and security demands escalate, the challenge of managing and responding to these threats intensifies. One of the primary challenges in network security is the implementation of a next-generation Security Information and Event Management (SIEM) system that provides advanced capabilities for effective threat detection and response. This thesis aims to address the following research question: How can open-source tools be integrated and customized to create a next-generation SIEM that provides advanced capabilities that go beyond traditional methods?

Motivation

Choosing open-source tools for building Security Information and Event Management (SIEM) systems is driven by the search for budget-friendly and flexible solutions in cybersecurity. Open-source tools offer a more cost-effective option, and by adopting them the aim is to make advanced cybersecurity features accessible to more organizations, helping them strengthen their defenses in a way that suits their unique requirements. This motivation reflects a commitment to making cybersecurity strategies more inclusive and adaptable using accessible technology.

Objective

The objective of this master’s thesis is to design, develop, and implement a Next-Gen SIEM platform built entirely on open-source tools. The thesis aims to:

• Conduct an evaluation of existing traditional SIEM solutions. This involves analyzing their features, capabilities, and limitations in addressing modern cyber threats.
• Identify the specific security requirements that are essential for combating next-generation cyber threats. This involves researching emerging attack vectors, advanced persistent threats, and vulnerabilities that traditional SIEM solutions may struggle to mitigate.
• Explore various open-source tools and integrate them seamlessly.
• Evaluate and validate the performance and effectiveness of the developed Next-Gen SIEM system using various metrics and criteria.
• Test and simulate real-world use cases. This will involve assessing its effectiveness in detecting and responding to sophisticated cyber attacks and its scalability in large-scale enterprise environments.

The result of this study is expected to contribute to the advancement of SIEM technology, offering organizations a cost-effective and reliable solution.

Plan

This thesis is divided into two main parts, each of which is divided into a set of chapters, as indicated below:

Part I: Theoretical part

• Chapter I: This chapter covers the basic concepts and principles of cybersecurity. We show the importance of cybersecurity in the digital age. We also describe the role of defensive and offensive teams in cybersecurity and how they perform various tasks. Finally, we explain how governance, risk management, and compliance (GRC) principles help organizations manage cybersecurity risks and follow regulations, standards, and best practices.
• Chapter II: This chapter presents open source and its role in cybersecurity. We discuss the advantages and benefits of integrating open-source approaches in cybersecurity, including being free or low-cost, collaboration, innovation, and allowing for customization. We also show how open-source tools can be used in cybersecurity to protect computer systems, networks, applications, and data from cyberattacks.
• Chapter III: This chapter presents the fundamental aspects of Security Information and Event Management (SIEM) and its core functionalities. We explain the limitations of traditional SIEMs and the need for next-gen features.

Part II: Practical part

• Chapter IV: In this chapter, we present the details of the project design and implementation, from the selection of the open-source tools to the configuration and integration of the Next-Gen SIEM solution. We also describe the main features and functionalities of our solution. We then conclude the chapter with a demonstration of the solution in a simulated environment.
• Chapter V: In this chapter, we evaluate and test the performance and effectiveness of our Next-Gen SIEM solution, using various scenarios and use cases.

Finally, we summarize the main contributions, identify potential areas for future research and development based on the project’s findings, and end our work with a conclusion.

Part I

Theoretical Part

Chapter 1
Theoretical background

1.1 Introduction

Nowadays, most transactions and communication take place through computer networks. Therefore, we must protect the networks against any attempt at theft or unauthorized access to information. In this chapter, we present the basic principles of security and justify its importance. We also explain how security differs from cybersecurity. We then outline its main objectives and components, including the necessary terminology. Finally, we describe the three pillars of implementing effective security.

1.2 Security Principles and Terminologies

Confidentiality, integrity, and availability are three essential security concepts vital for information on the internet. Authentication, authorization, and non-repudiation are terms that refer to the individuals using the information.

Confidentiality: The principle of confidentiality ensures that only authorized users have access to the information. If an unauthorized person has access to the information, confidentiality is compromised.[1]
Authentication: The principle of authentication requires proof of identity, ensuring that the origin of the information and the various actors are correctly identified. This can be explicit (e.g., password, fingerprints, etc.) or implicit (e.g., behavior, etc.).[2]
Integrity: The principle of integrity ensures that information is altered (modified) only by authorized actors. For example, electronic signatures can be used to verify the existence of an alteration.[3]
Availability: The principle of availability ensures that resources are available at all times for authorized individuals.[4]
Non-repudiation: The principle of non-repudiation does not allow the owner of information (e.g., a message) to deny possession of that information. There are situations, for example, where a user sends a message and later denies sending it.[5]
Traceability: Ensures that access and attempts to access relevant elements are tracked, and that these traces are retained and used.[6]
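As an added example (not from the thesis), the following Go program illustrates the integrity, authentication and non-repudiation principles defined above on a constructed audit record: an Ed25519 signature detects any alteration and binds the record to a single key holder, while an HMAC over a shared secret also detects alteration but cannot show which key holder produced the tag. The record text, the key material and all function names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// sampleRecord is a constructed trace entry of the kind a SIEM retains for
// traceability: who did what, from where, when, and with what result.
const sampleRecord = "2024-06-01T10:15:02Z user=alice action=login src=10.0.0.5 result=success"

// SignRecord signs a record with the producer's Ed25519 private key. Only the
// holder of that key can produce the signature, which is what supports
// non-repudiation: the producer cannot later deny having emitted the record.
func SignRecord(priv ed25519.PrivateKey, record []byte) []byte {
	return ed25519.Sign(priv, record)
}

// VerifyRecord checks a record and its signature against the producer's public
// key. It establishes authentication (origin) and integrity (no alteration)
// at once: changing a single character of the record makes it return false.
func VerifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, record, sig)
}

// MacRecord computes an HMAC-SHA256 tag over the record with a key shared by
// the producer and the collector.
func MacRecord(key, record []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(record)
	return m.Sum(nil)
}

// CheckMac verifies a tag in constant time. A valid tag proves the record was
// not altered in transit, but since both parties hold the same key it cannot
// prove which of them created the tag, so it offers no non-repudiation.
func CheckMac(key, record, tag []byte) bool {
	return hmac.Equal(MacRecord(key, record), tag)
}

// Tamper returns a copy of the record with the outcome field flipped, the sort
// of alteration an integrity control must detect.
func Tamper(record []byte) []byte {
	return []byte(strings.Replace(string(record), "result=success", "result=failure", 1))
}

// Demo runs the checks on the constructed record and reports whether the
// signature verifies on the untouched record, whether it rejects the tampered
// copy, and whether tags computed independently by the two shared-key holders
// are indistinguishable (which is why HMAC alone gives no non-repudiation).
func Demo() (sigValid, tamperDetected, macIndistinguishable bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	record := []byte(sampleRecord)

	sig := SignRecord(priv, record)
	sigValid = VerifyRecord(pub, record, sig)
	tamperDetected = !VerifyRecord(pub, Tamper(record), sig)

	sharedKey := []byte("constructed-shared-key-not-for-real-use") // constructed demo key
	tagFromProducer := MacRecord(sharedKey, record)
	tagFromCollector := MacRecord(sharedKey, record)
	macIndistinguishable = hmac.Equal(tagFromProducer, tagFromCollector)
	return sigValid, tamperDetected, macIndistinguishable, nil
}

func main() {
	sigValid, tamperDetected, macSame, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("signature valid on original record:", sigValid)
	fmt.Println("alteration detected by signature:", tamperDetected)
	fmt.Println("HMAC tags from both key holders identical:", macSame, "(integrity only, no non-repudiation)")
}
```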

1.2.1 The Security Controls

Security controls are often divided into three distinct categories: administrative controls, physical controls, and technical controls.

Administrative Control: Defines the human side of security. It involves personnel at all levels of a company and determines which users have access to which resources and information, based on elements such as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel enrollment and accounting[7]
Physical Control: Physical security is often defined as the protection of personnel, hardware, software, networks, and data against physical actions and events that could cause significant loss or damage to an organization.[7]
Technical Control: Security controls implemented and executed by information systems themselves, primarily through mechanisms contained in hardware, software, and firmware components, and operated by the security staff and specialists who configure them.[7]

1.2.2 Terms and Definitions

The field of computer security uses many terms. We define some of them here:

Vulnerability: In cybersecurity, a vulnerability is a weakness in a system that could be exploited by a threat actor, leading to unauthorized actions or access within the system.
Security Threat: A security threat is a potential danger that can harm or compromise the data or integrity of a computer system or network.[8]
Risk: In computer security, risk refers to the likelihood and impact of potential threats exploiting vulnerabilities in an information system or organization. It involves assessing the probability of an adverse event occurring and the consequences or harm it may cause to the confidentiality, integrity, or availability of data and resources. Risk management strategies aim to identify, analyze, and mitigate these risks to ensure the security and continuity of IT operations.[8]
Risk Analysis: This process involves identifying potential cybersecurity issues that could negatively affect business initiatives or projects. It helps organizations anticipate and mitigate risks, ensuring smooth operations.[8]
Malware: Also known as malicious software, malware comprises programs or files that are harmful to users. Types include viruses, ransomware, spyware, and more, all of which threaten data security and system performance.[8]
Keylogger: A keylogger is a surveillance tool that records each keystroke on a computer's keyboard. It is often used by cybercriminals to capture passwords, credit card numbers, and other sensitive information.[8]
Firewall: A firewall is a network security system that monitors and regulates network traffic based on predefined rules. It acts as a barrier between trusted and untrusted networks, preventing unauthorized access and blocking potential threats.[8]

1.3 Cybersecurity Overview and Aspects

1.3.1 Definition and Scope

Cybersecurity is commonly defined as the practice of using tools, processes, and technology to protect computers, networks, electronic devices, systems, and data against cyberattacks. It is adopted by individuals and enterprises to limit the risks of theft, attack, damage, and unauthorized access to computer systems, networks, and sensitive user data. Since its inception in the 1970s, cybersecurity has evolved constantly. Today it is no longer restricted to protecting computers; it also protects individuals against malicious cyberattacks. The main purpose of cybersecurity is to prevent the leakage of sensitive data while ensuring cyber resilience, that is, the ability to respond to and recover from cyberattacks with less damage.

1.3.2 Different Types of Cybersecurity

As cyberattacks become more innovative and complex, the scope of cybersecurity expands to encompass several disciplines. Based on its application areas, cybersecurity can be broadly classified into six types, described below:

1. Application Security
2. Network Security
3. Infrastructure Security
4. Cloud Security
5. Mobile Security
6. Internet of Things (IoT) Security

Application Security: While the integration of applications into business models has streamlined operations, it has also created the potential for new security vulnerabilities. Application security is the process of integrating security mechanisms into web applications and programs to protect data against theft, unauthorized access, and damage.[9]
Network Security: Network security refers to the process of safeguarding internal computer networks and network components against cyberattacks by employing network security solutions such as firewalls, anti-virus and anti-malware programs, data loss prevention (DLP) systems, and other multi-layered threat prevention technologies.[9]
Infrastructure Security: This is the practice of safeguarding an organization's critical infrastructure, including its operational technology (OT), against cyberattacks. Unlike traditional perimeter-focused security models, organizations that rely on critical infrastructure must implement best practices and adopt "zero trust" to protect it against evolving cyberthreats.[9]
Cloud Security: Cloud security is the discipline of implementing security measures, policies, and technologies to protect cloud data and cloud computing systems from cyberthreats.[9]
Mobile Security: This is a security strategy implemented to protect sensitive information stored on mobile devices such as laptops, smartphones, and tablets from unauthorized access and data theft.[9]
IoT Security: While IoT solutions bring operational efficiency and convenience, they also create possibilities for new security vulnerabilities. IoT security is the practice of employing tools and techniques to protect internet-connected devices from security risks.[9]

1.4 Importance of Cybersecurity

Cybersecurity is crucial for protecting individuals and businesses against various cyber threats. It strengthens an organization's defense posture and plays an essential role in mitigation and response. The benefits of cybersecurity go beyond data protection, extending to cyber-resilience approaches that help organizations recover as quickly as possible from a cyberattack.

1.5 Types of Most Common Cybersecurity Threats

• Malware: Malicious software, or malware, includes viruses, Trojans, ransomware, spyware, etc., designed to gain unauthorized access to computer systems, servers, or networks. Malware can steal, delete, and encrypt data, disrupt business operations, and destroy computer systems.[10]
• Password Attacks: Password attacks are among the most widespread cyberattacks. Attackers use techniques such as guessing and brute force, and specialized tools, to break into password-protected accounts, files, folders, and computers.[10]
• Phishing: Phishing, a form of social engineering and one of the most common ways credentials are stolen, involves sending fraudulent communications to targets via email, SMS, and phone calls while pretending to come from reputable and legitimate institutions. Phishing attacks typically aim to steal users' personal data, login credentials, credit card numbers, etc.[10]

1.6 What is a Cyber Security Framework?

Cyber security frameworks are sets of documents describing guidelines, standards, and best practices designed for cyber security risk management. The frameworks exist to reduce an organization's exposure to weaknesses and vulnerabilities that hackers and other cyber criminals may exploit.
The word "framework" makes it sound like the term refers to hardware, but that is not the case. It does not help that the word "mainframe" exists, which may suggest a tangible infrastructure of servers, data storage, and so on.
But much like a framework in the physical world is a structure that supports a building or other large object, a cyber security framework provides foundation, structure, and support to an organization's security methodologies and efforts.[11] As we are about to see, these frameworks come in several types.

1.7 What are the types of Cybersecurity Frameworks?

Frameworks break down into three types based on the function they serve.

1.7.1 Control Frameworks

• Develop a basic strategy for the organization's cyber security department
• Provide a baseline set of security controls
• Assess the present state of the infrastructure and technology
• Prioritize the implementation of security controls

1.7.2 Program Frameworks

• Assess the current state of the organization's security program
• Build a complete cybersecurity program
• Measure the program's security and compare it with that of peers (competitive analysis)
• Facilitate and simplify communication between the cyber security team and managers/executives

1.7.3 Risk Frameworks

• Define the processes needed for risk assessment and management
• Structure a security program for risk management
• Identify, measure, and quantify the organization's security risks
• Prioritize appropriate security measures and activities

1.8 Top Cyber Security Frameworks

When it comes to picking a cyber security framework, there is an ample selection to choose from. Naturally, the choice depends on the organization's security needs. Companies turn to cyber security frameworks for guidance. The right framework, instituted correctly, lets IT security teams manage their companies' cyber risks intelligently. Companies can either customize an existing framework or develop one in-house. Some businesses must employ specific information security frameworks to follow industry or government regulations. For example, a business that handles purchases by credit card must comply with the Payment Card Industry Data Security Standard (PCI DSS). In this instance, the company must pass an audit that shows it complies with the PCI DSS requirements.[11]
Here are the frameworks recognized today as some of the better ones in the industry:

1.8.1 The NIST Cyber Security Framework

The NIST Framework for Improving Critical Infrastructure Cybersecurity, or the "NIST cybersecurity framework" (CSF) for brevity's sake, was established during the Obama administration in response to presidential Executive Order 13636. The framework was designed to protect America's critical infrastructure (e.g., dams, power plants) from cyberattacks.
The NIST CSF is a set of voluntary security guidelines that private sector companies can use to identify, detect, and respond to cyberattacks. The framework also features guidance to help organizations prevent and recover from cyberattacks.[12]
There are five functions, or best practices, associated with the NIST CSF (version 2.0 of the framework, published in 2024, adds a sixth function, Govern, covering cybersecurity governance and risk management strategy):

• Identify
• Protect
• Detect
• Respond
• Recover

Figure 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework

1.8.2 The Center for Internet Security Critical Security Controls (CIS)

If a company wants to start small and gradually work its way up, the CIS Controls are a good choice. This framework was developed in the late 2000s to protect companies from cyber threats and is regularly updated by security professionals from many fields (academia, government, industry). Earlier versions consisted of 20 controls arranged in three groups, beginning with basic controls, moving on to foundational ones, and finishing with organizational ones; version 8, released in 2021, consolidates them into 18 controls and replaces the three groups with Implementation Groups (IG1 to IG3) that let an organization adopt a minimal set first and grow from there.
CIS also publishes Benchmarks, hardening configuration guides for specific operating systems, applications, and cloud platforms, and maps its Controls to standards such as HIPAA and the NIST CSF. This lets organizations that are not subject to mandatory security requirements, but want to improve their cyber security anyway, follow a recognized baseline.[11]

Figure 1.2 – CIS Controls

1.8.3 The International Organization for Standardization (ISO) frameworks ISO/IEC 27001 and 27002

This family of standards is also informally called ISO 27K. It is considered the internationally recognized standard for validating information security, both internally and toward third parties. ISO/IEC 27001 requires the organization to establish and operate an Information Security Management System (ISMS) and to manage its information security risks exhaustively, focusing on threats and vulnerabilities; it is the certifiable standard, while ISO/IEC 27002 provides implementation guidance for the controls.
ISO 27K is very demanding. The 2013 edition of the standard listed 114 controls broken into 14 categories; the 2022 revision consolidates them into 93 controls grouped into four themes (organizational, people, physical, and technological). As a result, ISO 27K may not be for everyone, considering the amount of work involved in maintaining the standard. However, if ISO/IEC 27001 certification is a selling point for attracting new customers, it is worth it.[13]

1.8.4 The Health Insurance Portability and Accountability Act (HIPAA)

Better known as HIPAA, this United States legislation provides a framework for managing confidential patient and consumer data, particularly with regard to privacy. It protects electronic healthcare information and is essential for healthcare providers, insurers, and clearinghouses.[14]
There are many other frameworks to choose from, including:
• SOC 2 (System and Organization Controls 2)
• NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
• GDPR (General Data Protection Regulation)
• FISMA (Federal Information Security Management Act)
• HITRUST CSF (Health Information Trust Alliance Common Security Framework)
• PCI DSS (Payment Card Industry Data Security Standard)
• COBIT (Control Objectives for Information and Related Technologies)
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)

1.9 Why Do We Need Cyber Security Frameworks?

Cyber security frameworks remove some of the guesswork from securing digital assets. Frameworks give cyber security managers a reliable, standardized, systematic way to mitigate cyber risk, regardless of the environment's complexity.
Cyber security frameworks help teams address cyber security challenges by providing a strategic, well-thought-out plan to protect the organization's data, infrastructure, and information systems. The frameworks offer guidance, helping IT security leaders manage their organization's cyber risks more intelligently.
Companies can adapt an existing framework to their own needs or create one internally. However, the latter option can pose challenges, since some businesses must adopt security frameworks that comply with commercial or government regulations, and home-grown frameworks may prove insufficient to meet those standards.
Bottom line, businesses are increasingly expected to abide by standard cyber security practices, and using these frameworks makes compliance easier and smarter. The proper framework will suit the needs of businesses of many sizes, regardless of which of the countless industries they belong to.
Frameworks help companies follow correct security procedures, which not only keeps the organization safe but also fosters consumer trust. Customers have fewer reservations about doing business online with companies that follow established security protocols and keep their financial information safe.

1.10 GRC (Governance, Risk Management, and Compliance)

In the context of cyber security, GRC is about ensuring that an organization's IT systems and processes are aligned with its business objectives, that cyber risks are managed, and that all relevant industry and government regulations are met. It involves setting up appropriate governance structures, implementing effective cyber risk management strategies, and ensuring compliance with applicable laws and standards.

The Role of GRC in Cyber Security

GRC plays a pivotal role in cyber security by providing a framework for organizations to define their security strategy, implement effective processes, leverage technology, and manage people to achieve their security objectives.

1. Governance in Cyber Security
Governance refers to the establishment of policies, procedures, and structures that guide and oversee an organization's cybersecurity efforts. It involves defining roles and responsibilities, setting objectives, and aligning cybersecurity initiatives with the overall business strategy. Effective governance ensures accountability, transparency, and consistency in cybersecurity practices across the organization.[15]
2. Risk Management in Cyber Security
Risk management is the process of identifying, assessing, and mitigating potential threats and vulnerabilities to the organization's digital assets. It involves conducting risk assessments, prioritizing risks based on their likelihood and impact, and implementing controls to reduce or eliminate those risks. By proactively managing cybersecurity risks, organizations can minimize the likelihood of security breaches and mitigate their potential impact on operations and reputation.[16]
3. Compliance in Cyber Security
Compliance programs embody the rules of the market, government, or industry in which the organization operates. They are designed to ensure that organizations meet specific standards and regulations, for example the General Data Protection Regulation (GDPR) and other privacy and security requirements.[17]

1.10.1 The Importance of GRC in Cyber Security

GRC is crucial in cyber security for several reasons. Firstly, it helps organizations align their IT systems and processes with their business objectives, thereby enhancing their ability to achieve those strategic objectives while maintaining a secure environment. Secondly, it facilitates effective enterprise risk management by providing a structured approach to identifying, assessing, and mitigating cyber risks. Lastly, through compliance, GRC ensures that organizations meet all applicable legal and regulatory requirements, thereby avoiding penalties and protecting their reputation.

• Enhancing Security Measures: GRC enhances security measures by providing a framework for defining and implementing appropriate policies, procedures, and controls. By establishing clear governance structures, GRC ensures that security measures are aligned with business objectives and are effectively communicated and enforced throughout the organization.
• Managing Cyber Risks: GRC aids in managing cyber risks by providing a systematic approach to the risk management process. It helps organizations identify potential vulnerabilities and threats, assess their impact and likelihood, and implement effective controls to mitigate them. By doing so, GRC significantly reduces the likelihood of a successful cyber attack and minimizes the potential damage in case of a breach.
• Ensuring Compliance with Regulations: Compliance is a critical aspect of GRC in cyber security. With increasing scrutiny from regulators and the public, organizations are under immense pressure to comply with a myriad of laws and regulations related to data privacy and data security. GRC ensures that organizations are aware of all applicable requirements and have measures in place to meet them.

1.11 Red Teaming Techniques and Applications

Red teaming can be defined as the process of testing the effectiveness of your cybersecurity by removing defender bias and applying an adversarial lens to your organization. Red teaming occurs when ethical hackers are authorized by your organization to emulate real attackers' tactics, techniques, and procedures (TTPs) against your own systems. It is a security risk assessment service that your organization can use to proactively identify and remediate IT security gaps and weaknesses.
A red team leverages attack simulation methodology. It simulates the actions of sophisticated attackers (or advanced persistent threats) to determine how well your organization's people, processes, and technologies could resist an attack that aims to achieve a specific objective. Vulnerability assessments and penetration tests are two other security testing services: a vulnerability assessment looks for all known vulnerabilities within your network, and a penetration test goes on to test ways to exploit them. In short, vulnerability assessments and penetration tests are useful for identifying technical flaws, while red team exercises provide actionable insights into the state of your overall IT security posture.[18]

1.11.1 The Role of the Red Team

The role of the red team is multifaceted and can vary depending on
the specific goals of an organization. However, the main objective of the
red team is to provide a comprehensive assessment of an organization’s
security posture. This can include testing security controls, identifying
vulnerabilities and weaknesses, and providing recommendations for im-
provement.

1.11.2 Common Red Team Tasks

Some common tasks that the red team may handle include the following:
• Penetration testing: Attempting to exploit vulnerabilities in a system to gain unauthorized access or extract sensitive information.
• Social engineering: Testing an organization's ability to detect and prevent phishing attacks, pretexting, or other forms of social engineering.
• Physical security testing: Assessing an organization's physical security controls, such as access controls, alarms, and surveillance systems.
• Wireless network testing: Testing an organization's wireless network security to identify vulnerabilities or unauthorized access points.
• Application security testing: Testing an organization's applications for vulnerabilities, such as injection attacks or authentication bypass.
• Red team exercises: Conducting simulated attacks on an organization to test its incident response capabilities and identify areas for improvement.
• Threat intelligence: Providing information on emerging threats or vulnerabilities that may pose a risk to the organization.
• Vulnerability management: Helping an organization prioritize and remediate vulnerabilities identified through testing and assessment.
• Security awareness training: Providing education and training to employees on security best practices and how to detect and prevent attacks.
• Compliance testing: Ensuring that an organization is meeting regulatory or compliance requirements for security and data protection.

1.11.3 Penetration Testing

A penetration test, or "pen test," is a security test that launches a mock cyberattack to find vulnerabilities in a computer system. Penetration testers are security professionals skilled in ethical hacking, the use of hacking tools and techniques to find security weaknesses so that they can be fixed rather than to cause harm. Companies hire pen testers to launch simulated attacks against their applications, networks, and other assets. By staging controlled attacks, pen testers help security teams uncover critical security vulnerabilities and improve the overall security posture.[19]
1.11.4 The Penetration Testing Process

Before a pen test begins, the testing team and the company set a scope for the test. The scope outlines which systems will be tested, when the testing will happen, and the methods pen testers may use. The scope also determines how much information the pen testers will have ahead of time:
• In a black-box test, pen testers have no information about the target system. They must rely on their own research to develop an attack plan, as a real-world attacker would.
• In a white-box test, pen testers have full transparency into the target system. The company shares details such as network diagrams, source code, credentials, and more.
• In a gray-box test, pen testers get some information but not much. For example, the company might share IP ranges for network devices, but the pen testers have to probe those IP ranges for vulnerabilities on their own.
Regardless of which methodology a testing team uses, the process usually follows the same overall steps:
1. Reconnaissance
The testing team gathers information on the target system. Pen testers use different recon methods depending on the target. For example, if the target is an application, pen testers might study its source code. If the target is an entire network, pen testers might use a packet analyzer to inspect network traffic flows. Pen testers often draw on open-source intelligence (OSINT) as well. By reading public documentation, news articles, and even employees' social media and GitHub accounts, pen testers can glean valuable information about their targets.
2. Target Discovery and Development
Pen testers use the knowledge gained in the recon step to identify exploitable vulnerabilities in the system. For example, they might use a port scanner like Nmap to find open ports and the services listening on them, which may expose vulnerable software. For a social engineering pen test, the testing team might develop a fake story, or "pretext," to use in a phishing email to steal employee credentials. As part of this step, pen testers may check how security controls react to intrusions. For example, they might send suspicious traffic to the company's firewall to see what happens. Pen testers use what they learn to avoid detection during the rest of the test.
3. Exploitation
The testing team begins the actual attack. Pen testers may try a variety of attacks depending on the target system, the vulnerabilities they found, and the scope of the test. Some of the most commonly tested attacks include:
• SQL injection: Pen testers try to get a web page or application to disclose sensitive data by entering crafted SQL fragments into input fields that the application concatenates into its database queries.
• Cross-site scripting: Pen testers try to plant malicious script in a company's website so that it executes in other users' browsers.
• Denial-of-service attacks: Pen testers try to take servers, applications, and other network resources offline by flooding them with traffic.
• Social engineering: Pen testers use phishing, baiting, pretexting, or other tactics to trick employees into compromising network security.
• Brute force attacks: Pen testers try to break into a system by running scripts that generate and test candidate passwords until one works.
• Man-in-the-middle attacks: Pen testers intercept traffic between two devices or users to steal sensitive information or inject malicious content.
4. Escalation
Once pen testers have exploited a vulnerability to get a foothold in the system, they try to move around and access even more of it. This phase is sometimes called "vulnerability chaining" because pen testers move from vulnerability to vulnerability to get deeper into the network. For example, they might start by planting a keylogger on an employee's computer. Using that keylogger, they can capture the employee's credentials. Using those credentials, they can access a sensitive database. At this stage, the pen tester's goal is to maintain access and escalate privileges while evading security measures. Pen testers do all of this to imitate advanced persistent threats (APTs), which can lurk in a system for weeks, months, or years before they are caught.
5. Cleanup and Reporting
At the end of the simulated attack, pen testers clean up any traces they have left behind, such as backdoors they planted or configurations they changed, so that real-world attackers cannot use the pen testers' work to breach the network. Then the pen testers prepare a report on the attack. The report typically outlines the vulnerabilities they found, the exploits they used, details on how they avoided security controls, and descriptions of what they did while inside the system. The report may also include specific recommendations for vulnerability remediation. The in-house security team can use this information to strengthen defenses against real-world attacks.
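The SQL injection attack listed under the exploitation step is easiest to understand side by side with its fix. The following Python example (added for this edit; it is not the thesis's own code nor taken from any cited source) builds a constructed in-memory SQLite user table and implements the same login check twice: a deliberately vulnerable version that concatenates user input into the query text, and a hardened version that binds the input as a parameter. The payload `alice' --` is the kind a tester would try against the first form. Usernames, passwords, and roles are made-up sample data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the target application's
    database. (Plaintext passwords are only for the demonstration; a real store
    keeps salted password hashes.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: untrusted input is pasted into the SQL text, so an
    attacker-controlled quote or comment marker rewrites the statement itself."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username: str, password: str):
    """Hardened: the statement is fixed and the input is bound as data, so the
    same payload is compared literally against the username column and fails."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run a legitimate login and the injection payload against both versions."""
    conn = build_db()
    payload = "alice' --"   # closes the string literal, then comments out the password check
    return {
        "legitimate": login_vulnerable(conn, "bob", "hunter2"),        # ('bob', 'user')
        "injected_vulnerable": login_vulnerable(conn, payload, "wrong"),  # ('alice', 'admin')
        "injected_hardened": login_hardened(conn, payload, "wrong"),      # None
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label}: {row}")
```

Against the vulnerable function the statement becomes `... WHERE username = 'alice' --' AND password = 'wrong'`, and everything after `--` is a comment, so the tester is logged in as the admin without a password. The hardened function runs exactly the same payload and returns no row, which is what a parameterized query guarantees regardless of the input's contents.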

1.12 Blue Team: Cyber Defense

A blue team is the cybersecurity defense personnel of a company, typically working within a Security Operations Center (SOC). The SOC consists of highly skilled analysts working around the clock to defend their organization and enhance its defenses. The blue team is tasked with detecting, opposing, and weakening the red team. The simulated attack scenario is designed to enhance their skills by preparing them for real-world, dangerous attacks. Many current threats, such as commodity malware and phishing emails, are halted automatically by tools such as perimeter filtering, endpoint security products, and threat detection platforms. The SOC, or blue team, adds vital human intelligence to these tools and technologies, acting both proactively and reactively.[20]
The objectives and tasks of the blue team include:
• Understanding each phase of an incident and responding appropriately.
• Noticing suspicious traffic patterns and identifying indicators of compromise.
• Swiftly terminating any form of compromise.
• Identifying the command-and-control servers of the red team or threat actors and blocking their connectivity to the target.
• Conducting forensic analyses and tests on the various operating systems used by the organization, including third-party systems.
The methods of the blue team include:
• Reviewing and analyzing log data.
• Using a Security Information and Event Management (SIEM) platform for visibility, real-time intrusion detection, and triggering alarms.
• Collecting new threat information and prioritizing appropriate actions based on risk.
• Analyzing traffic and data flows.
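The blue team methods above, reviewing log data and having a SIEM raise alarms on suspicious patterns, come down to correlation rules evaluated over parsed events. The Python example below (added for this edit; not from the thesis or from any particular SIEM product) implements one such rule over constructed OpenSSH log lines: it parses each line, counts failed logins per source IP in a sliding one-minute window, raises a medium-severity alert when the count reaches a threshold, and escalates to high severity if a successful login from the same address follows while those failures are still inside the window. The threshold, the window, the assumed year for the syslog timestamps, and the log lines themselves (hosts, users and addresses from documentation ranges) are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format; not real log data.
SAMPLE_LOG = """\
Mar 14 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 14 10:00:03 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 14 10:00:05 web01 sshd[2205]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar 14 10:00:06 web01 sshd[2207]: Failed password for root from 198.51.100.7 port 40133 ssh2
Mar 14 10:00:08 web01 sshd[2209]: Failed password for root from 198.51.100.7 port 40135 ssh2
Mar 14 10:00:09 web01 sshd[2211]: Accepted password for root from 198.51.100.7 port 40136 ssh2
Mar 14 10:02:00 web01 sshd[2300]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar 14 10:15:00 web01 sshd[2400]: Accepted publickey for alice from 203.0.113.5 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line: str, year: int = 2024):
    """Turn one sshd line into an event dict, or None if it is not a login event.
    Syslog timestamps carry no year, so one is assumed (2024 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Correlation rule: `threshold` failed logins from one IP within `window` raise a
    medium alert; a successful login from that IP while those failures are still inside
    the window raises a high alert (the brute force likely succeeded)."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue               # not a login event, or a line the parser does not know
        ip, ts = ev["ip"], ev["ts"]
        # slide the window: drop failures older than `window` relative to this event
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:   # fire once, when the threshold is crossed
                alerts.append({"ip": ip, "severity": "medium", "time": ts,
                               "reason": f"{threshold} failed logins within {window}"})
        elif len(failures[ip]) >= threshold:     # "Accepted" right after a burst of failures
            alerts.append({"ip": ip, "severity": "high", "time": ts,
                           "reason": f"successful login as {ev['user']} after brute-force attempt"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the rule produces two alerts for 198.51.100.7 (medium at the fifth failure, high on the accepted login one second later) and none for 203.0.113.5, whose single failure has left the window by the time its key-based login arrives. The same structure, parse then keep per-entity state then evaluate a threshold, is what a SIEM rule engine does at scale; the parts a production deployment adds are persistent state, time-zone-aware timestamps, and an allowlist for known scanners.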

1.12.1 General Information on Security Operations Centers (SOCs)

As mentioned above, blue teams in organizations typically work within a SOC. The security operations center runs 24/7, in shifts, to ensure a rapid response to any emerging threat.

1.12.2 Importance of SOCs

The cyberthreat landscape is evolving rapidly, and protection against potential cyberattacks requires continuous monitoring and rapid response. The longer a cybersecurity incident goes on before it is corrected, the greater the potential damage and expense to the organization. Mature SOCs around the world tend to have a common set of core security services. These services can be internal, outsourced, or even on-demand, allowing the SOC to obtain the desired services as needed. In summary, these common services can be defined as the following offerings:
• Risk Management: Identify organizational risks and make decisions to manage them. This involves managing all types of risk, from physical asset security to patching digital vulnerabilities that exist in software. It can also apply to correcting weak policies and a lack of security awareness education among members of an organization.
• Vulnerability Management: Identify and manage risks associated with technical vulnerabilities. This typically involves targeting vulnerabilities in software found on servers, laptops, and IoT devices. Most SOCs use vulnerability scanners and external threat intelligence to identify vulnerabilities.
• Incident Management: Respond to security events. This covers the actions taken by the SOC when certain events occur, such as isolating systems, alerting team members, and implementing corrective measures to resolve the issue.
• Analysis: Analysis of various types of artifacts. This includes identification of characteristics, reverse engineering, vulnerability/exploit analysis, root cause analysis, and remediation and mitigation analysis.
• Compliance: Assess and maintain organizational compliance requirements. This may include legally binding requirements such as HIPAA and PCI DSS compliance, as well as organization-oriented goals such as compliance with a NIST or ISO standard, which are not required by law but may be considered a policy required by the organization or its customers.
• Digital Forensics: Collect evidence after the incident to determine its cause and prepare for legal action. What distinguishes digital forensics from incident response and analysis is the legal aspect of how the evidence is collected.
• Research and Development: Research the ever-changing threat landscape, develop new tools and techniques, and modify existing tools to improve effectiveness.

1.12.3 Components of a SOC

Some people believe that security is about having the latest or best-in-class technology and that acquiring such technology should be the top budget priority. Others believe that success depends on the quality of the people in the security team and that it is therefore better to spend money on highly qualified IT staff. A third idea is that the best security comes from well-defined and executed policies that include how to restrict risky behavior and respond to threats. The truth is that best practices are a combination of these concepts representing investments in people, processes, and technology. People, processes, and technologies can have their own quality testing and upgrade processes, as illustrated in Figure 1.3, representing different aspects of the SOC that are developed or acquired independently.


Figure 1.3 – Fundamentals of People, Process, and Technology

1.12.4 People Involved

A mature SOC needs highly qualified and certified personnel who are familiar with security-based alerts and scenarios. Given that security threats and issues are constantly evolving, the company needs people who can adapt and think outside the box when it comes to solving problems. Attacks can take different forms and types, so it is important to have people who can learn on the fly. The company may also need to have people who have security clearances, so it needs to vet its technicians extremely well.
The specifics of the work will depend on the type of service offered by the SOC. In Figure 1.4, we will try to group similar positions and explain the skills required based on what a large majority of SOCs require.


Figure 1.4 – SOC Responsibilities, Skills, and Certifications

1.12.5 Technologies and Tools Adopted

With network, log, and endpoint data collected before and during the incident, SOC analysts can immediately switch from using the security monitoring system as a detective tool to using it as an investigative tool, by examining the suspicious activities that constitute the present incident, and even as a tool to manage incident or breach response.
1. Vulnerability Scanners
We have shown how adversaries exploit vulnerabilities to compromise systems. This means that as a SOC, it is ideal to have a mature vulnerability management practice.
In fact, there are some tools that any organization should consider devoting to its vulnerability management practice. The most obvious tool is something that can assess the network and endpoints for vulnerabilities.
Vulnerability scanners serve this purpose by comparing the attributes of the systems and software being scanned against known weaknesses. For a vulnerability scanner to detect and classify system weaknesses in computers, networks, and communications, it must have access to the target being scanned. Access can be from the network or directly on the host. The level of access can be full read access, called Authenticated Scanning, or the inability to connect to the system, called Unauthenticated Scanning.[21]
Having full read access provides more details about the vulnerability of systems, networks, and communications. Authenticated scan results provide a more accurate report, which leads to a better remediation response. While authenticated scanning gives better results than unauthenticated scanning, it does not realistically represent what a potential adversary will see.[22]
Unauthenticated scanning is considered the attacker’s point of view, which means that tools such as firewalls will prevent some scanning use cases from providing useful data. A SOC must use both authenticated and unauthenticated scanning: the former to identify all potential vulnerabilities, the latter to understand how adversaries would see the computers, networks, and communications they might target.
2. Incident Management Tools
Before a decision can be made on how to handle a vulnerability, the SOC must properly identify the vulnerability. Most enterprise vulnerability detection tools will do this job. Now the SOC must plan a response. According to ISO/IEC 27005:2018, there are four options for responding to the risk associated with a vulnerability[21]:
• Risk retention: This option means that the incident management team accepts that there is a risk but does not take any action. This decision is usually based on the determination that the level of risk is acceptable in terms of the organization’s risk tolerance.
• Risk avoidance: Risk avoidance is similar to risk retention in that no action is taken. The difference with risk avoidance is that there is an unacceptable risk for the organization’s tolerance level. However, actions to address the risk are not taken due to several factors such as cost or residual risk.
• Risk modification: Apply safeguards and patches, modify controls, or make other efforts to address the risk until the residual risk is acceptable.
• Risk transfer/sharing: Pushing the risk to another party. In most cases, this occurs with insurance. Cyber insurance is an insurance product used to protect businesses or users from risks related to information technology. Assets could also have their own insurance policy that could be used if an event occurs.
3. Ticketing Tools
Regardless of the size of the company, it will need effective ticketing tools to help record, manage, and resolve customer issues, user requests, or technical problems.
In a mature security operations center (SOC), analysts tend to spend the most time on several activities, including generating and updating tickets. For example, when an event warrants an investigation, a ticket must be opened and assigned to a member of the primary response team, who then updates the case as additional details are discovered and verified.[23]
Mature incident response teams use a ticket tracking system as part of the communication process. This functionality is typically available in case management software. One example is the use of Cisco SecureX case management features. Regardless of the case management tool used by the team, it must be able to create a traceable report for each incident.
Figure 1.5 shows the creation of a new incident ticket for a potential malware trigger and the new case created for it.

Figure 1.5 – Opening a New Incident Ticket in Cisco SecureX

If an incident has potential legal implications, a different case management tool with forensic-focused tracking may be needed.
Once a case is opened, a documented response is followed, commonly called a playbook.

1.12.6 SOC Generations

Our understanding of SOC components and expected services has changed over time. This reflects the adjustment in our perception of security operations. This transformation comes in response to the ever-changing security threat landscape.
The SOC’s journey for the past 15 years can be broken down into four incremental generations, shown in Figure 1.6. Ideally, an organization that uses technologies from the fourth generation, such as big data security analytics, should have adopted most of the SOC services from the previous generations. This might not always be the case in practice, though.

Figure 1.6 – SOC Generations

The four generations reflect SOC capabilities in response to increasingly sophisticated attacks. Refer to the description of the generations to identify which SOC generation service your organization might be offering. Let’s look at the details of the services offered in each SOC generation.

1.12.7 First-Generation SOC

In this generation, the wider IT operations team delivered what would be considered as SOC functions and services. This team was not necessarily skilled or trained to handle information security events and incidents. Security operations were not delivered by the establishment of a formal SOC, but in many cases by an IT operations individual or a team who focused on a blend of tasks. This could be responsibility for device and network health monitoring, managing antivirus security across the organization, and log collection. Log collection for the first-generation SOC was limited in the number of sources and types of devices capable of producing logs, such as firewalls. In many cases, storing logging messages was done locally. In other cases, a central logging facility was provisioned to receive log information, mainly in the form of unencrypted syslog or Simple Network Management Protocol (SNMP) messages.
In this generation, logging messages were rarely proactively analyzed, and were instead referred to if an incident was reported or some sort of troubleshooting was required. In addition, the concept of information security incident response was not formally established or appreciated. The process of identifying, communicating, and reacting to potential information security incidents was generally slow.
Let’s look at an example of how a first-generation SOC would operate. Consider, for instance, that a number of systems have reported a substantial and relatively abnormal number of failed login attempts for the Microsoft Windows Active Directory domain administrator account within what is considered to be a short period of time. No evidence indicates suspicious activity or that a system compromise has been reported.
In the first generation of SOC, logging messages would most likely be locally saved on each system rather than stored on a centralized collection system such as a security information and event management (SIEM). The unsuccessful login attempt events would be saved to the local Windows security log store and buried under a large number of events generated by other various activities. Unless the Microsoft Active Directory system administrator manually accessed and analyzed the logs, the events in this example would have likely gone unnoticed, overlooking what could potentially be an account compromise and leading to what could be considered a major security incident.[24]

1.12.8 Second-Generation SOC

This is the generation in which SIEM tools started to emerge. Early generations of SIEM providers such as netForensics, Network Intelligence (later acquired by EMC), and Cisco Security Monitoring, Analysis, and Response System (MARS) promised to detect network threats, releasing administrators from the complex and in many cases impossible task of manually analyzing huge amounts of log information. The early providers of such tools focused on security threat management (STM), also referred to as security event management (SEM), which delivers real-time log analysis for the purpose of threat detection. These tools accept log information generated by various sources in different formats, speeding up the process of detecting potential security incidents. The basic idea of SEM is to first aggregate log information in the form of events from various sources such as operating systems, security devices, and applications. Events are then correlated so that possible relationships between them are identified, indicating the potential occurrence of incidents. Incidents are then reported in the form of a dashboard alert to the operator to investigate further.
This SEM function was eventually consolidated with the security information management (SIM) function to produce what is known today as SIEM. SIM tools focused on searching through large amounts of acquired log data. This historical data could then be analyzed for different purposes, such as performing digital investigations or meeting a number of compliance requirements related to log retention and compliance report generation.
Another important operational aspect introduced in the second-generation SOC was security incident case management. SIEM operators can create and assign cases for security incidents reported by the tools. In some cases, this is integrated with the organization’s service ticketing systems.
Taking the same multiple failed login attempts example used in the discussion about the first-generation SOC, the Microsoft Windows systems would most likely be configured to forward logged events to a SIEM tool. The SIEM tool should be capable of receiving, parsing, normalizing, and correlating the different events and eventually alerting a security analyst that there have been multiple login failures for the account ”administrator” on multiple systems. This behavior could indicate a possible brute-force attack, assuming that the SIEM tool is configured with correlation rules that can detect and assign a relevant and meaningful alert to this suspicious activity.[24]
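As an added example that is not part of the thesis or of any SIEM product it mentions, the following Python rule implements the receive, parse, normalize and correlate chain described above: it reads constructed Windows Security log lines as a collector might forward them, normalizes account and host names, and alerts when one account accumulates failed logons across several hosts inside a short window. Event ID 4625 is Windows’ failed-logon event; the line layout, thresholds, hostnames and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security log event ID for a failed logon (real ID); 4624 is a successful logon.
FAILED_LOGON = 4625

# Constructed sample of events as a collector might forward them to a SIEM (assumed layout):
# "<UTC timestamp> <host> EventID=<id> TargetUserName=<account> IpAddress=<source>"
SAMPLE_EVENTS = """\
2024-05-01T09:00:01Z SRV-FS01 EventID=4625 TargetUserName=Administrator IpAddress=10.0.5.23
2024-05-01T09:00:03Z srv-fs01 EventID=4625 TargetUserName=administrator IpAddress=10.0.5.23
2024-05-01T09:00:05Z srv-db02 EventID=4625 TargetUserName=administrator IpAddress=10.0.5.23
2024-05-01T09:00:08Z srv-web03 EventID=4624 TargetUserName=jsmith IpAddress=10.0.7.11
2024-05-01T09:00:09Z srv-web03 EventID=4625 TargetUserName=ADMINISTRATOR IpAddress=10.0.5.23
2024-05-01T09:00:12Z srv-dc01 EventID=4625 TargetUserName=administrator IpAddress=10.0.5.23
2024-05-01T09:00:15Z srv-dc01 EventID=4625 TargetUserName=administrator IpAddress=10.0.5.23
2024-05-01T09:01:30Z srv-web03 EventID=4625 TargetUserName=jsmith IpAddress=10.0.7.11
this line is malformed and would be dropped by the parser
2024-05-01T09:20:00Z srv-fs01 EventID=4625 TargetUserName=administrator IpAddress=10.0.5.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<acct>\S+) IpAddress=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    account: str
    src_ip: str


@dataclass(frozen=True)
class Alert:
    account: str
    first_seen: datetime
    last_seen: datetime
    hosts: tuple
    sources: tuple
    failures: int


def parse_events(raw: str) -> list:
    """Receive + parse + normalize: hosts and accounts are lowercased so case variants
    correlate together; lines that do not match the expected layout are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            host=m["host"].lower(),
            event_id=int(m["eid"]),
            account=m["acct"].lower(),
            src_ip=m["ip"],
        ))
    return sorted(events, key=lambda e: e.ts)


def correlate_failed_logons(events, window=timedelta(seconds=60),
                            min_failures=5, min_hosts=2) -> list:
    """Correlation rule: at least min_failures failed logons for one account, spread over at
    least min_hosts distinct hosts, all inside one sliding window. Each burst yields one alert."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == FAILED_LOGON:
            by_account[e.account].append(e)

    alerts = []
    for account, fails in by_account.items():   # fails is already time-ordered
        i = 0
        while i < len(fails):
            deadline = fails[i].ts + window
            burst = [f for f in fails[i:] if f.ts <= deadline]
            hosts = sorted({f.host for f in burst})
            if len(burst) >= min_failures and len(hosts) >= min_hosts:
                alerts.append(Alert(account, burst[0].ts, burst[-1].ts, tuple(hosts),
                                    tuple(sorted({f.src_ip for f in burst})), len(burst)))
                i += len(burst)   # do not re-alert on the same events
            else:
                i += 1
    return alerts


def describe(alert: Alert) -> str:
    """Dashboard-style alert text for the analyst to investigate."""
    return (f"Possible brute force: {alert.failures} failed logons for '{alert.account}' on "
            f"{len(alert.hosts)} hosts ({', '.join(alert.hosts)}) from {', '.join(alert.sources)} "
            f"between {alert.first_seen:%H:%M:%S} and {alert.last_seen:%H:%M:%S}")


if __name__ == "__main__":
    for a in correlate_failed_logons(parse_events(SAMPLE_EVENTS)):
        print(describe(a))
```

With the sample above, the six administrator failures across four hosts produce one alert, while the isolated failure twenty minutes later and the single jsmith failure stay below the thresholds; a first-generation SOC, with the same events scattered across local logs, has no place to run this rule at all.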

1.12.9 Third-Generation SOC

As SIEM tools further established their importance, other security services started to find their way to the SOC. In this generation, the SOC team would handle tasks related to vulnerability management, in addition to being heavily involved in formalizing and executing tasks related to incident response.
Vulnerability management refers to the practice in which vulnerabilities are discovered and confirmed, their impact is evaluated, corrective measures are identified and executed, and their status is tracked and reported until closure. This definition is similar to the one used in the NIST SP 800-40 standard.
It is critical that the impact evaluation phase for discovered vulnerabilities be associated with the organization’s risk-assessment practice. This means referring to the whole process of managing vulnerabilities instead of running vulnerability scanning tools against IT assets only. Vulnerability scanning is an activity that is part of vulnerability management and is usually executed during the vulnerability discovery, confirmation, and tracking phases. Some commercial products have evolved from being predominantly vulnerability scanners to automating the vulnerability management process. The SOC team would either operate the vulnerability management process, working with other units, or would be assigned some of its tasks.[24]

1.12.10 Fourth-Generation SOC

This generation of SOC introduces a number of advanced security services that attempt to tackle new security threats. The first new concept is expanding on the limited event correlation seen in previous generations of SIEM to big data security. Big data security analytics can be defined as ”the ability to analyze large amount of data over long periods of time to discover threats and then present and visualize the results.” Big data platforms are now being deployed to consume data from any source at high speed and with high volume, while being able to perform real-time or offline sophisticated security analytics. An example of using big data is ingesting large threat intelligence feeds about attacks seen all over the world rather than limiting event correlation to internal threats. Attack data could be website reputation data, malicious sources, volumetric trends for identifying distributed denial-of-service (DDoS) attacks, and so on.
Another new fourth-generation SOC concept is data enrichment using sources such as geo data, Domain Name System (DNS) data, network access control integration, and IP and domain reputation services. Network telemetry information is also being used for sophisticated network and security monitoring, essentially turning common network equipment into security sensor ports.
New technologies are being used by the SOC for forensics and for identifying network breaches, also known as breach-detection solutions. Cross-product integration is being leveraged to automate remediation, such as an intrusion detection product identifying a threat and leveraging a network access control technology to automatically perform remediation.[24]
In summary, the fourth-generation SOC is expanding threat data sources, layering different security capabilities to battle more advanced threats, and automating security to improve reaction time to incidents. This generation of SOC also includes policies to evaluate its capabilities as a continuous process for optimization and enhancement purposes.
To better understand the latest SOC generation, Table 1.1 summarizes and shows some differences between traditional and next-generation SOCs.

Feature                        | Traditional SOC                                                      | Next-Generation SOC
-------------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------
Goals                          | Detect, react, remediate                                             | Anticipate, automate, prevent
Security architecture          | Based on disparate security products that are difficult to integrate | Based on a next-generation security platform with native integration points
Scaling                        | Scales with the number of people                                     | Scales with the number of technologies
NOC and SOC                    | Operate independently                                                | Collaborate
Threat intelligence            | Must be manually converted into actionable policies                  | Automatically converted into actionable policies
Incident response              | Manual incident response procedures                                  | Automated incident response with playbooks
Threat detection               | Signature-based threat detection                                     | Behavioral and anomaly-based threat detection
Integration with IT operations | Minimal integration with IT operations                               | Seamless integration with IT and DevOps
User experience                | Complex, less user-friendly interfaces                               | Intuitive, user-friendly interfaces
Response time                  | Longer response times due to manual processes                        | Faster response times due to automation and advanced tools
Collaboration tools            | Limited collaboration tools                                          | Advanced collaboration and communication tools

Table 1.1 – Comparison between Traditional and Next-Generation SOCs

1.13 Conclusion

In this chapter, we delved into the fundamental principles and practices designed to protect systems, networks, and data from cyber threats.
GRC ensures that organizations align their cybersecurity efforts with legal and regulatory requirements, while effectively managing risks and establishing strong governance structures.
We then examined the proactive measures of red teaming and offensive cybersecurity, where ethical hacking and simulated attacks are utilized to identify and exploit vulnerabilities. This approach is essential for understanding the mindset and tactics of potential adversaries, allowing organizations to strengthen their defenses preemptively.
Conversely, blue teaming and cyber defense were discussed as the reactive counterparts, focusing on protecting, monitoring, and responding to threats in real time. Blue teams play a crucial role in maintaining the integrity of systems by implementing defensive strategies and technologies designed to thwart attacks and mitigate damages.
Lastly, the Security Operations Center (SOC) was highlighted as the nerve center of cybersecurity operations. The SOC integrates people, processes, and technology to continuously monitor and improve an organization’s security posture.
In conclusion, the dynamic interplay between offensive and defensive cybersecurity strategies, governed by comprehensive GRC frameworks and supported by dedicated SOC teams, forms the bedrock of a resilient cybersecurity posture. As cyber threats continue to evolve, a balanced and integrated approach to cybersecurity will be imperative for organizations to protect their digital ecosystems and maintain trust in the digital age.

Chapter 2
Open-source and its application in cybersecurity

2.1 Definition

Open source software is software with source code that anyone can inspect, modify, and enhance. The source code is the part of the software that most computer users don’t see, but it’s the code that programmers can manipulate to change how a program works. Open source software is distributed with its source code, allowing users to use, study, modify, and distribute the software and its source code for any purpose. It is typically made available for use at little to no cost and is developed and maintained via open collaboration, often in a public repository. Open source software is governed by licenses that define how it can be used, modified, and distributed, and it must comply with the Open Source Definition, which includes criteria such as free redistribution, inclusion of source code, allowance for derived works, and no discrimination against persons or groups.[25]
Generally, open source refers to a computer program in which the source code is available to the general public for use or modification from its original design. Code is released under the terms of a software license. Depending on the license terms, others may then download, modify, and publish their version (fork) back to the community. Many large formal institutions have sprung up to support the development of the open-source movement, including the Apache Software Foundation, which supports community projects such as the open-source framework Apache Hadoop and the open-source Apache HTTP Server.[26]

2.2 Evolution and Impact

The evolution of open-source software has revolutionized the technological landscape, shaping industries ranging from cybersecurity to healthcare. From its humble beginnings in the hacker culture of the 20th century to its widespread adoption by governments, enterprises, and individual users, open-source software has democratized access to technology and fostered innovation on a global scale.
The impact of open-source software extends far beyond its technical merits. It embodies principles of transparency, meritocracy, and community engagement, driving social change and empowering individuals and organizations to solve complex problems collaboratively.
According to a published Red Hat report on the state of open source, proprietary software is quickly declining. The report states that last year its respondents indicated that about half (55%) of the software they used was proprietary. This year the number is lower, at 45%. They predict that two years from now proprietary software will be down to 37% of their software stacks.[27]


Figure 2.1 – Expected Change in Software

2.3 Advantages of Open-Source in Cybersecurity

1. Transparency and Auditability: Open-source software is transparent, allowing anyone to access and inspect the source code. This promotes honesty, integrity, and accountability within the development process. It also enables users to audit the software for security vulnerabilities and other issues.
2. Flexibility and Customization: Open-source software offers flexibility and customization, allowing organizations to modify the source code to meet their specific needs. This provides a high level of customization and enables organizations to create a tailored cybersecurity solution that meets their unique requirements.
3. Rapid Innovation: Open-source software fosters rapid innovation, as it is developed and maintained via open collaboration. This leads to the rapid evolution and improvement of open-source projects, ensuring that they remain up-to-date and effective.
4. Cost-Effectiveness: Open-source software is typically available at little to no cost, making it a cost-effective option for organizations seeking cybersecurity solutions. This is due to the absence of licensing fees and the ability to leverage community-driven development and support.
5. Scalability and Openness: Open-source software is scalable and open, allowing organizations to easily integrate it with other systems and technologies. It also promotes openness and inclusivity, as anyone can contribute to the development of open-source projects.

These advantages make open-source software a compelling choice for organizations seeking cost-effective, customizable, and innovative cybersecurity solutions.

2.4 Use Cases and Applications

Open source software has numerous use cases and applications in cybersecurity. For example:

2.4.1 Network Security

• Network Monitoring: Open-source tools like Nmap and Wireshark play a crucial role in network monitoring. Nmap scans networks to identify hosts, services, and vulnerabilities. Wireshark captures and analyzes network packets, aiding in debugging and identifying suspicious traffic.

Figure 2.2 – Top Open-source network monitoring tools

• Intrusion Detection: Open-source intrusion detection systems (IDS) such as Snort and Suricata provide real-time alerts for potential security breaches. They analyze network traffic patterns, detect anomalies, and raise alarms when unauthorized activities occur.
• Firewall Management: Tools like iptables (for Linux) and pfSense offer robust firewall capabilities. Administrators can define rules, filter traffic, and protect network boundaries effectively.

Figure 2.3 – open-source firewalls

2.4.2 Vulnerability Assessment

• OpenVAS (Open Vulnerability Assessment System): OpenVAS is a powerful open-source vulnerability scanner. It identifies security flaws in software, operating systems, and network services. Regular scans help organizations stay informed about potential weaknesses.
• Nikto and w3af: Nikto and w3af are other open-source tools that focus on web application security. They scan web servers for vulnerabilities, misconfigurations, and outdated software.

Figure 2.4 – open-source Vulnerability Assessment tools


2.4.3 Penetration Testing

• Kali Linux: Kali Linux is a popular open-source distribution specifically designed for penetration testing and ethical hacking. It includes a vast array of tools for vulnerability assessment, network reconnaissance, and exploitation.
• Metasploit: Metasploit is a powerful framework for developing, testing, and executing exploits. Security professionals use it to simulate attacks, assess defenses, and validate security measures.

2.5 Best Practices for Using OSS in Cybersecurity

To maximize the benefits and mitigate the challenges of using OSS in cybersecurity, organizations should follow these best practices:
• Conduct a thorough security review: Before deploying any OSS tool, carefully evaluate its security posture. This includes reviewing the source code for vulnerabilities, checking the project’s security track record, and understanding the licensing implications.
• Stay updated: Regularly update OSS tools to benefit from the latest security patches and functionality enhancements. Organizations can leverage community resources and automated update mechanisms to ensure their OSS tools remain current.
• Build internal expertise: Invest in training or hire personnel with the skills and knowledge necessary to manage, maintain, and troubleshoot OSS security tools.
• Contribute to the community: Organizations can benefit from the open-source community by actively participating in discussions, reporting bugs, and contributing code improvements. This fosters a collaborative environment and ensures the continued development and improvement of OSS security tools.
• Maintain a diverse security toolkit: Don’t rely solely on OSS solutions. Combine OSS tools with commercially supported security software to create a layered and robust security posture.

2.6 Challenges and Considerations

While open-source software presents numerous opportunities for enhancing cybersecurity, there are certain challenges and considerations associated with its adoption. One significant aspect is the variety of licensing models employed in open source projects. Licenses such as the GNU General Public License (GPL) and the Apache License promote freedom and flexibility, but they may impose restrictions on commercial usage or require contributors to release modifications under the same license terms. Understanding these licensing implications is crucial when integrating open source tools into an organization’s cybersecurity ecosystem.[28]
Another challenge relates to maintenance and updates. Open-source projects depend heavily on community involvement and support. Without consistent community contribution, maintaining and updating open-source tools becomes challenging. To address this concern, organizations must actively engage with the open-source community, participate in discussions, report bugs, and submit patches. Regular updates ensure that open-source tools remain secure and effective against evolving threats.[29]
When considering the integration of open-source tools into existing security infrastructure, compatibility and interoperability emerge as critical factors. Open-source tools must seamlessly interact with legacy systems and third-party products without compromising performance or functionality. Additionally, organizations must evaluate whether open-source tools align with their broader IT strategy and technical architecture before adopting them. Careful planning and strategic implementation help minimize disruptions during the transition period and maximize the benefits of open-source tools.


2.7 The Future of OSS in Cybersecurity

The future of OSS in cybersecurity is bright and evolving. Here are some key trends to consider:
• Increased Adoption: As organizations become more aware of the benefits of OSS, its adoption in cybersecurity is expected to continue to grow. This will lead to a wider range of mature and feature-rich OSS security tools being available.
• Focus on Security: The open-source community is increasingly focusing on security. We can expect to see more emphasis on secure coding practices, vulnerability management, and collaboration with security researchers to identify and address security issues in OSS projects.
• Integration and Automation: There will be a growing focus on integrating OSS tools with other security solutions and automating security workflows. This will streamline security operations and improve overall efficiency.
• Cloud-Native Security: With the increasing adoption of cloud computing, there will be a demand for cloud-native OSS security tools that are designed to secure cloud environments and applications.
• Evolving Threats: As cyberattacks become more sophisticated, OSS security tools will need to evolve to keep pace. We can expect to see the development of new tools and techniques for threat detection, prevention, and response.

2.8 Conclusion

In summary, open-source software (OSS) plays a crucial role in cybersecurity. Organizations must consider licensing models, maintenance, and integration with existing security infrastructure when using open-source tools. Overcoming challenges proactively allows organizations to harness the full potential of open-source tools in protecting digital assets. Open source emphasizes transparency, adaptability, and community-driven development, redefining the cybersecurity landscape and enabling resilient and innovative solutions. As the digital landscape evolves, open source remains indispensable in securing digital domains against emerging cyber threats.

Chapter 3
Security information and event management (SIEM)

3.1 SIEM Definition

SIEM, Security information and event management, is a security solution that helps organizations recognize potential security threats and vulnerabilities before they have a chance to disrupt business operations. It surfaces user behavior anomalies and uses artificial intelligence to automate many manual processes. As a result, it has become a staple in modern security operations centers (SOCs) for security and compliance management use cases.[30]
SIEM systems are broadly used to perform real-time monitoring and control of infrastructure resources. A SIEM system incorporates two previously heterogeneous systems: a security information management (SIM) system that focuses on the analysis of historical data to improve the long-term effectiveness and efficiency of cyber security mechanisms, and a security event management (SEM) system that aggregates data into a manageable amount of information to enable the rapid handling of security incidents.[31]

Chapter 3 : Security information and event management (SIEM)

3.2 History and Evolution of SIEM

The first use of the term Security Information and Event Management is attributed to a report by Gartner Inc.[32]
Analysts distinguish three generations in the evolution of SIEM systems:

• The first generation of SIEMs, introduced in 2005, provided basic log aggregation for different systems and simple event correlation techniques. This generation merged log management and event management, which had previously been separate: SEM analyzes log and event data in real time, providing threat monitoring, event correlation, and incident response, while SIM collects, analyzes, and generates reports on log data. These products were limited in the volume of data they could process and in the quality of the alerts and visualizations they generated.
• The second generation of SIEM solutions was better equipped to handle big data. For example, these SIEMs can correlate historical log data with real-time events and with data from threat intelligence sources.
• In 2017, Gartner proposed a new generation of SIEM, called "SIEM Analytics". It integrates advanced techniques such as user and entity behavior analytics (UEBA), based on machine learning, to establish behavioral baselines for users or computer systems and identify anomalies. It also includes security orchestration, automation, and response (SOAR), which helps analysts investigate incidents quickly and trigger security tools to respond to an incident automatically.

3.3 Theory and Process Flow of SIEM

As the previous research shows, a SIEM collects data from different IT equipment such as servers, network devices, etc. The SIEM then stores, normalizes, aggregates, and analyzes this data to discover anomalies, detect threats, and allow organizations to investigate alerts.
The figure below displays the entire process flow of the SIEM system:

Figure 3.1 – SIEM steps

To allow security managers to monitor events, the SIEM system needs a large amount of data to begin its process. The data required is the logs, so the SIEM starts by collecting logs from various information sources.
Information sources are all devices (routers, switches, servers, etc.) and applications that generate logs the SIEM system can subsequently collect and process. Operating systems are also information sources, since they generate logs. These logs record the activity of the system: who logged in, who did what on the system, and everything users or the operating system itself are doing.

3.3.1 Data Collection

Data collection in a SIEM system relies on logs and events from hundreds of organizational log sources. Each system generates an event for every new action that happens. The first step is for the SIEM to collect the logs generated by these sources. In general, there are two methods of collecting logs, the push method and the pull method, although the actual mechanisms for retrieving logs vary depending on the specific SIEM used.
The push method simplifies installation and configuration on the SIEM side. A SIEM that uses this method typically sets up a receiver, and the source device is then pointed at that receiver.
Example with Syslog: when configuring the source device for Syslog, set the IP address or DNS name of the Syslog server on the network, and the device will automatically start sending its logs via Syslog to that receiver.
Unlike the push method, in which the source device sends logs to the SIEM without any interaction from the SIEM, the pull method requires the SIEM to initiate a connection to the source device and actively retrieve the logs from it.
For example, if the logs are stored in flat text files on a network share, the SIEM must first establish a connection to the share using stored credentials before it can read the flat text file containing the source device's logs.
Because the SIEM initiates and authenticates every connection, which is not the case with the push method, the pull method gives tighter control over which sources are read and when; the trade-off is that the SIEM must hold credentials for each source, and those credentials must be protected.

3.3.2 Data Normalization

At this stage, logs from the various information sources have already been transmitted to the SIEM system. However, they are still in their native formats and therefore not directly usable by the SIEM.
For these logs to be useful, they must first be reformatted into a single standard format that the SIEM can use. Normalization is the process of turning all these different log formats into one. Every SIEM handles normalization in its own way, but the result is that all logs, regardless of device type or manufacturer, look the same inside the SIEM.
The following figure shows an example of a "connection rejection" event whose log source is a firewall:

1. The raw event stream is received by a collector.
2. The collector identifies the log source type of the event and loads the matching parser (or takes it from the cache).
3. The parser is applied to each event. A parser is a set of regular expressions; each regex is used to extract one of the event's fields (source IP, destination port, username, etc.).
4. The event is normalized and categorized.

Figure 3.2 – Event normalization example
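The normalization steps above can be made concrete. The following Python code is an added example written for this page, not the code of the SIEM built in this thesis or of any product named here: it keeps one ordered list of regular expressions per log source type, selects that list from a small device inventory, and fills every event into one common schema. The device names, the iptables-style firewall line and the sshd lines are constructed sample input; the schema field names are assumptions.

```python
"""Normalize raw log lines from different source types into one event schema."""
import re

# Device inventory: which log source type each device produces (constructed).
DEVICE_TYPES = {"fw01": "iptables", "web01": "sshd"}

# One parser per source type: an ordered list of (regex, category, default action).
# Named groups become normalized fields; the first regex that matches wins.
PARSERS = {
    "iptables": [
        (re.compile(r"(?P<action>DROP|REJECT|ACCEPT) IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) "
                    r".*?SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+).*?PROTO=(?P<proto>\S+)"
                    r"(?: SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+))?"),
         "network.connection", None),
    ],
    "sshd": [
        (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from "
                    r"(?P<src_ip>\S+) port (?P<src_port>\d+)"),
         "auth.failure", "reject"),
        (re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from "
                    r"(?P<src_ip>\S+) port (?P<src_port>\d+)"),
         "auth.success", "accept"),
    ],
}

# The common schema every normalized event is filled into (None when absent).
SCHEMA = ("timestamp", "device", "source_type", "category", "action",
          "src_ip", "src_port", "dst_ip", "dst_port", "proto", "user", "raw")
INT_FIELDS = ("src_port", "dst_port")


def normalize(timestamp, device, message):
    """Return one normalized event dict. Unknown devices and unmatched lines are
    kept with category 'unparsed' and the raw text, so nothing is silently dropped."""
    event = dict.fromkeys(SCHEMA)
    event.update(timestamp=timestamp, device=device, raw=message,
                 source_type=DEVICE_TYPES.get(device), category="unparsed")
    for regex, category, default_action in PARSERS.get(event["source_type"], []):
        match = regex.search(message)
        if match is None:
            continue
        fields = match.groupdict()
        for name in INT_FIELDS:
            if fields.get(name) is not None:
                fields[name] = int(fields[name])
        event.update({k: v for k, v in fields.items() if k in SCHEMA})
        event["category"] = category
        event["action"] = fields.get("action") or default_action
        break
    return event


def normalize_stream(records):
    """Apply normalize() to an iterable of (timestamp, device, message) tuples."""
    return [normalize(*rec) for rec in records]


# Constructed raw events, as a collector would hand them over.
RAW_EVENTS = [
    ("2024-05-01T10:00:00", "fw01",
     "DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51234 DPT=22"),
    ("2024-05-01T10:00:01", "web01",
     "sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2"),
    ("2024-05-01T10:00:02", "web01",
     "sshd[2213]: Accepted publickey for deploy from 10.0.0.9 port 40010 ssh2"),
    ("2024-05-01T10:00:03", "printer7", "vendor-specific status line"),  # unknown device
]

if __name__ == "__main__":
    for ev in normalize_stream(RAW_EVENTS):
        print(ev["device"], ev["category"], ev["action"], ev["src_ip"], ev["dst_port"], ev["user"])
```

Events the parsers cannot interpret are kept with the category "unparsed" and the raw message intact rather than dropped, so a missing parser shows up in the SIEM as a gap to fix instead of as silent data loss.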

3.3.3 Aggregation

Data aggregation is a useful feature that reduces the amount of redundant information collected in logs. Several similar events can be reduced to one based on conditions; these conditions are simple rules expressed over normalized events.

Aggregation Types

• Simple aggregation: when two events are identical, they are aggregated.
• Field-based aggregation: when selected event fields are identical, within a defined threshold and time interval, the events are aggregated.

The figure below shows the "connection rejection" event again, but this time two access requests from the same IP address within 10 seconds, detected by the firewall, would normally create two lines in a log; event aggregation reduces them to one line:

1. The stream of raw events arrives for normalization and categorization.
2. Normalization parsers are applied to the raw events.
3. The normalized events are processed by the aggregation engine.
4. The aggregated event passes to the next step.

Figure 3.3 – Event aggregation example

3.3.4 Correlation

Correlation turns several normalized events into one correlated event in order to simplify incident response. It runs in real time on the incoming normalized log data taken from the log sources and analyzes the data to identify relationships, displaying a single event that was triggered by multiple events from various sources.
Correlation rules fall into two categories:

• Incident detection rules: contain the detection conditions;
• Auxiliary rules: maintain the lists used by incident detection rules, reports, and dashboards.

Event correlation tools can then perform actions based on user-defined rules, such as sending alerts for hardware or application failures.


3.3.5 Alerting and Automatic Response

The SIEM solution must also be able to respond automatically to a given event or set of circumstances. Responses may include alerting by e-mail or issuing a network modification directive, such as adjusting a firewall rule or reconfiguring a switch.
SIEM platforms associate alerts with rules, and may even integrate alert definitions into the policy management system. This way, when a rule is created, its criticality and the appropriate response are defined at the same time.
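The aggregation, correlation and response steps of sections 3.3.3 to 3.3.5 can be shown end to end on normalized events. The following Python code is an added example written for this page, not the engine of this thesis or of any vendor: it applies field-based aggregation within a 10-second window, runs two incident detection rules of the kind described above (a counting rule and a distinct-value rule) over a sliding window, and attaches the response that is defined together with each rule's criticality. The events, rule names, thresholds and response actions are constructed for the example; nothing is actually sent.

```python
"""Aggregate normalized events, correlate them with rules, and pick a response."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(value):
    """Parse the ISO-8601 timestamps used in the event records."""
    return datetime.fromisoformat(value)


def fw_drop(t, dst_port):
    return {"timestamp": t, "device": "fw01", "category": "network.connection", "action": "DROP",
            "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": dst_port, "user": None}


def ssh_fail(t):
    return {"timestamp": t, "device": "web01", "category": "auth.failure", "action": "reject",
            "src_ip": "10.0.0.5", "dst_ip": None, "dst_port": None, "user": "admin"}


# Constructed normalized events: two identical drops 3 s apart, two drops on other
# ports, five SSH failures from the same address, then a legitimate login.
EVENTS = [
    fw_drop("2024-05-01T10:00:00", 22), fw_drop("2024-05-01T10:00:03", 22),
    fw_drop("2024-05-01T10:00:05", 23), fw_drop("2024-05-01T10:00:08", 445),
    ssh_fail("2024-05-01T10:00:10"), ssh_fail("2024-05-01T10:00:12"),
    ssh_fail("2024-05-01T10:00:14"), ssh_fail("2024-05-01T10:00:16"),
    ssh_fail("2024-05-01T10:00:25"),
    {"timestamp": "2024-05-01T10:00:30", "device": "web01", "category": "auth.success",
     "action": "accept", "src_ip": "10.0.0.9", "dst_ip": None, "dst_port": None, "user": "deploy"},
]

AGG_FIELDS = ("device", "category", "action", "src_ip", "dst_ip", "dst_port", "user")


def aggregate(events, fields=AGG_FIELDS, window=timedelta(seconds=10)):
    """Field-based aggregation: events whose selected fields are identical and that fall
    within `window` of the bucket's first event collapse into one event with a count."""
    buckets, out = {}, []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = tuple(ev.get(f) for f in fields)
        agg = buckets.get(key)
        if agg is not None and ts(ev["timestamp"]) - ts(agg["first_seen"]) <= window:
            agg["count"] += 1
            agg["last_seen"] = ev["timestamp"]
            continue
        agg = dict(ev, first_seen=ev["timestamp"], last_seen=ev["timestamp"], count=1)
        buckets[key] = agg          # a new bucket replaces an expired one
        out.append(agg)
    return out


# Incident detection rules: count events (or distinct values of one field) per group
# inside a sliding window and fire once per group when the threshold is reached.
RULES = [
    {"name": "ssh_bruteforce", "category": "auth.failure", "group_by": "src_ip",
     "threshold": 5, "window": timedelta(seconds=60), "criticality": "high"},
    {"name": "port_scan", "category": "network.connection", "action": "DROP",
     "group_by": "src_ip", "distinct": "dst_port",
     "threshold": 3, "window": timedelta(seconds=60), "criticality": "medium"},
]


def correlate(agg_events, rules=RULES):
    alerts = []
    for rule in rules:
        history, fired = defaultdict(list), set()
        for ev in sorted(agg_events, key=lambda e: e["first_seen"]):
            if ev["category"] != rule["category"]:
                continue
            if "action" in rule and ev.get("action") != rule["action"]:
                continue
            key = ev.get(rule["group_by"])
            now = ts(ev["last_seen"])
            history[key] = [e for e in history[key] + [ev]
                            if now - ts(e["first_seen"]) <= rule["window"]]
            if "distinct" in rule:
                score = len({e.get(rule["distinct"]) for e in history[key]})
            else:
                score = sum(e["count"] for e in history[key])  # aggregated repeats still count
            if score >= rule["threshold"] and key not in fired:
                fired.add(key)
                alerts.append({"rule": rule["name"], "criticality": rule["criticality"],
                               "key": key, "score": score, "evidence": list(history[key])})
    return alerts


# Response actions tied to criticality; simulated, nothing is sent anywhere.
RESPONSES = {"high": ["notify_email", "firewall_block_src"],
             "medium": ["notify_email"], "low": ["open_ticket"]}


def respond(alert):
    return [(action, alert["key"]) for action in RESPONSES[alert["criticality"]]]


if __name__ == "__main__":
    for alert in correlate(aggregate(EVENTS)):
        print(alert["rule"], alert["key"], alert["score"], respond(alert))
```

Because the counting rule scores aggregated events by their count, aggregation reduces volume without hiding the repetitions a detection depends on. The fired set suppresses duplicate alerts for the same group for the lifetime of the engine; a production SIEM would replace it with a per-key cooldown.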

3.3.6 Archiving

SIEM solutions are also used for legal and regulatory reasons. Probative (evidential) archiving guarantees the integrity of the traces so that they can be relied on later. Solutions may store the archive on RAID disks for availability, compute a fingerprint (cryptographic hash) of each record, and use encryption, signing, or other means to guarantee that the traces have not been altered.
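One way to make the fingerprint of an archive probative is to chain the records' hashes, so that editing, deleting or reordering any record invalidates everything after it. The following Python code is an added example written for this page, not the archiving module of this thesis: it stores each event as a canonical JSON line prefixed with a SHA-256 over that line and the previous record's hash, and verifies the chain. The events are constructed sample data.

```python
"""Tamper-evident archive: each stored record carries a SHA-256 fingerprint
computed over its own content and the previous record's fingerprint."""
import hashlib
import json

GENESIS = "0" * 64   # fingerprint the chain starts from


def fingerprint(prev_hash, payload):
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


def archive(events, prev_hash=GENESIS):
    """Serialize events as '<hash> <canonical JSON>' lines chained to prev_hash.
    Returns the lines and the head hash, which must be stored out of band."""
    lines = []
    for event in events:
        payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
        prev_hash = fingerprint(prev_hash, payload)
        lines.append(f"{prev_hash} {payload}")
    return lines, prev_hash


def verify(lines, start_hash=GENESIS, expected_head=None):
    """Return (ok, index): index is the first line whose fingerprint does not chain
    to its predecessor, or len(lines) when the archive was truncated at the end."""
    prev = start_hash
    for i, line in enumerate(lines):
        claimed, payload = line.split(" ", 1)
        if fingerprint(prev, payload) != claimed:
            return False, i
        prev = claimed
    if expected_head is not None and prev != expected_head:
        return False, len(lines)
    return True, None


# Constructed normalized events to archive.
EVENTS = [
    {"timestamp": "2024-05-01T10:00:00", "device": "fw01", "category": "network.connection",
     "action": "DROP", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22},
    {"timestamp": "2024-05-01T10:00:01", "device": "web01", "category": "auth.failure",
     "action": "reject", "src_ip": "10.0.0.5", "user": "admin"},
    {"timestamp": "2024-05-01T10:00:02", "device": "web01", "category": "auth.success",
     "action": "accept", "src_ip": "10.0.0.9", "user": "deploy"},
]


def tamper_demo():
    """Show what the check catches: an edited record, a deleted record, truncation."""
    lines, head = archive(EVENTS)
    edited = list(lines)
    h, payload = edited[1].split(" ", 1)
    edited[1] = f"{h} {payload.replace('10.0.0.5', '10.0.0.6')}"   # change evidence in place
    deleted = lines[:1] + lines[2:]                                   # remove a record
    truncated = lines[:-1]                                            # drop the last record
    return {
        "intact": verify(lines, expected_head=head),
        "edited": verify(edited, expected_head=head),
        "deleted": verify(deleted, expected_head=head),
        "truncated_without_head": verify(truncated),
        "truncated_with_head": verify(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The chain alone does not detect truncation at the end of the archive, and an attacker who can rewrite the whole file can recompute every hash; both are caught only if the head hash is anchored outside the archive, for instance signed or written to a separate append-only store, which is what the expected_head check stands in for.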

3.4 Benefits of SIEM

Implementing a security control within an organization is necessary to protect IT equipment; the benefits of a SIEM system can be summarized as follows:

• Data aggregation and visibility: Logs are normalized and correlated in a SIEM system, providing good visibility into the IT environment. A massive amount of data must be supervised, which is why the SIEM capabilities for data aggregation and normalization are so beneficial. The tool also analyzes and correlates this data, finding connections that help IT staff detect security incidents quickly.
• Streamlined compliance reporting: The SIEM server receives log data from many hosts and can generate a single report covering all the relevant logged security events across these hosts.
• Increased efficiency: Because a SIEM collects event logs from multiple devices, IT staff can quickly identify potential issues and perform quick checks on activities and analysis files; SIEM systems can also improve reporting processes across the business.
• Threat detection: SIEMs offer an assortment of features and functionality that make up security monitoring: the entire chain of collection, normalization, correlation, and analysis of logs. The SIEM also alerts security analysts when suspicious events are detected.
• Better overall handling of security breaches and events: SIEM software can reduce the impact of a security breach, such as its financial cost and the damage caused to the business and to the IT systems in place, by enabling a fast response to the detected events.

3.5 SIEM Solutions Types

In the SIEM (Security Information and Event Management) category, we can roughly distinguish three types of solutions:

• "Blank" products with no original configuration, for which everything must be put in place. This is the case of Splunk, which relies on adaptability and flexibility to provide an effective solution whatever the need.
• Solutions built on existing, scalable foundations that provide correlation, alerting, and reporting, and offer parsers adapted to most of the equipment on the market.
• Ready-to-use solutions that are easy to use and immediately meet a specific need. These may satisfy the need at the time, but generally fall short in terms of scalability and functionality.

SIEM solutions aim to meet companies' real-time needs for analyzing security events related to the management of internal and external threats. Such a solution allows the monitoring of applications, user behavior, and data access. Through the functionalities it provides, it is therefore possible to collect, normalize, aggregate, correlate, and analyze event data from machines, systems, and applications (firewalls, IDS/IPS, network devices, security appliances, applications, databases, servers, directories).

3.6 Commercialized Solutions

The SIEM solutions used by large companies are generally commercial products built according to their needs; however, they cost a fortune, which makes them impractical for some companies for financial reasons. Listed below are the trending commercial Security Information and Event Management tools available on the market.
All the solutions support every business size (small, medium, and large); however, not all of them are adapted to every operating system: according to the table, ArcSight is listed as compatible with Windows only. Moreover, the deployment model varies from one solution to another; SolarWinds, for instance, is used both on-premises and in the cloud. Finally, not all the solutions offer a free trial, and the price varies depending on the functionalities offered. We will not go into more detail or make comparisons, because the purpose of our project is not to demonstrate or define any of these commercial solutions.

Figure 3.4 – Most popular SIEM tools

3.7 Open-source Solutions

Several open-source SIEM solutions have become robust and competitive, and there are many benefits to using an open-source SIEM, not just for small businesses. Unfortunately, existing solutions either lack core SIEM capabilities, such as event correlation and reporting, or require combining with other tools. As always, though, there are some excellent contenders. We describe the four most well-known open-source SIEM solutions:


3.7.1 Elasticsearch

Figure 3.5 – Elasticsearch logo

Elasticsearch, the core of the ELK Stack (now called the Elastic Stack), is a distributed open-source search and analytics engine based on Apache Lucene and developed in Java. The project began as an extensible version of the Lucene open-source search framework. It sits within a comprehensive ecosystem of open-source tools for data ingestion, enrichment, storage, analysis, and visualization (ELK stands for the Elasticsearch, Logstash, and Kibana components). Logstash and Beats deliver the logs: Beats are lightweight shippers installed on the sources, while Logstash filters and enriches this data through its many plug-ins. Elasticsearch is the engine that stores and searches the data, and Kibana provides visualization.[33]
Elasticsearch is a powerful and versatile suite, but it lacks some essential SIEM features; with a few important additions it would be a complete SIEM tool. In particular, it is weak at correlation and does not provide ready-to-use alerts or autonomous incident management. However, with its robust architecture, customization, and open-source nature, Elasticsearch is unsurprisingly very powerful and provides the foundation for many other choices on this list. The following table presents the pros and cons of Elasticsearch:

Pros of Elasticsearch:
• Runs on every platform because it is developed in Java.
• Near-real-time indexing: any added document is searchable almost immediately.
• Offers a gateway (snapshot) concept, facilitating quick full backups.
• Distributed, document-oriented architecture, facilitating scalability in large organizations.
• Supports all document types except those not compatible with text rendering.
• Effective full-text search: language-aware searches that return the matching documents.
• High throughput through parallel processing, distributing primary and replica shards across nodes.

Cons of Elasticsearch:
• Split-brain situations can occur in misconfigured clusters.
• Lack of multi-language support for request and response data; only the JSON format is supported.
• Not as suitable a general data store as alternatives like MongoDB or Hadoop; better for smaller use cases.
• Steeper learning curve compared to simpler search solutions, particularly for enterprise use.

Table 3.1 – Pros and Cons of Elasticsearch

3.7.2 OSSIM

Figure 3.6 – OSSIM logo

OSSIM, developed by AlienVault, is one of the most powerful open-source options, providing complete security supervision of an infrastructure. The OSSIM framework aims to centralize, organize, and improve the detection and display of security event information from a company's monitored systems. OSSIM performs event collection and normalization. It has short-term logging and monitoring capabilities, long-term threat assessment, and built-in automated responses.[34]
However, OSSIM is neither very flexible nor easy to manage. System administrators complain about cumbersome configuration, especially on Windows, and the time-consuming investment needed to customize the software.
The following table presents the pros and cons of OSSIM:
Pros of OSSIM:
• It can be operated on-premise and virtually.
• Requires only a single server.
• Community support is available via its product forum.
• Developers provide ongoing development, increasing its value to users.
• A learning function allows the solution to increase the reliability of its feedback.
• Intuitive interface, thanks to a modular control panel that adapts to the customer's needs.

Cons of OSSIM:
• Limited flexibility makes customization a long process.
• Implementing a complex solution requires a proper audit and risk assessment process when configuring the desired security policy.

Table 3.2 – Pros and Cons of OSSIM

3.7.3 Wazuh

Figure 3.7 – Wazuh logo

Wazuh is an open-source platform that originated as a fork of OSSEC and is a common choice among organizations because of its capabilities in threat detection, integrity monitoring, compliance, and incident management. Wazuh collects, aggregates, indexes, and analyzes security data, enabling organizations to detect intrusions and identify threats and behavioral anomalies.[35]

The following table presents the pros and cons of Wazuh:

Pros of Wazuh:
• Based on (and compatible with) OSSEC.
• Supports cloud infrastructure monitoring, including AWS (Amazon Web Services) and Microsoft Azure.
• Integrates with Splunk to visualize alerts and API data.

Cons of Wazuh:
• Complicated architecture: requires a full indexer and dashboard stack (the Elastic Stack, or the OpenSearch-based Wazuh indexer and dashboard shipped with recent releases) in addition to the Wazuh server components.

Table 3.3 – Pros and Cons of Wazuh

3.7.4 Quadrant Sagan

Figure 3.8 – Quadrant Sagan Logo

Quadrant Sagan is a high-performance open-source real-time log analysis and correlation engine. It runs under *nix operating systems, is written in C, and uses a multi-threaded architecture to deliver high-performance log and event analysis.
Sagan is compatible with Snort: it uses a Snort-style rule syntax and writes its alerts in Snort-compatible output formats, so Sagan detects threats from logs while Snort, running inline, is used to prevent damage on the wire. Sagan was designed to be lightweight, so it also suits companies that do not require many features and focus on their application's performance. It is a good fit for businesses that already use Snort or plan to implement an IPS in addition to a SIEM.[36]
The following table presents the pros and cons of Quadrant Sagan:

Pros of Sagan:
• Fully compatible with Snort databases, rules, and user interfaces.
• Multi-threaded architecture designed for high performance.

Cons of Sagan:
• Relatively young project with a small community.
• The difficult installation process can involve building the entire SIEM from source.

Table 3.4 – Pros and Cons of Quadrant Sagan

3.7.5 Comparative Table

To aid in the decision-making process, the following table provides a comparative overview of the key features and capabilities of Wazuh, ELK Stack, Quadrant Sagan, and OSSIM (✓ = considered a strength of the solution, ✗ = a weakness or missing feature):

Feature/Aspect                  Wazuh   ELK Stack   Quadrant Sagan   OSSIM
Log Management                    ✓         ✓             ✓            ✓
Threat Detection                  ✓         ✗             ✓            ✓
Compliance                        ✓         ✗             ✗            ✓
Scalability                       ✓         ✓             ✓            ✓
Ease of Use                       ✓         ✗             ✗            ✗
Integration                       ✓         ✗             ✓            ✗
Community Support                 ✓         ✓             ✓            ✓
Cost                              ✓         ✗             ✓            ✓
Host-based Intrusion Detection    ✓         ✗             ✓            ✓
Real-time Threat Detection        ✓         ✗             ✓            ✓
Agent-based Architecture          ✓         ✗             ✓            ✓
Advanced Data Visualization       ✗         ✓             ✗            ✗

Table 3.5 – Comparative Table of Wazuh, ELK Stack, Quadrant Sagan, and OSSIM

3.8 Limitations of Traditional SIEM

Traditional Security Information and Event Management (SIEM) systems, while valuable tools, face limitations that hinder their effectiveness in today's dynamic cybersecurity landscape. The key limitations are:

• Complex deployment and management: Traditional SIEM systems can be complex to deploy, configure, and manage. They may require extensive manual configuration, integration with various data sources, and ongoing maintenance, which is time-consuming and resource-intensive. This complexity also drives up costs in terms of staffing, training, and ongoing operational expenses.
• Outdated detection methods: Traditional SIEMs rely primarily on signature- and rule-based detection. While this approach is effective against known threats, it cannot detect unknown attacks or the exploitation of zero-day vulnerabilities for which no signature exists yet.
• Limited real-time response: Traditional SIEM systems may have limited real-time response capabilities. They provide alerts and notifications for security events, but the actual response often requires manual intervention and coordination across different security tools and systems, delaying action against threats and reducing the timeliness and effectiveness of incident response.
• Manual updates: Rules and signatures need frequent updates, which introduces delays in detecting and responding to emerging threats and leaves systems exposed in the meantime.
• Limited scope and visibility: Designed for traditional networks, these systems struggle to monitor the growing number of endpoints and devices outside the network perimeter.
• Data overload: Another significant limitation is the inability of traditional SIEMs to handle effectively the vast amounts of data generated by modern IT environments. As data volumes keep growing exponentially, traditional SIEMs struggle to scale and process this data in a timely manner, resulting in missed threats and delayed insights.
• Limited analytics: Traditional SIEMs often lack advanced analytics capabilities, such as machine learning and behavioral analytics, which are essential for detecting sophisticated and evolving threats.

In light of these limitations, organizations are increasingly turning to next-generation SIEM solutions that offer enhanced capabilities and the flexibility to meet the challenges of today's dynamic cybersecurity landscape.

3.9 Features of Next-Gen SIEM

In response to the limitations of traditional SIEMs, next-generation SIEM solutions have emerged, offering a comprehensive and dynamic approach to security information and event management. The following features are needed in a modern SIEM solution that combines the latest technology with a thorough understanding of how threats emerge:

• Collect and manage data from all available sources: Present-day threats typically span multiple data sources. To be effective, every data source must be available to the modern SIEM so that it can analyze and correlate the data. This includes cloud service data, on-premises log data (security controls, identity systems, databases, and application logs), and network data (intrusion detection, endpoints, flows, packets, etc.).[37]

Figure 3.9 – NG-SIEM Data collection

• Incident prioritization: The amount of data SOCs need to analyze is staggering. It is not unusual for large companies to generate hundreds of millions of log entries every day. Modern SIEMs are designed to raise the signal-to-noise ratio to a level where analysts regain control of their domain. The ability to eliminate false positives and focus only on events showing abnormal behavior is essential for robust security, efficient staff performance, and keeping costs down. On a typical day, a best-in-class SIEM solution might reduce 500 million log entries to 60,000 session timelines, then surface fewer than 50 notable events. From these, a dozen or so tickets might be generated for investigation.[37]

Figure 3.10 – Incident prioritization

• Automated threat remediation: In the face of successful cyberattacks, organizations require advanced remediation capabilities, which has led next-gen SIEM solutions to incorporate automated incident response features. These systems compile the details of an event and use dynamic playbooks to orchestrate precise, automated remediation actions. Next-gen SIEM solutions also integrate into a team's security processes by automating workflows with connected systems such as IT service management (ITSM), streamlining the overall incident response process.[38]
• Proactive threat detection: Using advanced analytics, machine learning, and behavior analysis, next-gen SIEMs can identify suspicious activity and potential threats before they escalate into security incidents.[37]
• Improved threat intelligence integration: They integrate with threat intelligence feeds, giving security teams access to the latest threat indicators and attack vectors.
• Continuous compliance: Next-gen SIEMs automate compliance monitoring and reporting, enabling organizations to continuously track their adherence to regulations and industry best practices. This includes features like mapping security controls to compliance requirements and generating compliance reports and dashboards.

Next-generation SIEM solutions thus emerge as a powerful response, addressing these limitations with features like proactive threat detection, advanced data handling, and continuous compliance. By adopting next-generation SIEM technology, organizations can proactively manage and secure their IT environment.

3.10 Conclusion

This chapter has explored the history, theory, and practical applications of Security Information and Event Management (SIEM) systems. We traced the evolution of SIEM from its initial purpose of log aggregation to its current role as a central pillar of modern security operations. The discussion highlighted the significant benefits SIEM solutions bring to organizations. We further examined the different types of SIEM solutions available, catering to diverse needs and budgets.
However, the chapter also acknowledged the limitations of traditional SIEMs, particularly their struggle to keep pace with the evolving threat landscape. Next-generation SIEM solutions have emerged in response, offering advanced features like proactive threat detection, continuous compliance monitoring, and improved data handling.
In conclusion, SIEM technology has become an indispensable tool for organizations striving to secure their IT infrastructure in an increasingly complex and dynamic cyber environment. As threats continue to evolve, next-generation SIEM solutions will play a crucial role in enabling organizations to proactively manage their security posture and stay ahead of the curve. This continuous evolution underlines the need for ongoing research and development in the field of SIEM to address emerging challenges and ensure its continued effectiveness.

Part II
Practical Part

Chapter 4
Design and implementation

4.1 Introduction

As mentioned in the previous section, one of the main drawbacks of a traditional SIEM solution is the limited range of actions it can take when a security event occurs. This is where a next-gen SIEM solution comes in.
In this chapter, we give an overview of our solution and explain its design and functionalities in detail. We also present the different tools used and the interfaces illustrating the most interesting options.

4.2 Prerequisites

To implement this project in practice, a set of conditions must be met in order to build and test it. Among these conditions is the mandatory existence of a SOC environment that contains at least the SIEM technology, which collects the log data from the different equipment of the organization's infrastructure in order to process this data and automate the investigations opened when abnormal behavior is observed on a device of the infrastructure. In order to test the effectiveness of the solution we have developed, we also need an attacker machine equipped with malicious programs and scripts, whose purpose is to find out to what extent the SIEM responds to different cyber-attacks.


4.2.1 Infrastructure

IT infrastructure is defined as the combined set of hardware, software, networks, facilities, etc. (including all equipment related to information technology) used to develop, test, deliver, monitor, control, or support IT services[39]. It relies on various components designed to manage the company's internal ecosystem or to provide services outside the company. The more efficiently and reliably the infrastructure is organized, the more the company's ability to use its services effectively contributes to its growth and development. The entire ecosystem is composed of different software solutions, various hardware, and network connections that work together and complement each other[40].

4.2.2 SOC Environment

In the first chapter, we discussed the importance and necessity of SOCs for business continuity and operations, and we also showed the essential components that must be carefully considered when creating one. Among the three basic components, we mentioned technology, which is as key an element as the other two, because an imbalance in any one of them makes the SOC ineffective, and this is what we strive to avoid. In the following sections, we detail the technologies and tools we have used at the SOC level.

4.2.3 Attacker Machine

The purpose of the attacker machine is to model threats: to detect and prioritize potential threats against the different devices of the infrastructure, and to evaluate the value of potential mitigations in reducing or eliminating these threats.


4.3 Infrastructure Components

An organization houses hardware, software, servers, storage, and other infrastructure components. The general idea is to improve communication between these different components so that they complement each other. In this section, we examine the main components of IT infrastructure in more detail:

1. Hardware:
Hardware refers to the physical components and devices on which the organization builds its infrastructure. They are its foundation; therefore, although software and networks are part of the infrastructure, they are not physical components of the infrastructure hardware.
Hardware includes, but is not limited to, the following elements:
• Desktops
• Laptops
• Mobile devices
• Storage devices
• Network cables
2. Software:
The various programs and applications that a company uses to function, provide services, operate internal pipelines, etc. This also covers the different operating systems on which all programs and applications are deployed[40]. Software components include:
• Web servers
• Operating systems
• Enterprise resource planning (ERP)
• Customized software for internal work
3. Networks:
Networks allow the organization to combine its different devices into a single network and connect them to the internet. The connection is secured by firewalls that protect it from malware and breaches[40]. A network includes the following components:
• Routers
• Switches
• Servers
• Data centers

4.4 SIEM Architecture

The modules: log collection module, log normalization module, log de-
consolidation module, event analysis module, incident management mod-
ule, alert management module, and dashboard module.
Below are the flowcharts that explain how each module works.

4.4.1 Log Collection Module

Figure 4.1 – Log collection module

As shown in Figure 4.1, logs are collected from the identified devices. Each field is then filled in automatically in its respective domain, and the logs are passed to the normalization module. The collection module is implemented as a Syslog listener. RFC 3164 is an IETF memo stating that logs must be standardized to facilitate their collection over the network.
As a rule, logs produced by Syslog software have the following format: a date/time, an IP address, a facility (kernel, user-level, mail system, system daemons, etc.), a severity (emergency, alert, critical, error, warning, notice, etc.), and the message.

Some devices fill all Syslog fields while others do not. This module does not recognize devices that are not listed in the identified-device database.

4.4.2 Log Normalization Module

Figure 4.2 – Log normalization module

The collected logs are sent to the log normalization module, which checks each log and looks up the IP address and device details. If the device has a normalization class, the log is immediately normalized and stored in the normalized-log database; if it does not, a new class must be added. Normalization includes filling in content fields, removing unnecessary fields from device-generated logs, and translating fields into similar formats.
The normalization module also contributes to the consolidation of logs. Since the devices are already classified by the device identification module, when their logs pass through the normalizer it is possible to predict the module they are destined for. For example, if the normalization module detects that a log comes from an IDS, there is a high probability that it describes an attack; this log should therefore be directed to the Incident Management Module. All normalized logs are placed in the normalized-log database before being forwarded to the log consolidator.

4.4.3 Log Consolidation Module

The consolidation module must be implemented using correlation techniques. There are three particularly effective correlation techniques already used by several SIEMs, such as AlienVault OSSIM:

Figure 4.3 – Log consolidation module

• Cross-Correlation: Compares information from IDSs and vulnerability scanners and prioritizes events according to whether or not the target is vulnerable to the particular attack.
• Inventory Correlation: Checks whether the attack affects a particular service, operating system, and system version, and whether the attacked host actually runs that operating system or has that service active.
• Logical Correlation: Refers to the logical rules used to join several small events into a new model.

The consolidation module also uses two databases: the attack inventory and the network surveillance (monitoring) database.

4.4.4 Event Analysis Module

Figure 4.4 – Event Analysis Module

Once logs are grouped and classified as events, problem logs must be resolved and sent to their respective modules. For example, the Event Analysis module passes all events to the Report/Recommendation Generator module, regardless of the type (id) of the event.

4.4.5 Incident Management Module

Figure 4.5 – Incident Management Module

Attack events originate primarily from an IDS/IPS. Unresolved attacks are first brought to the Alert Management module, which warns the user by sending alerts.
To implement this module, we must use two techniques: sniping and shunning. Event sniping, or session sniping, is a direct intervention to disrupt the victim's connection. It is done by injecting forged packets that reset the connection (the RST flag in TCP). The port, source IP, and sequence numbers must be synchronized with the traffic that triggered the event for the reset to take effect.
Shunning is the denial of access to a host suspected of an attack. In the implementation, one solution is to block the attacker's IP address to reduce the possibility of the attack extending to other targets in the protected environment.
The attacks that cannot be resolved automatically are dealt with manually by the user.

4.4.6 Alert Management Module

Figure 4.6 – Alert Management Module

Critical events are sent to the alert management module, which alerts the analyst.

4.4.7 Dashboard Module

This module sends queries to the database, retrieves the information needed to compute the indicators, and displays the result as a graph.
At this stage of our study, we began to have a clearer idea of our objective, of how to achieve it, and especially of the degree of difficulty of the project. For example, in the normalization module we have to study each possible log source and create a normalization class for it. Below is the class diagram of the log normalization module; it must allow for extension in case a new source of logs appears:

Figure 4.7 – Class diagram of the log normalization module
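The following is an added Python example (not code from the thesis) of the collection, normalization and consolidation steps described in sections 4.4.1 to 4.4.3: RFC 3164 lines are parsed, normalized by a per-device class looked up from an identified-device database, routed to their destination module, and IDS events are prioritized by inventory correlation. The device database, IP addresses, log lines, signature id and asset inventory are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# RFC 3164 line: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG", where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

# Identified-device database (log collection module): source IP -> device type.
# Constructed for the example.
DEVICE_DB = {"10.0.0.5": "ids", "10.0.0.20": "linux"}


@dataclass
class NormalizedLog:
    timestamp: str
    source_ip: str
    device_type: str
    facility: int
    severity: str
    message: str
    destination: str                      # module the log is routed to
    fields: dict = field(default_factory=dict)


class Normalizer:
    """Base normalization class; one subclass per log source (Figure 4.7)."""
    device_type = "generic"
    destination = "event_analysis"

    def extract(self, msg):
        return {}


class LinuxNormalizer(Normalizer):
    device_type = "linux"
    SSH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

    def extract(self, msg):
        m = self.SSH_RE.search(msg)
        return {"user": m.group(1), "srcip": m.group(2)} if m else {}


class IdsNormalizer(Normalizer):
    device_type = "ids"
    destination = "incident_management"   # IDS logs most likely describe attacks
    # Constructed IDS message layout: "[sid] signature {PROTO} src -> dst"
    SIG_RE = re.compile(r"\[(\S+)\] (.+?) \{(\w+)\} (\S+) -> (\S+)")

    def extract(self, msg):
        m = self.SIG_RE.search(msg)
        if not m:
            return {}
        return {"sid": m.group(1), "signature": m.group(2), "proto": m.group(3),
                "srcip": m.group(4), "dstip": m.group(5)}


# Registry of normalization classes; adding a log source means adding a subclass.
REGISTRY = {cls.device_type: cls() for cls in (LinuxNormalizer, IdsNormalizer)}


def normalize(raw, source_ip):
    """Parse one syslog line from source_ip and map it to the common schema.
    Unknown devices and devices without a normalization class are rejected
    explicitly instead of being silently dropped."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        raise ValueError("line is not in RFC 3164 format")
    device_type = DEVICE_DB.get(source_ip)
    if device_type is None:
        raise LookupError(f"{source_ip} is not in the identified-device database")
    norm = REGISTRY.get(device_type)
    if norm is None:
        raise LookupError(f"no normalization class for device type {device_type}")
    pri = int(m.group("pri"))
    return NormalizedLog(
        timestamp=m.group("ts"), source_ip=source_ip, device_type=device_type,
        facility=pri // 8, severity=SEVERITY[pri % 8], message=m.group("msg"),
        destination=norm.destination, fields=norm.extract(m.group("msg")),
    )


# Inventory correlation (consolidation module): is the targeted service actually
# running on the attacked host?  Both tables are constructed for the example.
INVENTORY = {"10.0.0.20": {"os": "linux", "services": {"ssh", "http"}}}
SIGNATURE_TARGETS = {"1000001": "ssh"}     # IDS signature id -> service it affects


def prioritize(log):
    """Return 'high' when the IDS signature targets a service the destination
    host runs, 'low' otherwise, and None for logs that are not IDS events."""
    if log.device_type != "ids":
        return None
    service = SIGNATURE_TARGETS.get(log.fields.get("sid"))
    host = INVENTORY.get(log.fields.get("dstip"), {})
    return "high" if service in host.get("services", set()) else "low"
```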


4.5 Wazuh tool

4.5.1 Wazuh Definition

Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh helps organizations and individuals to protect their data assets against security threats. It is widely used by thousands of organizations worldwide, from small businesses to large enterprises[41]. Wazuh won top honors as the Best SIEM Solution in the SC Awards 2023 for developing an open-source security platform that offers unified SIEM and XDR capabilities, with multi-platform agents that collect security and runtime event data. It is a comprehensive security product with reduced licensing fees and maintenance costs compared to managing multiple proprietary tools. Wazuh's SIEM also helps with regulatory compliance, preventing costly fines and penalties for non-compliance.[42]

4.5.2 Wazuh Features

The main capabilities that Wazuh provides are as follows:

• Intrusion detection: agents scan the monitored systems looking for malware, rootkits, and suspicious anomalies. They can detect hidden files, cloaked processes, unregistered network listeners, and inconsistencies in system call responses.
• Log data analysis: reads operating system and application logs and securely forwards them to a central manager for rule-based analysis and storage. When no agent is deployed, the server can receive data from network devices or applications via Syslog.
• File integrity monitoring: monitors the file system, identifying changes in the content, permissions, ownership, and attributes of the files that need to be watched. It natively identifies the users and applications used to create or modify files. File integrity monitoring capabilities can be combined with threat intelligence to identify threats or compromised hosts. In addition, several regulatory compliance standards, such as PCI DSS, require it.
• Vulnerability detection: agents pull software inventory data and send it to the server, where it is correlated with continuously updated CVE (Common Vulnerabilities and Exposures) databases to identify well-known vulnerable software.
• Configuration assessment: monitors system and application configuration settings to ensure compliance with security policies, standards, and hardening guides. Agents perform periodic scans to identify applications that are known to be vulnerable, unpatched, or insecurely configured.
• Incident response: provides out-of-the-box active responses that perform various countermeasures to address active threats, such as blocking access to a system from the threat source when specific criteria are met.
• Regulatory compliance: provides some of the security controls needed to comply with industry standards and regulations. These features, together with its scalability and multi-platform support, help organizations meet technical compliance requirements.
• Cloud security: helps monitor cloud infrastructure at an API level, using integration modules that pull security data from well-known cloud providers such as Amazon AWS, Azure, or Google Cloud. In addition, Wazuh provides rules to assess the configuration of the cloud environment, quickly spotting weaknesses.
• Container security: provides security visibility into Docker hosts and containers, monitoring their behavior and detecting threats, vulnerabilities, and anomalies. The Wazuh agent has native integration with the Docker engine, allowing users to monitor images, volumes, network settings, and running containers.

• Wazuh WUI: provides a powerful user interface for data visualization and analysis. This interface can also be used to manage the Wazuh configuration and monitor its status.

4.5.3 Wazuh Components

The Wazuh platform provides XDR and SIEM features to protect your
cloud, container, and server workloads. These include log data analysis,
intrusion and malware detection, file integrity monitoring, configuration
assessment, vulnerability detection, and support for regulatory compli-
ance.
The Wazuh solution is based on the Wazuh agent, which is deployed
on the monitored endpoints, and on three central components: the Wazuh
server, the Wazuh indexer, and the Wazuh dashboard.[41]

• Wazuh Indexer: A highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
• Wazuh Server: Analyzes data received from the agents. It processes
it through decoders and rules, using threat intelligence to look for well-
known indicators of compromise (IOCs). A single server can analyze
data from hundreds or thousands of agents, and scale horizontally
when set up as a cluster. This central component is also used to
manage the agents, configuring and upgrading them remotely when
necessary.
• Wazuh Dashboard: The web user interface for data visualization
and analysis. It includes out-of-the-box dashboards for security events,
regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST
800-53), detected vulnerable applications, file integrity monitoring
data, configuration assessment results, cloud infrastructure monitor-
ing events, and others. It is also used to manage Wazuh configuration
and to monitor its status.

• Wazuh Agents: Installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX.

In addition to agent-based monitoring capabilities, the Wazuh platform can monitor agent-less devices such as firewalls, switches, routers, or network IDS, among others. For example, system log data can be collected via Syslog, and a device's configuration can be monitored through periodic probing of its data, via SSH or through an API.
The diagram below represents the Wazuh components and data flow.

Figure 4.8 – The Wazuh components and data flow.

4.5.4 Wazuh Indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.[41]
The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys (field names or properties) with their corresponding values, which can be strings, numbers, booleans, dates, arrays of values, geolocations, or other types of data.

An index is a collection of documents that are related to each other. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards, and distributing those shards across multiple nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.[41]
Wazuh uses four different indices to store different event types, as shown in the following table:

Index             Description
wazuh-alerts      Stores alerts generated by the Wazuh server. These are created each time an event trips a rule with a high enough priority (this threshold is configurable).
wazuh-archives    Stores all events (archive data) received by the Wazuh server, whether or not they trip a rule.
wazuh-monitoring  Stores data related to the Wazuh agent status over time. It is used by the web interface to represent when individual agents are or have been Active, Disconnected, or Never connected.
wazuh-statistics  Stores data related to the Wazuh server performance. It is used by the web interface to represent the performance statistics.

Table 4.1 – Wazuh Indices and their Descriptions

The Wazuh indexer is well suited for time-sensitive use cases like se-
curity analytics and infrastructure monitoring as it is a near real-time
search platform. The latency from the time a document is indexed until
it becomes searchable is very short, typically one second.
In addition to its speed, scalability, and resiliency, the Wazuh indexer
has several built-in features that make storing and searching data even
more efficient, such as data rollups, alerting, anomaly detection, and index
lifecycle management.

4.5.5 Wazuh Server

The Wazuh server component analyzes the data received from the agents,
triggering alerts when threats or anomalies are detected. It is also used to
manage the agents’ configuration remotely and monitor their status.


The Wazuh server uses threat intelligence sources to improve its de-
tection capabilities. It also enriches alert data by using the MITRE
ATT&CK framework and regulatory compliance requirements such as PCI
DSS, GDPR, HIPAA, CIS, and NIST 800-53, providing helpful context for
security analytics.
Additionally, the Wazuh server can be integrated with external software,
including ticketing systems such as ServiceNow, Jira, and PagerDuty, as
well as instant messaging platforms like Slack. These integrations are
convenient for streamlining security operations.[41]

Server Architecture

The Wazuh server runs the analysis engine, the Wazuh RESTful API, the agent enrollment service, the agent connection service, the Wazuh cluster daemon, and Filebeat. The server is installed on a Linux operating system and usually runs on a stand-alone physical machine, virtual machine, Docker container, or cloud instance.

Figure 4.9 – Server Architecture Diagram

Server Components

The Wazuh server comprises several components listed below that have
different functions, such as enrolling new agents, validating each agent’s
identity, and encrypting the communications between the Wazuh agent
and the Wazuh server.

• Agent enrollment service: It is used to enroll new agents. This service provides and distributes unique authentication keys to each agent. The process runs as a network service and supports authentication via TLS/SSL certificates or by providing a fixed password.
• Agent connection service: This service receives data from the
agents. It uses the keys shared by the enrollment service to vali-
date each agent’s identity and encrypt the communications between
the Wazuh agent and the Wazuh server. Additionally, this service
provides centralized configuration management, enabling you to push
new agent settings remotely.
• Analysis engine: This is the server component that performs the
data analysis. It uses decoders to identify the type of information
being processed (Windows events, SSH logs, web server logs, and
others). These decoders also extract relevant data elements from the
log messages, such as source IP address, event ID, or username. Then,
by using rules, the engine identifies specific patterns in the decoded
events that could trigger alerts and possibly even call for automated
countermeasures (e.g., banning an IP address, stopping a running
process, or removing a malware artifact).
• Wazuh RESTful API: This service provides an interface to interact
with the Wazuh infrastructure. It is used to manage configuration
settings of agents and servers, monitor the infrastructure status and
overall health, manage and edit Wazuh decoders and rules, and query
about the state of the monitored endpoints. The Wazuh dashboard
also uses it.
• Wazuh cluster daemon: This service is used to scale Wazuh servers
horizontally, deploying them as a cluster. This kind of configuration,
combined with a network load balancer, provides high availability and
load balancing. The Wazuh cluster daemon is what Wazuh servers
use to communicate with each other and to keep synchronized.
• Filebeat: It is used to send events and alerts to the Wazuh indexer.

It reads the output of the Wazuh analysis engine and ships events in real time. It also provides load balancing when connected to a multi-node Wazuh indexer cluster.
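The following is an added Python example, not Wazuh's own code, of the decoder-to-rule flow described for the analysis engine: a decoder extracts the source IP and user from sshd log lines, an atomic rule fires on each failure, and a composite rule fires when its parent matched a given number of times from the same source within a timeframe, marking the alert for an active response. Rule ids, levels, thresholds and log lines are constructed, and the timestamp is a plain integer to keep the example small.

```python
import re
from collections import defaultdict, deque

# Decoder: recognizes the log type and extracts fields, like a Wazuh decoder.
# Constructed line layout: "<epoch seconds> sshd[pid]: Failed password for ..."
SSHD_FAILED = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<srcip>[\d.]+)"
)


def decode(line):
    m = SSHD_FAILED.match(line)
    if m is None:
        return None                     # no decoder matched this line
    return {"decoder": "sshd", "event": "auth_failed",
            "timestamp": int(m.group("ts")),
            "user": m.group("user"), "srcip": m.group("srcip")}


# Rules: an atomic rule and a composite rule that fires when its parent matched
# `frequency` times from the same source IP within `timeframe` seconds.
# Ids, levels and the MITRE technique tag are constructed for the example.
RULES = [
    {"id": 100001, "level": 5, "decoder": "sshd", "event": "auth_failed",
     "description": "sshd: authentication failed"},
    {"id": 100002, "level": 10, "if_matched_sid": 100001, "frequency": 8,
     "timeframe": 120, "same_srcip": True,
     "description": "sshd: brute force attempt", "mitre": ["T1110"]},
]


class AnalysisEngine:
    def __init__(self, rules, alert_level=3, response_level=10):
        self.rules = rules
        self.alert_level = alert_level          # minimum level that produces an alert
        self.response_level = response_level    # minimum level that triggers a response
        self.history = defaultdict(deque)       # (rule id, srcip) -> recent timestamps

    def analyze(self, line):
        """Decode one line, evaluate the rules and return an alert dict or None."""
        event = decode(line)
        if event is None:
            return None
        matched = next((r for r in self.rules if "if_matched_sid" not in r
                        and r["decoder"] == event["decoder"]
                        and r["event"] == event["event"]), None)
        if matched is None:
            return None
        # Composite rules: count parent matches inside a sliding time window.
        for rule in self.rules:
            if rule.get("if_matched_sid") != matched["id"]:
                continue
            key = (rule["id"], event["srcip"] if rule.get("same_srcip") else None)
            window = self.history[key]
            window.append(event["timestamp"])
            while window and event["timestamp"] - window[0] > rule["timeframe"]:
                window.popleft()
            if len(window) >= rule["frequency"]:
                window.clear()                 # start a fresh window after firing
                matched = rule
                break
        if matched["level"] < self.alert_level:
            return None
        return {
            "rule": {"id": matched["id"], "level": matched["level"],
                     "description": matched["description"],
                     "mitre": matched.get("mitre", [])},
            "data": event,
            # Name of the response script to run (Wazuh ships one called firewall-drop).
            "active_response": ("firewall-drop"
                                if matched["level"] >= self.response_level else None),
        }
```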

4.5.6 Wazuh Dashboard

The Wazuh dashboard is a flexible and intuitive web user interface for mining, analyzing, and visualizing security events and alert data. It is also used for the management and monitoring of the Wazuh platform. Additionally, it provides features for role-based access control (RBAC) and single sign-on (SSO).

Data Visualization and Analysis

The web interface helps users navigate through the different types of
data collected by the Wazuh agent, as well as the security alerts generated
by the Wazuh server. Users can also generate reports and create custom
visualizations and dashboards.
As an example, Wazuh provides out-of-the-box dashboards for regu-
latory compliance such as PCI DSS, GDPR, HIPAA, and NIST 800-53.
It also provides an interface to navigate through the MITRE ATT&CK
framework and related alerts.

Agents Monitoring and Configuration

The Wazuh dashboard allows users to manage agents' configuration and to monitor their status. As an example, for each monitored endpoint, users can define which agent modules will be enabled, which log files will be read, which files will be monitored for integrity changes, or which configuration checks will be performed.

Figure 4.10 – Wazuh out-of-the-box dashboards (regulatory compliance dashboard; threat detection and response dashboard; auditing and policy monitoring; security information management)

Figure 4.11 – Agent monitoring dashboard

4.5.7 Wazuh Agent

The Wazuh agent runs on Linux, Windows, macOS, Solaris, AIX, and other operating systems. It can be deployed to laptops, desktops, servers, cloud instances, containers, or virtual machines. The agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel.

Agent Architecture

The Wazuh agent has a modular architecture. Each component is in charge of its own tasks, including monitoring the file system, reading log messages, collecting inventory data, scanning the system configuration, and looking for malware. Users can manage agent modules via configuration settings, adapting the solution to their particular use cases.

Figure 4.12 – Agent Architecture Diagram

Agent Modules

All agent modules are configurable and perform different security tasks.
This modular architecture allows you to enable or disable each component
according to your security needs. Below you can learn about the different
purposes of all the agent modules.

• Log collector: This agent component can read flat log files and Windows events, collecting operating system and application log messages. It supports XPath filters for Windows events and recognizes multi-line formats like Linux Audit logs. It can also enrich JSON events with additional metadata.


• Command execution: Agents run authorized commands periodi-
cally, collecting their output and reporting it back to the Wazuh server
for further analysis. You can use this module for different purposes,
such as monitoring hard disk space left or getting a list of the last
logged-in users.
• File integrity monitoring (FIM): This module monitors the file
system, reporting when files are created, deleted, or modified. It keeps
track of changes in file attributes, permissions, ownership, and con-
tent. When an event occurs, it captures who, what, and when details
in real-time. Additionally, the FIM module builds and maintains a
database with the state of the monitored files, allowing queries to be
run remotely.
• Security configuration assessment (SCA): This component pro-
vides continuous configuration assessment, utilizing out-of-the-box
checks based on the Center of Internet Security (CIS) benchmarks.
Users can also create their own SCA checks to monitor and enforce
their security policies.
• System inventory: This agent module periodically runs scans, col-
lecting inventory data such as operating system version, network in-
terfaces, running processes, installed applications, and a list of open
ports. Scan results are stored in local SQLite databases that can be
queried remotely.
• Malware detection: Using a non-signature-based approach, this
component is capable of detecting anomalies and the possible presence
of rootkits. Also, it looks for hidden processes, hidden files, and
hidden ports while monitoring system calls.
• Active response: This module runs automatic actions when threats are detected, triggering responses to block a network connection, stop a running process, or delete a malicious file. Users can also create custom responses when necessary and customize, for example, responses for running a binary in a sandbox, capturing network traffic, and scanning a file with antivirus.
• Container security monitoring: This agent module is integrated
with the Docker Engine API to monitor changes in a containerized
environment. For example, it detects changes to container images,
network configuration, or data volumes. Besides, it alerts about con-
tainers running in privileged mode and about users executing com-
mands in a running container.
• Cloud security monitoring: This component monitors cloud providers
such as Amazon AWS, Microsoft Azure, or Google GCP. It natively
communicates with their APIs. It is capable of detecting changes to
the cloud infrastructure (e.g., a new user is created, a security group
is modified, a cloud instance is stopped, etc.) and collecting cloud ser-
vices log data (e.g., AWS Cloudtrail, AWS Macie, AWS GuardDuty,
Microsoft Entra ID, etc.)

Communication with Wazuh Server

The Wazuh agent communicates with the Wazuh server to ship collected
data and security-related events. Besides, the agent sends operational
data, reporting its configuration and status. Once connected, the agent
can be upgraded, monitored, and configured remotely from the Wazuh
server[43].
The communication of the agent with the server takes place through a
secure channel (TCP or UDP), providing data encryption and compres-
sion in real-time. Additionally, it includes flow control mechanisms to
avoid flooding, queueing events when necessary, and protecting the net-
work bandwidth[43].
You need to enroll the agent before connecting it to the server for the
first time. This process provides the agent with a unique key used for
authentication and data encryption.


4.6 Suricata

A Signature-Based IDS/IPS
Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that can be used to detect and prevent a wide range of network threats. Suricata is a high-performance engine that can be used to monitor both wired and wireless networks[44]. It can be used to detect a wide range of threats, including:
• Malware
• Network intrusions
• Denial-of-service attacks
• Data breaches
Suricata is a powerful tool that can be used to protect networks from a wide range of threats. It is easy to install and configure, and it comes with a comprehensive set of features. Suricata is a good choice for organizations of all sizes.

4.6.1 A Detection Engine

Suricata is a detection engine and thus only performs capture, detection, and the creation of alerts or log files. Both the regular updating of the signature set and the interfaces for consulting alerts are beyond its scope. A complete solution must therefore rely on other software[45]. A typical system would likely look like the one presented in the following figure:

Figure 4.13 – Suricata ecosystem

It uses barnyard2 to transfer alerts from the unified2 binary format to a database. The user interface is an alert viewing application such as Snorby [SNORBY] or a security event management system, also known as a SIEM[45].
One of Suricata's most important tasks is traffic reconstruction. Each layer of the OSI model must be reconstructed correctly, which involves handling IP fragmentation, TCP segmentation, and all kinds of invalid traffic (inconsistencies in announced lengths, incorrect checksums, invalid TCP window sizes, etc.). Suricata also performs decoding and normalization for certain protocols.[45]
The following diagram summarizes this work on an example HTTP
flow:

Figure 4.14 – Suricata System

After validating the IP layer and defragmentation, reconstruction is performed at the TCP level, and the data stream is then reconstituted (streaming). When Suricata supports the application layer in question, this leads to normalization of the application stream.
Dedicated keywords offer full granularity for writing signatures; they can address the different layers shown in the diagram.
To perform pattern matching on each packet, the tcp-pkt keyword is used:

Alert Rule
alert tcp-pkt any any -> any 80 (msg:"HTTP dl"; content:"GET /download.php"; sid:1; rev:1;)

This type of rule will not trigger an alert if the content is spread across
multiple packets. To address this issue, you can issue an alert at the
reconstructed stream level using the following rule:

Alert Rule
alert tcp any any -> any any (msg:"HTTP download"; flow:established,to_server; content:"GET /download.php"; sid:2; rev:1;)

An alert on the normalized HTTP stream is obtained using the following rule:

Alert Rule
alert http any any -> any any (msg:"HTTP download"; content:"GET"; http_method; content:"/download.php"; http_uri; sid:3; rev:1;)

This last rule demonstrates the benefit of normalization in improving the reliability of signatures. By searching for matches on reconstructed and normalized traffic, all classical evasion techniques are countered. These mainly rely on traffic transformations that distort the IDS's view of the traffic actually received by the monitored resource: packet fragmentation, segmentation manipulation, and obfuscation of application requests. Since the IDS reconstructs and normalizes traffic, the impact of these transformations is theoretically null. However, the algorithms for handling fragmentation and segmentation differ between operating systems. If the IDS processing is uniform, it is possible to conceal an attack by exploiting these differences in RFC interpretation. Suricata therefore integrates personality handling and performs, for each IP address to protect, a reconstruction corresponding to the operating system associated with that address. Application protocols often suffer from the same problem, particularly HTTP, and it is also possible to configure the personalities of web servers.
For protocol events (such as an invalid checksum), Suricata provides dedicated keywords and signature files. In the case of the previous diagram, the following signatures are of interest:

Alert Rule
alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; sid:2200073; rev:1;)

This first signature will trigger an alert on packet number 4 of the diagram using the ipv4-csum keyword. The second rule will alert on datagrams 6 and 7 using the stream-event keyword followed by the est_packet_out_of_win option.
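As an added example (not from the thesis or from the Suricata project), the following Python model shows why the three download rules above behave differently: the same content is searched per packet, on the reassembled stream, and on the normalized HTTP request. The TCP segments are constructed, and the reassembly and normalization are deliberately simplified versions of what the engine does.

```python
import re
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment: relative sequence number and payload (constructed)."""
    seq: int
    payload: bytes


def match_per_packet(segments, content):
    """tcp-pkt level: the content must lie entirely inside a single segment."""
    return any(content in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream.
    Overlapping bytes are resolved by keeping the data seen first (a real
    engine chooses the policy from the protected host's OS personality);
    a gap makes the stream unusable and returns None."""
    stream = b""
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            return None
        payload = s.payload[expected - s.seq:]   # drop bytes already seen
        stream += payload
        expected += len(payload)
    return stream


def match_stream(segments, content):
    """Reassembled-stream level: the content may span several segments."""
    stream = reassemble(segments)
    return stream is not None and content in stream


REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r\n")


def normalize_http(stream):
    """Split the request line into method and URI and percent-decode the URI,
    a small subset of what Suricata's HTTP parser does."""
    m = REQUEST_LINE.match(stream)
    if m is None:
        return None
    uri = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda h: bytes([int(h.group(1), 16)]), m.group(2))
    return {"method": m.group(1), "uri": uri}


def match_http(segments, method, uri):
    """Normalized-HTTP level: method and URI are matched independently, as the
    http_method and http_uri keywords do."""
    stream = reassemble(segments)
    request = normalize_http(stream) if stream is not None else None
    return (request is not None and request["method"] == method
            and uri in request["uri"])
```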

4.6.2 How Suricata Works

Suricata works by monitoring network traffic and looking for patterns that match known threats. Suricata can use a variety of methods to detect threats, including:
• Signature-based detection: Suricata can look for specific patterns
in network traffic that match known threats.
• Anomaly-based detection: Suricata can look for traffic that is
outside of the normal range of behavior.
• Behavior-based detection: Suricata can look for traffic that ex-
hibits behavior that is characteristic of a threat.

4.6.3 Suricata Features

Suricata comes with a comprehensive set of features, including:
• Support for a wide range of protocols
• Ability to detect a wide range of threats
• High performance
• Easy to install and configure
• Comprehensive set of tools

4.6.4 Suricata Benefits

Suricata offers a number of benefits, including:
• High performance: Suricata is a high-performance engine that can be used to monitor both wired and wireless networks.
• Wide range of detections: Suricata can detect a wide range of
threats, including malware, network intrusions, denial-of-service at-
tacks, and data breaches.

• Easy to use: Suricata is easy to install and configure, and it comes with a comprehensive user guide.
• Open source: Suricata is an open-source tool, which means that it
is free to use and can be easily customized.

4.6.5 Suricata Deployment Options

Suricata can be deployed in a variety of environments, including:

• On-premises: Suricata can be deployed on-premises on a dedicated server or virtual machine.
• Cloud: Suricata can be deployed in the cloud on a variety of cloud
providers, such as Amazon Web Services (AWS), Microsoft Azure,
and Google Cloud Platform (GCP).
• Managed service: Suricata can be deployed as a managed service
by a third-party vendor.

4.7 VirusTotal

4.7.1 Definition

VirusTotal is a free online service that serves as a powerful threat intelligence tool. It analyzes suspicious files and URLs by utilizing scanners and engines from numerous antivirus vendors. By submitting a file or URL, VirusTotal generates a report with scan results from various antiviruses, identifies potential malicious characteristics, and provides insights into the file's origin and historical detections. This comprehensive analysis allows researchers and security professionals to quickly assess the potential risk associated with a file or URL.[46]

Figure 4.15 – VirusTotal working system

4.7.2 Background and Development

VirusTotal was initially developed to address the need for a comprehensive tool that could analyze files using multiple antivirus engines. Over the years, it has evolved significantly, expanding its capabilities and integrating more advanced features. Continuous development efforts ensure that VirusTotal stays at the forefront of threat detection technology, adapting to new and emerging cybersecurity challenges.

4.7.3 How It Works

VirusTotal inspects items with over 70 antivirus scanners and URL/domain
blocklisting services, in addition to a myriad of tools to extract
signals from the studied content. Any user can select a file from their
computer using their browser and send it to VirusTotal [47]. VirusTotal
offers a number of file submission methods, including:

• The primary public web interface
• Desktop uploaders
• Browser extensions
• A programmatic API

The web interface has the highest scanning priority among the publicly
available submission methods. Submissions may be scripted in any
programming language using the HTTP-based public API. As with files,
URLs can be submitted via several different means including the VirusTotal
webpage, browser extensions, and the API.
Upon submitting a file or URL, basic results are shared with the submitter,
and also between the examining partners, who use results to improve
their own systems. As a result, by submitting files, URLs, domains, etc.
to VirusTotal you are contributing to raising the global IT security level.
This core analysis is also the basis for several other features, including
the VirusTotal Community: a network that allows users to comment on
files and URLs and share notes with each other. VirusTotal can be useful in
detecting malicious content and also in identifying false positives – normal
and harmless items detected as malicious by one or more scanners.
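To make the hash-based lookup concrete, here is an added Python example (written for this edit, not code from the thesis or from VirusTotal) that hashes a file locally, builds a VirusTotal API v3 file lookup request authenticated with the x-apikey header, and reduces a report's last_analysis_stats block to the numbers an analyst acts on. The sample file content and the sample report are constructed; the API key is a placeholder.

```python
"""Hash-based VirusTotal lookup and verdict parsing (added example, not thesis code)."""
import hashlib
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"

# Constructed stand-in for a file dropped on a monitored endpoint (not malware).
SAMPLE_FILE = b"constructed sample content for the hash demo\n"

# Constructed report shaped like a v3 GET /files/{hash} response: per-category
# engine counts live under data.attributes.last_analysis_stats.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 62, "suspicious": 1, "undetected": 7, "timeout": 0}}}}


def sha256_of(data: bytes) -> str:
    """Hash the content locally: a hash lookup means the file itself never
    leaves the endpoint unless someone explicitly uploads it."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """Build, without sending, the authenticated GET /files/{hash} request."""
    return urllib.request.Request(
        f"{VT_API}/files/{file_hash}",
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )


def verdict(report: dict) -> dict:
    """Count the engines that flagged the file. 'suspicious' is counted as a
    positive because it still deserves an analyst's attention."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    positives = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.values())
    return {"positives": positives, "total": total, "malicious": positives > 0}


def lookup(file_hash: str, api_key: str, timeout: float = 10.0):
    """Query VirusTotal. A 404 means the hash is unknown, which is 'no verdict',
    not 'clean': a never-seen file is exactly what a fresh dropper looks like."""
    req = build_lookup_request(file_hash, api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return verdict(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    digest = sha256_of(SAMPLE_FILE)
    print("sha256:", digest)
    print("offline verdict from constructed report:", verdict(SAMPLE_REPORT))
    # With a real key, lookup(digest, "YOUR_API_KEY_PLACEHOLDER") queries the live service.
```

The distinction between "unknown" and "clean" matters in a SIEM integration: a pipeline that treats a 404 as a clean result silently whitelists every file the service has never seen.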

4.7.4 Advanced Features

In addition to its basic scanning capabilities, VirusTotal offers several
advanced features:
• VirusTotal Intelligence: A paid service that provides advanced
search capabilities and historical data access, allowing users to hunt
for malware and analyze trends over time.
• VirusTotal Graph: A visualization tool that helps users understand
the relationships between files, URLs, domains, and IP addresses.
This tool is particularly useful for tracking the spread and impact of
malware.
• VirusTotal Monitor: A service for software developers that helps
reduce false positives by allowing them to upload their software for
regular scanning and monitoring by the VirusTotal community.
• YARA Rules: VirusTotal supports YARA, a tool for pattern match-
ing in malware research. Users can create and share YARA rules to
detect and classify malware more effectively.


4.7.5 Collaboration and Community

VirusTotal’s success is bolstered by its strong community of users and
partners. By leveraging collaborative efforts, VirusTotal enhances its
detection capabilities and keeps its database of threats up-to-date. The
VirusTotal Community allows users to share their findings, comment on
scan results, and collectively work towards a more secure digital environment.

4.8 IMPLEMENTATION

In computer science, implementation refers to the realization of a design,
so the objective of this section is to present the techniques and tools used
for the implementation of the project: we used the open-source tools Wazuh,
Suricata, and VirusTotal, which have already been presented and explained
in detail in the design chapter. We also describe our lab environment and
the installation steps.

4.8.1 Lab Environment

This section presents the development environment, consisting of the
hardware and the software:

Hardware:

Hardware requirements highly depend on the number of protected endpoints
and cloud workloads. This number can help estimate how much
data will be analyzed and how many security alerts will be stored and
indexed. In our case, we are using a Windows PC as the host machine
with the following resources:

• CPU: Intel Core i7
• RAM: 16GB
• Storage: 512GB SSD

Figure 4.16 – Hardware resources

Software:

VMware Workstation for Windows: VMware Workstation is a
software program that allows you to run multiple operating systems on
a single computer by creating virtual machines (VMs). These VMs act
like separate computers, each with its own operating system and
applications. [48]

Figure 4.17 – Vmware logo

The virtual machines used for this project are listed below:
Ubuntu VM: Ubuntu Linux is a free and open-source operating system
based on the Linux kernel. Renowned for its user-friendly interface, it’s a
popular choice for both beginners and experienced users. Regular updates
ensure security and a vast software repository provides access to a wide
range of applications.[49]


Figure 4.18 – ubuntu logo

Kali Linux VM: Kali Linux is an open-source Linux distribution based
on Debian, designed for advanced penetration testing and security auditing.
It includes several hundred tools for various information security tasks
such as penetration testing, security research, computer forensics, and
reverse engineering [50]. This VM is used as the attacking machine to
simulate different cyber attacks and verify the effectiveness of our SIEM.

Figure 4.19 – kali linux logo

Windows 10 VM: Windows 10 is a widely used operating system
developed by Microsoft Corporation. It is part of the Windows NT family
of operating systems and was released on July 29, 2015, as the successor
to Windows 8.1. Windows 10 is designed to provide a unified user
experience across various devices, including desktops, laptops, tablets, and
smartphones. It introduces several new features and improvements over
its predecessors. [51]


Figure 4.20 – windows 10 logo

Windows Server 2016 VM: Windows Server 2016 is a server operating
system developed by Microsoft as part of the Windows NT family.
Released on October 12, 2016, it is designed to provide a powerful and
flexible platform for building and managing enterprise-level IT
infrastructures. [52]

Figure 4.21 – Windows server logo

Red Hat 9 VM: Red Hat Enterprise Linux 9 (RHEL 9), released in
2022, is a commercial operating system built on the open-source foundation
of Fedora Linux. Designed for businesses, it prioritizes stability, security,
and long-term support for critical applications running in data centers,
clouds, or at the network’s edge. RHEL 9 caters to hybrid cloud environ-
ments by working seamlessly across physical, virtual, and containerized
deployments.[53]


Figure 4.22 – Red hat logo

4.8.2 Lab Environment Architecture

This lab environment uses a central Ubuntu server running Wazuh.
Four agents are deployed to monitor various operating systems: an Ubuntu
agent, a Windows 10 agent, a Windows Server 2016 agent, and a Red Hat
agent. Additionally, Suricata is installed on the Ubuntu agent, and the
VirusTotal integration is enabled for enhanced threat analysis. For the
cyber attack simulation, we have a Kali Linux VM.

Figure 4.23 – Lab architecture


4.9 Installation

4.9.1 Wazuh Installation

First, we start by deploying Wazuh using the all-in-one deployment. This
is the fastest way to get the Wazuh central components up and running.

1. Download and run the Wazuh installation assistant.

Figure 4.24 – Wazuh installation command

2. Once the assistant finishes the installation, the output shows the ac-
cess credentials and a message that confirms that the installation was
successful.

Figure 4.25 – access credential

After configuring Wazuh, we can now access the web interface using the
credentials above.


Figure 4.26 – Wazuh login interface

Wazuh User Interface: The figure below represents Wazuh’s home
page, which provides shortcuts to the application modules (threat detection
and response, security information management, auditing and policy
monitoring, etc.).

Figure 4.27 – Wazuh home page

Adding Agents

Now that our Wazuh installation is ready, we can start deploying the
Wazuh agent.
To deploy a new agent, the user selects "Deploy new agent" and then fills
in the required fields, such as the type of operating system, the Wazuh
server address, and other information. Below is an example of a Linux
(Ubuntu) agent and a Windows (Windows Server) agent.

Windows Agent: According to the information filled in, a download
command is generated.

Figure 4.28 – windows adding agent

Figure 4.29 – windows adding agent

We execute the command on the machine where we need to deploy this
agent.


Figure 4.30 – windows adding agent

Linux Agent: The same previous steps.

Figure 4.31 – linux adding agent steps

Figure 4.32 – linux adding agent steps


Figure 4.33 – linux adding agent steps

Agent Dashboard

The agent dashboard provides detailed information about the selected
agent (its status, the agent’s IP address, and the operating system), as well
as visualizations for the application functionalities.

Figure 4.34 – Agent Dashboard

4.9.2 Suricata Installation

Wazuh integrates with a network-based intrusion detection system (NIDS)
to enhance threat detection by monitoring network traffic. By integrating
Suricata with Wazuh, administrators can enhance the Wazuh XDR feature
in their environment. Automated response actions can be applied to
certain events detected by Suricata on monitored endpoints.
We will demonstrate how to install Suricata and integrate it with Wazuh
to provide additional insights into your network’s security with its network
traffic inspection capabilities.

1. Install Suricata on the Ubuntu endpoint agent.

Figure 4.35 – installation command

2. Download and extract the Emerging Threats Suricata ruleset.

Figure 4.36 – downloading and extracting command

3. After installing Suricata, modify the settings in /etc/suricata/suricata.yaml
and set the appropriate variables (HOME_NET, rules files, af-packet
interface, etc.).


Figure 4.37 – suricata.yaml file

4. Add the following configuration to the /var/ossec/etc/ossec.conf
file of the Wazuh agent. This allows the Wazuh agent to read the
Suricata log file.

Figure 4.38 – suricata logs configuration

5. Restart Wazuh and Suricata services to apply changes.

Figure 4.39 – restarting command


4.9.3 VirusTotal Integration

Wazuh detects malicious files through an integration with VirusTotal,
a powerful platform aggregating multiple antivirus products and an online
scanning engine. Combining this tool with our FIM module provides an
effective way of inspecting monitored files for malicious content.
1. In our project, we are going to use the VirusTotal API. In order to
use the API, we must sign up to the VirusTotal Community.

Figure 4.40 – VirusTotal sign up page

2. Once we have a valid VirusTotal Community account, we will find
our personal API key in the personal settings section. This key is all
we need to use the VirusTotal API.

Figure 4.41 – VirusTotal API key

3. Add the following configuration to the /var/ossec/etc/ossec.conf
file on the Wazuh server to enable the VirusTotal integration. This
allows triggering VirusTotal queries.


Figure 4.42 – virustotal integration configuration

4.10 Conclusion

The solution we arrived at is a combination of the open-source tools
Wazuh, Suricata, and VirusTotal; each tool has a robust architecture that
provides the features the others lack.
Above, we described our solution’s conceptual study and the detailed
architecture of the tools used. In the next chapter, we will run simple
tests while creating different attack scenarios to verify the effectiveness
of our project using our lab environment.

Chapter 5
Tests and Results

5.1 Introduction:

In the previous chapter, we described and set up the infrastructure
required for the implementation of our SIEM solution, and then addressed
the implementation of the different components composing our SIEM
system. This chapter aims to test and verify the robustness of the SIEM
system in detecting cyberattacks. To do this, we will simulate real
cyberattack scenarios.

5.2 Scenario 1: Vulnerability detection

5.2.1 Overview:

Wazuh uses the Vulnerability Detector module to identify vulnerabilities
in applications and operating systems running on endpoints. This use
case shows how Wazuh detects unpatched Common Vulnerabilities and
Exposures (CVEs) in the monitored endpoint.

5.2.2 Prerequisites:

The vulnerability detector is tested on the agents added previously.

5.2.3 Attack emulation:

We don’t have to perform any action. The Wazuh server creates a CVE
database in /var/ossec/queue/vulnerabilities/cve.db. It performs
vulnerability detection scans periodically for applications and operating
systems on each monitored endpoint.

5.2.4 Results and generated alerts:

To visualize the alert data in the Wazuh dashboard, we go to the
Vulnerability Detector module, select an agent and click on Vulnerabilities.

Red hat agent

Figure 5.1 – Red Hat agent vulnerabilities


Windows 10 agent

Figure 5.2 – Windows 10 agent vulnerabilities

Windows server 2016 agent

Figure 5.3 – Windows server 2016 agent vulnerabilities


Ubuntu agent

Figure 5.4 – Ubuntu agent vulnerabilities

5.3 Scenario 2: File integrity monitoring

5.3.1 Overview:

File Integrity Monitoring (FIM) helps in auditing sensitive files and
meeting regulatory compliance requirements. Wazuh has an inbuilt FIM
module that monitors file system changes to detect the creation,
modification, and deletion of files.
In this scenario we check whether the Wazuh FIM module can detect
the details of file changes within the system by consulting the logged
information. These logs include information on when and by whom these
changes happen.

5.3.2 Prerequisites:

Configure the Ubuntu and Windows endpoints to monitor filesystem
changes.


Ubuntu agent

Figure 5.5 – the monitored directories in ubuntu

Windows agent

Figure 5.6 – the monitored directories in windows

5.3.3 Attack emulation

To test the configuration we perform the following actions:

• Create a text file in the monitored directory then wait for 5 seconds.
• Add content to the text file and save it. Wait for 5 seconds.
• Delete the text file from the monitored directory.

5.3.4 Results and generated alerts:

In the Wazuh dashboard we can visualize the alerts generated on both the
Ubuntu and Windows agents in response to the creation, modification, and
deletion of the file.


Ubuntu

Figure 5.7 – Visualize FIM alerts from Ubuntu

Windows

Figure 5.8 – Visualize FIM alerts from windows
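To show concretely what a FIM module computes between two scans, here is an added Python example (written for this edit, not Wazuh's FIM code) that takes a baseline of a directory, rescans it, and reports files as added, modified or deleted by comparing SHA-256 digests. It replays the three actions of this scenario in a temporary directory, with each explicit snapshot standing in for one scheduled scan. The "by whom" information that Wazuh reports comes from the kernel audit subsystem (who-data) and is not reproduced here.

```python
"""Baseline-and-diff file integrity monitoring (added example, not Wazuh's FIM code)."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file under root (path relative to root) to (sha256, size, mtime)."""
    entries = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                stat = os.stat(path)
            except (FileNotFoundError, PermissionError):
                continue  # vanished or unreadable between listing and read: skip it
            entries[os.path.relpath(path, root)] = (digest, stat.st_size, stat.st_mtime)
    return entries


def diff(before: dict, after: dict) -> list:
    """Return (event, relative_path, detail) tuples describing what changed."""
    events = []
    for path in sorted(after.keys() - before.keys()):
        events.append(("added", path, after[path][0]))
    for path in sorted(before.keys() - after.keys()):
        events.append(("deleted", path, before[path][0]))
    for path in sorted(before.keys() & after.keys()):
        old, new = before[path], after[path]
        if old[0] != new[0]:
            events.append(("modified", path, f"{old[0][:12]} -> {new[0][:12]}"))
        elif old[1:] != new[1:]:
            # same content but a new mtime (a touch): still worth recording
            events.append(("attributes_changed", path, f"mtime {old[2]} -> {new[2]}"))
    return events


def run_scenario(root: str) -> list:
    """Replay the test's three actions (create, modify, delete) and collect events."""
    events = []
    target = os.path.join(root, "test.txt")
    base = snapshot(root)
    with open(target, "w") as fh:
        fh.write("hello\n")
    current = snapshot(root)
    events += diff(base, current)
    base = current
    with open(target, "a") as fh:
        fh.write("more\n")
    current = snapshot(root)
    events += diff(base, current)
    base = current
    os.remove(target)
    events += diff(base, snapshot(root))
    return events


def demo() -> list:
    """Run the scenario in a throwaway directory and return only the event names."""
    with tempfile.TemporaryDirectory() as root:
        return [event[0] for event in run_scenario(root)]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Comparing digests rather than timestamps is what makes the check trustworthy: an attacker who replaces a binary and restores its mtime still changes its hash.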

5.4 Scenario 3: Detecting an SQL injection attack

5.4.1 Overview:

SQL injection is an attack in which a threat actor inserts malicious code
into strings transmitted to a database server for parsing and execution. A
successful SQL injection attack gives unauthorized access to confidential
information contained in the database.


For this use case, we’ll simulate an SQL injection attack against an
Ubuntu endpoint to test our SIEM’s ability to detect and identify the
SQL patterns used in the attack.

5.4.2 Prerequisites:

Install Apache and configure the Wazuh agent to monitor the Apache
logs.

Figure 5.9 – lines added to the Wazuh agent to monitor the access logs of Apache server

5.4.3 Attack emulation:

Execute the following command from the attacker endpoint:

Figure 5.10 – sql injection command

5.4.4 Results and generated alerts:

After executing the attack, we access the Wazuh alerts in the Security
Events module. We can see the generated alert identified as an SQL
injection attack.


Figure 5.11 – SQL injection rule alert

5.5 Scenario 4: Detecting DHCP starvation attack

5.5.1 Overview:

A DHCP starvation attack occurs when a malicious actor floods a
DHCP server with a large number of DHCP DISCOVER packets with
spoofed MAC addresses. This action exhausts all the available IP addresses
the DHCP server can assign to clients. After a successful DHCP starvation
attack, a DHCP server will not be able to offer IP addresses to its clients.
A DHCP starvation attack can have a devastating impact on organizations.
Hence, it is important that security teams detect and prevent a DHCP
starvation attack. In this scenario we use the Suricata integration with
Wazuh to detect a DHCP starvation attack.

5.5.2 Prerequisites:

To illustrate the detection of a DHCP starvation attack we use:

• Ubuntu endpoint as DHCP server
• Yersinia tool installed on the Kali Linux attacker machine


5.5.3 Attack emulation:

On Yersinia, click Launch attack > DHCP > sending DISCOVER
packet > OK to start a DHCP starvation attack against the DHCP server.

Figure 5.12 – yersinia GUI

5.5.4 Results and generated alerts:

To visualize the alert on the Wazuh dashboard, navigate to Modules
> Security events and apply a filter for rule.id:100005.

Figure 5.13 – Visualize DHCP rule alert
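The path from Suricata to the alert filtered above has two steps: the agent reads eve.json lines (the localfile configured in section 4.9.2) and the manager's rules turn each alert event into a SIEM alert with a rule id and level. The following added Python example, written for this edit and not taken from the thesis or from Wazuh, reproduces that pipeline on constructed eve.json lines: it skips non-alert events and corrupt lines, matches alert signatures against custom rules, and applies the rule.id filter in code. Rule id 100005 is the DHCP rule id this thesis filters on; 100100 is a hypothetical id for an Nmap rule; 86601 is, to my knowledge, the id of Wazuh's generic Suricata alert rule and should be treated as an assumption; the signature texts, signature ids and addresses are constructed.

```python
"""Suricata EVE JSON alerts into SIEM alerts through custom rules (added example)."""
import json
import re

# Constructed eve.json lines: a DHCP DISCOVER flood alert, a flow record (no alert),
# a truncated line as left by a writer caught mid-line, and an Nmap NSE alert.
SAMPLE_EVE = """\
{"timestamp":"2024-05-20T10:15:02.123456+0100","event_type":"alert","src_ip":"192.168.10.50","src_port":68,"dest_ip":"192.168.10.1","dest_port":67,"proto":"UDP","alert":{"signature":"LOCAL DHCP DISCOVER flood from single host","category":"Attempted Denial of Service","severity":2,"signature_id":1000001}}
{"timestamp":"2024-05-20T10:15:03.000000+0100","event_type":"flow","src_ip":"192.168.10.50","dest_ip":"192.168.10.1","proto":"UDP"}
{"timestamp":"2024-05-20T10:15:03.5 truncated
{"timestamp":"2024-05-20T10:15:04.000000+0100","event_type":"alert","src_ip":"192.168.10.77","src_port":44321,"dest_ip":"192.168.10.20","dest_port":80,"proto":"TCP","alert":{"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)","category":"Web Application Attack","severity":1,"signature_id":1000002}}
"""

# Generic rule (id assumed to be 86601 in the Wazuh ruleset) fires on every
# event_type=alert; custom rules refine it with a higher level and a clearer text.
BASE_RULE = {"id": 86601, "level": 3, "description": "Suricata: Alert - {signature}"}
CUSTOM_RULES = [
    {"id": 100005, "level": 12, "pattern": re.compile(r"DHCP .*(flood|starvation)", re.I),
     "description": "Possible DHCP starvation attack from {srcip}"},
    {"id": 100100, "level": 10, "pattern": re.compile(r"Nmap Scripting Engine", re.I),
     "description": "Nmap scripting engine scan from {srcip}"},  # hypothetical id
]


def parse_eve(text: str):
    """Yield only alert events; skip other event types and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not stop the whole reader
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def match_rule(event: dict) -> dict:
    """First custom rule whose pattern matches the signature wins, else the base rule."""
    signature = event["alert"].get("signature", "")
    for rule in CUSTOM_RULES:
        if rule["pattern"].search(signature):
            return rule
    return BASE_RULE


def to_siem_alert(event: dict) -> dict:
    """Flatten the event into the fields an analyst filters on in the dashboard."""
    rule = match_rule(event)
    fields = {"srcip": event.get("src_ip"), "dstip": event.get("dest_ip"),
              "signature": event["alert"].get("signature")}
    return {"rule.id": rule["id"], "rule.level": rule["level"],
            "rule.description": rule["description"].format(**fields),
            "timestamp": event.get("timestamp"), **fields}


def process(text: str) -> list:
    return [to_siem_alert(event) for event in parse_eve(text)]


def filter_by_rule(alerts: list, rule_id: int) -> list:
    """The dashboard filter rule.id:<n>, in code."""
    return [alert for alert in alerts if alert["rule.id"] == rule_id]


if __name__ == "__main__":
    for alert in filter_by_rule(process(SAMPLE_EVE), 100005):
        print(alert)
```

Note that the corrupt third line is dropped rather than raising: a log reader that stops on the first malformed line is itself a denial-of-service target.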


5.6 Scenario 5: Responding to port scanning attack

5.6.1 Overview:

A port scan is a common technique hackers use to discover open doors
or weak points in a network. A port scan helps cyber criminals find open
ports and figure out whether they are receiving or sending data. It can
also reveal whether active security devices like firewalls are being used
by an organization.
In this test, we’ll simulate an Nmap scan against the Ubuntu endpoint
to test our SIEM’s ability to detect and identify network-related attacks.

5.6.2 Prerequisites:

On the Wazuh server, we add custom rules to detect the use of the
Nmap scripting engine from Suricata alerts. These rules will be used by
the active response module.

Figure 5.14 – Nmap custom rule

For the active response configuration, Wazuh includes an out-of-the-box
firewall-drop script that adds the IP address extracted from an alert to
the monitored endpoint’s firewall block list.


Figure 5.15 – firewall-active-response

5.6.3 Attack emulation:

Nmap is an active reconnaissance tool used to gather information on
infrastructure. From the Kali endpoint, we perform an Nmap scan against
the Ubuntu endpoint using the command below:

Figure 5.16 – nmap scan command

5.6.4 Results and generated alerts:

The Wazuh active response module sends a firewall-drop command to
the Ubuntu endpoint. This command blocks the malicious IP address from
making further probes for a period of 3 minutes.
After executing the attack, we access the Wazuh alerts in the Security
Events module, where we can see the generated alert.


Figure 5.17 – nmap rule alert

5.7 Scenario 6: Responding to DOS attack

5.7.1 Overview:

Denial of service (DoS) attacks aim to render system resources unavailable
to users. In this scenario, we use the GoldenEye tool installed on the Kali
Linux endpoint to perform a DoS attack against the web server on the
Ubuntu endpoint.

5.7.2 Prerequisites:

- Download GoldenEye on the Kali Linux endpoint by cloning the GitHub
repository. We use this tool to perform the HTTP DoS attack.

Figure 5.18 – clone command

- To perform an emulated DoS attack, we install the Apache web server.
A web server running on the endpoint is needed as a target for the attack
emulation.
- As in the previous scenario, a custom rule and an active response
configuration are needed to detect and respond to this attack.


5.7.3 Attack emulation:

Navigate to the folder where the GoldenEye repository was cloned. Run
the following command to launch the attack:

Figure 5.19 – GoldenEye command in kali

5.7.4 Results and generated alerts:

In the Wazuh Security Events module we can see the active response alert
that blocks the DoS attack and the GoldenEye attack detection alert.

Figure 5.20 – Visualize DOS alert

5.8 Scenario 7: Detecting and removing malware

5.8.1 Overview:

This simulation aims to demonstrate our SIEM’s capability to effectively
detect and respond to potential malware threats. We’ll simulate a scenario
where a suspicious file is introduced into the system, and we’ll observe how
Wazuh with the VirusTotal integration analyzes the file and triggers the
appropriate actions.


5.8.2 Prerequisites:

On the Windows monitored endpoint, configure Wazuh to monitor near
real-time changes in the /Downloads directory. Also install the necessary
packages and create the active response script to remove malicious files.
On the Wazuh server, enable active response when the VirusTotal query
returns positive matches for threats.

5.8.3 Attack emulation:

In the agent, we download a malicious EICAR test file developed by
the European Institute for Computer Antivirus Research (EICAR) and
the Computer Antivirus Research Organization (CARO) to test the response
of computer antivirus programs instead of using real malware.

Figure 5.21 – powershell command

5.8.4 Results and generated alerts:

The attack triggers a VirusTotal query and generates an alert. In
addition, the active response script automatically removes the file.
To visualize the alert data in the Wazuh dashboard we go to the Security
Events module and add the filters in the search bar to query the alerts.


Figure 5.22 – Remove malware from Windows alert
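The two active-response actions used in these scenarios, the firewall-drop applied to a scanning source in Scenario 5 and the removal of a file flagged by VirusTotal here, share one shape: the execution daemon hands the script a JSON message on standard input that carries the triggering alert. The block below is an added Python example, written for this edit and not taken from the thesis or from Wazuh's own scripts, of a dispatcher that validates that message before acting. The message layout (version, command, parameters, alert) follows the stateful active-response format as I understand it; the program names, the alert field paths, the rule levels and the IP addresses are assumptions or constructed; the iptables command is returned rather than executed so it can be inspected; and the file deletion is confined to the monitored directory.

```python
"""Active-response dispatcher: firewall-drop and remove-threat (added example)."""
import ipaddress
import json
import os
import sys
import tempfile


class RejectedAction(Exception):
    """Raised when an alert would make the responder do something unsafe."""


def firewall_drop(alert: dict, command: str) -> list:
    """Return the iptables argv that blocks (add) or unblocks (delete) the alert's source."""
    src = alert.get("data", {}).get("srcip")
    if not src:
        raise RejectedAction("alert carries no srcip")
    ip = ipaddress.ip_address(src)  # raises ValueError on anything that is not an address
    if ip.is_loopback or ip.is_unspecified:
        raise RejectedAction(f"refusing to block {ip}")  # would cut the host off itself
    flag = "-I" if command == "add" else "-D"
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return [tool, flag, "INPUT", "-s", str(ip), "-j", "DROP"]


def remove_threat(alert: dict, monitored_root: str) -> str:
    """Delete the flagged file, but only if it really lies inside the monitored directory."""
    vt = alert.get("data", {}).get("virustotal", {})  # assumed field layout
    path = vt.get("source", {}).get("file")
    positives = int(vt.get("positives", 0))
    if not path or positives == 0:
        raise RejectedAction("no flagged file in alert")
    real = os.path.realpath(path)  # resolve symlinks and ../ before checking containment
    root = os.path.realpath(monitored_root)
    if os.path.commonpath([real, root]) != root:
        raise RejectedAction(f"{path} is outside {monitored_root}")
    os.remove(real)
    return real


def handle(message: str, monitored_root: str) -> dict:
    """Parse one stdin message and dispatch on the program name and command."""
    msg = json.loads(message)
    command = msg.get("command")
    params = msg.get("parameters", {})
    alert = params.get("alert", {})
    program = os.path.basename(params.get("program", ""))
    if command not in ("add", "delete"):
        raise RejectedAction(f"unknown command {command!r}")
    if program == "firewall-drop":
        return {"action": "firewall-drop", "argv": firewall_drop(alert, command)}
    if program == "remove-threat" and command == "add":
        return {"action": "remove-threat", "removed": remove_threat(alert, monitored_root)}
    raise RejectedAction(f"no handler for {program}/{command}")


# Constructed message for the port-scan case (hypothetical program path and level).
NMAP_MSG = json.dumps({
    "version": 1, "origin": {"name": "ubuntu-agent", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {"extra_args": [], "program": "active-response/bin/firewall-drop",
                   "alert": {"rule": {"level": 10}, "data": {"srcip": "192.168.10.77"}}}})


def demo_remove() -> bool:
    """Drop a constructed (harmless) file in a temp dir, feed a VirusTotal-style alert,
    and report whether the dispatcher removed it."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "sample.bin")
        with open(bad, "wb") as fh:
            fh.write(b"constructed sample content, not malware\n")
        msg = json.dumps({"version": 1, "command": "add", "parameters": {
            "program": "active-response/bin/remove-threat",
            "alert": {"data": {"virustotal": {"positives": 63, "total": 70,
                                              "source": {"file": bad}}}}}})
        handle(msg, root)
        return not os.path.exists(bad)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    try:
        print(json.dumps(handle(sys.stdin.read(), root)))
    except (RejectedAction, ValueError) as err:
        print(f"rejected: {err}", file=sys.stderr)
        sys.exit(1)
```

The containment check is the part worth copying: a response script that deletes whatever path an alert names can be turned against the host by anyone who can influence the file name in the alert. The timed unblock of the firewall-drop case (3 minutes in Scenario 5) is driven by the execution daemon sending a later delete message, not by the script sleeping.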

5.9 Scenario 8: Blocking SSH brute-force attack

5.9.1 Overview:

An SSH brute-force attack is a hacking technique that involves repeatedly
trying different username and password combinations until the attacker
gains access to the remote server.
In this scenario we demonstrate how our SIEM system can detect brute-
force attacks targeting SSH logins on Red Hat Linux. We’ll simulate the
attack using Hydra, a popular brute-force tool.

5.9.2 Prerequisites:

• SSH server installed and enabled on the RHEL endpoint.
• Attacker with an SSH client and the hydra tool installed to perform
the attack.

5.9.3 Attack emulation:

Run Hydra from the attacker endpoint to execute brute-force attacks
against the RHEL endpoint.


Figure 5.23 – hydra command

5.9.4 Results and generated alerts:

Once the attack ends, the Wazuh dashboard displays the rule ID alert
and the active responses that block the attacker endpoint.

Figure 5.24 – ssh-brute-force alerts
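What a brute-force rule actually computes is a count of authentication failures per source address over a sliding time window. The block below is an added Python example (mine, not the thesis's and not Wazuh's ruleset) that applies that frequency/timeframe logic to constructed sshd log lines in the format rsyslog writes on RHEL. The threshold of 8 failures within 120 seconds, the hostname, the year supplied for syslog timestamps and the IP addresses are assumptions.

```python
"""Sliding-window SSH brute-force detection over sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines: eight failures from one host within seconds, a legitimate key
# login, one failure from a second host, and a late failure after the window expired.
SAMPLE_AUTH = """\
May 20 11:00:01 rhel9 sshd[4321]: Failed password for invalid user admin from 192.168.10.77 port 51000 ssh2
May 20 11:00:02 rhel9 sshd[4322]: Failed password for invalid user admin from 192.168.10.77 port 51001 ssh2
May 20 11:00:03 rhel9 sshd[4323]: Failed password for root from 192.168.10.77 port 51002 ssh2
May 20 11:00:04 rhel9 sshd[4324]: Failed password for root from 192.168.10.77 port 51003 ssh2
May 20 11:00:05 rhel9 sshd[4325]: Failed password for invalid user test from 192.168.10.77 port 51004 ssh2
May 20 11:00:06 rhel9 sshd[4326]: Failed password for root from 192.168.10.77 port 51005 ssh2
May 20 11:00:07 rhel9 sshd[4327]: Failed password for invalid user oracle from 192.168.10.77 port 51006 ssh2
May 20 11:00:08 rhel9 sshd[4328]: Failed password for root from 192.168.10.77 port 51007 ssh2
May 20 11:00:10 rhel9 sshd[4330]: Accepted publickey for deploy from 192.168.10.20 port 40000 ssh2
May 20 11:00:11 rhel9 sshd[4331]: Failed password for root from 10.0.0.9 port 22222 ssh2
May 20 11:05:00 rhel9 sshd[4340]: Failed password for root from 192.168.10.77 port 51020 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one (assumed 2024 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class BruteForceDetector:
    """Alert when one source accumulates `threshold` failures within `timeframe`
    seconds: the frequency/timeframe idea behind a SIEM correlation rule."""

    def __init__(self, threshold: int = 8, timeframe: int = 120):
        self.threshold = threshold
        self.timeframe = timeframe
        self.window = defaultdict(deque)  # source ip -> timestamps of recent failures

    def feed(self, line: str):
        match = FAILED_RE.match(line)
        if not match:
            return None  # successes, other daemons, noise: not counted
        ip, when = match["ip"], parse_ts(match["ts"])
        recent = self.window[ip]
        recent.append(when)
        while recent and (when - recent[0]).total_seconds() > self.timeframe:
            recent.popleft()  # failures that fell out of the window no longer count
        if len(recent) >= self.threshold:
            count = len(recent)
            recent.clear()  # one alert per burst, then start counting again
            return {"srcip": ip, "attempts": count, "last_user": match["user"],
                    "at": when.isoformat()}
        return None


def run(text: str, **kwargs) -> list:
    """Feed every line to a fresh detector and return the alerts it raised."""
    detector = BruteForceDetector(**kwargs)
    return [alert for alert in (detector.feed(line) for line in text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_AUTH):
        print(alert)
```

The single failure from 10.0.0.9 and the late retry from 192.168.10.77 raise nothing, which is the point of a window: a threshold without a timeframe would eventually flag every user who mistypes a password.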

5.10 Scenario 9: Mitigating Cross-Site Scripting (XSS) Attack

5.10.1 Overview:

Cross-Site Scripting (XSS) is a web security vulnerability that allows
attackers to inject malicious scripts into a website, potentially leading to
a variety of attacks, including stealing user data, hijacking sessions, and
defacing the website.
In this scenario, we demonstrate how to mitigate XSS attacks using
input validation and output encoding techniques. We’ll simulate a simple
XSS attack and show how proper validation and encoding can prevent it.


5.10.2 Prerequisites:

Install Apache and configure the Wazuh agent to monitor the Apache
logs (same as in the SQL injection attack scenario).

5.10.3 Attack emulation:

Execute the following command from the attacker endpoint:

Figure 5.25 – xss injection payload

5.10.4 Results and generated alerts:

After executing the attack, we access the Wazuh alerts in the Security
Events module. We can see the generated alert identified as an XSS attack
and the active response that blocks the malicious endpoint.

Figure 5.26 – xss attack alerts
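Both the SQL injection scenario (5.4) and this XSS scenario are detected the same way: the agent forwards Apache access log lines, and a rule inspects the decoded request URL for attack patterns. The following added Python example, written for this edit and not taken from the thesis or from Wazuh's web rules, parses constructed combined-format access log lines, percent-decodes the URL repeatedly (double encoding is a common evasion), and classifies the request as SQL injection, XSS, or clean, noting whether the server answered 200, which is what turns an attempt into a likely success. The log lines, addresses and pattern lists are constructed; the patterns are deliberately small and a production rule set would be broader.

```python
"""SQL injection and XSS indicators in Apache access logs (added example)."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed combined-format lines: a clean request, an SQLi probe, an XSS probe,
# a clean POST, and a line that is not an access log entry at all.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2024:10:01:12 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.10.77 - - [20/May/2024:10:02:03 +0100] "GET /users.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "curl/8.0"
192.168.10.77 - - [20/May/2024:10:02:05 +0100] "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.6 - - [20/May/2024:10:03:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access log entry
"""

# Apache combined log format; only client IP, request URL and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)

# Small indicator lists applied to the fully decoded URL (case-insensitive).
SQLI = re.compile(
    r"union\s+(all\s+)?select|select\s.+\sfrom\s|'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"
    r"|drop\s+table|sleep\(\d+\)",
    re.I,
)
XSS = re.compile(
    r"<\s*script\b|javascript:|\bon(load|error|click|mouseover|focus)\s*="
    r"|<\s*(iframe|object|embed)\b",
    re.I,
)


def decode(url: str, layers: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded payloads are seen."""
    for _ in range(layers):
        step = unquote_plus(url)
        if step == url:
            break
        url = step
    return url


def classify(url: str) -> Optional[str]:
    """Return 'sql_injection', 'xss' or None for one request URL."""
    decoded = decode(url)
    if SQLI.search(decoded):
        return "sql_injection"
    if XSS.search(decoded):
        return "xss"
    return None


def scan(log_text: str) -> list:
    """Run the classifier over access log text and collect findings per line."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line: ignore rather than fail
        attack = classify(match["url"])
        if attack:
            findings.append({"srcip": match["ip"], "attack": attack, "url": match["url"],
                             "status": int(match["status"]),
                             # an attack answered with 200 deserves a higher level
                             "succeeded": match["status"] == "200"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded URL is essential: the raw line for the SQL injection probe contains no quote character at all, only %27, and a rule that inspects the encoded form misses it.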

Conclusion

The ever-expanding threat landscape necessitates advanced security
solutions that go beyond traditional SIEM capabilities. This project
addressed this need by proposing a next-generation SIEM built upon the
foundation of open-source tools.
Our key objective was to leverage the flexibility and cost-effectiveness
of open-source tools to create a comprehensive security information and
event management platform. This platform offers superior log collection,
analysis, and threat detection capabilities compared to traditional SIEM
solutions.
By utilizing open-source tools, we ensured wider accessibility and fos-
tered a collaborative development environment. This fosters continuous
improvement and rapid adaptation to emerging threats, keeping the plat-
form at the forefront of cybersecurity defense.
This work was an opportunity for us as students to see a part of the
professional world and implement the theoretical knowledge acquired during
our course. From there, we have identified the various critical points and
security vulnerabilities of networks and systems.

Future Directions

Our solution could be enriched by several improvements that can be
made:

• Integration with Threat Intelligence Feeds: Enhance threat
detection by incorporating real-time threat intelligence feeds from
reputable sources.
• Machine Learning Integration: Implement machine learning algo-
rithms to automate threat detection and incident response processes
for improved efficiency.
• Integrate other cyberattacks and use cases as well as mul-
tiple applications and security tools: This would expand the
capabilities of the platform and make it more comprehensive.

Final Thoughts

Open-source tools offer a powerful foundation for building next-generation
SIEM solutions. This project demonstrates the potential of this approach
in creating a robust, cost-effective, and adaptable security platform. By
continuing to develop and refine this platform, we can empower
organizations of all sizes to effectively combat the ever-evolving cyber
threat landscape.

Bibliography

[1] Information Security Concepts. url: https://ebrary.net/26647/computer_science/information_security_concepts.
[2] Understanding Authentication, Authorization, and Encryption. TechWeb - Boston
University. url: https://www.bu.edu/tech/services/security/iam/authorization/.
[3] Omar Santos. CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide.
1st. Cisco Press, 2020.
[4] Troy McMillan and Robin Abernathy. CCNA Security Study Guide: Exam 210-260.
2nd. Sybex, 2018.
[5] International Telecommunication Union Telecommunication Standardization Sec-
tor (ITU-T). Information technology - Open Systems Interconnection - Security
frameworks in open systems: Non-repudiation framework (Recommendation X.813).
Tech. rep. Geneva, Switzerland: ITU, Oct. 1996.
[6] Naeem Syed et al. “Traceability in Supply Chains: A Cyber Security Analysis”. In:
Computers & Security 112 (Nov. 2021), p. 102536. doi: 10.1016/j.cose.2021.102536.
[7] Debbie Walkowski. “What Are Security Controls?” In: F5 Labs (Aug. 2019). url:
https://www.f5.com/solutions/service-provider-security.
[8] Cybersecurity and Infrastructure Security Agency (CISA). Vocabulary. n.d. url:
https://niccs.cisa.gov/cybersecurity-career-resources/vocabulary.
[9] EC-Council. What is Cyber Security? Definition, Meaning, and Purpose. Feb. 2023.
url: https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/
what-is-cybersecurity/.
[10] Yuchong Li and Qinghui Liu. “A comprehensive review study of cyber-attacks and
cyber security; Emerging trends and recent developments”. In: Energy Reports 7
(2021), pp. 8176–8186. issn: 2352-4847. doi: https://doi.org/10.1016/j.egyr.2021.08.126.
url: https://www.sciencedirect.com/science/article/pii/S2352484721007289.
[11] Simplilearn. What is a Cyber Security Framework: Types, Benefits, & Best Prac-
tices. Feb. 2024. url: https://www.simplilearn.com/what-is-a-cyber-security-framework-article.
[12] Federal Trade Commission. Understanding the NIST Cybersecurity Framework.
Oct. 2022. url: https://www.ftc.gov/business-guidance/small-businesses/
cybersecurity/nist-framework.
[13] Priit Anton et al. Data Security and Privacy Guidelines and Feasible Cyber Secu-
rity Methods for Data Exchange Platforms (EU-SysFlex Deliverable D5.4). Pub-
lic. Due Delivery Date: April 2021 (month 42), Date of Delivery: 31st of May,
2021, Status and Version: Final V1, Number of Pages: 85, Work Package/Task
Related: WP5/T5.4, Work Package/Task Responsible: Kalle Kukk/Priit Anton.
EU-SysFlex, Apr. 2021. url: https://www.researchgate.net/publication/373930987_Investigating_the_Use_of_Machine_Learning_Methods_for_Levels_of_Sense_of_Presence_Classification_Based_on_Eye_Tracking_Data.
[14] Peter F. Edemekong, Pavan Annamaraju, and Micelle J. Haydel. Health Insurance
Portability and Accountability Act. In: StatPearls [Internet]. Treasure Island (FL):
StatPearls Publishing; 2024 Jan–. PMID: 29763195. Feb. 2024.
[15] Marc-André Léger. Introduction to Cybersecurity Governance for Business Tech-
nology Management Chapter 2: Cybersecurity governance. May 2023.
[16] Cyber Security Agency of Singapore. Importance of Cybersecurity Risk Manage-
ment for Organisations. 2024. url: https://www.csa.gov.sg/docs/default-
source/publications/singcert/2024/importance-of-cybersecurity-risk-
management-for-organisations.pdf?sfvrsn=9ea735a_1.
[17] Ahmed AlKalbani et al. “Information Security Compliance in Organizations: An
Institutional Perspective”. In: Data and Information Management 1 (Dec. 2017).
doi: 10.1515/dim-2017-0006.
[18] Evan Anderson. What is Red Teaming? Chief Offensive Strategist, Randori, an IBM
Company. IBM. July 2023. url: https://www.ibm.com/security/resources/
what-is-red-teaming.
[19] Matt Bishop. “About Penetration Testing”. In: IEEE Security & Privacy 5 (Dec.
2007), pp. 84–87. doi: 10.1109/MSP.2007.159.
[20] Advania UK. The roles of red, blue and purple teams. Feb. 2024. url:
https://www.advania.co.uk/insights/blog/understanding-the-roles-of-red-blue-and-purple-security-teams/.

[21] Joseph Muniz. The Modern Security Operations Center. Addison-Wesley Profes-
sional, 2021. isbn: 978-0135619858.
[22] Sandeep Bhatt, Pratyusa K. Manadhata, and Loai Zomlot. “The Operational Role
of Security Information and Event Management Systems”. In: IEEE Security &
Privacy 12.5 (2014), pp. 35–41. doi: 10.1109/MSP.2014.103.
[23] Dave Shackleford. Quels outils pour aider à automatiser la réponse à incident.
LEMAGIT. 2017. url: https://www.lemagit.fr/conseil/Quels-outils-pour-aider-a-automatiser-la-reponse-a-incident.
[24] Joseph Muniz, Gary McIntyre, and Nadhem AlFardan. Security Operations Center:
Building, Operating, and Maintaining your SOC. Cisco Press, 2015.
[25] Epam Solutions Hub. What is Open Source Software. n.d. url: https://solutionshub.epam.com/blog/post/what-is-open-source-software.
[26] Wikipedia contributors. Open source. n.d. url: https://en.wikipedia.org/wiki/Open_source.
[27] Red Hat. The State of Enterprise Open Source: A Red Hat report. n.d. url: https://www.redhat.com/en/resources/state-of-enterprise-open-source-report-2022.
[28] T. Timmerman. The risks of open-source software for corporate use - Compact.
Apr. 2020. url: https://www.compact.nl/articles/the-risks-of-open-source-software-for-corporate-use/.
[29] Stack Overflow. The product approach to open source communities. Nov. 2023. url:
https://stackoverflow.blog/2023/11/08/the-product-approach-to-open-
source-communities/.
[30] Gustavo González-Granadillo, Susana González-Zarzosa, and Rodrigo Diaz. “Se-
curity Information and Event Management (SIEM): Analysis, Trends, and Us-
age in Critical Infrastructures”. In: Sensors 21.14 (2021). issn: 1424-8220. doi:
10.3390/s21144759. url: https://www.mdpi.com/1424-8220/21/14/4759.
[31] C. Di Sarno et al. “A novel security information and event management system
for enhancing cyber security in a hydroelectric dam”. In: International Journal of
Critical Infrastructure Protection 13 (2016), pp. 39–51. doi: 10.1016/j.ijcip.
2016.03.002.
[32] Manfred Vielberth. “Security Information and Event Management (SIEM)”. In:
Mar. 2021. isbn: 978-3-642-27739-9. doi: 10.1007/978-3-642-27739-9_1681-1.

133
BIBLIOGRAPHY

[33] Răzvan Stoleriu, Alin Puncioiu, and Ion Bica. “Cyber Attacks Detection Using
Open Source ELK Stack”. In: 2021 13th International Conference on Electron-
ics, Computers and Artificial Intelligence (ECAI). 2021, pp. 1–6. doi: 10.1109/
ECAI52376.2021.9515120.
[34] K. Scarfone. AlienVault OSSIM: SIEM Product overview. Security. Nov. 2015. url:
https://www.techtarget.com/searchsecurity/feature/AlienVault-OSSIM-
SIEM-Product-overview.
[35] Ahmed Wahab. SIEM TOOLS. Jan. 2024. doi: 10.13140/RG.2.2.24105.77929.
[36] Champ III Clark. Sagan User Guide Documentation. Release 1.2.2. 2022.
[37] Exabeam. 10 Must-Have Features to be a Modern SIEM. Jan. 2024. url: https:
//www.exabeam.com/explainers/new-scale-siem/10-must-have-features-
to-be-a-modern-siem/.
[38] CrowdStrike. What is Next-Gen SIEM? May 2024. url: https://www.crowdstrike.
com/cybersecurity-101/next-gen-siem/.
[39] Joe Roush. IT Infrastructure Components: An Introduction. May 2020. url: https:
/ /www.bmc.com/blogs/what- is- it- infrastructure- and- what- are- its-
components/.
[40] Vitaly Kuprenko. What is IT Infrastructure? A Beginner’s Guide. Jan. 2022. url:
https://www.freecodecamp.org/news/what-is-it-infrastructure/.
[41] Wazuh. Getting started with Wazuh. n.d. url: https://documentation.wazuh.
com/current/getting-started/index.html.
[42] SC Staff. SC Award Winners 2023 WaZuh – Best SIEM Solution. SC Media. Aug.
2023. url: https : / / www . scmagazine . com / news / sc - award - winners - 2023 -
wazuh-best-siem-solution.
[43] Wazuh. Wazuh agent - Components. n.d.-b. url: https://documentation.wazuh.
com/current/getting-started/components/wazuh-agent.html.
[44] Mark Viglione. “Explore Suricata: the Open-Source Threat Detection Engine”. In:
Infosec Institute (2023). url: https://www.infosecinstitute.com/resources/
network-security-101/suricata-what-is-it-and-how-can-we-use-it/.
[45] Connect - Editions Diamond. Présentation de l’IDS/IPS Suricata. n.d. url: https:
//connect.ed- diamond.com/MISC/MISC- 066/Presentation- de- l- IDS- IPS-
Suricata2.
[46] Peng Peng et al. “Opening the Blackbox of VirusTotal: Analyzing Online Phishing
Scan Engines”. In: Oct. 2019, pp. 478–485. isbn: 978-1-4503-6948-0. doi: 10.1145/
3355369.3355585.

134
BIBLIOGRAPHY

[47] VirusTotal. How it works. n.d. url: https://virustotal.readme.io/docs/how-


it-works.
[48] VMware. What is a Virtual Machine? Mar. 2024. url: https://www.vmware.com/
topics/glossary/content/virtual-machine.html.
[49] Melanie. Ubuntu: Everything you need to know about this Linux distribution. Data
Science Courses | DataScientest. Mar. 2024. url: https://datascientest.com/
en/ubuntu-everything-you-need-to-know-about-this-linux-distribution.
[50] What is Kali Linux? Kali Linux. n.d. url: https : / / www . kali . org / docs /
introduction/what-is-kali-linux/.
[51] Wikipedia contributors. Windows 10. Wikipedia. May 2024. url: https://en.
wikipedia.org/wiki/Windows_10.
[52] T. Walat. Microsoft Windows Server OS (operating system). SearchWindowsServer.
Dec. 2017. url: https://www.techtarget.com/searchwindowsserver/definition/
Microsoft-Windows-Server-OS-operating-system.
[53] Wikipedia contributors. Red Hat Enterprise Linux. Wikipedia. May 2024. url:
https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux.

135

You might also like