Security Basics mailing list archives

Re: SOC and SIEM


From: RobOEM <rd.seclists () gmail com>
Date: Wed, 1 Feb 2012 19:06:01 +0100

Hi,

I was preparing a witty and yet informative answer, when I realized I
had no idea wtf a DIDS was. Google and wiki were of no help, many
definitions were proposed (like IDSes spread out and centralized
inside a network, spread out inside different networks and sharing
information, and a mix between HIDS and NIDS), so since we're on
sec-basics I'll ask.

What do you mean by DIDS?
Is there a real world implementation of that?
Who makes it?
Also, are you cramming for your CISSP?
If not, what makes you ask such questions?

Rob', truth seeker.

My planned answer follows
---
Hi,

From Wiki: A security event manager (SEM) (acronyms SIEM and SIM) is a
computerized tool used on enterprise data networks to centralize the
storage and interpretation of logs, or events, generated by other
software running on the network.

Shorter wiki: A SIEM is a tool that centralizes and (hopefully)
correlates (to some degree) events from the infrastructure.

An IDS is just another element of your security infrastructure, and
cannot truly detect intrusions (I won't go into that, but let's say
that the near-real-time requirements don't allow complex detection
rules, and also KISS), so at least needs to be watched by a Competent
Guy (TM), or to be fed into a SIEM so that your CG (TM) can also Do
Good Things (TM).

So for instance, you have a simple 3-tier web app behind a firewall,
and four event sources for your SIEM: a firewall, system events from
whatever daemon running on your servers, and whatever (D)IDS your
execs were convinced to buy because it could stop lulzsec from getting
inside your network.

Event 1 : IDS says you have an SQL injection. Taken alone, this is
false, it's just an attempt at an SQLi and you have no idea whether or
not it has succeeded.
Event 2 : system daemon says you have a file creation on a temp folder
in your DB server
Event 3 : system daemon says said dropped file is run under the DBserver user
Event 4 : firewall says you have outbound connection created to blah
server on port 80
Event 5 : IDS says blah server is hosted on an IP with a bad
reputation (I assume that's the D in DIDS)

So then, your SIEM deduces like a boss that your DB server was pwned.
That's the difference between an IDS and a SIEM.

Rob'


On Wed, Feb 1, 2012 at 2:59 PM, Raheel Hassan <raheel.hassan () gmail com> wrote:
Hi,

Thank you very much to every one for explaining the difference. Could
you please give your opinions on how DIDS (Distributed Intrusion
Detection Systems) and SIEMs differ from each other?

Thanks,
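The five-event chain in Rob's planned answer is exactly the kind of thing a SIEM correlation rule encodes, so here is an added, stand-alone Python sketch of it. This is example code written for this archive page, not a tool from the thread or any product; the event format, the host names (web01, db01), the BACKEND_OF asset map that pivots the web-tier SQLi alert onto the DB server behind it, the 30-minute window and all sample events are constructed assumptions. The point it shows is the one the mail makes: an SQLi alert on its own stays "info" (an attempt, outcome unknown), while the same alert followed by the host, firewall and reputation events inside the window is escalated to "critical".

```python
"""Toy SIEM-style correlation of the IDS / host daemon / firewall chain above."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical asset map: which DB server sits behind which web frontend.
BACKEND_OF = {"web01": "db01"}

# The stages of the scenario, in the order the mail lists them.
CHAIN = ["sqli_attempt", "tmp_file_created", "tmp_file_executed",
         "outbound_http", "bad_reputation_dest"]

WINDOW = timedelta(minutes=30)  # all stages must land inside this window


@dataclass
class Event:
    ts: datetime
    source: str   # "ids", "hostd" or "firewall"
    host: str     # asset the sensor reports on
    kind: str     # normalised event type
    detail: str = ""


@dataclass
class Track:
    started: datetime
    stage: int = 0                            # CHAIN stages matched so far
    evidence: list = field(default_factory=list)


def target_host(ev):
    """Pivot an IDS SQLi alert on the web tier onto the DB server behind it."""
    if ev.kind == "sqli_attempt":
        return BACKEND_OF.get(ev.host, ev.host)
    return ev.host


def correlate(events, window=WINDOW):
    """Walk events in time order; return {host: (severity, evidence lines)}."""
    tracks = {}
    for ev in sorted(events, key=lambda e: e.ts):
        host = target_host(ev)
        tr = tracks.get(host)
        if tr and ev.ts - tr.started > window:
            tr = None                         # stale track: chain must complete in window
        if tr is None:
            if ev.kind != CHAIN[0]:
                continue                      # a chain only starts with the SQLi attempt
            tr = tracks[host] = Track(started=ev.ts)
        if tr.stage < len(CHAIN) and ev.kind == CHAIN[tr.stage]:
            tr.stage += 1
            tr.evidence.append(f"{ev.ts:%H:%M} {ev.source}: {ev.kind} {ev.detail}")
    verdicts = {}
    for host, tr in tracks.items():
        if tr.stage == len(CHAIN):
            sev = "critical"                  # the "DB server was pwned" conclusion
        elif tr.stage >= 3:
            sev = "high"                      # a dropped file was executed
        else:
            sev = "info"                      # an attempt, outcome unknown
        verdicts[host] = (sev, tr.evidence)
    return verdicts


# Constructed sample events mirroring the five events in the mail.
T0 = datetime(2012, 2, 1, 14, 0)
SCENARIO = [
    Event(T0, "ids", "web01", "sqli_attempt", "UNION SELECT in /search"),
    Event(T0 + timedelta(minutes=2), "hostd", "db01", "tmp_file_created", "/tmp/x"),
    Event(T0 + timedelta(minutes=3), "hostd", "db01", "tmp_file_executed", "uid=dbuser"),
    Event(T0 + timedelta(minutes=4), "firewall", "db01", "outbound_http", "dst=203.0.113.9:80"),
    Event(T0 + timedelta(minutes=4), "ids", "db01", "bad_reputation_dest", "203.0.113.9"),
]
SQLI_ONLY = SCENARIO[:1]
# Same events, but everything after the SQLi arrives two hours later (outside the window).
LATE_SCENARIO = SCENARIO[:1] + [
    Event(e.ts + timedelta(hours=2), e.source, e.host, e.kind, e.detail) for e in SCENARIO[1:]
]


def main():
    for name, evs in (("full chain", SCENARIO), ("sqli only", SQLI_ONLY), ("late", LATE_SCENARIO)):
        for host, (sev, lines) in correlate(evs).items():
            print(f"{name}: {host} -> {sev}")
            for line in lines:
                print("   ", line)


if __name__ == "__main__":
    main()
```

The asset map is the part that does the real work: the IDS sees the injection against the web tier, but the host and firewall evidence comes from the DB server, so without some notion of which assets belong together the five events never line up on one key. The window is the second practical knob; the same events spread over hours should not be stitched into one incident.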

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


Current thread: