Exam CAS-004
Question 135

A company's Chief Information Security Officer is concerned that the company's proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.

Which of the following compensating controls would be BEST to implement in this situation?

    Correct Answer: B

    A SIEM (Security Information and Event Management) system provides a comprehensive way to regain visibility into network traffic within a VPC in a cloud environment. SIEM solutions collect, analyze, and correlate security events from many sources, offering centralized logging, real-time monitoring, historical analysis, and alerting. This makes SIEM the appropriate compensating control for concerns about visibility into network traffic flow logs when moving to the cloud. None of EDR, HIDS, or UEBA offers the same breadth of visibility and centralized monitoring that a SIEM does.

Discussion
BiteSize (Option: B)

SIEM is always the best answer for visibility and continuous monitoring (CONMON). Build those dashboards, alerts, and correlation searches to keep track of the information the organization deems vital via its security strategy. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)

hidady (Option: B)

B is the correct answer

last_resort (Option: B)

B. SIEM

FOURDUE (Option: B)

Security information and event management (SIEM) solutions provide near real-time analysis of security alerts generated by a wide variety of network hardware, systems, and applications. SIEM platforms enhance incident detection and response capabilities by providing expanded insights into operational activity through collection, aggregation, and correlation of vast volumes of event data across the entire enterprise environment. SIEM removes much of the need to analyze individual systems by collecting log data and parsing it in a way that makes it easily searched and analyzed regardless of the underlying log format. Additionally, SIEM platforms remove much of the specialized knowledge needed to locate and analyze logs collected and stored on individual systems. For example, a security analyst can learn how to search and query for events using SIEM methods instead of learning how to interact with multiple operating systems, network devices, and/or applications to perform the same task.

23169fd (Option: B)

Purpose: SIEM systems collect, analyze, and correlate security events from various sources within the network, including flow logs from VPCs in cloud environments.
Visibility: SIEM provides comprehensive visibility into network traffic and security events by aggregating logs and alerts from different sources. This allows for real-time monitoring and historical analysis of network traffic.
Centralized Logging: SIEM solutions can centralize the collection of flow logs, making it easier to manage and analyze network traffic patterns and detect anomalies.
Alerting and Reporting: SIEM systems can generate alerts and reports based on predefined rules and correlations, helping security teams quickly identify and respond to potential security incidents.
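The two posts above (FOURDUE on parsing logs into a searchable form regardless of source format, and 23169fd on centralizing flow logs and alerting on predefined correlation rules) describe what a SIEM does with VPC flow logs without showing it. The following Python script is an added example for this page, not code from the site, from any poster, or from any SIEM product. It ingests constructed AWS VPC flow log records in AWS's documented default (version 2) field order, normalizes them into events, and runs two rules: a correlation rule that flags a source receiving REJECT on many distinct destination ports of one host inside a short window, and a visibility rule that flags SKIPDATA records, the log-status value AWS uses when flow records were dropped, which is exactly the kind of gap the question's CISO is worried about. The field order and the OK/NODATA/SKIPDATA status values are AWS's; the account id, interface ids, addresses, timestamps, thresholds, rule names and function names are constructed for the example.

```python
"""Mini SIEM-style correlation over AWS VPC flow log records.

Added example for this discussion page; not code from the site or any
SIEM product. Sample records, account id, interface ids and thresholds are
constructed. Field order and log-status values follow AWS's documented
default (version 2) flow log format.
"""
from collections import defaultdict

# AWS default flow log format, version 2, in documented field order.
FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
NUMERIC_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one source probing six ports on one host (all REJECT),
# one benign HTTPS session plus a single stray REJECT, and one SKIPDATA
# record, which AWS emits when flow records were dropped (a visibility gap).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0abc12345 10.0.1.25 10.0.2.10 44321 22 6 3 180 1700000000 1700000005 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.25 10.0.2.10 44322 23 6 3 180 1700000002 1700000007 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.25 10.0.2.10 44323 25 6 3 180 1700000004 1700000009 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.25 10.0.2.10 44324 80 6 3 180 1700000006 1700000011 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.25 10.0.2.10 44325 443 6 3 180 1700000008 1700000013 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.25 10.0.2.10 44326 3389 6 3 180 1700000010 1700000015 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.40 10.0.2.10 51000 443 6 40 9600 1700000003 1700000040 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.40 10.0.2.10 51001 443 6 2 120 1700000020 1700000025 REJECT OK
2 123456789012 eni-0def67890 - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


def parse_flow_log(line):
    """Parse one default-format record into a dict; '-' numeric fields become None."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    event = dict(zip(FLOW_FIELDS, parts))
    for key in NUMERIC_FIELDS:
        event[key] = None if event[key] == "-" else int(event[key])
    return event


def parse_flow_logs(text):
    """Normalize a batch of raw records, skipping blank lines."""
    return [parse_flow_log(line) for line in text.splitlines() if line.strip()]


def detect_port_sweeps(events, min_ports=5, window_seconds=60):
    """Correlation rule: one source rejected on >= min_ports distinct
    destination ports of one host within window_seconds."""
    rejects = defaultdict(list)  # (src, dst) -> [(start, dstport), ...]
    for ev in events:
        if ev["action"] == "REJECT" and ev["srcaddr"] != "-":
            rejects[(ev["srcaddr"], ev["dstaddr"])].append((ev["start"], ev["dstport"]))
    alerts = []
    for (src, dst), hits in rejects.items():
        hits.sort()  # time order, so each window is a prefix of hits[i:]
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window_seconds}
            if len(ports) >= min_ports:
                alerts.append({"rule": "port_sweep", "src": src, "dst": dst,
                               "distinct_ports": len(ports), "window_start": t0})
                break  # one alert per source/destination pair is enough
    return alerts


def detect_log_gaps(events):
    """Visibility rule: SKIPDATA means records were dropped for that window."""
    return [{"rule": "flow_log_gap", "interface": ev["interface_id"],
             "start": ev["start"], "end": ev["end"]}
            for ev in events if ev["log_status"] == "SKIPDATA"]


def run_rules(text):
    """Ingest raw records and return alerts grouped by rule name."""
    events = parse_flow_logs(text)
    return {"port_sweep": detect_port_sweeps(events),
            "flow_log_gap": detect_log_gaps(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_FLOW_LOGS).items():
        for alert in hits:
            print(rule, alert)
```

Run as a script it prints one port_sweep alert for 10.0.1.25 against 10.0.2.10 (six distinct rejected ports) and one flow_log_gap alert for eni-0def67890. The second rule is the one that answers the CISO's concern directly: a SIEM can only compensate for missing native visibility if it also tells you when the feed it depends on has dropped records, so a rule on log-status belongs next to the traffic rules rather than being left to chance.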