Course Introduction and Security Basics
Governance, Compliance and Risk
In the last decade the nature and complexity of security attacks have increased tremendously. From simple attacks that focused on hacking exposed web pages, we have moved to stealthy attacks in which the attacker stays hidden inside the victim's network for years on end with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility for securing that data to the cloud service provider. These days, therefore, the cloud service provider is entrusted with providing adequate security for the data and services it delivers to customers. When deciding whether to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
Now let's look at the tools that the Amazon platform provides, and also at the log sources that you would want to feed into a SIEM. Amazon provides tools such as CloudWatch and CloudTrail. These services help in creating alerts, monitoring them, and storing the logs as well. Primarily, they are most useful for application-level alerts, so I would suggest that these tools be supplemented as follows.
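As an added illustration of the kind of alerting the lecture has in mind for CloudTrail (this is example code written for this page, not material from the course or from AWS), the following Python reads a batch of CloudTrail records in the standard `{"Records": [...]}` JSON layout and raises two defender-side alerts: repeated failed console logins from one user/source pair, and calls that tamper with the audit trail itself (`StopLogging`, `DeleteTrail`, `UpdateTrail`, `DeleteFlowLogs`). All record values, user names, IP addresses and the account ID in the trail ARN are constructed for the example.

```python
import json
from collections import Counter

# Constructed CloudTrail batch. The field names follow the real CloudTrail
# record layout; every value (users, IPs, ARN, times) is invented.
SAMPLE_CLOUDTRAIL = """
{"Records": [
 {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2023-01-01T10:00:07Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2023-01-01T10:00:15Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2023-01-01T10:00:22Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2023-01-01T10:01:02Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2023-01-01T10:05:41Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
 {"eventTime": "2023-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "IAMUser", "userName": "carol"}}
]}
"""

# API calls that reduce audit visibility; a SIEM should alert on every one of them.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs"}

# Number of failed console logins per (user, source IP) before alerting.
FAILED_LOGIN_THRESHOLD = 3


def load_records(raw_json):
    """Parse a CloudTrail batch and return its list of event records."""
    return json.loads(raw_json)["Records"]


def detect(records):
    """Return a list of alert dicts for the two rules described above."""
    alerts = []
    failures = Counter()
    for rec in records:
        name = rec.get("eventName")
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        ip = rec.get("sourceIPAddress", "<unknown>")

        # Rule 1: any change to the audit trail is high severity.
        if name in LOGGING_TAMPER_EVENTS:
            alerts.append({"rule": "logging-tampering", "user": user, "ip": ip,
                           "event": name, "time": rec.get("eventTime")})

        # Rule 2: count failed console logins per user/source pair.
        if name == "ConsoleLogin" and \
                rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[(user, ip)] += 1

    for (user, ip), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "console-brute-force", "user": user, "ip": ip,
                           "failures": count})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(alert)
```

In production the same logic would run inside the SIEM over the CloudTrail objects delivered to S3 or via CloudWatch Logs; the point of the example is that the alerting rules (visibility tampering, repeated authentication failure) belong in the SIEM alongside the on-premises sources the lecture goes on to list, not only in CloudWatch.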
This is a full-stack description of a defense-in-depth setup. Firewalls at the perimeter filter traffic at the network layer. Intrusion prevention systems run behind the firewalls; these help in detecting attacks for which signature updates have not yet been released, and in protecting servers that have not yet been patched. Web-traffic filtering proxies eliminate unauthorized access to and from the network, and also provide a useful way to detect traffic from infected machines to command-and-control servers. Antivirus and host-based intrusion prevention systems provide a level of defense against known and unknown malware at the endpoint. Finally, data exfiltration detection software, such as 1-2 or Disease Killer.
Now let's look at the sources of SIEM logs. Logging must be enabled for all the devices above, as well as for the authentication servers, data exfiltration detection software, domain controllers, mail servers, routers, switches, file servers, proxy servers, URL filtering, patch control servers, antivirus servers, DMZ servers, NIPS, HIPS, NAS filers, DHCP servers, application servers, VPN servers, and any kind of mobile access Sentry software that you might have, such as MobileIron.
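The lecture says the filtering proxy's logs are a useful way to spot infected machines talking to command-and-control servers. As an added example (written for this page, not code from the course or from any proxy vendor), the following Python runs one common SIEM heuristic over constructed proxy access-log lines: it groups requests by client and destination host and flags pairs whose request intervals are almost perfectly regular, the "beaconing" pattern that malware check-ins tend to produce and that human browsing does not. The log format (ISO timestamp, client IP, method, URL, status), the hosts and the addresses are all invented for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy access log. Format: <ISO time> <client IP> <method> <URL> <status>.
# 10.0.0.5 requests one host every 60 seconds (beacon-like);
# 10.0.0.8 browses a news site at irregular intervals.
SAMPLE_PROXY_LOG = """\
2023-01-01T09:00:00 10.0.0.5 GET http://sync.example-unknown.test/ping 200
2023-01-01T09:00:00 10.0.0.8 GET http://intranet.example.test/home 200
2023-01-01T09:01:00 10.0.0.5 GET http://sync.example-unknown.test/ping 200
2023-01-01T09:00:30 10.0.0.8 GET http://news.example.test/ 200
2023-01-01T09:02:00 10.0.0.5 GET http://sync.example-unknown.test/ping 200
2023-01-01T09:07:12 10.0.0.8 GET http://news.example.test/sports 200
2023-01-01T09:03:00 10.0.0.5 GET http://sync.example-unknown.test/ping 200
2023-01-01T09:25:40 10.0.0.8 GET http://news.example.test/weather 200
2023-01-01T09:04:00 10.0.0.5 GET http://sync.example-unknown.test/ping 200
2023-01-01T09:26:00 10.0.0.8 GET http://news.example.test/ 200
2023-01-01T09:41:05 10.0.0.8 GET http://news.example.test/tech 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Minimum requests to a host before the interval statistics mean anything.
MIN_REQUESTS = 5
# Coefficient of variation (stdev / mean) below which intervals count as "regular".
MAX_CV = 0.1


def parse_proxy_log(text):
    """Turn raw log lines into (timestamp, client, host) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname
        if host:
            events.append((datetime.fromisoformat(ts), client, host))
    return events


def detect_beacons(events, min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Flag (client, host) pairs whose inter-request intervals are nearly constant."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()  # log lines are not guaranteed to arrive in time order
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(times),
                             "mean_interval_s": mean, "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f)
```

Regular intervals alone are not proof of infection: software update checks and monitoring agents beacon too, so in a real SIEM this rule is paired with an allow-list of known services and with the proxy's URL-category and reputation data before an analyst is paged.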
About the Author
Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning automation, security operations analytics and reporting, the threat management life cycle, Agile/DevOps environments, SaaS/cloud security, business development and consulting, program management and more. Most recently Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform with 40 billion transactions per day. He pioneered the integration of security into DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at datacoreacademy.com or by writing to firstname.lastname@example.org. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/