SIEM Management: Centralized Log and Security Analysis
SIEM (Security Information and Event Management) is a critical security solution that collects the logs of the entire IT infrastructure at a single point and performs real-time analysis and correlation on them. Today the average data breach is detected after 287 days; SIEM systems shrink that window dramatically and let you detect threats within hours.
At Kuvve Technology we offer 24x7 monitoring and analysis of your organization's security events on enterprise and open-source SIEM platforms such as Splunk, ELK Stack (Elasticsearch-Logstash-Kibana), IBM QRadar and Wazuh.
Why Is SIEM Critical?
1. Threat Detection and Response
Traditional security (Firewall, AV) vs. SIEM:
Firewall/AV:
- Blocks known threats
- Signature-based detection
- Single layer of defense
- Unconnected, isolated events
SIEM:
- Detects unknown threats (anomaly detection)
- Behavior-based analysis
- Multi-layer correlation
- Attack pattern detection through time-series analysis
Example scenario:
14:00: 50+ failed logins during normal office hours (web application)
14:15: Successful login from the same IP
14:20: Privilege escalation attempt
14:25: Anomalous database query (SQL injection attempt)
14:30: Large data transfer (exfiltration)
➜ SIEM correlation: the attack chain "Credential stuffing → Privilege escalation → Data theft" was detected and a ticket was created automatically.
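The chain in this scenario can be expressed as an ordered list of stages that a correlation engine tracks per source IP, advancing one stage at a time and raising a single alert when the last stage is reached. The Python below is an added example, not Kuvve's or any vendor's code; the event timeline, the 203.0.113.10 source address, the 50-failures-in-15-minutes and 1 GB thresholds and the 60-minute chain span are constructed assumptions.

```python
"""Attack-chain correlation keyed on source IP (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    src_ip: str
    kind: str                     # login_failed | login_success | priv_esc | db_query | net_transfer
    detail: dict = field(default_factory=dict)


def count_recent(history: List[Event], now: datetime, kind: str, minutes: int) -> int:
    """Events of `kind` seen in the last `minutes` before `now` (earlier events only)."""
    cutoff = now - timedelta(minutes=minutes)
    return sum(1 for e in history if e.kind == kind and e.ts >= cutoff)


Stage = Tuple[str, Callable[[List[Event], Event], bool]]

# Ordered stages of the scenario. Each predicate sees the IP's earlier events and the new one.
# Thresholds (50 failures in 15 min, 1 GB outbound) are constructed for this example.
ATTACK_CHAIN: List[Stage] = [
    ("Credential stuffing",  lambda h, e: e.kind == "login_failed"
                                          and count_recent(h, e.ts, "login_failed", 15) + 1 >= 50),
    ("Account takeover",     lambda h, e: e.kind == "login_success"),
    ("Privilege escalation", lambda h, e: e.kind == "priv_esc"),
    ("SQL injection",        lambda h, e: e.kind == "db_query" and e.detail.get("anomalous", False)),
    ("Data theft",           lambda h, e: e.kind == "net_transfer"
                                          and e.detail.get("bytes_out", 0) >= 1_000_000_000),
]


class ChainCorrelator:
    """Tracks how far each source IP has progressed through an ordered attack chain."""

    def __init__(self, stages: List[Stage], max_span_minutes: int = 60):
        self.stages = stages
        self.max_span = timedelta(minutes=max_span_minutes)
        self.history: Dict[str, List[Event]] = defaultdict(list)
        # src_ip -> [(stage name, time the stage was satisfied), ...]
        self.progress: Dict[str, List[Tuple[str, datetime]]] = defaultdict(list)

    def ingest(self, ev: Event) -> Optional[dict]:
        hits = self.progress[ev.src_ip]
        # A chain that started longer ago than max_span is abandoned and restarted.
        if hits and ev.ts - hits[0][1] > self.max_span:
            hits.clear()
        name, predicate = self.stages[len(hits)]
        alert = None
        if predicate(self.history[ev.src_ip], ev):
            hits.append((name, ev.ts))
            if len(hits) == len(self.stages):
                alert = {
                    "src_ip": ev.src_ip,
                    "severity": "critical",
                    "chain": " → ".join(n for n, _ in hits),
                    "first_seen": hits[0][1].strftime("%H:%M"),
                    "last_seen": hits[-1][1].strftime("%H:%M"),
                    "ticket_created": True,     # hand-off to the ticketing system
                }
                hits.clear()
        self.history[ev.src_ip].append(ev)
        return alert


def scenario_events() -> List[Event]:
    """Constructed timeline matching the 14:00-14:30 scenario (IP from the RFC 5737 range)."""
    ip, base = "203.0.113.10", datetime(2024, 1, 15, 14, 0)
    events = [Event(base + timedelta(seconds=10 * i), ip, "login_failed", {"user": f"user{i % 20}"})
              for i in range(52)]
    events += [
        Event(base + timedelta(minutes=15), ip, "login_success", {"user": "user7"}),
        Event(base + timedelta(minutes=20), ip, "priv_esc", {"user": "user7", "target": "admin"}),
        Event(base + timedelta(minutes=25), ip, "db_query", {"anomalous": True}),
        Event(base + timedelta(minutes=30), ip, "net_transfer", {"bytes_out": 4_500_000_000}),
    ]
    return events


def run(events: List[Event]) -> List[dict]:
    """Feed events in time order and collect the chain alerts."""
    corr = ChainCorrelator(ATTACK_CHAIN)
    return [a for a in map(corr.ingest, sorted(events, key=lambda e: e.ts)) if a]


if __name__ == "__main__":
    for alert in run(scenario_events()):
        print(alert)
```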
2. Compliance Requirements
Standards such as ISO 27001, PCI-DSS, KVKK and GDPR require log collection and analysis:
- PCI-DSS 10.6: Log review mechanism for all system components
- ISO 27001 A.12.4: Logging and monitoring
- KVKK Article 12: Technical measures for the security of personal data
- GDPR Article 32: Log monitoring and incident detection
Meeting these requirements without a SIEM is nearly impossible.
3. Incident Response
When a security incident is detected, the SIEM is worth its weight in gold for forensic analysis:
- Timeline reconstruction: When did the attack start?
- Attack vector: How did the attacker get in?
- Lateral movement: Which systems did it spread to?
- Data exfiltration: Which data was stolen?
- Patient zero: Which device was infected first?
4. Operational Efficiency
A SIEM is critical not only for security but also for operational problems:
- Application performance monitoring
- Infrastructure health check
- Capacity planning
- Troubleshooting
- Audit trail
SIEM Architecture and Components
Data Flow
```text
DATA SOURCES
  Network:  Firewall, IPS/IDS, Router, Switch, Proxy
  Servers:  Windows, Linux, Database, Web Server, Mail
  Apps:     Cloud (AWS, Azure), SaaS (O365, G Suite), CRM
  Security: AV, EDR, DLP, CASB, WAF
  Identity: AD, LDAP, SSO, MFA
        │  Syslog, API, Agent, File Monitoring
        ↓
COLLECTION LAYER
  Syslog Server | Forwarders (Beats) | API Connectors | Agents (Wazuh)
        ↓
PROCESSING & NORMALIZATION
  - Parsing (JSON, XML, CEF, LEEF)
  - Field extraction
  - Enrichment (GeoIP, Threat Intel)
  - Filtering and aggregation
        ↓
STORAGE & INDEXING
  - Hot storage (fast search, recent data)
  - Warm storage (indexed, older data)
  - Cold storage (archived, compliance)
        ↓
ANALYSIS & CORRELATION
  Rules Engine | ML/Anomaly Detection | Threat Intel | Behavior Analytics
        ↓
ALERTING & RESPONSE
  - Email, SMS, Slack notifications
  - Ticket creation (JIRA, ServiceNow)
  - SOAR integration (automated response)
  - Analyst dashboards
```
Popular SIEM Platforms
1. Splunk Enterprise
Advantages:
- Very powerful search and analysis (SPL, Search Processing Language)
- Broad app ecosystem (2000+ apps)
- Machine learning toolkit (MLTK)
- Excellent visualization
- Enterprise support
Splunk SPL examples:
```spl
# Failed login attempts (last 24 hours)
index=windows EventCode=4625 earliest=-24h
| stats count by user, src_ip
| where count > 10
| sort -count

# Web application attack pattern
index=web status=4* OR status=5*
| rex field=request "(?<attack_type>union|select|script|alert)"
| stats count by attack_type, src_ip, uri
| where count > 5

# Data exfiltration detection (anomalous data transfer)
index=firewall action=allowed
| stats sum(bytes_out) as total_bytes by src_ip
| where total_bytes > 10000000000
| eval total_gb=round(total_bytes/1024/1024/1024, 2)
| table src_ip, total_gb

# Lateral movement detection (RDP/SMB)
index=windows EventCode IN (4624, 4776)
| transaction src_ip maxspan=1h
| where eventcount > 10
| stats values(dest_host) as accessed_hosts by src_ip, user
```
Correlation rule example (brute force attack):
```spl
index=authentication
| stats count(eval(action="failure")) as failures,
        count(eval(action="success")) as success,
        dc(user) as unique_users
        by src_ip
| where failures > 50 AND success > 0
| eval risk_score = (failures * 2) + (unique_users * 10)
| where risk_score > 100
| eval severity = case(
    risk_score > 500, "critical",
    risk_score > 200, "high",
    risk_score > 100, "medium"
  )
| table src_ip, failures, success, unique_users, risk_score, severity
```
Pricing:
- License model: GB/day ingest
- Small (5 GB/day): ~$2,000/month
- Medium (50 GB/day): ~$15,000/month
- Large (500 GB/day): ~$100,000/month
- Cloud: Splunk Cloud (managed SaaS)
2. ELK Stack (Elasticsearch, Logstash, Kibana)
Advantages:
- Open source (Apache 2.0 license)
- High performance (distributed search)
- Elasticsearch's powerful full-text search
- Kibana's rich visualization
- Large community
ELK Stack installation:
```yaml
# ELK Stack with Docker Compose
version: '3.8'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms4g -Xmx4g"
      - xpack.security.enabled=true
      # plain HTTP inside the compose network so the http:// URLs below work
      - xpack.security.http.ssl.enabled=false
      - ELASTIC_PASSWORD=YourStrongPassword123!
    ports:
      - "9200:9200"
    volumes:
      - es-data:/usr/share/elasticsearch/data
  logstash:
    image: docker.elastic.co/logstash/logstash:8.11.0
    container_name: logstash
    ports:
      - "5044:5044"   # Beats input
      - "5000:5000"   # TCP input
      - "9600:9600"   # API
    volumes:
      - ./logstash/pipeline:/usr/share/logstash/pipeline
      - ./logstash/config:/usr/share/logstash/config
    depends_on:
      - elasticsearch
  kibana:
    image: docker.elastic.co/kibana/kibana:8.11.0
    container_name: kibana
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      # Kibana 8.x refuses to run as the built-in "elastic" superuser; use the
      # kibana_system account (set its password with elasticsearch-reset-password)
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=KibanaSystemPassword123!   # placeholder
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch
volumes:
  es-data:
    driver: local
```
Logstash pipeline config:
```conf
# /usr/share/logstash/pipeline/syslog.conf
input {
  # Syslog input
  tcp {
    port => 5000
    type => "syslog"
  }
  # Beats input (Filebeat, Winlogbeat)
  beats {
    port => 5044
  }
}

filter {
  # Parse syslog
  if [type] == "syslog" {
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}"
      }
    }
    date {
      # syslog pads single-digit days with a second space ("Jan  5 10:00:00")
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      timezone => "Europe/Istanbul"
    }
  }

  # Windows Event Log parsing
  if [event][code] == 4625 {
    mutate {
      add_field => { "event_type" => "failed_login" }
    }
  }

  # GeoIP enrichment
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
    }
  }

  # Threat intelligence (example: check against known bad IPs; placeholder addresses)
  if [src_ip] in ["1.2.3.4", "5.6.7.8"] {
    mutate {
      add_field => { "threat_level" => "high" }
      add_tag => ["known_malicious_ip"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "logs-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "YourStrongPassword123!"
  }
  # Alert critical events to stdout
  if [threat_level] == "high" {
    stdout {
      codec => rubydebug
    }
  }
}
```
Kibana Query (KQL) examples:
```text
# Failed login attempts (Windows Event 4625)
event.code: 4625 AND source.ip: *

# SQL injection attempts
http.request.method: POST AND message: (*union*select* OR *drop*table*)

# File upload to suspicious location
event.action: "file_create" AND file.path: *\\temp\\*.exe

# Privilege escalation
event.action: "user_added_to_group" AND group.name: "Administrators"
```
Elasticsearch Query DSL (advanced search):
```json
{
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "now-1h" } } },
        { "match": { "event.code": "4625" } }
      ],
      "filter": [
        { "term": { "event.outcome": "failure" } }
      ]
    }
  },
  "aggs": {
    "failed_logins_by_ip": {
      "terms": {
        "field": "source.ip",
        "size": 10,
        "min_doc_count": 10
      }
    }
  }
}
```
Cost:
- Open source: free (self-hosted)
- Hardware: $5,000-20,000 (servers)
- Management: in-house IT team or managed service
- Elastic Cloud: $45/GB/month (managed SaaS)
3. IBM QRadar
Advantages:
- Enterprise-grade SIEM
- Powerful correlation engine
- Compliance reporting
- Threat intelligence integration
- IBM X-Force integration
QRadar AQL (Ariel Query Language):
```sql
-- Failed login attempts (the time range is the trailing LAST clause in AQL)
SELECT sourceip, destinationip, username, COUNT(*) AS attempts
FROM events
WHERE QIDNAME(qid) = 'Failed Login'
GROUP BY sourceip, destinationip, username
HAVING COUNT(*) > 10
ORDER BY attempts DESC
LAST 24 HOURS

-- SQL injection detection
SELECT sourceip, destinationip, UTF8(payload) AS payload_text
FROM events
WHERE category = 103
  AND UTF8(payload) MATCHES '.*UNION.*SELECT.*'
LAST 1 HOURS

-- Data exfiltration
SELECT sourceip, SUM(bytesreceived) AS total_bytes
FROM flows
GROUP BY sourceip
HAVING SUM(bytesreceived) > 10000000000
LAST 1 HOURS
```
QRadar custom rule (brute force):
```text
Rule: Multiple Failed Login Attempts
IF: Event count where (EventName='Failed Login' AND Username=<same>)
    exceeds 10 in 10 minutes
    from the same Source IP
THEN: Create Offense
  Severity: High
  Category: Authentication.Login Failed
  Description: Brute force attack detected from {SourceIP}
```
Pricing:
- Small (100 EPS): $20,000-40,000
- Medium (1000 EPS): $80,000-150,000
- Large (5000+ EPS): $300,000+
- Annual support: 20-25% of license cost
4. Wazuh (Open Source SIEM + XDR)
Advantages:
- Completely free and open source
- Host-based IDS (HIDS)
- File integrity monitoring (FIM)
- Vulnerability detection
- Cloud security monitoring (AWS, Azure, GCP)
- Compliance (PCI-DSS, GDPR, HIPAA)
Wazuh architecture:
```text
WAZUH MANAGER CLUSTER
  Master Manager | Worker Manager | Worker Manager
        │
        ↓
Wazuh Agents (Endpoints)
  - Windows, Linux, macOS
  - Cloud instances
  - Docker containers
        ↓
Wazuh Indexer (OpenSearch)
  - Log storage & indexing
        ↓
Wazuh Dashboard (Kibana)
  - Visualization & alerts
```
Wazuh installation (Docker):
```bash
# Wazuh single-node deployment
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0
cd wazuh-docker/single-node
# Generate the indexer/dashboard certificates the stack expects
docker-compose -f generate-indexer-certs.yml run --rm generator
# Start Wazuh stack
docker-compose up -d
# Access the Wazuh Dashboard
# URL: https://localhost:443
# User: admin
# Pass: SecretPassword (change it!)
```
Wazuh agent deployment:
```bash
# Linux agent installation (Debian/Ubuntu)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update
# The manager address is passed as an environment variable at install time;
# the package writes it into <address> in /var/ossec/etc/ossec.conf
WAZUH_MANAGER='192.168.1.100' apt-get install wazuh-agent
# Start agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
```
```powershell
# Windows agent (PowerShell)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER='192.168.1.100'
NET START WazuhSvc
```
Wazuh custom rules:
```xml
<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,syslog,">

  <!-- Brute force SSH detection: 8 matches of rule 5716 within 120 s from one source IP -->
  <rule id="100001" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSH authentication failures from same source IP</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Malware execution via suspicious file -->
  <rule id="100002" level="12">
    <if_sid>550</if_sid>
    <match>tmp|temp</match>
    <regex>\.exe$|\.dll$|\.scr$</regex>
    <description>Suspicious file execution from temp directory</description>
    <mitre>
      <id>T1204</id>
    </mitre>
  </rule>

  <!-- Privilege escalation -->
  <rule id="100003" level="12">
    <if_sid>5402</if_sid>
    <user>root</user>
    <description>User escalated privileges to root</description>
    <mitre>
      <id>T1548</id>
    </mitre>
  </rule>

</group>
```
Cost:
- Software: free (GPL v2)
- Hardware: $3,000-15,000 (self-hosted)
- Managed Wazuh: $5-15/agent/month
SIEM Use Cases and Detection Rules
1. Credential Stuffing / Brute Force
Detection logic:
IF:
- Failed login attempts > 10 (within 10 minutes)
- Same source IP
- Different usernames (dictionary attack)
THEN:
- Alert: High severity
- Action: Temporarily block the IP (firewall)
Splunk alert:
```spl
index=authentication action=failure earliest=-10m
| stats dc(user) as unique_users, count by src_ip
| where count > 10 AND unique_users > 5
| eval alert_desc = "Credential stuffing from " . src_ip . " targeting " . unique_users . " users"
```
2. Lateral Movement Detection
Detection logic:
IF:
- Successful login (user X, host A)
- Within 15 minutes the same user logs in to different hosts (host B, C, D)
- RDP/SSH/SMB protocols
THEN:
- Alert: Critical
- Investigation: user X may be compromised
ELK query:
```json
{
  "query": {
    "bool": {
      "must": [
        { "match": { "event.action": "logged-in" } },
        { "range": { "@timestamp": { "gte": "now-15m" } } }
      ]
    }
  },
  "aggs": {
    "lateral_movement": {
      "terms": { "field": "user.name" },
      "aggs": {
        "unique_hosts": {
          "cardinality": { "field": "host.name" }
        },
        "many_hosts": {
          "bucket_selector": {
            "buckets_path": { "hosts": "unique_hosts" },
            "script": "params.hosts > 3"
          }
        }
      }
    }
  }
}
```
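Use cases 1 and 2 above both reduce to a sliding time window keyed on one field (source IP for credential stuffing, user for lateral movement) with a distinct-count threshold evaluated on every new event. The Python below is an added example, not the page's own rules or any vendor's code; the key=value log lines, IP addresses, hostnames and the thresholds of 10 failures / 5 users and 4 hosts are constructed assumptions.

```python
"""Sliding-window detections for credential stuffing and lateral movement (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


def parse_line(line: str) -> Optional[dict]:
    """Parse '<ISO timestamp> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts_str, _, rest = line.strip().partition(" ")
    if not rest:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


class SlidingWindow:
    """Per-key queue of the events that fall inside the last `window_minutes`."""

    def __init__(self, key: str, window_minutes: int):
        self.key = key
        self.window = timedelta(minutes=window_minutes)
        self.buckets: Dict[str, Deque[dict]] = defaultdict(deque)

    def push(self, ev: dict) -> Deque[dict]:
        q = self.buckets[ev[self.key]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > self.window:   # expire old events
            q.popleft()
        return q


def detect_credential_stuffing(events: List[dict], max_failures: int = 10, min_users: int = 5) -> List[dict]:
    """Use case 1: > max_failures failures against > min_users distinct users from one IP in 10 min."""
    window, alerts, fired = SlidingWindow("src_ip", 10), [], set()
    for ev in events:
        if ev.get("action") != "failure":
            continue
        q = window.push(ev)
        users = {e["user"] for e in q}
        if len(q) > max_failures and len(users) > min_users and ev["src_ip"] not in fired:
            fired.add(ev["src_ip"])            # one alert per IP, not one per event
            alerts.append({"rule": "credential_stuffing", "severity": "high", "src_ip": ev["src_ip"],
                           "failures": len(q), "unique_users": len(users),
                           "action": "temporary firewall block"})
    return alerts


def detect_lateral_movement(events: List[dict], min_hosts: int = 4) -> List[dict]:
    """Use case 2: one user with successful RDP/SSH/SMB logins to >= min_hosts hosts in 15 min."""
    window, alerts, fired = SlidingWindow("user", 15), [], set()
    for ev in events:
        if ev.get("action") != "success" or ev.get("protocol") not in {"rdp", "ssh", "smb"}:
            continue
        hosts = sorted({e["host"] for e in window.push(ev)})
        if len(hosts) >= min_hosts and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append({"rule": "lateral_movement", "severity": "critical", "user": ev["user"],
                           "hosts": hosts, "action": "investigate possible account compromise"})
    return alerts


def constructed_events() -> List[dict]:
    """Constructed authentication log: one dictionary attack, one clumsy user, one roaming account."""
    base, lines = datetime(2024, 1, 15, 9, 0), []
    for i in range(12):   # 12 failures against 7 users from one IP within 6 minutes
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} action=failure "
                     f"user=user{i % 7} src_ip=203.0.113.10 host=vpn01 protocol=https")
    for i in range(12):   # 12 failures, but a single user mistyping: no alert
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} action=failure "
                     f"user=bob src_ip=198.51.100.5 host=vpn01 protocol=https")
    for i, host in enumerate(["fs01", "db02", "dc01", "hr-share"]):   # four hosts in 12 minutes
        lines.append(f"{(base + timedelta(minutes=4 * i)).isoformat()} action=success "
                     f"user=svc_backup src_ip=10.0.0.8 host={host} protocol=rdp")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} action=success user=alice src_ip=10.0.0.21 host=ws-alice protocol=ssh")
    lines.append(f"{(base + timedelta(minutes=40)).isoformat()} action=success user=alice src_ip=10.0.0.21 host=git01 protocol=ssh")
    return sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])


if __name__ == "__main__":
    evs = constructed_events()
    for alert in detect_credential_stuffing(evs) + detect_lateral_movement(evs):
        print(alert)
```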
3. Data Exfiltration
Detection logic:
IF:
- Outside normal hours (22:00-06:00)
- Abnormally large data transfer (> 10 GB)
- Destination: external/cloud storage
- Protocol: HTTPS, FTP, SMB
THEN:
- Alert: Critical
- Action: Network isolation
Wazuh rule:
```xml
<rule id="100010" level="12">
  <!-- if_sid must point at the rule whose decoder extracts the bytes_sent field -->
  <if_sid>5402</if_sid>
  <time>10 pm - 6 am</time>
  <!-- rules match text, not numbers: 11 or more digits means >= 10,000,000,000 bytes (10 GB) -->
  <field name="bytes_sent">^\d\d\d\d\d\d\d\d\d\d\d</field>
  <description>Potential data exfiltration detected</description>
</rule>
```
4. Ransomware Behavior Detection
Detection logic:
IF:
- High rate of file changes (100+ files/minute)
- File extension changes (.encrypted, .locked)
- Shadow copy deletion (vssadmin delete shadows)
- Known ransomware process names
THEN:
- Alert: Critical
- Action: Host isolation, snapshot backup
Splunk correlation:
```spl
index=endpoint
| eval is_modify = if(action="file_modify", 1, 0),
       is_shadow_del = if(process_name="vssadmin.exe" AND like(command_line, "%delete%shadows%"), 1, 0),
       is_ransom_ext = if(match(file_extension, "(?i)\.(encrypted|locked|crypt)$"), 1, 0)
| bin _time span=5m
| stats sum(is_modify) as file_modify_count, sum(is_shadow_del) as shadow_deletion,
        sum(is_ransom_ext) as ransom_ext_count by host, _time
| eval ransomware_score = (file_modify_count * 2) + (shadow_deletion * 50) + (ransom_ext_count * 5)
| where ransomware_score > 100
```
5. Insider Threat Detection
Detection logic:
IF:
- User accesses sensitive data (HR, Finance)
- Outside normal working hours
- USB device connection or cloud upload
- Large file copy
THEN:
- Alert: High
- Investigation: User activity review
SIEM Implementation Roadmap
Phase 1: Planning (2-4 weeks)
Goals:
- Use case definition
- Identification of log sources
- Platform selection (Splunk vs ELK vs Wazuh)
- License and hardware sizing
Deliverables:
- SIEM strategy document
- Log source inventory
- Hardware/cloud requirements
Phase 2: Deployment (4-8 weeks)
Installation:
Weeks 1-2: SIEM platform installation
├── Hardware/cloud provisioning
├── SIEM software installation
├── High-availability configuration
└── Backup and disaster recovery
Weeks 3-4: Log source integration (Phase 1)
├── Critical systems (Firewall, AD, VPN)
├── Syslog/agent configuration
├── Parsers and normalization
└── Testing and troubleshooting
Weeks 5-6: Log source integration (Phase 2)
├── Servers (Windows, Linux)
├── Applications (Web, Database, Email)
├── Cloud platforms (AWS, Azure, O365)
└── Security tools (AV, EDR)
Weeks 7-8: Detection rules and dashboards
├── Use case implementation
├── Correlation rules
├── Alerting configuration
└── User training
Phase 3: Tuning (4-12 weeks)
Optimization:
- False positive reduction
- Alert threshold tuning
- Performance optimization
- Coverage expansion
Phase 4: Operations (ongoing)
24x7 monitoring:
- Tier 1: Alert triage and initial response
- Tier 2: Investigation and analysis
- Tier 3: Threat hunting and advanced forensics
Pricing and Packages
SIEM Managed Service (24x7 Monitoring)
Small Business (50-200 devices)
Platform: Wazuh (open source). Log volume: 5-10 GB/day
Services:
- Wazuh deployment and configuration
- 50+ endpoint agents
- Basic use cases (10 rules)
- 8x5 alert monitoring
- Monthly report
Price: $1,500 - $3,000/month
Mid-Size (200-1000 devices)
Platform: ELK Stack or Splunk. Log volume: 20-50 GB/day
Services:
- SIEM platform (managed)
- 200+ endpoint agents
- Advanced use cases (50+ rules)
- 24x7 alert monitoring
- Incident response (Tier 1-2)
- Threat intelligence integration
- Weekly report
Price: $8,000 - $18,000/month
Enterprise (1000+ devices, multi-site)
Platform: Splunk Enterprise or IBM QRadar. Log volume: 100-500 GB/day
Services:
- Enterprise SIEM platform
- Unlimited agents
- Custom use cases (200+ rules)
- 24x7 SOC monitoring (Tier 1-2-3)
- Threat hunting
- Incident response and forensics
- SOAR integration
- Compliance reporting (ISO, PCI-DSS)
- Dedicated security analyst
- Daily/weekly reports
Price: $35,000 - $120,000/month
Self-Hosted SIEM Deployment
Small (Wazuh/ELK):
- Setup: $8,000-15,000
- Hardware: $5,000-10,000
- Annual support: $3,000-5,000
Medium (ELK/Splunk):
- Setup: $25,000-50,000
- Hardware: $20,000-40,000
- License: $24,000-180,000/year (Splunk)
- Annual support: $10,000-20,000
Enterprise (Splunk/QRadar):
- Setup: $100,000-300,000
- Hardware: $80,000-200,000
- License: $360,000-1,200,000/year
- Annual support: $50,000-150,000
Real-World Case Studies
Case 1: E-Commerce Company, PCI-DSS Compliance
Customer profile:
- Online payment platform
- 500,000+ transactions/day
- PCI-DSS Level 1 compliance requirement
- Previous state: logs scattered, no correlation
Problems:
- PCI-DSS 10.6 requirement could not be met
- Breach detection time: 45+ days
- Forensic investigation difficult
- High audit cost ($50K+)
Solution:
Platform: Splunk Enterprise
Log sources:
├── Payment gateway (API logs)
├── Web application firewall (WAF)
├── Database audit logs
├── Network firewall
├── Active Directory
├── Linux/Windows servers
└── Cloud infrastructure (AWS)
Use cases (PCI-DSS):
- 10.2.1: User access logging
- 10.2.2: Admin action logging
- 10.2.3: Audit trail access
- 10.2.4: Invalid access attempts
- 10.2.5: Authentication failures
- 10.2.6: Log initialization
- 10.2.7: Creation/deletion of system objects
- 10.6: Daily log review
Deployment: 8 weeks
- Weeks 1-2: Splunk cluster setup (3-node)
- Weeks 3-4: Log source integration
- Weeks 5-6: PCI-DSS rules implementation
- Weeks 7-8: Tuning and audit preparation
Results:
- PCI-DSS audit: passed (first attempt)
- Threat detection: 45 days → 4 hours on average
- Compliance cost: $50K/year → $15K/year (audit simplified)
- Security posture: 3 major incidents caught (credential stuffing, SQL injection, insider threat)
- ROI: $120K saved in the first year (breach prevention + audit)
Investment:
- Splunk license (50 GB/day): $180,000/year
- Professional services: $60,000 (one-time)
- Hardware: $35,000
- Total first year: $275,000
- 3-year TCO: $615,000 ($540K license + $75K support)
Case 2: Financial Institution, Advanced Threat Detection
Customer profile:
- Investment bank
- 2,000 employees, 50+ branches
- High risk of targeted attacks
- Regulatory requirements (BDDK, SPK)
Problems:
- Advanced Persistent Threat (APT) risk
- Lack of insider threat detection
- Distributed log sources (on-premise + cloud)
- Insufficient forensic analysis
Solution:
Platform: IBM QRadar + Wazuh hybrid
Architecture:
├── QRadar SIEM (central correlation)
│   ├── 2000 EPS license
│   ├── 5 TB storage (1 year retention)
│   └── X-Force Threat Intelligence
├── Wazuh HIDS (endpoint monitoring)
│   ├── 2000 agents (all endpoints)
│   ├── File integrity monitoring
│   └── Vulnerability detection
└── SOAR integration (Palo Alto Cortex XSOAR)
    ├── Automated triage
    ├── Enrichment (VirusTotal, AbuseIPDB)
    └── Response playbooks
Use cases:
1. Phishing attack detection
2. Lateral movement (RDP/SMB)
3. Privilege escalation
4. Data exfiltration
5. Insider threat (UEBA, User Behavior Analytics)
6. Ransomware behavior
7. Cloud security (O365, AWS)
8. Supply chain compromise
Implementation:
- Phase 1 (4 weeks): QRadar deployment, core log sources
- Phase 2 (6 weeks): Wazuh rollout (2000 agents)
- Phase 3 (4 weeks): Use case development, tuning
- Phase 4 (2 weeks): SOAR integration, playbooks
- Total: 16 weeks
Results:
- Threat detection: 12 major incidents caught in the first 6 months:
  - 3x APT attempt (spear phishing)
  - 2x insider threat (data exfiltration)
  - 4x ransomware attempt (caught early)
  - 3x compromised credential
- MTTR (Mean Time To Respond): 8 hours → 45 minutes
- False positive rate: 40% in the first month → 5% after 3 months
- Compliance: BDDK audit passed, SPK requirements met
- Cost avoidance: a single data breach costing $5M+ was averted
Investment:
- QRadar license (2000 EPS): $250,000
- Wazuh (free) + infrastructure: $20,000
- SOAR platform: $80,000/year
- Professional services: $150,000
- Hardware: $100,000
- Total first year: $600,000
- Annual support: $120,000
ROI:
- Data breach cost avoidance: $5,000,000
- Reduced incident response cost: $200,000/year
- Audit efficiency: $50,000/year
- Net value (3 years): $4,200,000
SIEM Best Practices
1. Log Collection
What to collect:
Critical (Tier 1):
✅ Authentication logs (AD, SSO, VPN)
✅ Firewall/IPS logs
✅ Privileged access (admin actions)
✅ Security tool alerts (AV, EDR)
Important (Tier 2):
✅ Application logs (web, DB)
✅ Server logs (Windows Event, syslog)
✅ Network flow data (NetFlow)
✅ Cloud platform (AWS CloudTrail, Azure Monitor)
Optional (Tier 3):
○ DNS queries
○ Proxy logs
○ Email logs
○ IoT device logs
What not to collect:
- Debug-level logs (noise)
- Personally identifiable information (PII): handle with care!
- Irrelevant application logs
2. Retention Policy
Hot storage (fast search):
- Security events: 90 days
- High-value logs: 30-90 days
Warm storage (slower):
- All logs: 1 year
Cold storage (archive):
- Compliance: 7 years (PCI-DSS, GDPR)
- Legal hold: as needed
3. Preventing Alert Fatigue
Problem: too many alerts → analyst burnout → missed threats
Solution:
- Tuning: keep the false positive rate below 5%
- Prioritization: Critical/High/Medium/Low severity
- Aggregation: merge similar alerts
- Suppression: suppress known false positives
- Context: enrich alerts with extra information (user role, asset criticality)
4. Use Case Prioritization
First 30 days:
1. Authentication failures
2. Malware detection
3. Network intrusion
Days 30-90:
4. Privilege escalation
5. Lateral movement
6. Data exfiltration
Days 90+:
7. Insider threat (UEBA)
8. Advanced correlation
9. Threat hunting
5. Team Structure
Minimum viable SOC:
- 1x SIEM Engineer (rule development, tuning)
- 2x Security Analyst (Tier 1, alert triage)
- 1x Incident Responder (Tier 2, investigation)
Mid-size SOC:
- 4x Tier 1 Analyst (24x7 shift coverage)
- 2x Tier 2 Analyst (escalation, investigation)
- 1x Tier 3 / Threat Hunter
- 1x SIEM Engineer / DevOps
Frequently Asked Questions (FAQ)
1. What is the difference between a SIEM and a SOC?
- SIEM: the technology platform (log collection, correlation, alerting)
- SOC (Security Operations Center): people + processes + SIEM + other tools
The SOC is the security team that uses the SIEM.
2. Do small businesses need a SIEM?
Yes, if:
- You have 50+ devices/servers
- You have compliance requirements (PCI-DSS, HIPAA)
- You process sensitive data
- Cyber insurance requires it
Alternative: a managed SIEM service (outsourced).
3. Is an open-source SIEM (ELK, Wazuh) enough?
Advantages:
- ✅ Free
- ✅ Customizable
- ✅ Community support
Disadvantages:
- ❌ Setup/management complexity
- ❌ No enterprise support
- ❌ Advanced features missing (UEBA, SOAR)
Recommendation: Wazuh for SMBs, Splunk/QRadar for enterprises.
4. How long does a SIEM keep logs?
Typical retention:
- Small: 30-90 days (hot), 1 year (archive)
- Medium: 90 days (hot), 2 years (archive)
- Enterprise: 1 year (hot), 7 years (archive)
Compliance: PCI-DSS = 1 year, GDPR = 7 years.
5. How long does a SIEM deployment take?
Minimum viable SIEM: 4-6 weeks
- Weeks 1-2: Platform setup
- Weeks 3-4: Log integration
- Weeks 5-6: Rules + tuning
Production-ready: 12-16 weeks (tuning included).
6. How is SIEM storage sizing calculated?
Formula:
Daily ingest (GB) = Σ (Log sources × Events/sec × Event size)
Example:
- 100 Windows servers: 50 EPS × 100 = 5,000 EPS
- Firewall: 1,000 EPS
- Web app: 500 EPS
Total: 6,500 EPS
6,500 events/sec × 86,400 sec/day × 0.5 KB = ~270 GB/day
Storage (1 year):
- Hot (90 days): 270 GB × 90 = 24 TB
- Warm (275 days): 270 GB × 275 = 74 TB (compressed 10:1 = 7.4 TB)
Total: ~32 TB
7. What is the difference between SIEM and SOAR?
| Feature | SIEM | SOAR |
|---|---|---|
| Purpose | Log correlation, detection | Automated response |
| Function | Generates alerts | Responds to alerts automatically |
| Example | "Brute force detected" | "Block IP at firewall" |
Integration: the SIEM generates the alert → the SOAR takes the automated action.
8. Managed SIEM vs. in-house SIEM?
| Criterion | Managed | In-House |
|---|---|---|
| Setup time | 2-4 weeks | 12-16 weeks |
| CapEx | Low | High (hardware, license) |
| OpEx | High (monthly fee) | Medium (staff, maintenance) |
| Expertise | Provided by vendor | Own team |
| Control | Limited | Full control |
Recommendation: SMB → Managed, Enterprise → In-house.
9. How are SIEM false positives reduced?
Tuning strategies:
- Baseline: learn normal behavior (2-4 weeks)
- Whitelist: add known-good IPs/users/apps
- Threshold tuning: adjust alert thresholds
- Context: add asset criticality and user role
- Feedback loop: analyst feedback → rule update
Target: <5% false positive rate.
10. How does a SIEM support compliance?
PCI-DSS requirements:
- 10.2: Audit trail
- 10.6: Daily log review
- 10.7: Log retention (1 year)
ISO 27001:
- A.12.4: Logging and monitoring
GDPR:
- Article 32: Security measures
- Article 33: Breach detection (72 hours)
SIEM outputs:
- Automated compliance reports
- Audit trail
- Incident timeline
Getting Started
Contact Kuvve Technology to start your SIEM project:
- Free Security Assessment: we analyze your existing log sources
- Use Case Workshop: detection rules tailored to your needs
- Platform Selection: Splunk vs ELK vs Wazuh comparison
- Pilot Deployment: 2-4 week PoC
- Full Deployment: production rollout
Contact:
- Web: kuvve.com/iletisim
- E-mail: [email protected]
- Phone: +90 (216) 390 02 20
Contact us today for 24x7 SOC service or a self-hosted SIEM deployment!
Is this solution right for your business?
Talk to our expert team and let us prepare a tailored offer for you.