CISSP PRACTICE QUESTIONS – 20210308

Effective CISSP Questions

Which of the following best describes a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to the final result?
A. Audit trail
B. Accountability
C. User and Entity Behavior Analytics
D. Security information and event management (SIEM)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Audit trail.

Logs are the work product of accounting. Accountability is achieved by reviewing or examining (auditing) a set of correlated logs (an audit trail) so that activity can be traced uniquely to an entity.

Accounting, Auditing, and Accountability (Yet Another AAA)

  • Accountability is “the security objective that generates the requirement for actions of an entity to be traced uniquely to that entity.” (NIST SP 800-33)
  • Audit is the “independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.” (NIST SP 800-12 Rev. 1)
  • Audit trail is “a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.” (NIST SP 800-53 Rev. 4)
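As an added example (not from the original post or the NIST sources), the following Python reconstructs an audit trail from constructed log lines emitted by three sources: it orders the events chronologically, confirms that they trace uniquely to one entity, and rejects a trail that cannot be attributed to a single subject. The log format, field names and transaction ids are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample records from an auth server, an application and a
# database, deliberately out of order, as they might arrive at a collector.
SAMPLE_LOGS = [
    "2021-03-08T09:00:05Z app  txn=7f3a user=alice action=submit-transfer outcome=accepted",
    "2021-03-08T09:00:01Z auth txn=7f3a user=alice action=login outcome=success",
    "2021-03-08T09:00:09Z db   txn=7f3a user=alice action=update-balance outcome=committed",
    "2021-03-08T09:00:03Z app  txn=7f3a user=alice action=open-transfer-form outcome=ok",
    "2021-03-08T09:01:00Z auth txn=9c21 user=bob action=login outcome=failure",
    "2021-03-08T09:00:12Z app  txn=7f3a user=alice action=logout outcome=ok",
]


def parse_record(line):
    """Parse one assumed-format line: timestamp, source, then key=value fields."""
    ts, source, *fields = line.split()
    rec = {"timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def reconstruct_audit_trail(lines, txn):
    """Return (events, subject): the chronological events of one transaction
    from inception to final result, and the single entity they trace to.

    Raises ValueError when the events do not trace uniquely to one subject,
    because accountability requires unique attribution.
    """
    records = (parse_record(line) for line in lines)
    events = sorted((r for r in records if r.get("txn") == txn),
                    key=lambda r: r["timestamp"])
    subjects = {e["user"] for e in events}
    if len(subjects) != 1:
        raise ValueError(f"transaction {txn} traces to {sorted(subjects)}, not a unique entity")
    return events, subjects.pop()


if __name__ == "__main__":
    trail, who = reconstruct_audit_trail(SAMPLE_LOGS, "7f3a")
    print(f"transaction 7f3a traced to {who}:")
    for e in trail:
        print(f"  {e['timestamp'].isoformat()} {e['source']:<4} {e['action']} -> {e['outcome']}")
```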

SIEM

Security information and event management (SIEM) refers to the collection, analysis, correlation, and related activities that support auditing and tracing accountability. A SIEM server is a server that supports security information and event management.

User and Entity Behavior Analytics (UEBA)

User behavior analytics (UBA) as defined by Gartner is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats.

Developments in UBA technology led Gartner to evolve the category to user and entity behavior analytics (“UEBA”). In September 2015, Gartner published the Market Guide for User and Entity Analytics by Vice President and Distinguished Analyst, Avivah Litan, that provided a thorough definition and explanation. UEBA was referred to in earlier Gartner reports but not in much depth. Expanding the definition from UBA includes devices, applications, servers, data, or anything with an IP address. It moves beyond the fraud-oriented UBA focus to a broader one encompassing “malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.” The addition of “entity” reflects that devices may play a role in a network attack and may also be valuable in uncovering attack activity. “When end users have been compromised, malware can lay dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats.”

Source: Wikipedia

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Which of the following best describes a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to the final result?
A. Audit trail
B. Accountability
C. User and Entity Behavior Analytics
D. Security information and event management (SIEM)
