4.3 Incident Investigation Flashcards
Vulnerability scans
- Uses a database of known vulnerabilities to scan systems based on signatures
- Run on systems to ensure that they are properly configured and hardened
Security Information and Event Management (SIEM) (2)
- Consolidates logs from multiple systems for analysis
- Has logic to find correlations in the data to help identify potential breaches
Define sensor relative to SIEM
Can provide network traffic data to the SIEM in a standardized format
Define SIEM alerts
The capability of a SIEM to analyze collected data and raise alerts based on it
Define syslog
A standard utility for transferring log files from a device to a central location; works across many different operating systems
Define rsyslog & syslog-ng
Syslog-like implementations used on Linux systems that do not have syslog
Define journalctl
A tool that allows querying logs stored in a special binary format on Linux systems
Define NXLog
A syslog alternative that runs as a daemon on Linux
Define NetFlow
A multi-vendor standard for gathering network statistics from switches, routers, and other devices into a central repository for analysis
Define IP flow information export (IPFIX)
A newer version of NetFlow with extended capabilities
Define sFlow
NetFlow and IPFIX can consume significant resources during collection; sFlow is an alternative that only takes samples of network traffic to reduce resource usage