Security Basics mailing list archives
Re: SOC and SIEM
From: RobOEM <rd.seclists () gmail com>
Date: Wed, 1 Feb 2012 19:06:01 +0100
Hi,

I was preparing a witty and yet informative answer, when I realized I had no idea wtf a DIDS was. Google and wiki were of no help, many definitions were proposed (like IDSes spread out and centralized inside a network, spread out inside different networks and sharing information, and a mix between HIDS and NIDS), so since we're on sec-basics I'll ask.

What do you mean by DIDS? Is there a real world implementation of that? Who makes it?

Also, are you cramming for your CISSP? If not, what makes you ask such questions?

Rob', truth seeker.

My planned answer follows

---

Hi,

From Wiki: A security event manager (SEM) (acronyms SIEM and SIM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software running on the network.

Shorter wiki: A SIEM is a tool that centralizes and (hopefully) correlates (to some degree) events from the infrastructure.

An IDS is just another element of your security infrastructure, and cannot truly detect intrusions (I won't go into that, but let's say that the near real time requirements don't allow complex detection rules, and also KISS), so at least it needs to be watched by a Competent Guy (TM), or to be fed into a SIEM so that your CG (TM) can also Do Good Things (TM).

So for instance, you have a simple 3-tier web app behind a firewall, and four event sources for your SIEM: a firewall, system events from whatever daemon is running on your servers, and whatever (D)IDS your execs were convinced to buy because it could stop lulzsec from getting inside your network.

Event 1: IDS says you have an SQL injection. Taken alone, this is false, it's just an attempt at an SQLi and you have no idea whether or not it has succeeded.

Event 2: system daemon says you have a file creation in a temp folder on your DB server.

Event 3: system daemon says said dropped file is run under the DBserver user.

Event 4: firewall says you have an outbound connection created to blah server on port 80.

Event 5: IDS says blah server is hosted on an IP with a bad reputation (I assume that's the D in DIDS).

So then, your SIEM deduces like a boss that your DB server was pwned. That's the difference between an IDS and a SIEM.

Rob'

On Wed, Feb 1, 2012 at 2:59 PM, Raheel Hassan <raheel.hassan () gmail com> wrote:
> Hi,
>
> Thank you very much to everyone for explaining the difference. Could you please give your opinions on how DIDS (Distributed Intrusion Detection Systems) and SIEMs differ from each other?
>
> Thanks,
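The five-event chain from Rob's planned answer, written out as a small correlation rule of the kind a SIEM would run. This is an added example, not code from the original post; the events, hostnames, paths, the "dbserver" user and the 203.0.113.7 address are all constructed, and the rule links later stages by host and destination within a time window so that a lone SQLi alert (event 1 on its own) never becomes an incident.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on events 1-5 in the post (not real logs).
EVENTS = [
    {"ts": "2012-02-01T14:00:05", "src": "ids", "type": "sqli_attempt", "host": "web1"},
    {"ts": "2012-02-01T14:00:09", "src": "daemon", "type": "file_create", "host": "db1", "path": "/tmp/x.sh"},
    {"ts": "2012-02-01T14:00:11", "src": "daemon", "type": "proc_exec", "host": "db1", "user": "dbserver", "path": "/tmp/x.sh"},
    {"ts": "2012-02-01T14:00:14", "src": "fw", "type": "outbound", "host": "db1", "dst": "203.0.113.7", "dport": 80},
    {"ts": "2012-02-01T14:00:15", "src": "ids", "type": "bad_reputation", "ip": "203.0.113.7"},
]

# Stages an IDS alert must be followed by before the chain counts as an intrusion.
# Each entry is (event type, predicate tying the event to the chain state so far).
# Stage 2 is tied to stage 1 only by time (the SQLi hits the web tier, the drop
# lands on the DB server); stages 3-5 are tied by host, path and destination.
CHAIN = [
    ("sqli_attempt", lambda e, s: True),
    ("file_create", lambda e, s: e["path"].startswith("/tmp/")),
    ("proc_exec", lambda e, s: e["host"] == s["host"] and e["path"] == s["path"] and e["user"] == "dbserver"),
    ("outbound", lambda e, s: e["host"] == s["host"]),
    ("bad_reputation", lambda e, s: e["ip"] == s["dst"]),
]

def correlate(events, window=timedelta(minutes=5)):
    """Return incidents; each one is the list of events that completed CHAIN within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for i, first in enumerate(events):
        if first["type"] != CHAIN[0][0]:
            continue
        start = datetime.fromisoformat(first["ts"])
        state, chain, stage = dict(first), [first], 1
        for e in events[i + 1:]:
            if datetime.fromisoformat(e["ts"]) - start > window:
                break  # chain went stale, this SQLi alert stays a lone attempt
            etype, pred = CHAIN[stage]
            if e["type"] == etype and pred(e, state):
                state.update(e)  # carry host/path/dst forward to link the next stage
                chain.append(e)
                stage += 1
                if stage == len(CHAIN):
                    incidents.append(chain)
                    break
    return incidents
```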