IDS Visibility Gap Solution
Question
A security engineer is investigating a compromise that occurred between two internal computers.
The engineer has determined during the investigation that one computer infected another.
While reviewing the IDS logs, the engineer can view the outbound callback traffic, but sees no traffic between the two computers.
Which of the following would BEST address the IDS visibility gap?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.C.
In this scenario, the security engineer is investigating a compromise that occurred between two internal computers, where one computer infected another. The engineer can view the outbound callback traffic, but there is no traffic between the two computers in question. This indicates that there is an IDS visibility gap, and the engineer needs to take steps to address this issue.
Option A, installing network taps at the edge of the network, can help improve visibility, but it may not be sufficient in this scenario. Network taps are used to copy network traffic and send it to an IDS for analysis. While this can provide better visibility into network traffic, it may not be effective in detecting traffic between two internal computers on the same network segment.
Option B, sending syslog from the IDS into the SIEM, can help improve visibility by centralizing log data from different sources into a single location. However, it may not address the specific IDS visibility gap in this scenario, where there is no traffic between the two computers in question.
Option C, installing HIDS on each computer, can help improve visibility by monitoring host-based activity on each computer. HIDS can detect suspicious activity, such as changes to system files or network connections, that may be missed by network-based IDS. However, it may not address the specific IDS visibility gap in this scenario, where the engineer is trying to detect traffic between two internal computers.
Option D, SPAN traffic from the network core into the IDS, is the best answer in this scenario. SPAN (Switched Port Analyzer) is a method of forwarding a copy of network traffic to an IDS for analysis. By configuring a SPAN port on the network core, the security engineer can capture all traffic between the two internal computers, even if it doesn't pass through the IDS directly. This will allow the engineer to investigate the traffic and determine how the infection occurred.
Therefore, the best option to address the IDS visibility gap in this scenario is D, SPAN traffic from the network core into the IDS.
