
IDS-IPS-and-SIEM-Systems


JSR Notes:


IDS/IPS - on your own computer/network, not a proxy computer. Since an IDS is a detection system, it would be like an alarm.

- prevention vs. detection, so you can look at the two in terms of preventative vs. real-time action, or static vs. dynamic


SIEM - logging and management - for individuals or organizations - the OS has some but you can

Avinash Notes:

IDS/IPS

IDS (short for Intrusion Detection System) and IPS (short for Intrusion Prevention System) are methods of network security that scan and inspect network traffic and the use of system resources in order to detect and protect against malicious activity. There are three basic functions at the heart of all IDPSs: to identify malicious activity, to record the information in a log, and to attempt to end or pause the activity (it may also report the activity to the user at this stage). IPSs are of four general types: network-based (monitors the entire network), wireless-based (monitors a wireless network), behavior analysis-based (identifies potential threats and looks for signs of attacks, e.g. unusually large traffic flow during DDoS attacks) and host-based.

For the most part, IDS and IPS are quite similar. However, their main difference lies in their mode and range of operation. IPSs are in-line or embedded into the data traffic flow and can actively prevent and block malicious activity. A good analogy is a dam, which is in the middle of a river, controlling the open floodgates and the amount of water flowing. The IPS can also send alarms, perform network resets, destroy malicious packets and blacklist IP addresses. The IDS is limited to a much more static role and employs methods of detection based on signatures (examining packets for telltale signs/code pieces of malware), statistical anomalies (comparing traffic against the usual amount to look for odd behaviors) and “stateful protocol analysis” (which checks the behaviors of data flow through protocols by comparing them with the data flow through the same protocols in a malware-free environment).


SIEM

SIEM is an acronym for Security Information and Event Management. SIEM is the integration of real-time monitoring and analysis systems into software. It gives the program the ability to create security alerts and keep a record of activity in a log that may be accessed at any time, among other abilities. SIEM has 7 main capabilities:

  1. Data Aggregation: Logging program activity and events and gathering the data from multiple programs together into a single log.
  2. Correlation: Clumps similar data together to help make it easy to look for certain types of events across many program logs (to search for signs of malware attack)
  3. Alerting: Creating alarms and notifications; automated reporting. Can be sent along to 3rd-party apps like email and reminder applications.
  4. Dashboards: Organizing data into charts and tables for data classification.
  5. Compliance: Automating the gathering of compliance data; like an add-on to the compliance capability.
  6. Retention: Using long-term storage (HDDs, tapes) to help analyse data and create better statistical models and correlations based on the data traffic.
  7. Forensic Analysis: Searching across different logs and time periods based on specified search criteria (e.g. “System alert 1345 within the past 2 days”).
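To make the two halves of these notes concrete, here is an added Python example (not part of the original notes and not any real product's code) that first plays the IDS role with the three detection methods from the IDS/IPS section (signature, statistical anomaly, stateful protocol analysis) over constructed traffic records, and then plays the SIEM role over the resulting alerts plus a second constructed host log: data aggregation into one log, correlation of event kinds per source, alerting, and a forensic search by kind and time window. All sample records, the `EVIL-TEST-PATTERN` signature and the IP addresses are constructed placeholders; the thresholds (median-based anomaly factor, 5-minute correlation window) are assumptions chosen for the sample, not recommended production values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample traffic, not real captures: (ISO timestamp, src_ip, payload bytes).
# Records are time-ordered; 10.0.0.9 sends one signature hit, one malformed line and a flood.
SAMPLE_TRAFFIC = [
    ("2024-01-01T10:00:00", "10.0.0.5", b"GET /index.html HTTP/1.1"),
    ("2024-01-01T10:00:01", "10.0.0.6", b"GET /about.html HTTP/1.1"),
    ("2024-01-01T10:00:02", "10.0.0.7", b"POST /login HTTP/1.1"),
    ("2024-01-01T10:00:03", "10.0.0.9", b"GET /x HTTP/1.1 EVIL-TEST-PATTERN"),
    ("2024-01-01T10:00:04", "10.0.0.9", b"BLAH this is not an http request line"),
] + [("2024-01-01T10:00:05", "10.0.0.9", b"GET /flood HTTP/1.1")] * 20

# Constructed host log lines, a second data source for the SIEM stage.
SAMPLE_HOST_LOG = [
    "2024-01-01T10:00:03 sshd: Failed password for root from 10.0.0.9",
    "2024-01-01T10:00:06 sshd: Failed password for root from 10.0.0.9",
    "2024-01-01T10:00:07 sshd: Accepted password for alice from 10.0.0.5",
]

SIGNATURES = {"constructed-test-signature": b"EVIL-TEST-PATTERN"}  # placeholder pattern
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def signature_alerts(traffic):
    """Signature detection: look for known byte patterns inside each payload."""
    return [(ts, ip, f"signature:{name}") for ts, ip, payload in traffic
            for name, pattern in SIGNATURES.items() if pattern in payload]


def anomaly_alerts(traffic, factor=5):
    """Statistical anomaly detection: flag sources sending far more than the usual amount.
    The median is used as the baseline so one noisy source cannot drag the baseline up."""
    counts = Counter(ip for _, ip, _ in traffic)
    baseline = median(counts.values())
    last_seen = {ip: ts for ts, ip, _ in traffic}  # time-ordered input: last write wins
    return [(last_seen[ip], ip, f"anomaly:{n}-requests-vs-median-{baseline}")
            for ip, n in counts.items() if n > factor * baseline]


def protocol_alerts(traffic):
    """Simplified stateful protocol analysis: an HTTP request line is expected to look like
    'METHOD PATH HTTP/x.y'; anything else deviates from normal protocol behaviour."""
    alerts = []
    for ts, ip, payload in traffic:
        parts = payload.decode("ascii", "replace").split()
        if len(parts) < 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
            alerts.append((ts, ip, "protocol:malformed-http-request-line"))
    return alerts


def run_ids(traffic):
    """IDS role: detect and log only. An IPS would sit in-line and drop or reset instead."""
    return sorted(signature_alerts(traffic) + anomaly_alerts(traffic) + protocol_alerts(traffic))


def parse_host_log(lines):
    """Normalise host log lines into the same (ts, ip, kind) shape the IDS alerts use."""
    events = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        if "Failed password" in rest:
            events.append((ts, rest.rsplit(" ", 1)[-1], "auth:failed-password"))
    return events


def aggregate(*sources):
    """Data aggregation: merge events from several sources into one time-ordered log."""
    return sorted(ev for src in sources for ev in src)


def correlate(events, window=timedelta(minutes=5), min_kinds=2):
    """Correlation: a source ip producing at least min_kinds distinct event kinds within window."""
    by_ip = defaultdict(list)
    for ts, ip, kind in events:
        by_ip[ip].append((datetime.fromisoformat(ts), kind))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        kinds = {k.split(":")[0] for _, k in evs}
        if evs[-1][0] - evs[0][0] <= window and len(kinds) >= min_kinds:
            hits[ip] = sorted(kinds)
    return hits


def alert_messages(hits):
    """Alerting: turn correlation hits into notifications a 3rd-party app could receive."""
    return [f"ALERT {ip}: correlated {', '.join(kinds)} events" for ip, kinds in hits.items()]


def forensic_search(events, kind_prefix, since, until):
    """Forensic analysis: events of one kind inside a time range, across all aggregated sources."""
    lo, hi = datetime.fromisoformat(since), datetime.fromisoformat(until)
    return [e for e in events
            if e[2].startswith(kind_prefix) and lo <= datetime.fromisoformat(e[0]) <= hi]


def pipeline():
    """Run IDS detection, then the SIEM stages, and return all intermediate results."""
    ids_alerts = run_ids(SAMPLE_TRAFFIC)
    events = aggregate(ids_alerts, parse_host_log(SAMPLE_HOST_LOG))
    return ids_alerts, events, correlate(events)


if __name__ == "__main__":
    ids_alerts, events, hits = pipeline()
    for event in events:
        print(event)
    for msg in alert_messages(hits):
        print(msg)
```

On the sample, every IDS alert comes from 10.0.0.9, and only that source shows up in the correlation output, because it is the only one seen by more than one kind of detector within the window; the single source that merely failed one SSH login would not be reported on its own, which is the point of correlating across logs rather than alerting per line.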