4.2 Flashcards
Monitoring and visibility are a critical aspect of hardened security and zero trust initiatives
All types of systems must be monitored, including:
- Corporate LAN endpoint devices
- Web, email, productivity, and other application servers (e.g., SharePoint)
- Voice over Internet Protocol (VoIP), messaging, and conferencing services
- Databases and storage area networks
- Infrastructure devices
- Customer premises edge
what do Network monitoring tools enhance?
enhance visibility into system health by offering real-time information about various wired, wireless, and cloud-based components
This suite of tools utilizes two techniques to capture performance metrics from assorted infrastructure and security devices, both physical and virtual:
* Agent-based monitoring
* Agentless monitoring
Agent-based monitoring
leverages lightweight software, known as a monitoring agent, installed on the devices or virtual machines to track uptime and performance
Agentless monitoring
uses special application programming interfaces (APIs) or integrated code to track the health of the devices
a less intrusive way to achieve visibility
agent-based monitoring example
* A prototypical example of agent-based monitoring is using Simple Network Management Protocol version 2c and 3 agents on infrastructure devices to send traps and informs to SNMP management stations
* In cloud computing environments, special agents can be embedded into virtual machine instances or installed on instantiated virtual servers to perform various system management activities
* Drawback: agents can slow the system down
Agentless monitoring (info)
* It typically utilizes application-specific APIs and different network protocols (such as SNMP and Windows Management Interface, WMI) to discern the overall performance of on-site and cloud-based assets, such as servers and applications
* This monitoring method does not involve the overhead of installing, tuning, and updating dedicated or third-party monitoring agents on every component
* This may be considered easier than the traditional agent-based approach
* Less intrusive
Log aggregation
the process of accumulating, categorizing, standardizing, and consolidating log data from across an IT infrastructure to enable and enhance streamlined log analysis
what happens without Log aggregation?
administrators and engineers would have to manually organize, deduplicate, and search through log data from various sources to generate meaningful metrics and information
Log aggregation goals
- Replicating log files to a centralized location
- Collecting Syslog, auditd, and other traps
- Supporting automated pipelines and workflows
- Parsing key-value pairs
- Performing more complex transformations such as multiline log aggregation, tokenization, scrubbing, or masking sensitive data
alerting
delivers metrics and alarms from various tools and systems to admins and security operators for informational/event notifications, incident management, and optimization of the wider ecosystem
what do alerting systems help ensure?
that event responses are quick and efficient so that the odds of overlooked actions are reduced
The Security Content Automation
Protocol (SCAP)
a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality
- Makes compliance more achievable
importance of SCAP
Improves cybersecurity posture
Streamlines vulnerability evaluation
Simplifies compliance
Makes software deployments easy
Boosts cybersecurity collaboration
SCAP specifications
Asset Identification
Asset Reporting Format (ARF)
Common Platform Enumeration (CPE)
Open Vulnerability Assessment Language (OVAL)
Open Checklist Interactive Language (OCIL)
Trust Model for Security Automation Data (TMSAD)
Extensible Configuration Checklist Description Format
(XCCDF)
Software Identification (SWID) Tagging
Asset Identification
plays an important role in an organization's ability to quickly correlate different sets of information about assets
Asset Reporting Format (ARF)
a data model to express the transport format of information about assets, and the relationships between assets and reports
Common Platform Enumeration (CPE)
a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets
Open Vulnerability Assessment Language (OVAL)
an information security community effort to standardize how to assess and report upon the machine state of computer systems
Open Checklist Interactive Language (OCIL)
a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions
Trust Model for Security Automation Data (TMSAD)
describes a common trust model that can be applied to specifications within the security automation domain, such as SCAP
Extensible Configuration Checklist Description Format
(XCCDF)
is a specification language for writing security checklists, benchmarks, and related kinds of documents
Software Identification (SWID) Tagging
allows for the proper management of software inventories of managed devices in support of higher-level business, information technology, and cybersecurity functions
Security information and event management (SIEM)
is a solution that helps enterprises detect, analyze, and respond to security threats before they affect business operations
Security information and event management (SIEM) is a combination of?
security information management (SIM) and security event management (SEM) into a unified security management system
SIEM technology gathers?
event log data from a range of sources and recognizes activity that diverges from the norm in real time
benefits of SIEM systems
* A centralized look at potential threats
* Advanced threat intelligence
* Regulatory compliance auditing and reporting
* Enhancing transparency into users, applications, and devices
Security orchestration, automation, and response (SOAR)
an assortment of software services and tools that allow organizations to simplify and aggregate security operations in three core areas
Security orchestration, automation, and response (SOAR) 3 core areas:
- Threat and vulnerability management
- Incident response
- Security operations automation
Security automation involves:
performing security-related tasks without the need for human intervention
- Can be defensive detection, response, and remediation, or offensive vulnerability assessment and penetration testing
Antivirus software
intended to protect computers and mobile devices from exploits, malware, crackers, and cybercriminals
antivirus systems examine:
data on hard drives, memory, and incoming packets from the Internet (websites, email messages, attachments, and applications) to recognize, block, and offer ongoing protection against malicious software, infected links, and other threats and suspicious activity
Antivirus software functions by:
regularly scanning all devices to discover and block known worms and viruses as well as new and emerging malware variants
heuristic rules
human-driven, but can also be a machine learning tool
Antivirus forms of detection:
- Signature detection
- Heuristic detection of files
- Multicriteria analysis (MCA): uses the data from other detection methods to flag a file as possibly dangerous
- Sandbox and cloud analysis
- Intrusion prevention via host intrusion prevention system (HIPS)
- Anti-spam
- Ransomware protection
Data loss prevention (DLP)
a security initiative that recognizes and mitigates unsafe or unauthorized sharing, transfer, or use of sensitive data such as personally identifiable information (PII) and protected health information (PHI)
DLP engines and services can help organizations with:
monitoring and protection of sensitive information across on-premises systems, cloud-based locations, and endpoint devices
It also assists with compliance for regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR)
Simple Network Management Protocol (SNMP)
a powerful protocol and toolset that facilitates the sharing of information among various devices on a network, regardless of their hardware or software
SNMP uses a basic client-server architecture consisting of:
- Managers, which collect and process information about devices on the network
- Clients, called agents, which are any type of device or device component connected to the network
NetFlow
a network monitoring protocol, developed by Cisco, invented to capture metrics about the volume and types of traffic traversing a network device
Technically, a flow is defined by its 5-tuple, a collection of five data points:
- The source and destination IP addresses exchanging information
- The source and destination ports, if any (ICMP, for example, doesn't use ports)
- The protocol