Which one of the following is not a common source of information that may be
correlated with vulnerability scan results?
A. Logs
B. Database tables
C. SIEM
D. Configuration
management system
C. A security information and event management (SIEM) system correlates log entries
from multiple sources and attempts to identify potential
security incidents.
Perform event correlation to combine information from multiple sources. This function is
typically performed by a security information and event management (SIEM) system.
Detecting Attacks and Security Operations SIEM systems can be used to
leverage identity information as well as the other types of security information we have discussed in
this book. Using identity information provides the “who” when reviewing events and
incidents, and when paired with other SIEM data and event logs, a complete view of what occurred,
what the user, service, or account’s behavior was, and human or automated analysis can determine
whether the actions were appropriate. Configuring a SIEM or other
security monitoring device to look for the following types of events can provide significant security
benefits: Privileged account usage Privilege changes and grants
Account creation and modification Employee termination and
terminated account usage Account life-cycle management events
Separation-of-duty violations Centralizing both IAM and user authentication and authorization
systems helps ensure that accounts and privileges are well understood and managed throughout an
organization. Attackers who can find a system that uses distinct accounts, or that does not centrally
log authentication and authorization events, can far more easily take advantage of that
system’s isolation without their exploits being detected.
CSA + Mike Chapple and David Seidl
No comments:
Post a Comment