Which of the following MUST the administrator of a security information and event management (SIEM) system ensure?
The administrator of a security information and event management (SIEM) system must ensure that all sources are synchronized with a common time reference. This synchronization is crucial for accurately correlating events and determining the sequence in which they occurred. Without a common time reference, the data collected from various sources could be misleading or confusing, significantly hindering the effectiveness of the SIEM system in identifying and investigating security incidents.
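As an added example that is not part of the original discussion, the following Python script shows why the common time reference matters: it takes constructed log records from two hosts (web01 is assumed to run 5 minutes fast), estimates each host's clock skew from the gap between the timestamp the host wrote and the timestamp the collector stamped on receipt, flags hosts outside tolerance for an NTP check, and rebuilds the event timeline with the skew removed.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records: (source host, timestamp written by the source,
# timestamp the SIEM collector stamped on receipt, message). The web01 clock
# is assumed to run 5 minutes fast; db01 is in step with the collector.
RAW_LOGS = [
    ("web01", "2024-03-01T10:05:02Z", "2024-03-01T10:00:02Z", "login user=alice result=fail"),
    ("db01",  "2024-03-01T10:00:05Z", "2024-03-01T10:00:05Z", "query table=users src=10.0.0.5"),
    ("web01", "2024-03-01T10:05:09Z", "2024-03-01T10:00:09Z", "login user=alice result=success"),
    ("db01",  "2024-03-01T10:00:11Z", "2024-03-01T10:00:11Z", "query table=sessions src=10.0.0.5"),
]

FMT = "%Y-%m-%dT%H:%M:%SZ"  # ISO-8601 UTC, as used in the sample above


def parse_ts(text):
    return datetime.strptime(text, FMT)


def estimate_skew(records):
    """Per-host clock offset in seconds: median of (source time - receipt time).
    Positive means the source clock is ahead of the collector; the median
    resists a few records delayed in transit or buffered on the host."""
    offsets = {}
    for host, src_ts, recv_ts, _ in records:
        delta = (parse_ts(src_ts) - parse_ts(recv_ts)).total_seconds()
        offsets.setdefault(host, []).append(delta)
    return {host: median(vals) for host, vals in offsets.items()}


def hosts_out_of_tolerance(skews, tolerance_s=30.0):
    """Hosts whose offset exceeds the tolerance: candidates for an NTP check."""
    return sorted(h for h, s in skews.items() if abs(s) > tolerance_s)


def timeline(records, skews=None):
    """Events ordered by source time, optionally corrected by measured skew.
    Returns a list of (corrected ISO timestamp, host, message)."""
    skews = skews or {}
    rows = []
    for host, src_ts, _, msg in records:
        corrected = parse_ts(src_ts) - timedelta(seconds=skews.get(host, 0.0))
        rows.append((corrected.strftime(FMT), host, msg))
    return sorted(rows)


if __name__ == "__main__":
    skews = estimate_skew(RAW_LOGS)
    print("clock skew per host:", skews)
    print("out of tolerance:", hosts_out_of_tolerance(skews))
    print("naive order:", [m for _, _, m in timeline(RAW_LOGS)])
    print("corrected order:", [m for _, _, m in timeline(RAW_LOGS, skews)])
```

Ordered by raw timestamps, both database queries appear to precede the login attempts; with the skew removed, the failed login, the first query, the successful login and the second query fall into their actual sequence.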
Time is one of the most important things when it comes to the analysis of log information collected from security devices. https://resources.infosecinstitute.com/certification/security-technologies-and-tools-siem/
Time synchronization is important, but it is asking about the most important. We need to ensure data sources do not contain information infringing upon privacy regulations. We need to either mask, anonymize or remove privacy data before sending it to the SIEM. This should be the most important task.
It is important that all sources are synchronized with a common time reference because it ensures that the events being logged and analyzed are correctly correlated and accurately reflect the order in which they occurred. This is important for properly identifying and investigating security incidents, as well as for creating reports and performing analytics on the data. If the sources are not synchronized, the data may be misleading or confusing, which can hinder the effectiveness of the SIEM system.
CISSP OFFICIAL GUIDE 9TH EDITION, PG 829: "Logging systems should also make use of the Network Time Protocol (NTP) to ensure that clocks are synchronized on systems sending log entries to the SIEM as well as the SIEM itself. This ensures that information from multiple sources has a consistent timeline. Information security managers should also periodically conduct log reviews, particularly for sensitive functions, to ensure that privileged users are not abusing their privileges. For example, if an information security team has access to eDiscovery tools that allow searching through the contents of individual user files, security managers should routinely review the logs of actions taken by those administrative users to ensure that their file access relates to legitimate eDiscovery initiatives and does not violate user privacy."
A is correct
It is clearly A.
SIEM needs that for correlation
A is correct. Without NTP/timestamps, it doesn't matter which log format the data arrives in. We MUST have the timestamps to correlate data.
Time sync is most important
Privacy regulations compliance is a must for SIEM administrator to ensure that the data sources do not contain information infringing upon privacy regulations.
Time synchronisation is obviously the most important thing. But how can the SIEM administrator influence the time of each reporting system? Even if the SIEM admin tries to insert some correction into the received timestamps, the source systems' time could deviate more and more over time. IMHO there is no way for the receiver to ensure a synchronous time.
C is not a MUST do for a SIEM administrator. I go with A.