Re: SOC and SIEM

[Raheel Hassan <raheel.hassan () gmail com>]

Hi,

Here are the answers to your questions,

1- What do you mean by DIDS?
I mean an IDS which can mobile or agent based takes decisions at each
of the local and remote site.
The design must not be centralized. The agents can communicate with
each other to find complex attacks.

2- Is there a real world implementation of that?

There is a lot of research work which has been done in past some of
the examples are TRINETER, PAID, INDRA  etc. Yes there are many real
world examples like MonALISA, i think prelude also etc
I can send you the papers if you want.

3- Who makes it?
There are many companies like MonAlisa and prelude.

4- Also, are you cramming for your CISSP?
NO i am nor preparing for any exam.

5- If not, what makes you ask such questions?
For some time i was doing research on different IDSs. I thought why
not to classify them according to their distinct features but i stuck
up and messed up with the terminologies like SOC, SIEM and DIDS.  I
was thinking may some has who already have an experience can guide me,
if i am missing something.

That is why i decided to post the request at this forum.


On Wed, Feb 1, 2012 at 7:06 PM, RobOEM <rd.seclists () gmail com> wrote:
> Hi,
>
> I was preparing a witty and yet informative answer, when I realized I
> had no idea wtf a DIDS was. Google and wiki were of no help, many
> definitions were proposed (like IDSes spread out and centralized
> inside a network, spread out inside different networks and sharing
> information, and a mix between HIDS and NIDS), so since we're on
> sec-basics I'll ask.
>
> What do you mean by DIDS?
> Is there a real world implementation of that?
> Who makes it?
> Also, are you cramming for your CISSP?
> If not, what makes you ask such questions?
>
> Rob', truth seeker.
>
> My planned answer follows
> ---
> Hi,
>
> From Wiki: A security event manager (SEM) (acronyms SIEM and SIM) is a
> computerized tool used on enterprise data networks to centralize the
> storage and interpretation of logs, or events, generated by other
> software running on the network.
>
> Shorter wiki: A SIEM is a tool that centralizes and (hopefully)
> correlates (to some degree) events from the infrastructure.
>
> An IDS is just another element of your security infrastructure, and
> cannot truly detect intrusions (I won't go into that, but let's say
> that the near real time requirements doesn't allow complex detection
> rules, and also KISS), so at least needs to be watched by a Competent
> Guy (TM), or to be fed into a SIEM so that your CG (TM) can also Do
> Good Things (TM).
>
> So for instance, you have a simple 3-tier web app behind a firewall,
> and four event sources for your SIEM: a firewall, system events from
> whatever daemon running on your servers, and whatever (D)IDS your
> execs were convinced to buy because it could stop lulzsec from getting
> inside your network.
>
> Event 1 : IDS says you have an SQL injection. Taken alone, this is
> false, it's just an attempt at an SQLi and you have no idea whether or
> not it has succeded.
> Event 2 : system daemon says you have a file creation on a temp folder
> in your DB server
> Event 3 : system daemon says said dropped file is ran under the DBserver user
> Event 4 : firewall says you have outbound connection created to blah
> server on port 80
> Event 5 : IDS says blah server is hosted on an IP with a bad
> reputation (I assume that's the D in DIDS)
>
> So then, your SIEM deduces like a boss that your DB server was pwned.
> That's the difference between an IDS and a SIEM.
>
> Rob'
>
>
> On Wed, Feb 1, 2012 at 2:59 PM, Raheel Hassan <raheel.hassan () gmail com> wrote:
> > Hi,
> >
> > Thank you very much to every one for explaining the difference. Could
> > you please give your opinions that how DIDS (Distributed Intrusion
> > Detection Systems) and SIEMS are different with each other?
> >
> > Thanks,
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------