JSR Notes:
IDS/IPS - on your own computer/network, not a proxy computer. Since an IDS is a detection system, an IDS would be like an alarm.
- prevention vs. detection, so you can look at the two in terms of preventative vs. real-time action, or static vs. dynamic
SIEM - logging and management - for individuals or organizations - the OS has some but you can
Avinash Notes:
IDS/IPS
IDS (short for Intrusion Detection System) and IPS (short for Intrusion Prevention System) are methods of network security that scan and inspect network traffic and the use of system resources in order to detect and protect against malicious activity. There are three basic functions at the heart of all IDPSs: to identify malicious activity, to record the information in a log, and to attempt to end or pause the activity (it may also report the activity to the user at this stage). IPSs are of four general types: network-based (monitors the entire network), wireless-based (monitors a wireless network), behavior analysis-based (identifies potential threats and looks for signs of attacks, e.g. an unusually large traffic flow during a DDoS attack) and host-based.
For the most part, IDS and IPS are quite similar. However, their main difference lies in their mode and range of operation. IPSs are in-line or embedded into the data traffic flow and can actively prevent and block malicious activity. A good analogy is a dam, which sits in the middle of a river, controlling the open floodgates and the amount of water flowing. The IPS can also send alarms, perform network resets, destroy malicious packets and blacklist IP addresses. The IDS is limited to a much more static role and employs methods of detection based on signatures (examining packets for telltale signs/code pieces of malware), statistical anomalies (comparing traffic against the usual amount to look for odd behavior) and “stateful protocol analysis” (which checks the behavior of data flow through protocols by comparing it with the data flow through the same protocols in a malware-free environment).
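As an added example (not part of either set of notes), a toy Python IDS that applies two of the detection methods described above, signature matching and statistical anomaly detection against a per-source "usual amount" baseline, to constructed flow records; the signatures, addresses and byte counts are all made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signatures: assumed telltale byte patterns, not real malware samples.
SIGNATURES = {
    "SIG-1": b"cmd.exe /c",
    "SIG-2": b"BEACON::",
}

# Constructed baseline traffic in a known-clean period: (source_ip, bytes_sent, payload).
BASELINE = [("10.0.0.5", n, b"GET /index.html") for n in (480, 510, 495, 520, 500)]
BASELINE += [("10.0.0.7", n, b"GET /api/status") for n in (1000, 1050, 980, 1020, 990)]

# Constructed live traffic to inspect.
LIVE = [
    ("10.0.0.5", 505, b"GET /index.html"),                  # normal volume, clean payload
    ("10.0.0.5", 9000, b"GET /index.html"),                 # volume far above baseline
    ("10.0.0.7", 1010, b"POST /upload cmd.exe /c whoami"),  # payload matches SIG-1
    ("10.0.0.9", 300, b"GET /"),                            # host with no baseline yet
]

def signature_hits(payload):
    """Signature detection: look for telltale byte patterns in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

def build_baseline(flows):
    """Per-source mean and standard deviation of bytes sent: the 'usual amount'."""
    per_src = defaultdict(list)
    for src, nbytes, _ in flows:
        per_src[src].append(nbytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def anomaly_score(src, nbytes, baseline):
    """Z-score of this flow against its source's baseline; None if the source is unknown."""
    if src not in baseline:
        return None
    mu, sigma = baseline[src]
    if sigma == 0:
        return 0.0 if nbytes == mu else float("inf")
    return (nbytes - mu) / sigma

def inspect(flows, baseline, z_threshold=3.0):
    """Return (source, reason) alerts: an IDS logs these, an IPS would also block."""
    alerts = []
    for src, nbytes, payload in flows:
        for name in signature_hits(payload):
            alerts.append((src, "signature:" + name))
        z = anomaly_score(src, nbytes, baseline)
        if z is not None and abs(z) > z_threshold:
            alerts.append((src, f"anomaly:z={z:.1f}"))
    return alerts
```

Unknown sources produce no anomaly alert because there is nothing to compare against, which is why anomaly detection needs a clean baseline period before it is useful.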
SIEM
SIEM is an acronym for Security Information and Event Management. SIEM is the integration of real-time monitoring and analysis systems into software. It gives the program the ability to create security alerts and keep a record of activity in a log that may be accessed at any time, among other abilities. SIEM has 7 main capabilities: