Re-read the question. The question asks about integrity of the AGGREGATE logs. Answer choice A only mentions hashing the source logs. Either way, hashing does not *provide* integrity. Rather, hashing will detect whether or not the integrity of a particular piece of data is maintained, but hashing on its own will not ENSURE the integrity. You need a preventative control, which would be storing on a write-protected server.
I say C. The way a SIEM protects logs is by write protecting them. Quote from Darril Gibson's Security+ 501 book:
"Logs/WORM: A SIEM typically includes methods to prevent
anyone from modifying log entries. This is sometimes referred to as
write once read many (WORM). As logs are received, the SIEM will
aggregate and correlate the log entries. After processing the logs, it
can archive the source logs with write protection."
By comparing the hash values of the original log files with the hash values of the log files stored within the SIEM, organizations can verify the integrity of the log files and detect any unauthorized modifications or tampering.
The correct answer is C. Write protect the aggregated log files and move them to an isolated server with limited access.
Here’s a breakdown of why option C is the best choice for ensuring the integrity of aggregated log files within a Security Information and Event Management (SIEM) system:
Write Protection: This prevents any modifications to the log files after they are created. Once logs are written, protecting them from changes ensures that the data remains trustworthy and tamper-proof.
Isolated Server with Limited Access: By storing the logs on an isolated server, you reduce the risk of unauthorized access and potential tampering. Limited access control ensures that only designated personnel can interact with the logs, further securing the integrity of the data.
Hashing source log files does nothing to ensure the integrity of aggregated log files.
Technically, all answers here are wrong. You should hash the aggregated log files AND move them to an isolated server.
Once the log files are aggregated, they cannot be tampered with, as write protection prevents any modifications. Moving them to an isolated server with limited access further enhances security by reducing the risk of unauthorized access.
Option A, “Set up hashing on the source log file servers that complies with local regulatory requirements,” is indeed a security measure, but it doesn’t directly ensure the integrity of the aggregated log files within a SIEM.
Hashing is used to verify the integrity of data during transmission or storage, ensuring that the data hasn’t been tampered with. However, this measure is typically applied at the source log file servers, not on the aggregated log files within the SIEM.
On the other hand, option C, “Write protect the aggregated log files and move them to an isolated server with limited access,” directly targets the aggregated log files in the SIEM, ensuring their integrity by preventing unauthorized access or modifications.
So, while both options are security measures, option C is more directly related to the question’s focus on the integrity of aggregated log files within a SIEM.
It's C.
From Darril Gibson's SY0-601 book:
"The following list outlines some additional capabilities shared by most SIEMs:
- log collectors
- data inputs
- log aggregation
- correlation engine
- reports
- packet capture
- user behavior analysis
- sentiment analysis
- security monitoring
- automated triggers
- time synchronization
- event deduplication
- Logs/WORM:
A SIEM typically includes methods to prevent anyone from modifying log entries.
This is sometimes referred to as write once read many (WORM).
As logs are received, the SIEM aggregates and correlates the log entries.
After processing the logs, it can archive the source logs with write protection."
C. Write protect the aggregated log files and move them to an isolated server with limited access.
This option directly addresses the integrity of the aggregated log files within the SIEM. Write protection helps prevent any unauthorized changes or tampering with the log data, while isolating the files on a server with limited access enhances security and controls over who can access and modify them.
Option A (setting up hashing on the source log file servers) is also a good practice for ensuring log file integrity at the source level, but it may not directly address the integrity of aggregated log files within the SIEM, which was the specific focus of the question.
Therefore, for maintaining the integrity of aggregated log files in the context of a SIEM, option C would be the more suitable choice.
C ensures that the log files are protected from unauthorized modifications and are stored in an environment with restricted access, which helps maintain their integrity and prevents tampering.
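As an added illustration (not from any commenter or from the book quoted above), the following Python contrasts the detective control the thread debates (a hash baseline that detects a later modification) with the preventive one (a read-only, WORM-style archive). It assumes constructed sample events and a local temporary directory; running as root bypasses the file-mode protection, which is exactly why the answer also moves the archive to an isolated server with limited access.

```python
import hashlib
import os
import tempfile

# Constructed sample events standing in for what a SIEM has aggregated.
SAMPLE_EVENTS = [
    "2024-01-01T00:00:01Z host1 sshd: Accepted publickey for alice",
    "2024-01-01T00:00:05Z host2 sshd: Failed password for root",
]


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_aggregate(directory, events):
    """Write the aggregated log, record its baseline hash, then write-protect it."""
    path = os.path.join(directory, "aggregate.log")
    with open(path, "w") as f:
        f.write("\n".join(events) + "\n")
    baseline = sha256_file(path)   # detective control: baseline for later comparison
    os.chmod(path, 0o440)          # preventive control: read-only (WORM-style)
    return path, baseline


def verify_aggregate(path, baseline):
    return sha256_file(path) == baseline   # True only if the archive is unchanged


def append_blocked(path, line):
    """Try to append a line; True if the file mode blocked the write."""
    try:
        with open(path, "a") as f:
            f.write(line + "\n")
        return False
    except PermissionError:
        return True


def demo():
    """Hash detects a change; write protection prevents one (unless run as root)."""
    with tempfile.TemporaryDirectory() as d:
        path, baseline = archive_aggregate(d, SAMPLE_EVENTS)
        intact = verify_aggregate(path, baseline)          # True: untouched so far
        blocked = append_blocked(path, "forged entry")     # True for non-root users
        os.chmod(path, 0o640)  # a privileged operator lifts the protection and edits
        append_blocked(path, "2024-01-01T00:00:10Z host2 sshd: Accepted password for root")
        detected = not verify_aggregate(path, baseline)    # True: hash no longer matches
        return {"intact": intact, "blocked": blocked, "detected": detected}
```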