Application Security Monitoring and Logging

Correct Answer: Notify the incident response team

The appropriate response when discovering a security incident is to notify the incident response team to investigate, as they are trained to handle such situations. Ignoring the incident, deleting the log, restarting the server, or disabling logging can have negative consequences or cause further damage. A vulnerability scan might be useful later, but it's not the initial response.

Correct Answer: Perform a risk assessment on the vulnerability

The first step should be performing a risk assessment to understand the scope and potential impact of the vulnerability. Terminating the application, disabling logging functionality, or announcing the vulnerability can have negative consequences on the business or clients. A patch should be developed after the risk assessment, and forcing a password reset is not related to app logging.

Correct Answer: Implement SIEM to centralize and correlate log data.

The most effective solution to the gap in correlation of events across multiple systems in application security monitoring and logging is to implement a Security Information and Event Management (SIEM) system. A SIEM system centralizes the storage and interpretation of logs, which allows for the correlation of events across multiple systems. This can provide a holistic view of the security posture and facilitate the detection of sophisticated threats that may operate across different assets. By correlating events, a SIEM makes it easier to identify patterns that could indicate a security incident or breach. Increasing the retention period for all system logs does not address the issue of correlating events, it simply keeps the logs available for a longer period. While long retention periods can be beneficial for forensic purposes, they do not enhance the real-time or proactive correlation and analysis of security events. Enhancing the granularity of individual system logging could result in more detailed logs, but unless those logs are correlated, the issue of identifying events across multiple systems remains unresolved. Detailed logs would still be in silos without a centralized system to analyze the broader context. Deploying additional firewall rules to restrict traffic between systems might improve the security posture by limiting potential attack pathways, but it does not contribute to the monitoring or correlation of application security events. It's a preventative measure rather than a monitoring or correlation strategy.