Copyright Goodheart-Willcox Co., Inc. 86 Security Essentials

Packet capture. Packet capture is the act of intercepting a data packet as it crosses a specific network point. Packet capture provides another source of data collection.

SIEM correlation. SIEM correlation is an SIEM feature that searches through aggregated data and reports common characteristics. This allows the software and system administrators to search for patterns, similarities, attempted or actual breaches, potential failures, or other incidents.

Automated alerts. Administrators often create automated alerts and triggers, which are rules that generate and inform administrators about specific events or incidents to streamline the process of reviewing data. Alerts are triggered automatically if the conditions for the rule are met.

Event deduplication. Event deduplication is a process that merges identical events into a single event. There can be a significant number of duplicate events in an event log, and processing duplicate information can result in extensive overhead and latency. Allowing an SIEM product to perform deduplication saves a significant amount of time and overhead.

Time synchronization. Time synchronization is a process that ensures all devices agree on the correct time. This is a critical configuration element, especially when analyzing log data and potential incidents or data breaches. The data analyzed by SIEM systems relies on accurate time reporting throughout the network and devices. Therefore, it is important that the devices are coordinated through time synchronization.

User behavior analysis (UBA). User behavior analysis (UBA) is a security assessment that monitors user behavior and compares it to established baseline information. For example, UBA software identifies patterns of unusual behavior, such as applications launched, Internet or network activity, and downloads, by comparing data to existing baselines and alerting administrators to anomalies.
In addition to baselines, user activity can be compared with data sourced from packet collection and event logs.

Sentiment analysis. Sentiment analysis is a security feature that assesses social attitudes and opinions to make predictions about likely outcomes. A major source of information for sentiment analysis is logged data from online social networks, e-mail, and instant messages. When used correctly, sentiment analysis can help identify intentions or motivations and provide warning of forthcoming cyberattacks.

SIEM logs. SIEM logs are records of events that are reviewed or analyzed. In addition, the logs can be used as evidence to prove compliance with regulations. Logs are critical output and must be protected from changes, whether intentional, accidental, or malicious. SIEM software can save the logs to a write-once-read-many (WORM) device. A WORM device is a storage device that allows data to be saved but not changed. These devices are either optical discs or ROM chips.

SIEM systems typically have a presentation tool that displays data for easy analysis. An SIEM dashboard is a tool that summarizes data and transforms it into useful information to provide simple security monitoring. SIEM products allow for flexibility in designing an effective dashboard. Often, SIEM dashboards display
■■ alerts or anomalies from critical hardware
■■ notifications and data from sensors that have been deployed on a system
■■ and options for focusing on data sensitivity activities.
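The following is an added example (not from the textbook or any SIEM vendor) that ties together four of the features described above in one miniature pipeline: time synchronization (removing a known per-host clock offset before events are ordered), event deduplication (merging identical events and keeping a count), SIEM correlation (grouping events from different hosts by the address they mention), and an automated alert rule (a threshold within a time window). The host names, log lines, IP addresses and the 120-second clock offset are all constructed for the example.

```python
"""Added example: a miniature SIEM pipeline over constructed log lines.

Shows time synchronization, event deduplication, cross-source correlation
and an automated alert rule. Hosts, lines, addresses and offsets are
constructed for the example and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the form "<host> <ISO time> <message>".
# web01's clock is known to run 120 seconds fast, so its timestamps must be
# corrected before events from different hosts can be ordered correctly.
RAW_LOGS = """\
web01 2024-03-01T10:02:00 sshd: Failed password for admin from 203.0.113.9
web01 2024-03-01T10:02:00 sshd: Failed password for admin from 203.0.113.9
fw01 2024-03-01T10:00:05 conn: DENY tcp 203.0.113.9 -> 10.0.0.5:22
web01 2024-03-01T10:02:30 sshd: Failed password for root from 203.0.113.9
fw01 2024-03-01T10:00:40 conn: DENY tcp 203.0.113.9 -> 10.0.0.5:22
web01 2024-03-01T10:03:10 sshd: Failed password for admin from 203.0.113.9
db01 2024-03-01T10:01:00 sshd: Accepted publickey for backup from 10.0.0.7
"""

# Known clock offsets per host in seconds (positive = host clock is ahead).
# In practice these would be eliminated by NTP; here they are constructed.
CLOCK_OFFSETS = {"web01": 120, "fw01": 0, "db01": 0}

LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_and_synchronize(raw, offsets):
    """Parse lines into (utc_time, host, message) with per-host skew removed."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ts, msg = m.groups()
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        t -= timedelta(seconds=offsets.get(host, 0))  # time synchronization
        events.append((t, host, msg))
    return sorted(events)


def deduplicate(events):
    """Merge identical (time, host, message) events, keeping how many were seen."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev] += 1
    return [(t, host, msg, n) for (t, host, msg), n in sorted(counts.items())]


def correlate_by_source_ip(events):
    """Correlate events from all hosts by the first IP address each mentions."""
    by_ip = defaultdict(list)
    for t, host, msg, n in events:
        ips = IP_RE.findall(msg)
        if ips:
            by_ip[ips[0]].append((t, host, msg, n))
    return by_ip


def alert_rule(by_ip, threshold=3, window=timedelta(minutes=5)):
    """Alert when at least `threshold` failed-login or deny events from one
    address fall inside `window`. Returns (ip, event_count, hosts) tuples."""
    alerts = []
    for ip, evs in by_ip.items():
        suspicious = [e for e in evs if "Failed password" in e[2] or "DENY" in e[2]]
        if not suspicious:
            continue
        first, last = suspicious[0][0], suspicious[-1][0]
        total = sum(e[3] for e in suspicious)  # counts merged duplicates
        if total >= threshold and last - first <= window:
            alerts.append((ip, total, sorted({e[1] for e in suspicious})))
    return alerts


def run_pipeline(raw=RAW_LOGS, offsets=CLOCK_OFFSETS):
    """Return the deduplicated, time-corrected event list and any alerts."""
    events = deduplicate(parse_and_synchronize(raw, offsets))
    return events, alert_rule(correlate_by_source_ip(events))


if __name__ == "__main__":
    events, alerts = run_pipeline()
    for t, host, msg, n in events:
        print(f"{t.isoformat()} {host} x{n} {msg}")
    print("alerts:", alerts)
```

Running `run_pipeline()` with the offsets applied orders the web01 failures before the firewall denies, as actually happened; calling it with `offsets={}` leaves the skew in place and the same events appear in the wrong order, which is the ordering problem time synchronization exists to prevent.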
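The following is an added example (not from the textbook) of the baseline comparison that user behavior analysis performs. Each user's baseline records the applications normally launched and the history of daily download counts; a day's activity is then checked for applications outside the baseline and for download volumes more than a chosen number of standard deviations from the baseline mean. The user names, application names, counts and the threshold of 3.0 are constructed assumptions for the example.

```python
"""Added example: a user behavior analysis (UBA) check against a baseline.

Users, applications, counts and the z-score threshold are constructed for
the example; they are not drawn from any real environment.
"""
from statistics import mean, pstdev

# Constructed baseline: what each user's recent history looked like.
BASELINE = {
    "alice": {"apps": {"outlook", "excel", "chrome"},
              "daily_downloads": [3, 4, 2, 5, 3, 4]},
    "bob":   {"apps": {"vscode", "chrome", "docker"},
              "daily_downloads": [10, 12, 9, 11, 10, 8]},
}

# Constructed activity for one day, as it might be summarized from event logs.
TODAY = {
    "alice": {"apps": {"outlook", "powershell"}, "downloads": 40},
    "bob":   {"apps": {"vscode", "chrome"},      "downloads": 11},
}


def download_zscore(history, value):
    """How many standard deviations `value` is from the baseline mean."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:  # flat history: any change at all is unusual
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def analyze_user(user, baseline, activity, z_threshold=3.0):
    """Return a list of anomaly descriptions for one user (empty if normal)."""
    anomalies = []
    # Applications launched today that the baseline has never seen.
    for app in sorted(activity["apps"] - baseline["apps"]):
        anomalies.append(f"{user}: launched application not in baseline: {app}")
    # Download volume compared with the baseline distribution.
    z = download_zscore(baseline["daily_downloads"], activity["downloads"])
    if abs(z) > z_threshold:
        anomalies.append(
            f"{user}: downloads={activity['downloads']} deviate from baseline (z={z:.1f})"
        )
    return anomalies


def analyze_all(baseline=BASELINE, today=TODAY, z_threshold=3.0):
    """Compare every user's activity with their baseline; users without a
    baseline are reported rather than silently skipped."""
    result = {}
    for user, activity in today.items():
        if user not in baseline:
            result[user] = [f"{user}: no baseline available"]
            continue
        result[user] = analyze_user(user, baseline[user], activity, z_threshold)
    return result


if __name__ == "__main__":
    for user, findings in analyze_all().items():
        print(user, findings or "normal")
```

With the constructed data, alice is flagged twice (a new application and a download count roughly 38 standard deviations above her mean) while bob, whose activity sits inside his baseline, produces no findings. A user with no baseline is reported explicitly, since a missing baseline is itself something an administrator should know about.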