Security+ Flashcards: Security Operations, Monitoring, SIEM, Log Management

Gain insights into cloud security risks and the role of security operations in maintaining a secure environment. This section covers monitoring practices and security information event management.

6 audio · 2:46

Nortren

What is a SIEM and what role does it play in security operations?

A Security Information and Event Management system, or SIEM, collects, normalizes, and correlates log data from across the IT environment to detect security threats in real time. It aggregates logs from firewalls, servers, endpoints, applications, and cloud services into a centralized platform. Correlation rules and analytics identify patterns indicating attacks, such as multiple failed logins followed by successful access from a new location.

What types of logs should be collected for security monitoring?

Security monitoring requires logs from multiple sources. Authentication logs record login attempts, successes, and failures. Firewall logs record allowed and denied network connections. Web proxy logs record internet access and blocked sites. DNS logs record domain lookups that may indicate command and control communication. Email gateway logs record inbound and outbound messages and blocked threats. Endpoint logs record process execution, file changes, and registry modifications. Application logs record user activities and errors.

What is the difference between a security operations center and an incident response team?

A security operations center, or SOC, is a centralized team that continuously monitors, detects, and triages security events using SIEM, endpoint detection, and other tools during daily operations. The SOC focuses on real-time detection and initial response. An incident response team, or IRT, is activated when a confirmed security incident requires deeper investigation, containment, eradication, and recovery beyond what the SOC handles during routine monitoring.

What is threat intelligence and how does it improve security operations?

Threat intelligence is evidence-based information about existing or emerging threats that helps organizations make informed security decisions. It comes in three levels: strategic intelligence provides high-level trends for executives, tactical intelligence provides attacker techniques and procedures for security teams, and operational intelligence provides specific indicators of compromise like malicious IP addresses, domain names, and file hashes for automated detection. Threat intelligence feeds integrate into SIEMs, firewalls, and endpoint tools to automatically detect known threats.

What is user and entity behavior analytics?

User and entity behavior analytics, or UEBA, uses machine learning and statistical analysis to establish baseline patterns of normal behavior for users and devices, then detects deviations that may indicate security threats. It can identify compromised accounts by detecting unusual login times, locations, or data access patterns; insider threats by detecting unusual data downloads or access to unrelated systems; and lateral movement by detecting accounts accessing systems they have never used before.

What is log retention and what factors determine retention periods?

Log retention defines how long security logs are stored before deletion. Factors include regulatory requirements, such as PCI DSS mandating one year of log retention with three months immediately accessible; legal hold obligations that require preserving logs relevant to litigation; incident investigation needs, since attackers may maintain access for months before detection; storage costs and capacity constraints; and organizational security policies. Most security frameworks recommend retaining logs for at least one year.