18.1 Introduction to SIEM Flashcards
Organizations detect attacks against their information security assets with a concept called _________, or more specifically, ______________.
Organizations detect attacks against their information security assets with a concept called **continuous monitoring**, or more specifically, **information security continuous monitoring (ISCM)**.
Explain ISCM.
ISCM is the processes and technologies used to detect information security risks associated with an organization's operational environment in real time. ISCM provides real-time insight into:
- The current state of an organization’s networked assets.
- Vulnerabilities and threats that attack an organization’s networked assets.
- How well security controls are protecting an organization’s networked assets.
While log entries were originally designed to assist with troubleshooting system issues, they later proved useful to security professionals as a source of insight into:
- The state of a device or a network.
- Who has access to a device or a network.
- User activities on a device or a network.
_________ are created on devices such as Linux and Windows systems.
**Operating system logs** are created on devices such as Linux and Windows systems. Security events that can be identified by these logs include:
- Security access events: For example, an unauthorized user attempts to view privileged data, such as a company payroll file.
- Security permissions events: For example, a user attempts to give themselves permissions to view and edit a privileged file.
_________ are created by devices such as Apache and IIS (Internet Information Services) servers. Security events that can be identified by these logs include:
**Application logs** are created by devices such as Apache and IIS (Internet Information Services) servers.
- Application access events: For example, a brute force attempt to log into an administrative account on a web application.
- Fraud events: For example, a user on a financial application attempts to transfer a large sum of funds to a suspicious external account.
____________ are created on devices such as routers, switches, and DHCP/DNS servers. Security events that can be identified by these logs include:
**Networking device logs** are created on devices such as routers, switches, and DHCP/DNS servers.
- Administrative events: For example, a network administrator accidentally opens a port allowing unauthorized traffic into a network.
- Network security events: For example, a DHCP starvation attack occurs in which the DHCP server receives thousands of requests in a short period of time, consuming all available IP addresses.
__________ are created on devices such as IDS/IPS, firewalls, endpoint devices, and honeypots. Security events that can be identified by these logs include:
**Security device logs** are created on devices such as IDS/IPS, firewalls, endpoint devices, and honeypots.
- Endpoint events: For example, a user accidentally downloads malware onto their laptop from a phishing email.
- IDS signature events: For example, a packet with an illegal TCP flag combination is identified by an IDS.
What are the 4 most common types of logs used by security professionals?
- Operating system logs
- Application logs
- Networking device logs
- Security device logs
__________ is the identification and collection of logs from multiple computing sources.
**Log aggregation** is the identification and collection of logs from multiple computing sources.
_______ is the process of converting a single string of log data into fields of structured data.
**Log parsing** is the process of converting a single string of log data into fields of structured data.
If we separate the values, we can categorize each field and rearrange them to match a uniform structure, a process known as _______.
If we separate the values, we can categorize each field and rearrange them to match a uniform structure, a process known as **log normalization**.
What is log correlation?
Log correlation monitors incoming logs for logical sequences, patterns, and values to identify events that are invisible to individual systems. It can perform analysis that would otherwise require repetitive human effort, and it can identify activity that is unusual for your business processes.
What does SIEM stand for and what is it?
Security professionals use a technology called **security information and event management (SIEM)** (pronounced "sim") to simplify and manage the monitoring of security events.
What are the two parts of SIEM?
SIEM is made up of two types of software:
- Security information management (SIM), which is primarily focused on log management and involves collecting logs in a central location for later analysis.
- Security event management (SEM), which is primarily focused on event monitoring and involves identifying, evaluating, and correlating logs to determine security events and create alerts.