Title Kibernetinės saugos priemonių taikymas tinklo lygmenyje MVĮ NIS2 atitikčiai, naudojant atviro kodo sprendimus
Translation of Title Application of cybersecurity measures at the network level for NIS2 compliance in small and medium-sized enterprises using open-source solutions.
Authors Venskūnas, Kęstutis
Pages 55
Abstract [eng] The NIS2/TIS2 directive increases cybersecurity governance requirements for small and medium-sized organisations, yet practical, cost-effective implementation and evaluation cases of open-source network-level security solutions remain limited. The aim of this thesis is to examine open-source solutions for identifying and mitigating network-level vulnerabilities, attack vectors and cybersecurity incidents, and to develop an SME-applicable prototype in the context of NIS2 Article 21 requirements. The study combines a literature review of NIS2, ENISA guidance and related standards with a laboratory experiment, comparative analysis and inductive evaluation. In the practical part, an isolated test environment was implemented integrating a pfSense firewall (traffic filtering and mirroring), a Zeek NDR sensor (protocol-level telemetry and anomaly detection), an ELK SIEM stack (log aggregation, storage and visualisation), Nmap (vulnerability scanning and SSH bruteforce scenarios) and iperf3 (load and performance metrics). The prototype was evaluated by simulating DoS and SSH bruteforce attacks against an SSH service: both attack scenarios were detected, the false alarm rate (FAR) was 0%, and the mean time to detect (MTTD) was approximately 45 minutes for DoS and 23 minutes for bruteforce; however, detection time was affected by ELK ingestion delays (30–60 minutes) and background Internet noise. Centralising Zeek and network device events in ELK enabled incident timeline reconstruction and the formation of the evidence base required for incident analysis and reporting processes. The evaluation highlighted key advantages (low cost, flexibility and auditable artefacts) as well as limitations, including the need for continuous tuning, restricting administrative service exposure (e.g., via VPN or IP allow-listing), and optimising the log processing pipeline to ensure operational effectiveness in real-world environments.
Dissertation Institution Vilniaus universitetas.
Type Master thesis
Language Lithuanian
Publication date 2026