ASSEMBLAGE SEMI-AUTOMATIQUE DE LOGS POUR ENTRAINEMENT D’OPÉRATEURS DE SIEM

Abstract

Security information and Event management (SIEM) software enable the aggregation of information generated by all security sensors within a defended network providing optimal visibility on security alerts. SIEMS have become the main information management tool used by system defenders to organize logs and security alerts for an organization's Network Operation Center (NOC). The training of system defenders is a recurring challenge, which is costly in terms of both money and time. This research contributes to the development of training methods that does not depend on network penetration teams. This research is based on the development of new techniques to train network defenders, particularly SIEM operators. We intend to develop a new approach that does not rely on the presence of a penetration testing team. The use of SIEM replay connectors is a viable alternative to train SIEMS operators. However, organizing logs characteristic of malicious scenarios in a way which can be useable by SIEM replay connectors is not trivial. This research has developed techniques and proposes an architecture to assemble logs useable by replay connectors to train SIEM operators in a semi-automatic fashion.