Design and Implementation of a Small Scale Security Operations Center with Intrusion Detection Systems & Elastic SIEM

 

 

Title of the Project

Theme Park Technology Impact Analysis
Students Details

202120288 Nadine Sharafeldin

201920036 Reem Salah Amin Abdulla Hadi

202111516 Rana Naim Mohammad Said
Abstract

In the age of AI technologies, it doesn't take a skilled hacker to run successful attacks anymore, as script kiddies, or even just anyone with an AI tool and the right prompt wreak havoc on people and organizations. Due to the continuous advancements in technology and the cyberspace, more and more security threats continue to emerge, with such a drastic increase in these threats, that it is now crucial for organizations to implement the Security in Depth Principle with constant monitoring and systematic defensive strategies. Security Operations Centers (SOCs) have been an essential part in upholding organizations nowadays, as they are the designated units for threat detection, incident analysis, and coordinated response.

The main processes in a Security Operations Center are:

  • Continuous monitoring and detection
  • Threat intelligence integration for proactively securing systems
  • Incident response plans that handle incidents via triage, containment, forensics, remediation
  • Vulnerability management to identify and patch weak points
  • Compliance management to ensure alignment with standard practices

Continuous monitoring and detection was achieved via IDS tools like Snort whose purpose is to listen to the network traffic and report whenever it detects unusual activity based on the rules configured. The WAF (Web Application Firewall), which is ModSecurity in our case, is responsible for the protection of web applications by analyzing the HTTP traffic, allowing or denying suspicious requests, and logging their details. SIEM (Security Information and Event Management) platforms, especially the ELK Stack (ElasticSearch, Logstash, Kibana), provide SOC analysts with centralized log management and normalization, threat correlation, interactive dashboards, alerting systems, etc, which addresses the other processes involved in a SOC.

This project utilizes all open-source components as mentioned above, in order to simulate a realistic and small scale SOC environment. By integrating Snort, ModSecurity, Filebeat, Logstash, ElasticSearch, and Kibana, the small scale SOC environment is a replica of the complete lifecycle of cyberattack detection and analysis.