Cybersecurity Incident Response in the Enterprise
Published in Mohiuddin Ahmed, Nour Moustafa, Abu Barkat, Paul Haskell-Dowland, Next-Generation Enterprise Security and Governance, 2022
Nickson M. Karie, Leslie F. Sikos
Advances in technology constantly introduce new, more sophisticated security threats for organizations. To continuously monitor their cybersecurity posture and prevent security threats and data breaches in near real time, many organizations operate a SOC. According to McAfee [8], “a Security Operations Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.” Many SOCs use Security Information and Event Management (SIEM) to obtain a holistic view of the organization's information security [9].
Intrusion Detection and Prevention Systems (IDPSs)
Published in Mohssen Mohammed, Al-Sakib Khan Pathan, Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks, 2016
Mohssen Mohammed, Al-Sakib Khan Pathan
There are two types of IDPS integration [2].

Direct IDPS integration. When one product feeds information to another product, this is called direct IDPS integration. It is most suitable when an organization uses multiple IDPS products from a single vendor. For example, a network-based IDPS could use host-based IDPS data to determine whether an attack it detected on the wire actually succeeded on the target host, and a network-based IDPS could give network flow information to a network behavior analysis (NBA) IDPS. Sharing such information improves detection accuracy, speeds up analysis, and helps prioritize threats. The main drawback of a fully integrated solution is that a failure or compromise of one component can affect all of the IDPS technologies.

Indirect IDPS integration. Indirect IDPS integration is when many IDPS products send their data to security information and event management (SIEM) software. The main function of SIEM software is to import information from various security-related logs and correlate events among them. SIEM software commonly receives copies of the logs from the logging hosts over secure network channels; it then normalizes the log data into standard fields and values (normalization), and it determines which events are related by matching Internet Protocol (IP) addresses, timestamps, usernames, and other characteristics. SIEM products can identify malicious activity such as attacks and malware infections, as well as misuse and inappropriate usage of systems and networks.
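The normalization and correlation steps described above, and the "network alert confirmed by host data" case, can be shown end to end in a small script. This is an added example, not code from the book or from NIST's IDPS guidance: the three feeds (a network-based IDPS alert in JSON, a host-based IDPS event in JSON, and sshd syslog lines), their field names, the asset inventory mapping hostnames to IP addresses, and the 60-second correlation window are all constructed assumptions. It also implements the threshold-style alert ("pre-set conditions") that the Data Loss Prevention excerpt further down describes as a SIEM capability.

```python
"""SIEM-style normalization and correlation over constructed log records."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (not real logs). The JSON field names for the
# network-based and host-based IDPS feeds are assumptions, not a product schema.
NIDS_ALERTS = [
    '{"timestamp": "2024-03-01T10:00:05Z", "src_ip": "203.0.113.7", '
    '"dest_ip": "10.0.0.5", "signature": "SSH brute-force attempt"}',
]
HIDS_EVENTS = [
    '{"time": "2024-03-01T10:00:40Z", "host_ip": "10.0.0.5", "user": "svc-backup", '
    '"action": "login_success", "remote_ip": "203.0.113.7"}',
]
SYSLOG_LINES = [
    "2024-03-01T10:00:39Z web01 sshd[2211]: Accepted password for svc-backup from 203.0.113.7 port 51522 ssh2",
    "2024-03-01T11:15:00Z web01 sshd[2290]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "2024-03-01T11:15:02Z web01 sshd[2291]: Failed password for root from 198.51.100.9 port 40002 ssh2",
    "2024-03-01T11:15:04Z web01 sshd[2292]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2",
]
# Constructed asset inventory: syslog carries hostnames, the other feeds carry IPs,
# so hostnames are resolved to IPs to give every record the same matching key.
ASSETS = {"web01": "10.0.0.5"}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, raw):
    """Map one raw record into the common schema
    {ts, source, src_ip, dst_ip, user, outcome}. Returns None for unparsable lines."""
    if source == "nids":
        d = json.loads(raw)
        return {"ts": parse_ts(d["timestamp"]), "source": source, "src_ip": d["src_ip"],
                "dst_ip": d["dest_ip"], "user": None, "outcome": "alert:" + d["signature"]}
    if source == "hids":
        d = json.loads(raw)
        return {"ts": parse_ts(d["time"]), "source": source, "src_ip": d["remote_ip"],
                "dst_ip": d["host_ip"], "user": d["user"], "outcome": d["action"]}
    if source == "sshd":
        m = SSHD_RE.match(raw)
        if not m:
            return None
        return {"ts": parse_ts(m["ts"]), "source": source, "src_ip": m["ip"],
                "dst_ip": ASSETS.get(m["host"], m["host"]), "user": m["user"],
                "outcome": "login_success" if m["result"] == "Accepted" else "login_failure"}
    raise ValueError("unknown source: " + source)


def correlate(events, window=timedelta(seconds=60), fail_threshold=3):
    """Rule 1: a network IDPS alert on (src, dst) followed within `window` by a
    login_success on dst from the same src is escalated to high severity: the
    attack seen on the wire appears to have succeeded on the host.
    Rule 2: at least `fail_threshold` login_failure events from one src_ip
    within `window` produce a medium-severity brute-force finding."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for a in (e for e in events if e["source"] == "nids"):
        confirm = [e for e in events
                   if e["outcome"] == "login_success" and e["src_ip"] == a["src_ip"]
                   and e["dst_ip"] == a["dst_ip"] and a["ts"] <= e["ts"] <= a["ts"] + window]
        if confirm:
            findings.append({"severity": "high", "rule": "alert_followed_by_success",
                             "src_ip": a["src_ip"], "dst_ip": a["dst_ip"],
                             "user": confirm[0]["user"],
                             "evidence": sorted({e["source"] for e in confirm} | {a["source"]})})
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "login_failure":
            failures[e["src_ip"]].append(e["ts"])
    for ip, times in failures.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= fail_threshold:
                findings.append({"severity": "medium", "rule": "brute_force", "src_ip": ip,
                                 "count": count, "first_seen": start.isoformat()})
                break
    return findings


def run():
    """Normalize all constructed feeds and return the correlated findings."""
    events = []
    for source, feed in (("nids", NIDS_ALERTS), ("hids", HIDS_EVENTS), ("sshd", SYSLOG_LINES)):
        events.extend(e for e in (normalize(source, raw) for raw in feed) if e)
    return correlate(events)


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding))
```

Two findings come out: the brute-force threshold fires on 198.51.100.9, and the network alert for 203.0.113.7 is escalated because both the host agent and sshd report a successful login from that address within the window. Unparsable lines are dropped here for brevity; a production SIEM keeps them as raw events so that a parser gap does not silently hide evidence.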
Prevention from Cyberattacks
Published in Kutub Thakur, Al-Sakib Khan Pathan, Cybersecurity Fundamentals, 2020
Kutub Thakur, Al-Sakib Khan Pathan
A network-based IDS monitors and analyzes traffic patterns and other parameters of the network traffic. If it finds an anomaly in the traffic, it immediately alerts the network administrator or the security information and event management (SIEM) system so that corrective measures can be taken to safeguard data and avert a cyberattack. A SIEM is a centralized security management system that provides security policy management, alarm management, and many other features related to network and system security.
Data Loss Prevention from a Malicious Insider
Published in Journal of Computer Information Systems, 2022
Edson Machado de Sousa, Abid Shahzad
More than half of cloud service providers (CSPs) use Security Information and Event Management (SIEM) and Log Management Systems to detect and analyze insider attacks. Logs are a critical resource for detecting malicious behavior and protecting the CSP's environment. Logging must be configured so that the integrity of the logs is ensured and the logs are kept secure and retained for a period determined by the provider's obligations and requirements. Kajiyama et al. [2] noted that customers want assurance that their CSPs have systems guaranteeing that all access to, and all operations performed in, their systems are logged and monitored. SIEM systems have better log management capabilities than Log Management Systems, and their coverage and functions are broader. A SIEM combines three main capabilities. Security Event Management aggregates and analyzes log files from IDS/IPS, network devices, vulnerability scanners, and asset inventory tools. Security Information Management collects, monitors, and analyzes data from computer event logs, with automated features and alerts that are triggered when pre-set conditions indicating suspicious behavior are met. Security Event Correlation correlates behaviors collected from event logs, which are then analyzed to discover patterns that could indicate a security issue.
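The integrity requirement above matters most against exactly the adversary this excerpt is about: an insider with write access to the log store. The following is an added example, not code from the article, showing one common way to make stored logs tamper-evident, a SHA-256 hash chain in which each record's digest covers the previous record's digest. The audit events, the retention cutoff and the assumption that the chain head is copied to a store the insider cannot write (another host, WORM storage, or a customer-facing receipt) are all constructed for illustration.

```python
"""Tamper-evident audit log using a SHA-256 hash chain, with retention purge."""
import hashlib
import json

GENESIS = "0" * 64

# Constructed audit events (not real data): (ISO-8601 UTC timestamp, event dict).
CONSTRUCTED_EVENTS = [
    ("2024-03-01T09:00:00Z", {"user": "alice", "action": "read", "object": "customer-db"}),
    ("2024-03-01T17:30:00Z", {"user": "bob", "action": "export", "object": "customer-db"}),
    ("2024-03-02T08:15:00Z", {"user": "alice", "action": "read", "object": "hr-share"}),
    ("2024-03-02T08:16:00Z", {"user": "bob", "action": "delete", "object": "audit-trail"}),
]


def _digest(ts, event, prev):
    """SHA-256 over a canonical JSON encoding of (ts, event, prev)."""
    body = json.dumps({"ts": ts, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class ChainedLog:
    def __init__(self):
        self.records = []      # each: {"ts", "event", "prev", "digest"}
        self.anchor = GENESIS  # digest the first retained record must chain from

    def append(self, ts, event):
        prev = self.records[-1]["digest"] if self.records else self.anchor
        digest = _digest(ts, event, prev)
        self.records.append({"ts": ts, "event": event, "prev": prev, "digest": digest})
        return digest

    def head(self):
        """Current chain head; copy this somewhere the log writer cannot modify."""
        return self.records[-1]["digest"] if self.records else self.anchor

    def verify(self, expected_head=None):
        """Return (True, None) if every record chains correctly, else (False, index).
        An index equal to len(records) means the chain is internally consistent
        but does not end at the externally anchored head, i.e. it was rewritten."""
        prev = self.anchor
        for i, r in enumerate(self.records):
            if r["prev"] != prev or _digest(r["ts"], r["event"], r["prev"]) != r["digest"]:
                return False, i
            prev = r["digest"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)
        return True, None

    def purge_older_than(self, cutoff):
        """Retention: drop records with ts < cutoff. The digest of the last dropped
        record becomes the new anchor so the retained chain stays verifiable."""
        keep = 0
        while keep < len(self.records) and self.records[keep]["ts"] < cutoff:
            keep += 1
        if keep:
            self.anchor = self.records[keep - 1]["digest"]
            del self.records[:keep]
        return keep


def build_demo_log():
    log = ChainedLog()
    for ts, event in CONSTRUCTED_EVENTS:
        log.append(ts, event)
    return log


def attacker_rewrites_chain(log, index, new_event):
    """Simulate an insider with write access who edits one record and then recomputes
    every later digest. Internal verification passes; only comparison against a
    head stored out of the insider's reach detects the rewrite."""
    log.records[index]["event"] = new_event
    prev = log.records[index]["prev"]
    for r in log.records[index:]:
        r["prev"] = prev
        r["digest"] = _digest(r["ts"], r["event"], r["prev"])
        prev = r["digest"]


if __name__ == "__main__":
    log = build_demo_log()
    anchored_head = log.head()  # assumed to be copied to a write-protected store
    print("clean:", log.verify(expected_head=anchored_head))
    attacker_rewrites_chain(log, 1, {"user": "bob", "action": "read", "object": "customer-db"})
    print("rewritten, internal check only:", log.verify())
    print("rewritten, against anchored head:", log.verify(expected_head=anchored_head))
```

The chain alone only catches edits that leave later digests stale; an attacker who can rewrite the whole file can recompute it, which is why the anchored-head comparison is the check that matters. Keying the digest with an HMAC whose key the log writer does not hold is the other standard variant of the same idea.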
Insider Intrusion Detection Techniques: A State-of-the-Art Review
Published in Journal of Computer Information Systems, 2023
Network-based insider intrusion detection can use either higher-level events or lower-layer packet data. SIEM, an integral component of the Security Operations Center (SOC), is a commercial intrusion detection tool that analyzes higher-layer events collected from different endpoints at a central location to detect and predict intrusions [7]. We analyze the intrusion detection methods from both the higher-layer event-based approach and the network flow-based detection approach.