SIEM Flashcards
Security Information and Event Management
SIEM
Security information and event management, SIM+SEM together
SIM
Security information management
SEM
Security event management
SIM definition
The practice of collecting, monitoring, and analyzing data from computer logs
SEM definition
The process of collecting, monitoring, and analyzing data from events in software, systems, and the IT environment
Types of logs to capture
Application logs, system logs, and host activity
Application logs
Log modifications to applications and changes to records
System logs
Log who logged into the system and what actions they performed
Host activity
Machines starting up, rebooting, shutting down, changes to configs, and disk space
SIEM collects data from
Firewalls, intrusion detection systems, intrusion prevention systems, and application servers
Security intrusion
A security event, or a combination of events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so
Intrusion detection
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
Intrusion detection system
Notifies that unusual activity has occurred; usually placed behind the firewall
Parts of IDS
Sensors, analyzers, and user interface
IDS sensors
Collect data from network packets, log files, and system call traces
IDS analyzers
Determine whether an intrusion has occurred based on data from the sensors, and can send alerts or recommendations
IDS user interface
View output and control system behavior
3 classifications of IDS
Host-based (HIDS), network-based (NIDS), and distributed/hybrid
HIDS
Monitors the characteristics of a single host for suspicious activity
NIDS
Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity at the security perimeter
Distributed/hybrid IDS
Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
What are the 2 interfaces for NIDS?
One for monitoring traffic, the other for accessing reports
NIDS sensors
Inline sensor and passive sensor (more common)
Inline sensor
Inserted into a network segment so that traffic must pass through it; can be part of a firewall
Passive sensor
Monitors a copy of the network traffic, so it adds no extra handling step to live data and contributes no packet delay