Home page logo
/

basics logo Security Basics mailing list archives

Re: SOC and SIEM
From: Raheel Hassan <raheel.hassan () gmail com>
Date: Wed, 1 Feb 2012 19:53:32 +0100

Hi,

Here are the answers to your questions,

1- What do you mean by DIDS?
I mean an IDS which can mobile or agent based takes decisions at each
of the local and remote site.
The design must not be centralized. The agents can communicate with
each other to find complex attacks.

2- Is there a real world implementation of that?

There is a lot of research work which has been done in past some of
the examples are TRINETER, PAID, INDRA  etc. Yes there are many real
world examples like MonALISA, i think prelude also etc
I can send you the papers if you want.

3- Who makes it?
There are many companies like MonAlisa and prelude.

4- Also, are you cramming for your CISSP?
NO i am nor preparing for any exam.

5- If not, what makes you ask such questions?
For some time i was doing research on different IDSs. I thought why
not to classify them according to their distinct features but i stuck
up and messed up with the terminologies like SOC, SIEM and DIDS.  I
was thinking may some has who already have an experience can guide me,
if i am missing something.

That is why i decided to post the request at this forum.


On Wed, Feb 1, 2012 at 7:06 PM, RobOEM <rd.seclists () gmail com> wrote:
Hi,

I was preparing a witty and yet informative answer, when I realized I
had no idea wtf a DIDS was. Google and wiki were of no help, many
definitions were proposed (like IDSes spread out and centralized
inside a network, spread out inside different networks and sharing
information, and a mix between HIDS and NIDS), so since we're on
sec-basics I'll ask.

What do you mean by DIDS?
Is there a real world implementation of that?
Who makes it?
Also, are you cramming for your CISSP?
If not, what makes you ask such questions?

Rob', truth seeker.

My planned answer follows
---
Hi,

From Wiki: A security event manager (SEM) (acronyms SIEM and SIM) is a
computerized tool used on enterprise data networks to centralize the
storage and interpretation of logs, or events, generated by other
software running on the network.

Shorter wiki: A SIEM is a tool that centralizes and (hopefully)
correlates (to some degree) events from the infrastructure.

An IDS is just another element of your security infrastructure, and
cannot truly detect intrusions (I won't go into that, but let's say
that the near real time requirements doesn't allow complex detection
rules, and also KISS), so at least needs to be watched by a Competent
Guy (TM), or to be fed into a SIEM so that your CG (TM) can also Do
Good Things (TM).

So for instance, you have a simple 3-tier web app behind a firewall,
and four event sources for your SIEM: a firewall, system events from
whatever daemon running on your servers, and whatever (D)IDS your
execs were convinced to buy because it could stop lulzsec from getting
inside your network.

Event 1 : IDS says you have an SQL injection. Taken alone, this is
false, it's just an attempt at an SQLi and you have no idea whether or
not it has succeded.
Event 2 : system daemon says you have a file creation on a temp folder
in your DB server
Event 3 : system daemon says said dropped file is ran under the DBserver user
Event 4 : firewall says you have outbound connection created to blah
server on port 80
Event 5 : IDS says blah server is hosted on an IP with a bad
reputation (I assume that's the D in DIDS)

So then, your SIEM deduces like a boss that your DB server was pwned.
That's the difference between an IDS and a SIEM.

Rob'


On Wed, Feb 1, 2012 at 2:59 PM, Raheel Hassan <raheel.hassan () gmail com> wrote:
Hi,

Thank you very much to every one for explaining the difference. Could
you please give your opinions that how DIDS (Distributed Intrusion
Detection Systems) and SIEMS are different with each other?

Thanks,

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault