Saturday, March 25, 2017

Critical Controls and SIEM

https://gbhackers.com/security-information-and-event-management-siem-a-detailed-explanation/

Critical Control 1: Inventory of Authorized and Unauthorized Devices

SIEM can correlate user activity with user rights and roles to detect violations of least
privilege enforcement, which is required by this control.

Critical Control 2: Inventory of Authorized and Unauthorized Software

SIEM should be used as the inventory database of authorized software
products for correlation with network and application activity.

Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Known vulnerabilities are still a leading avenue for successful exploits. If an automated
device scanning tool discovers a misconfigured network system during a Common
Configuration Enumeration (CCE) scan, that misconfiguration should be reported to the
SIEM as the central source for these alerts. This helps with troubleshooting incidents as
well as improving overall security posture.

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Any misconfiguration on network devices should also be reported to the SIEM for consolidated analysis.

Critical Control 5: Boundary Defense

Network rule violations, like CCE discoveries, should also be reported to one central
source (a SIEM) for correlation with the authorized inventory data stored in the SIEM
solution.

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Control 6 is essentially a control about SIEMs, which are a leading means of collecting
and centralizing critical log data; in fact, there is even a subcontrol on analysis that
addresses SIEM specifically. SIEMs are the core analysis engine that can analyze log events
as they occur.

Critical Control 7: Application Software Security

Like CCE scan results, vulnerabilities that are discovered in software applications should
also be reported to a central source where these vulnerabilities can be correlated with
other events concerning a particular system. SIEMs are a good place to store these scan
results and correlate the information with network data, captured through logs, to
determine whether vulnerabilities are being exploited in real time.

Critical Control 8: Controlled Use of Administrative Privileges

When the principles of this control are not met (such as an administrator running a
web browser or unnecessary use of administrator accounts), SIEM can correlate access
logs to detect the violation and generate an alert.

Critical Control 9: Controlled Access Based on Need to Know

SIEM can correlate user activity with user rights and roles to detect violations of least
privilege enforcement, which is required by this control.
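The correlation described for Controls 8 and 9 (joining activity events against an account-to-role inventory and a need-to-know map) is straightforward to express as a rule. The following is an added example, not code from the page or from the gbhackers article it links; the role inventory, the resource map, the list of interactive applications and the event records are all constructed sample data, and the event shape is an assumption rather than any particular SIEM's schema.

```python
"""Role-aware correlation of process and file-access events (added example).

Models the SIEM logic from Controls 8 and 9: a privileged account launching an
interactive end-user application, an account touching a resource outside its
role's need-to-know set, and activity from an account missing from inventory.
All inventories and events below are constructed.
"""
from dataclasses import dataclass

# Constructed account inventory: account -> role (assumes one role per account)
ROLES = {
    "svc-backup": "service",
    "jdoe": "user",
    "adm-jdoe": "admin",
    "adm-ops": "admin",
}

# Constructed need-to-know map: role -> resources that role may access
ALLOWED_RESOURCES = {
    "user": {r"\\fs01\public"},
    "service": {r"\\fs01\backups"},
    "admin": {r"\\fs01\public", r"\\fs01\backups", r"\\fs01\hr-confidential"},
}

# Applications an administrative account should never launch (Control 8's
# "administrator running a web browser" case); constructed list
INTERACTIVE_USER_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "outlook.exe"}


@dataclass
class Event:
    ts: str
    host: str
    account: str
    kind: str     # "process_start" or "file_access"
    detail: str   # image name for process_start, resource path for file_access


def correlate(events):
    """Return (ts, rule, account, host, detail) tuples for each rule violation."""
    alerts = []
    for e in events:
        role = ROLES.get(e.account)
        if role is None:
            # Activity from an account that inventory does not know about
            alerts.append((e.ts, "UNKNOWN_ACCOUNT", e.account, e.host, e.detail))
            continue
        if e.kind == "process_start" and role == "admin" \
                and e.detail.lower() in INTERACTIVE_USER_APPS:
            alerts.append((e.ts, "ADMIN_RUNS_USER_APP", e.account, e.host, e.detail))
        elif e.kind == "file_access" and e.detail not in ALLOWED_RESOURCES[role]:
            alerts.append((e.ts, "NEED_TO_KNOW_VIOLATION", e.account, e.host, e.detail))
    return alerts


# Constructed sample events
SAMPLE_EVENTS = [
    Event("2017-03-25T08:01:00", "ws-17", "jdoe", "process_start", "chrome.exe"),
    Event("2017-03-25T08:05:00", "ws-17", "adm-jdoe", "process_start", "chrome.exe"),
    Event("2017-03-25T08:06:00", "fs01", "jdoe", "file_access", r"\\fs01\hr-confidential"),
    Event("2017-03-25T08:07:00", "fs01", "svc-backup", "file_access", r"\\fs01\backups"),
    Event("2017-03-25T08:09:00", "srv-02", "adm-ops", "process_start", "powershell.exe"),
    Event("2017-03-25T08:10:00", "srv-02", "ghost", "file_access", r"\\fs01\public"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(*alert)
```

The same account launching the same browser produces an alert only when the inventory says the account is privileged; that is the point of keeping the role table in the SIEM rather than hard-coding account names into rules.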

Critical Control 10: Continuous Critical Control

SIEM can correlate vulnerability context with actual system activity to determine
whether vulnerabilities are being exploited.

Critical Control 11: Account Monitoring and Control

Abnormal account activity can only be detected when compared to a baseline of
known good activity. The baseline to meet this control should be recorded by the
SIEM; and, as future snapshots or baselines are recorded, they can be compared to the
approved baseline in the SIEM.
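Building the approved baseline from known-good activity and comparing a later snapshot against it, as Control 11 describes, can be shown with a small profile per account. This is an added example, not code from the page or the gbhackers article; the logon records are constructed, and the profile (source hosts plus a logon-hour window with one hour of slack) is an assumed, deliberately simple notion of "baseline".

```python
"""Baseline-versus-snapshot comparison of account logon activity (added example).

The baseline stores, per account, the hosts it logs on from and the hours at
which it does so.  A later snapshot is compared against that profile; each
deviation becomes a finding the SIEM can alert on.  All records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed known-good logons: (account, source host, ISO timestamp)
BASELINE_LOGONS = [
    ("jdoe", "ws-17", "2017-03-20T08:12:00"),
    ("jdoe", "ws-17", "2017-03-21T08:40:00"),
    ("jdoe", "ws-17", "2017-03-22T17:55:00"),
    ("svc-backup", "srv-02", "2017-03-20T02:00:00"),
    ("svc-backup", "srv-02", "2017-03-21T02:00:00"),
]

# Constructed later snapshot to be checked against the approved baseline
SNAPSHOT_LOGONS = [
    ("jdoe", "ws-17", "2017-03-25T09:05:00"),
    ("jdoe", "srv-02", "2017-03-25T23:30:00"),
    ("svc-backup", "srv-02", "2017-03-25T02:00:00"),
    ("tmp-admin", "srv-02", "2017-03-25T03:15:00"),
]


def build_baseline(logons):
    """Profile each account by the hosts and hours of day it logged on."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for account, host, ts in logons:
        base[account]["hosts"].add(host)
        base[account]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)


def compare_snapshot(baseline, snapshot, hour_slack=1):
    """Return (finding, account, host, ts) for each deviation from the baseline."""
    findings = []
    for account, host, ts in snapshot:
        profile = baseline.get(account)
        if profile is None:
            # Account never seen in the approved baseline
            findings.append(("NEW_ACCOUNT", account, host, ts))
            continue
        if host not in profile["hosts"]:
            findings.append(("NEW_SOURCE_HOST", account, host, ts))
        hour = datetime.fromisoformat(ts).hour
        lo = min(profile["hours"]) - hour_slack
        hi = max(profile["hours"]) + hour_slack
        if not lo <= hour <= hi:
            findings.append(("OFF_HOURS_LOGON", account, host, ts))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGONS)
    for finding in compare_snapshot(baseline, SNAPSHOT_LOGONS):
        print(*finding)
```

A snapshot that reviewers accept can be fed back through build_baseline to become the next approved baseline, which is the "future snapshots or baselines" cycle the control describes.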

Critical Control 12: Malware Defenses

Malware that is discovered should be recorded according to this control. Centralized
anti-malware tools should report their findings to a SIEM, which correlates them against
system and vulnerability data to determine which systems pose a greater risk due to the
malware discovered on them.

Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services

If a system has a running port, protocol, or service that has not been authorized, it should also be reported to a central source where it can be correlated with other events concerning that system. SIEMs can monitor log data to detect traffic over restricted ports, protocols, and services. Organizations can use these controls to decide which ports and services are useful for business, which are not, and which types of traffic and ports to limit.
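Controls 7, 10 and 13 all describe the same join: flow records from the boundary are matched against the authorized-services inventory held in the SIEM, and against vulnerability scan context for the destination service. The following is an added example that serves those three passages; it is not code from the page or the gbhackers article. The iptables-style log layout, the inventory, the scan finding (whose identifier is a placeholder, not a real vulnerability id) and the regular expression are all constructed assumptions.

```python
"""Correlating firewall flow records with the authorized-services inventory and
vulnerability-scan context (added example; everything below is constructed).

Three outcomes are raised for accepted flows: traffic to a destination host the
inventory does not know, traffic to a port/protocol the inventory does not
authorize on that host, and traffic to an authorized service that a scanner
has flagged as vulnerable (the "is it being exploited right now" question).
"""
import re

# Constructed inventory: host -> set of authorized (protocol, port) services
AUTHORIZED_SERVICES = {
    "10.0.1.10": {("tcp", 443), ("tcp", 22)},   # web01
    "10.0.1.20": {("tcp", 3306)},               # db01
}

# Constructed scanner output: (host, protocol, port) -> finding id.
# The id is a placeholder, not a real vulnerability identifier.
VULN_FINDINGS = {
    ("10.0.1.20", "tcp", 3306): "VULN-PLACEHOLDER-1",
}

# Constructed firewall log lines in an iptables-like layout
SAMPLE_LOG = """\
Mar 25 10:01:02 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.1.10 PROTO=TCP DPT=443
Mar 25 10:01:07 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.2.44 DST=10.0.1.10 PROTO=TCP DPT=22
Mar 25 10:02:15 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.2.44 DST=10.0.1.20 PROTO=TCP DPT=3306
Mar 25 10:03:40 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.1.20 PROTO=TCP DPT=23
Mar 25 10:04:01 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.2.44 DST=10.0.1.99 PROTO=UDP DPT=69
Mar 25 10:04:30 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.1.10 PROTO=TCP DPT=445
"""

# Assumed line format; a real deployment would use the SIEM's own parser
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<fw>\S+) kernel: (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_flows(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = rec["proto"].lower()
            rec["dpt"] = int(rec["dpt"])
            flows.append(rec)
    return flows


def correlate_flows(flows, inventory, findings):
    """Return (rule, dst, proto, port, src) tuples for accepted flows of interest."""
    alerts = []
    for f in flows:
        if f["action"] != "ACCEPT":
            continue  # blocked flows show the boundary held; they are not exposure
        service = (f["proto"], f["dpt"])
        allowed = inventory.get(f["dst"])
        if allowed is None:
            alerts.append(("UNINVENTORIED_HOST", f["dst"], f["proto"], f["dpt"], f["src"]))
        elif service not in allowed:
            alerts.append(("UNAUTHORIZED_SERVICE", f["dst"], f["proto"], f["dpt"], f["src"]))
        elif (f["dst"],) + service in findings:
            alerts.append(("TRAFFIC_TO_VULNERABLE_SERVICE", f["dst"], f["proto"], f["dpt"], f["src"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate_flows(parse_flows(SAMPLE_LOG), AUTHORIZED_SERVICES, VULN_FINDINGS):
        print(*alert)
```

The rule order matters: an unauthorized service is reported as such even if a scanner also has a finding on it, because removing the service is the fix either way; the vulnerability-context alert is reserved for services the organization has decided to keep running.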

Critical Control 14: Wireless Device Control

Device misconfigurations and wireless intrusions should be reported to a central
database for incident handling purposes. A SIEM is a natural candidate to consolidate
this information and use it for correlation or detection of threats to the wireless
infrastructure.

Critical Control 15: Data Loss Prevention

Data loss rule violations, like CCE discoveries, should also be reported to one central source such as a SIEM, which can correlate data loss events with inventory or asset information as well as other system and user activity to detect complex breaches of sensitive data.
