Page 1250 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

form of data reduction that allows someone to glean valuable information by looking at only a small sample of data in an audit trail.

Statistical sampling uses precise mathematical functions to extract meaningful information from a very large volume of data. This is similar to the science used by pollsters to learn the opinions of large populations without interviewing everyone in the population. There is always a risk that sampled data is not an accurate representation of the whole body of data, and statistical sampling can identify the margin of error.


Clipping Levels

Clipping is a form of nonstatistical sampling. It selects only events that exceed a clipping level, which is a predefined threshold for the event. The system ignores events until they reach this threshold.

As an example, failed logon attempts are common in any system as users can easily enter the wrong password once or twice. Instead of raising an alarm for every single failed logon attempt, a clipping level can be set to raise an alarm only if it detects five failed logon attempts within a 30-minute period. Many account lockout controls use a similar clipping level. They don’t lock the account after a single failed logon. Instead, they count the failed logons and lock the account only when the predefined threshold is reached.
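The clipping level from the example above (five failed logon attempts within a 30-minute period), applied to an audit trail. This is an added example, not code from the study guide; the event tuple format, the account names, the `at` helper, and the timestamps are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5              # failed logons (threshold from the text)
WINDOW = timedelta(minutes=30)  # period (from the text)

def clip_failed_logons(events, level=CLIPPING_LEVEL, window=WINDOW):
    """Return (time, account, count) alarms for accounts whose failed logons
    reach `level` inside a sliding `window`. `events` must be time-ordered."""
    recent = defaultdict(deque)  # account -> times of failures still in window
    alarmed = set()              # accounts already at or above the level
    alarms = []
    for ts, account, outcome in events:
        if outcome != "FAIL":
            continue             # only failed logons count toward the level
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # failure aged out of the 30-minute period
        if len(q) >= level:
            if account not in alarmed:   # alarm once per crossing
                alarms.append((ts, account, len(q)))
                alarmed.add(account)
        else:
            alarmed.discard(account)     # back below the level: re-arm
    return alarms

def at(hhmm):  # constructed helper: a timestamp on an arbitrary sample day
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample audit trail: (time, account, outcome)
SAMPLE_EVENTS = [
    (at("09:00"), "alice", "FAIL"),  # one mistyped password: ignored
    (at("09:01"), "alice", "OK"),
    (at("09:05"), "bob", "FAIL"),
    (at("09:10"), "bob", "FAIL"),
    (at("09:12"), "bob", "FAIL"),
    (at("09:20"), "bob", "FAIL"),
    (at("09:31"), "bob", "FAIL"),    # 5th failure in 26 minutes: alarm
    (at("09:33"), "bob", "FAIL"),    # still above the level: no second alarm
    (at("10:00"), "carol", "FAIL"),
    (at("10:10"), "carol", "FAIL"),
    (at("10:20"), "carol", "FAIL"),
    (at("10:25"), "carol", "FAIL"),
    (at("10:45"), "carol", "FAIL"),  # 5 failures, but spread over 45 minutes
]

if __name__ == "__main__":
    print(clip_failed_logons(SAMPLE_EVENTS))
```

Only bob crosses the clipping level; alice's single failure and carol's slower series stay below it and are ignored, which is the data-reduction effect the text describes.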

Clipping levels are widely used in the process of auditing events to establish a baseline of routine system or user activity. The monitoring system raises an alarm to signal abnormal events only if the baseline is exceeded. In other words, the clipping level causes the system to ignore routine events and only raise an alert when it detects serious intrusion patterns.

In general, nonstatistical sampling is discretionary sampling, or sampling at the auditor’s discretion. It doesn’t offer an accurate representation of the whole body of data and will ignore events that don’t reach the clipping level threshold. However, it is effective when used to focus on specific events. Additionally, nonstatistical sampling is less expensive and easier to implement than statistical sampling.