FINSEC SIEM Infrastructure
Security Information and Event Management (SIEM) systems have been used in IT since long ago to guarantee security in computer transactions and technological environments. SIEMs collect information about the monitored IT system by using agents deployed close to the infrastructure elements. This information is encapsulated in the form of events and stored, this way the SIEM offers a security administrator a view of the security status and of the activity that is going on in the monitored system. Additionally, SIEMs often have capabilities to correlate events to identify anomalous behaviours, discover possible threats and detect security incidents. The findings of the correlation process of a SIEM can raise alarms which in turn may trigger actions according to predefined policies. Some examples of these actions are notifying the security administrator (through email, dashboard, etc.) or the execution of certain reactions to reconfigure the system or implement more specific countermeasures. The Atos XL-SIEM builds on top of Alien Vault Open Source SIEM (OSSIM) and improves the traditional SIEM capabilities offered by this technology with the integration of a high-performance correlation engine (Esper) deployed in an Apache Storm cluster, which combined with RabbitMQ offers better scalability and fault-tolerance. Amongst other enhancements it is worth highlighting the improved export capabilities. Besides the native OSSIM Event format, the XL-SIEM has capabilities to export information in two standard data formats: MISP and STIX v2.0.
In participating in the FINSEC project, Atos improves XL-SIEM current capabilities to export data using the official FINSEC data format, the so-called FINSTIX that extends STIX v2.0 to represent both cyber and physical security concepts. Data collection capabilities of the XL-SIEM will be enlarged to support processing of physical security data sources. Also, security analysis capabilities will be significantly improved, to allow correlating together both physical and cyber security events for a more comprehensive and effective real-time monitoring of complex threat scenarios.