ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your organization is deploying a new SIEM that will ingest security event data in near real-time from application servers located in branch offices connected over the public Internet. To prevent both eavesdropping on the log contents and the insertion of forged log messages while they are in transit, which log-transfer design should you recommend?
Batch log files hourly, compress them, and upload via FTP over an IP-whitelisted channel to the SIEM.
Attach an HMAC to each log entry but forward them over unencrypted TCP to minimize overhead.
Use RFC 5425 syslog over TLS with mutual certificate authentication between every server and the SIEM.
Send standard UDP syslog on port 514 across a dedicated management VLAN to limit exposure.
The TLS transport mapping for syslog defined in RFC 5425 establishes an encrypted channel, so packet sniffers cannot read log contents (protecting confidentiality), and it requires X.509 certificate-based mutual authentication between the log sender and receiver (providing strong source authentication and integrity). This combination directly mitigates the twin risks of eavesdropping and message injection. A plain UDP syslog feed on a separate VLAN offers no cryptographic protection. FTP, even over an IP-restricted path, transmits data unencrypted and relies on post-transfer integrity checks at best. Forwarding logs over unencrypted TCP, even with an HMAC attached to each entry, would still expose the data to interception and relies on a shared secret that cannot authenticate individual hosts as robustly as mutual TLS. Therefore, the RFC 5425 syslog-over-TLS approach is the most effective answer.
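The design in the correct answer, as an added Python example (not part of the original question or its explanation): both ends require a peer certificate, and the receiver reassembles RFC 5425 octet-counted messages from arbitrarily split TLS reads. The function names, the certificate path parameters, `MAX_MSG_LEN` and the sample messages are assumptions made for this illustration.

```python
import ssl

SYSLOG_TLS_PORT = 6514   # port registered for syslog over TLS
MAX_MSG_LEN = 8192       # assumed receiver limit for this example

def _context(protocol, cert, key, ca):
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # peer must present a valid certificate
    if cert:
        ctx.load_cert_chain(cert, key)       # this host's own identity
    if ca:
        ctx.load_verify_locations(ca)        # CA that issued the peers' certificates
    return ctx

def receiver_context(cert=None, key=None, ca=None):
    """SIEM side: the handshake fails for any sender without a valid certificate."""
    return _context(ssl.PROTOCOL_TLS_SERVER, cert, key, ca)

def sender_context(cert=None, key=None, ca=None):
    """Application-server side: verifies the SIEM's certificate and hostname."""
    return _context(ssl.PROTOCOL_TLS_CLIENT, cert, key, ca)

def frame(msg: bytes) -> bytes:
    """RFC 5425 octet counting: MSG-LEN SP SYSLOG-MSG."""
    return str(len(msg)).encode("ascii") + b" " + msg

class FrameReader:
    """Reassembles framed messages from arbitrarily split TLS reads."""
    def __init__(self):
        self.buf = b""

    def feed(self, data: bytes) -> list:
        self.buf += data
        out = []
        while True:
            head, sep, rest = self.buf.partition(b" ")
            if not sep:                      # length prefix not complete yet
                if head and (not head.isdigit() or len(head) > len(str(MAX_MSG_LEN))):
                    raise ValueError("bad MSG-LEN")
                return out
            if not head.isdigit() or head[:1] == b"0" or int(head) > MAX_MSG_LEN:
                raise ValueError("bad MSG-LEN")
            n = int(head)
            if len(rest) < n:                # message body still in flight
                return out
            out.append(rest[:n])
            self.buf = rest[n:]

# Constructed sample messages in RFC 5424 format, not taken from the page.
SAMPLE = [b"<86>1 2024-05-01T10:00:00Z branch01 app 101 - - login ok",
          b"<84>1 2024-05-01T10:00:02Z branch02 app 102 - - login failed"]
```

In a deployment, each context is given real certificate, key and CA paths and wraps a TCP socket on `SYSLOG_TLS_PORT`; bytes returned by the TLS socket's `recv()` go straight into `FrameReader.feed()`.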
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Architecture and Design