Network Intrusion Detection/Prevention Systems
SIEM: Security Information and Event Management
Network Log Analysis
Host Firewall: iptables/firewalld/Windows Firewall
Attack Surface Reduction
IDS/IPS: An IDS (intrusion detection system) is software that monitors activity on the network and automatically generates logs of what it sees. If suspicious activity is detected, the IDS sends out alerts, and the cybersecurity professionals will (hopefully) examine the alerts and act accordingly. An IPS (intrusion prevention system) is very similar, except that the IPS automatically takes action when it detects suspicious activity.
Unfortunately, both IDS and IPS are known for generating false positive alerts, which can be difficult to tell apart from real ones. Where an IDS or IPS is operated by live personnel, part of the job is triaging these alerts to separate the false positives from the real intrusions.
SIEM: Security Information and Event Management is
Network Log Analysis: After an intrusion or incident has occurred, investigators need to figure out what happened. One of the best ways is to analyze the network logs: who came in, and what did they do? This can be done manually, where a human slowly reads through the logs to see what happened, or automatically, by running the logs through a data mining tool.
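As an added example covering both the IDS alerting idea above and the log analysis step (this is not from the original notes), the shell functions below count failed SSH logins per source address in a handful of constructed auth.log-style lines and only raise a "brute force" flag once a source crosses a threshold. The hostnames, users and addresses are made up, and the threshold of three failures is an assumption; the point is that the one-off typo from 198.51.100.20 stays below it, which is the simplest form of false-positive control.

```shell
#!/bin/sh
# Added example: counting failed SSH logins per source in auth.log-style lines.
# The log lines below are constructed for this example (hosts, users and
# addresses are made up); the layout mirrors syslog-style sshd messages.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:01:22 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:01:40 host1 sshd[2210]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:02:01 host1 sshd[2212]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Mar  3 10:02:30 host1 sshd[2215]: Accepted publickey for bob from 192.0.2.9 port 39000 ssh2'

# failed_logins_by_source: read log lines on stdin and print "<count> <source-ip>"
# for every address that produced a "Failed password" event, busiest first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            # the source address is the word right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# flag_brute_force THRESHOLD: print only the sources with at least THRESHOLD
# failures. A single mistyped password (198.51.100.20 above, followed by a
# successful login) stays below the threshold, so it never reaches the alert
# queue; a source hammering several accounts does.
flag_brute_force() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample (prints 203.0.113.7):
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force 3
```

On a real host the same functions take `cat /var/log/auth.log | flag_brute_force 3` (or a `journalctl -u ssh` dump) on stdin; the threshold and a short time window are the knobs an analyst tunes to trade missed attacks against false positives.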
Network Firewall: A network firewall is one of the critical defensive devices whose purpose is to protect an entire network. Usually placed at the very edge of a network, a firewall can block certain IP addresses or certain ports, and can usually detect suspicious activity and block that as well. Configuring a network firewall properly is critical to the security of the network.
Host Firewall: A host firewall is a firewall which protects a single computer or device. Similar to a network firewall, a host firewall can block suspicious incoming connections. It’s important to have both a network firewall as well as host firewalls to build defense in depth: if the network layer fails to block an attack, the host layer still has a chance to succeed.
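As an added example of what "configuring a host firewall" looks like in practice (not from the original notes), the script below generates a default-deny iptables ruleset for a single Linux host in iptables-restore format. It only prints the ruleset so it can be reviewed; loading it with `iptables-restore` needs root and is left to the operator. Assumptions: IPv4 filter table only, and that SSH (22) and HTTPS (443) are the services this host is meant to expose.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset for one Linux host.
# Output is iptables-restore(8) text; nothing is applied by this script.
# Assumption: IPv4 filter table only.

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_host_ruleset PORT...: print a ruleset that accepts loopback traffic,
# replies to connections the host itself opened, and new TCP connections only
# on the listed ports; everything else is logged and then dropped by policy.
build_host_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "build_host_ruleset: bad port '$p'" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default deny inbound
    echo ':FORWARD DROP [0:0]'     # a host is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the policy is about to drop, so the log analysis
    # step has something to work with.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4'
    echo 'COMMIT'
}

# Stand-alone run: ruleset exposing only SSH and HTTPS.
build_host_ruleset 22 443
```

The shape is the same on other tools: a default-deny inbound policy, an explicit allow for established connections, and a short list of ports that are open on purpose. The rejected `bad port` path matters because a ruleset with a garbled rule is typically rejected by `iptables-restore` as a whole, leaving the old rules in place.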
[Image caption: Hopefully your firewall works better than this.]
Attack Surface Reduction: The more functionality a system has, the more security vulnerabilities it will have. The most secure system in the world is a system which does nothing at all. Attack surface reduction is about removing unneeded functionality, to reduce the number of vulnerabilities in a system. Usually this means turning off features you’re not using on a server or on network devices.
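As an added example of how to find the features to turn off (not from the original notes), the function below takes a socket listing in the shape of `ss -tlnH` output and reports every listener that is reachable from the network and not on an allowlist of ports the host is supposed to serve. The listing is constructed for this example, and the allowlist of 22 and 443 is an assumption; on a real host you would pipe the live `ss -tlnH` output in instead.

```shell
#!/bin/sh
# Added example: list network-reachable listeners that are not on an allowlist.
# Input is socket-listing text in the shape of `ss -tlnH` (TCP listeners,
# numeric ports, no header). The sample is constructed for this example.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 50 [::]:3306 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*'

# unexpected_listeners "PORT PORT ...": print "<port> <bind-address>" for every
# listener that is not bound to loopback and whose port is not in the
# space-separated allowlist. Loopback-only services are skipped because they
# are not reachable from the network (they still count as local attack surface).
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # local address is field 4; the port is whatever follows the last colon
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) print port, addr
        }'
}

# Stand-alone run. Each flagged port is a candidate for
# `systemctl disable --now <unit>` (or removing the package) once you have
# confirmed nothing depends on it. Prints "111 0.0.0.0" and "3306 [::]".
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 443"
```

In the sample, the RPC port 111 and the database port 3306 are exposed to the network without being on the list, while the cache on 127.0.0.1:6379 is not flagged; whether a database should listen on all interfaces at all is exactly the kind of question this check is meant to raise.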