Page 1217 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Many IDSs and IPSs send collected data to a security information and event management (SIEM) system. A SIEM system also collects data from many other sources within the network. It provides real-time monitoring and analysis of traffic and notification of potential attacks. Additionally, it provides long-term storage of data, allowing security professionals to analyze it later.

A SIEM typically includes several features. Because it collects data from dissimilar devices, it includes a correlation and aggregation feature that converts this raw data into useful information. Advanced analytic tools within the SIEM can analyze the data and raise alerts and/or trigger responses based on preconfigured rules. These alerts and triggers are typically separate from the alerts sent by IDSs and IPSs, but some overlap is likely to occur.
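The following is an added example, not code from the study guide, showing the three SIEM steps the paragraph names on constructed records from three dissimilar devices (a firewall, a Linux sshd auth log and an IDS fast-alert line). Normalization maps each format to one common schema, aggregation counts events per source address and category, and a preconfigured correlation rule raises an alert only when hostile events from at least two different device types cluster within a time window, which is why the SIEM alert is distinct from the IDS's own alert. The log formats, field names, thresholds and the local IDS signature ID are illustrative assumptions.

```python
"""Minimal SIEM-style normalization, aggregation and correlation.

Added example, not code from the CISSP study guide. The three log formats,
the common schema and the correlation thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three dissimilar devices, each in its own format.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z fw01 action=DENY src=203.0.113.7 dst=198.51.100.5 dport=22",
    "2024-05-01T10:00:03Z fw01 action=DENY src=203.0.113.7 dst=198.51.100.5 dport=23",
    "2024-05-01T10:00:05Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 51822 ssh2",
    "2024-05-01T10:00:07Z web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51823 ssh2",
    "2024-05-01T10:00:09Z ids01 [1:1000001:1] LOCAL SSH scan (constructed signature) [Priority: 2] {TCP} 203.0.113.7:51824 -> 198.51.100.5:22",
    "2024-05-01T10:00:10Z web01 sshd[813]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2",
    "2024-05-01T10:00:12Z fw01 action=ALLOW src=192.0.2.10 dst=198.51.100.5 dport=443",
]

# One regex per device format; each exposes the fields the common schema needs.
PARSERS = {
    "firewall": re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=\d+$"),
    "auth": re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
        r"(?:invalid user )?\S+ from (?P<src>\S+) port \d+"),
    "ids": re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) \[\d+:\d+:\d+\] .+? \[Priority: \d+\] \{\w+\} "
        r"(?P<src>[\d.]+):\d+ -> [\d.]+:\d+$"),
}

# Categories the correlation rule treats as hostile indicators.
HOSTILE = {"deny", "auth_failure", "ids_alert"}


def normalize(line):
    """Convert one raw record into the common schema, or None if no parser matches."""
    for source, rx in PARSERS.items():
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        if source == "firewall":
            category = "deny" if d["action"] == "DENY" else "allow"
        elif source == "auth":
            category = "auth_failure" if d["outcome"] == "Failed" else "auth_success"
        else:
            category = "ids_alert"
        return {"ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "source": source, "host": d["host"], "src": d["src"], "category": category}
    return None


def aggregate(events):
    """Aggregation: count normalized events per (source IP, category)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src"], e["category"])] += 1
    return dict(counts)


def correlate(events, window_s=60, min_sources=2, min_events=3):
    """Correlation rule: alert on a source IP whose hostile events inside a
    window_s-second window come from at least min_sources distinct device
    types and number at least min_events. A single noisy device never fires
    it, which is what separates this alert from the IDS's own alerts."""
    by_src = defaultdict(list)
    for e in events:
        if e["category"] in HOSTILE:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= timedelta(seconds=window_s)]
            sources = {e["source"] for e in window}
            if len(window) >= min_events and len(sources) >= min_sources:
                alerts.append({"rule": "multi-source hostile activity", "src": src,
                               "event_count": len(window), "sources": sources,
                               "first_seen": first["ts"], "last_seen": window[-1]["ts"]})
                break  # one alert per source IP is enough for this example
    return alerts


def run(raw_lines=RAW_EVENTS):
    """Normalize, aggregate and correlate; returns (events, counts, alerts)."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return events, aggregate(events), correlate(events)


if __name__ == "__main__":
    events, counts, alerts = run()
    print(f"normalized {len(events)} of {len(RAW_EVENTS)} records")
    for (src, category), n in sorted(counts.items()):
        print(f"  {src:<14} {category:<13} {n}")
    for a in alerts:
        print(f"ALERT {a['rule']}: {a['src']} produced {a['event_count']} events on "
              f"{sorted(a['sources'])} between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

On the sample data the firewall denies and the sshd failures alone would each be routine noise; only after normalization puts them in one schema can the rule see that the same address produced both, plus an IDS alert, within eight seconds. The `aggregate` output is the kind of per-source summary a SIEM keeps in long-term storage for later analysis.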


               IDS Response

Although knowledge-based and behavior-based IDSs detect incidents differently, they both use an alert system. When the IDS detects an event, it triggers an alarm or alert. It can then respond using a passive or active method. A passive response logs the event and sends a notification. An active response changes the environment to block the activity in addition to logging and sending a notification.




In some cases, you can measure a firewall's effectiveness by placing a passive IDS before the firewall and another passive IDS after the firewall. By comparing the alerts from the two IDSs, you can determine which attacks the firewall is blocking and which attacks are getting through. For the comparison to be meaningful, both sensors need the same signature set and synchronized clocks.
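The two-sensor measurement described above, as an added example that is not part of the study guide. Alerts from the outside and inside passive IDSs are constructed; an attack seen outside but not inside was blocked, one seen on both sides got through, and one seen only inside (here, an internal host probing a server) is reported separately because the outside sensor could never have seen it. Matching is done on signature, source address and time rather than destination, because the assumed firewall forwards the public web address to an internal server on a different port, so the destination differs between the two sensors. The alert tuple layout, sample addresses and tolerance window are assumptions.

```python
"""Measure a firewall's effectiveness from two passive IDS sensors, one on each side.

Added example, not code from the CISSP study guide. The alert tuple format,
the sample alerts and the NAT/port-forwarding arrangement are constructed.
"""
from datetime import datetime

# Constructed alerts: (timestamp, sensor, signature, src, dst, dport).
OUTSIDE = [
    ("2024-05-01T10:00:01Z", "ids-outside", "TELNET login attempt", "203.0.113.7", "198.51.100.5", 23),
    ("2024-05-01T10:00:02Z", "ids-outside", "SMB probe", "203.0.113.7", "198.51.100.5", 445),
    ("2024-05-01T10:00:04Z", "ids-outside", "HTTP SQL injection attempt", "203.0.113.7", "198.51.100.5", 80),
    ("2024-05-01T10:00:06Z", "ids-outside", "HTTP path traversal", "203.0.113.9", "198.51.100.5", 80),
]
INSIDE = [
    # The firewall forwards 198.51.100.5:80 to the web server 10.0.0.20:8080,
    # so the inside sensor records a different destination for the same attack.
    ("2024-05-01T10:00:04Z", "ids-inside", "HTTP SQL injection attempt", "203.0.113.7", "10.0.0.20", 8080),
    ("2024-05-01T10:00:06Z", "ids-inside", "HTTP path traversal", "203.0.113.9", "10.0.0.20", 8080),
    # Internal origin: the outside sensor can never see this one.
    ("2024-05-01T10:01:00Z", "ids-inside", "SMB probe", "10.0.0.44", "10.0.0.20", 445),
]


def parse(alert):
    """Turn one alert tuple into a dict with a real timestamp."""
    ts, sensor, sig, src, dst, dport = alert
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "sensor": sensor,
            "sig": sig, "src": src, "dst": dst, "dport": dport}


def same_attack(outer, inner, tolerance_s):
    """Match on signature, source address and time only: destination address
    and port may be rewritten by NAT or port forwarding between the sensors."""
    return (outer["sig"] == inner["sig"] and outer["src"] == inner["src"]
            and abs((inner["ts"] - outer["ts"]).total_seconds()) <= tolerance_s)


def compare(outside, inside, tolerance_s=5):
    """Classify outside alerts as blocked (no inside match) or passed (matched),
    and report inside alerts with no outside counterpart separately."""
    unmatched_inside = [parse(a) for a in inside]
    blocked, passed = [], []
    for o in map(parse, outside):
        hit = next((i for i in unmatched_inside if same_attack(o, i, tolerance_s)), None)
        if hit is None:
            blocked.append(o)
        else:
            passed.append((o, hit))
            unmatched_inside.remove(hit)  # each inside alert explains one outside alert
    return {"blocked": blocked, "passed": passed, "inside_only": unmatched_inside}


def block_rate(result):
    """Fraction of attacks seen outside that did not reappear inside."""
    total = len(result["blocked"]) + len(result["passed"])
    return len(result["blocked"]) / total if total else 0.0


if __name__ == "__main__":
    r = compare(OUTSIDE, INSIDE)
    print(f"block rate: {block_rate(r):.0%}")
    for a in r["blocked"]:
        print(f"  blocked    : {a['sig']} from {a['src']} to port {a['dport']}")
    for o, i in r["passed"]:
        print(f"  passed     : {o['sig']} from {o['src']} (inside saw {i['dst']}:{i['dport']})")
    for a in r["inside_only"]:
        print(f"  inside only: {a['sig']} from {a['src']} (not visible to the outside sensor)")
```

The `inside_only` bucket is worth keeping rather than discarding: it shows that this method measures what the firewall stops from outside, not the whole attack surface, and it is also where clock skew or a signature present on only one sensor would show up as spurious unmatched alerts.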


Passive Response

Notifications can be sent to administrators via email, text or pager messages, or pop-up messages. In some cases, the alert can generate a report detailing the activity leading up to the event, and logs are available for administrators to get more information if needed. Many 24-hour network operations centers (NOCs) have central monitoring screens viewable by everyone in the main support center. For example, a single wall can have multiple