Final answer:
To best address the visibility gap in the Intrusion Detection System logs regarding a compromise between two internal computers, installing Host-based Intrusion Detection Systems (HIDS) on each computer is recommended. HIDS provides detailed monitoring and analysis of each host, capturing malicious activities that network-level IDS might miss.
Step-by-step explanation:
A security engineer is investigating a compromise that occurred between two internal computers. During this investigation, it was identified that one computer infected another. The primary challenge the engineer faces is the visibility gap within the Intrusion Detection System (IDS) logs: while outbound callback traffic is visible, there is no record of traffic between the infected computers.
To address the IDS visibility gap, the most effective solution would be to install Host-based Intrusion Detection Systems (HIDS) on each computer. A HIDS operates on individual hosts or devices on the network, monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces. This will enable the security engineer to detect malicious activities on each host that might not be visible on the network-level IDS.
Other options such as network taps, forwarding logs to a Security Information and Event Management (SIEM) system, or SPAN (Switched Port Analyzer) traffic might be helpful in a broader sense but are not as directly targeted at the problem of inter-computer traffic visibility as HIDS. Specifically, network taps are more useful for capturing all traffic for deep packet inspection or real-time monitoring, often at the perimeter of the network rather than inside it. Sending syslogs to a SIEM is beneficial for centralized logging and correlation but does not inherently improve traffic visibility. SPAN traffic would allow for a large amount of network traffic to be monitored, but it may not capture all the necessary details at the host level where the compromise has already occurred.
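The gap described in this answer can be shown by comparing what a network IDS sensor logged with what agents on the hosts recorded. The following is an added example, not part of the original answer; the record layout, addresses and process names are constructed for illustration and do not correspond to any particular HIDS product.

```python
import ipaddress

# Constructed sample data (not from the original page).
# Flows the network IDS recorded: only traffic that crossed its sensor.
NIDS_FLOWS = [
    ("10.0.5.21", "203.0.113.50", 443),   # outbound callback from host A
    ("10.0.5.34", "203.0.113.50", 443),   # outbound callback from host B
]
# Connection records from hypothetical HIDS agents running on each host.
HIDS_EVENTS = [
    {"host": "10.0.5.21", "src": "10.0.5.21", "dst": "203.0.113.50", "dport": 443, "process": "updater.exe"},
    {"host": "10.0.5.21", "src": "10.0.5.21", "dst": "10.0.5.34", "dport": 445, "process": "updater.exe"},
    {"host": "10.0.5.34", "src": "10.0.5.21", "dst": "10.0.5.34", "dport": 445, "process": "System"},
    {"host": "10.0.5.34", "src": "10.0.5.34", "dst": "203.0.113.50", "dport": 443, "process": "updater.exe"},
]

# RFC 1918 ranges treated as "internal" for this example.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def visibility_gap(hids_events, nids_flows):
    """Return host-to-host flows reported by HIDS agents but absent from NIDS logs.

    Maps (src, dst, dport) to the set of hosts whose agent reported the flow.
    """
    seen_by_nids = set(nids_flows)
    gap = {}
    for ev in hids_events:
        flow = (ev["src"], ev["dst"], ev["dport"])
        if flow in seen_by_nids:
            continue  # the network sensor already has this one
        if is_internal(ev["src"]) and is_internal(ev["dst"]):
            gap.setdefault(flow, set()).add(ev["host"])
    return gap


if __name__ == "__main__":
    for (src, dst, port), reporters in sorted(visibility_gap(HIDS_EVENTS, NIDS_FLOWS).items()):
        print(f"{src} -> {dst}:{port} missing from NIDS; reported by {sorted(reporters)}")
```

In this sample the only flow missing from the network IDS is the connection between the two internal hosts, and both endpoints' agents report it, which is the evidence the engineer in the question lacks.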