4.4 Flashcards
DLP
data loss prevention
a strategy to prevent sensitive data from leaving an org
aims to monitor data in use, in transit, or at rest to detect and prevent data theft
Types of DLP Systems
Endpoint DLP
Network DLP
Storage DLP
Cloud Based DLP
Endpoint DLP
installed as software on workstations or laptops
monitors data in use on individual computers
can prevent or alert on file transfers based on predefined rules
Network DLP
Software or hardware placed at the network perimeter
● Focuses on monitoring data entering and leaving the network
● Detects unauthorized data leaving the network
Storage DLP
installed on a server in the data center
inspects data at rest
Cloud based DLP
offered as a SaaS solution
protects data in the cloud
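The four DLP types above differ in where the sensor sits, but all of them apply the same kind of predefined content rules to whatever data they see. The following is an added example, not code from the original notes or from any DLP product, showing how such a rule set works: pattern matching plus a validator (the Luhn checksum) so that an order number that merely looks like a card number does not trigger a block. The sample content and the "block"/"alert" action names are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample content (not real data): what a DLP sensor might inspect
# in a file on disk (at rest), an e-mail body or HTTP POST (in transit), or a
# clipboard/print job on an endpoint (in use).
SAMPLES = {
    "invoice.txt": "Customer paid with card 4111 1111 1111 1111, thanks.",
    "notes.txt":   "Order number 1234 5678 9012 3456 shipped on Monday.",
    "hr.csv":      "name,ssn\nJane Doe,219-09-9999\n",
    "readme.md":   "Nothing sensitive here.",
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN in dashed form


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out random digit runs
    (order numbers, phone numbers) that merely look like a card number."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card(match: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", match))


# Predefined rules: (data type, pattern, validator or None, action on hit).
# The action names are hypothetical; real products use their own vocabulary.
RULES = [
    ("PAN", CARD_RE, is_card, "block"),
    ("SSN", SSN_RE, None, "alert"),
]


def inspect(content: str) -> List[Tuple[str, str]]:
    """Return (data type, action) for each rule that fires on the content."""
    hits = []
    for kind, pattern, validator, action in RULES:
        for m in pattern.finditer(content):
            if validator is None or validator(m.group()):
                hits.append((kind, action))
                break   # one hit per rule is enough to decide the action
    return hits


def scan_all(samples=SAMPLES):
    return {name: inspect(content) for name, content in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:12} {hits or 'clean'}")
```

Without the Luhn check, notes.txt would be blocked too; that kind of false positive is what makes users route around DLP, so validators matter as much as patterns.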
Monitoring systems
Involves observing CPU, memory, disk usage, and network performance
Baseline
A reference point representing normal system behavior under typical operating
conditions
■ Baseline metrics can include CPU usage, memory utilization, disk activity, and
network traffic
Alerting
Involves setting up notifications for specific events or conditions
● Alerts can be triggered based on thresholds or anomalies
Scanning
Regularly examines systems, networks, or applications to identify
vulnerabilities, misconfigurations, and issues
includes vulnerability scanning, configuration scanning, and code scanning
Archiving
Involves long-term storage of data, including
○ Log data
○ Performance data
○ Incident data
Quarantining
Isolates a system, network, or application suspected of being compromised
■ Prevents the spread of threats and limits potential impact
■ Commonly used when dealing with malware infections
Alert Tuning
Adjusts alert parameters to reduce errors, false positives, and improve alert
relevance
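Baseline, alerting and alert tuning fit together as one loop: learn what normal looks like, compare live samples against it, then adjust the rule so it stops firing on noise. This added example (not from the original notes) shows that loop on a constructed CPU series: a static threshold rule, a baseline-relative anomaly rule, and a "consecutive breaches" knob that suppresses a one-off spike while still catching a sustained rise. All sample values and parameter names are assumptions for the example.

```python
import statistics
from typing import List, Tuple

# Constructed sample: CPU utilisation (%) sampled once a minute (not real data).
# TRAINING is a quiet window used to learn the baseline; LIVE contains a single
# one-off spike (a false-positive candidate) followed by a sustained rise.
TRAINING = [22, 25, 21, 24, 23, 26, 22, 24, 25, 23,
            22, 24, 26, 23, 25, 22, 24, 23, 25, 24]
LIVE = [24, 23, 90, 25, 24, 23, 70, 72, 75, 78, 80, 79]


def baseline(samples: List[float]) -> Tuple[float, float]:
    """Reference point for 'normal': mean and standard deviation of the quiet window."""
    return statistics.mean(samples), statistics.pstdev(samples)


def evaluate(live, mean, stdev, *, threshold=85.0, z_limit=3.0, consecutive=3):
    """Return a list of (sample index, reason) alerts.

    threshold    static rule: fires on any single sample above the value
    z_limit      anomaly rule: sample deviates from the baseline by more than
                 z_limit standard deviations
    consecutive  tuning knob: the anomaly rule only fires after this many
                 breaches in a row, which suppresses one-off spikes
    """
    alerts = []
    streak = 0
    for i, value in enumerate(live):
        if value > threshold:
            alerts.append((i, "threshold"))
        z = (value - mean) / stdev if stdev else 0.0
        streak = streak + 1 if abs(z) > z_limit else 0
        if streak == consecutive:
            alerts.append((i, "anomaly"))
    return alerts


def run(consecutive: int = 3):
    mean, stdev = baseline(TRAINING)
    return evaluate(LIVE, mean, stdev, consecutive=consecutive)


if __name__ == "__main__":
    print("untuned:", run(consecutive=1))
    print("tuned:  ", run())
```

Untuned (consecutive=1) the anomaly rule fires on the spike at index 2 and again at index 6; tuned to three consecutive breaches it ignores the spike and fires once at index 8, when the rise is clearly sustained. The static threshold still catches the spike on its own, which is why both rule types are usually kept.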
SNMP
Simple Network Management Protocol (SNMP)
An Internet protocol used for collecting information from managed devices on IP
networks and modifying device behavior
Managed devices include the following
● Routers
● Switches
● Firewalls
● Printers
● Servers
● Client devices
SNMP Manager
A central system that collects and processes information from managed devices
■ Often set up as a server, especially in large enterprise environments
■ Sends and receives SNMP messages to and from agents
SNMP Agents
Networked devices that send information about themselves to the manager
■ Run background services to collect data and send it to the manager
■ Transmit data at regular intervals or when requested by the manager
SNMP Message Types
SET
GET
TRAP
SET
Manager-to-agent request to change variable values
GET
Manager-to-agent request to retrieve variable values
TRAP
Asynchronous notifications from agents to the manager to notify
significant events
● Notify the manager of events such as uptime, configuration changes, and
network downtime
● May be granular or verbose
TRAP Granular
Each TRAP message sent carries a unique object identifier (OID) that lets
the manager distinguish it from every other message it receives
OID
Unique object identifier used to identify variables
for reading or setting via SNMP
● Allows the manager to distinguish individual SNMP
trap messages
MIB
management info base
A hierarchical namespace containing OIDs and their
descriptions
● Describes the structure of device subsystem
management data
● Gives the manager the definitions it needs to interpret the OIDs carried
in SNMP traps
Verbose TRAP
SNMP traps may be configured to contain all of the information about a given alert or event as a payload
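The OID, MIB, granular TRAP and verbose TRAP cards above describe one workflow on the manager side: take the OIDs in a trap, look them up in the MIB's hierarchical namespace, and use the trap's identifying OID to decide what event it is. This added example (not from the original notes or any SNMP library) does that with a hand-built mini-MIB and a constructed linkDown trap that is already decoded into variable bindings; the wire-level BER encoding and transport are out of scope. The node names and numbers used are the standard ones, but the table itself is an assumption for the example.

```python
from typing import Dict, List, Tuple

# Constructed mini-MIB: a hierarchical namespace mapping OID prefixes to names.
# The node names and numbers are the standard ones (SNMPv2-MIB / IF-MIB), but
# this table is hand-built for the example, not loaded from real MIB files.
MIB = {
    "1.3.6.1.2.1":           "mib-2",
    "1.3.6.1.2.1.1":         "system",
    "1.3.6.1.2.1.1.3":       "sysUpTime",
    "1.3.6.1.2.1.1.5":       "sysName",
    "1.3.6.1.2.1.2.2.1.8":   "ifOperStatus",
    "1.3.6.1.6.3.1.1.5":     "snmpTraps",
    "1.3.6.1.6.3.1.1.5.1":   "coldStart",
    "1.3.6.1.6.3.1.1.5.3":   "linkDown",
    "1.3.6.1.6.3.1.1.5.4":   "linkUp",
}
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0: names the trap in every v2c/v3 trap

# Constructed trap, already decoded into (OID, value) variable bindings; the
# on-the-wire BER encoding is out of scope here. sysUpTime.0 is in TimeTicks.
LINKDOWN_TRAP = [
    ("1.3.6.1.2.1.1.3.0", 123456),
    (SNMP_TRAP_OID, "1.3.6.1.6.3.1.1.5.3"),
    ("1.3.6.1.2.1.2.2.1.8.3", 2),          # ifOperStatus for interface index 3: 2 = down
]


def resolve(oid: str) -> str:
    """Translate a numeric OID into 'name.instance' using the longest known MIB prefix."""
    parts = oid.split(".")
    for cut in range(len(parts), 0, -1):
        prefix = ".".join(parts[:cut])
        if prefix in MIB:
            rest = parts[cut:]
            return MIB[prefix] + ("." + ".".join(rest) if rest else "")
    return oid   # unknown subtree: leave numeric


def classify_trap(varbinds: List[Tuple[str, object]]):
    """Granular handling: the snmpTrapOID value identifies the event; the remaining
    varbinds are the payload (a verbose trap simply carries more of them)."""
    trap_name = None
    details: Dict[str, object] = {}
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:
            trap_name = resolve(str(value))
        else:
            details[resolve(oid)] = value
    return trap_name, details


if __name__ == "__main__":
    print(classify_trap(LINKDOWN_TRAP))
```

An OID from a subtree the manager has no MIB for stays numeric, which is what you see in practice when a vendor MIB has not been loaded: the trap still arrives, it is just harder to read.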
SNMP V3
SNMP version 3 offers enhanced security features (v1 and v2c rely on a community string sent in cleartext)
○ Integrity
■ Hashing messages before transmission to prevent data
alteration
○ Authentication
■ Validating the source of messages
○ Confidentiality
■ Adding encryption using DES, 3DES, or AES
○ Dividing SNMP components into entities with different access
privileges for improved security
SIEM
SIEM (Security Information and Event Management)
■ A solution for real-time or near-real-time analysis of security alerts generated by
network hardware and applications
■ SIEM helps correlate various events and incidents from system logs
SIEM Functionality
■ Correlates and analyzes log data
■ Consolidates data from various systems into a centralized database or repository
■ Detects patterns indicating security threats
■ Generates alerts for security teams to investigate
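The four SIEM functions above (consolidate, correlate, detect a pattern, alert) are easiest to see on real-looking input. This added example, which is not from the original notes or from any SIEM product, normalizes two differently formatted log sources into one schema and runs a single correlation rule over them: several failed logins from one source IP followed by a success within a short window, regardless of which system recorded the failures. The log lines, the VPN appliance format, and the rule parameters are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs (not from a real system). Two sources with different
# formats, as forwarded to a SIEM by an agent or over syslog.
SSHD_LOG = """\
2024-05-01T10:00:01Z srv1 sshd[912]: Failed password for root from 198.51.100.7 port 40012 ssh2
2024-05-01T10:00:04Z srv1 sshd[912]: Failed password for root from 198.51.100.7 port 40013 ssh2
2024-05-01T10:00:09Z srv1 sshd[912]: Failed password for admin from 198.51.100.7 port 40014 ssh2
2024-05-01T10:00:15Z srv1 sshd[915]: Accepted password for admin from 198.51.100.7 port 40015 ssh2
2024-05-01T10:05:00Z srv1 sshd[930]: Failed password for bob from 203.0.113.9 port 51000 ssh2
2024-05-01T10:20:00Z srv1 sshd[940]: Accepted password for bob from 203.0.113.9 port 51001 ssh2
"""
# Hypothetical VPN appliance format, invented for the example.
VPN_LOG = """\
2024-05-01T10:00:02Z vpn1 auth: user=root src=198.51.100.7 result=FAIL
2024-05-01T10:00:06Z vpn1 auth: user=root src=198.51.100.7 result=FAIL
"""

SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
VPN_RE = re.compile(r"^(\S+) \S+ auth: user=(\S+) src=(\S+) result=(FAIL|OK)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(sshd_log: str = SSHD_LOG, vpn_log: str = VPN_LOG) -> List[Dict]:
    """Consolidate both sources into one schema: ts, source, user, src_ip, outcome."""
    events = []
    for line in sshd_log.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts, verdict, user, ip = m.groups()
            events.append({"ts": parse_ts(ts), "source": "sshd", "user": user,
                           "src_ip": ip, "outcome": "fail" if verdict == "Failed" else "success"})
    for line in vpn_log.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, user, ip, result = m.groups()
            events.append({"ts": parse_ts(ts), "source": "vpn", "user": user,
                           "src_ip": ip, "outcome": "fail" if result == "FAIL" else "success"})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict], threshold: int = 3, window: timedelta = timedelta(seconds=60)):
    """Rule: a successful login preceded by >= threshold failures from the same
    source IP within the window, across any log source, is a probable
    brute-force success and is worth an analyst's attention."""
    failures = defaultdict(list)          # src_ip -> timestamps of failed logins
    alerts = []
    for ev in events:
        ip = ev["src_ip"]
        if ev["outcome"] == "fail":
            failures[ip].append(ev["ts"])
            continue
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((ip, ev["user"], len(recent)))
        failures[ip].clear()
    return alerts


if __name__ == "__main__":
    print(correlate(normalize()))
```

Neither source on its own shows the full picture: sshd saw three failures and the VPN two, and only the consolidated view reaches five before the successful admin login. bob's single failure fifteen minutes before his success stays below the threshold and outside the window, so it produces no alert.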
Agent based SIEM
Software agents are installed on each system to collect and send log data
● Provides real-time data and detailed information
Agentless SIEM
Log data is collected directly from systems using standard protocols
● Reduces maintenance but may not collect real-time or detailed data
ELK
(Elastic Stack)
● A stack of freely available tools commonly combined into a SIEM, including the following
○ Elasticsearch
○ Logstash
○ Kibana
○ Beats
Components work together for log collection, storage, analysis, and visualization
ArcSight
SIEM log management and analytics software
● Suitable for compliance reporting for regulations like HIPAA, SOX, and PCI
DSS
QRadar
A SIEM log management, analytics, and compliance reporting platform
created by IBM
Firewalls
Act as a barrier between trusted internal networks and untrusted external
networks
■ Filter incoming and outgoing traffic based on security rules (ACLs)
Vulnerability Scanners
Identify security weaknesses, including missing patches, incorrect configurations,
and known vulnerabilities
SCAP
Security Content Automation Protocol (SCAP)
Suite of open standards that enhances the automation of vulnerability
management, measurement, and policy compliance evaluation of systems
deployed in an organization
■ Developed by the National Institute of Standards and Technology (NIST)
■ Enhances the automation of security tasks, including the following
● Vulnerability scanning
● Configuration checking
● Software inventory
OVAL
(Open Vulnerability and Assessment Language)
An SCAP language; XML used to define how a system is tested for vulnerabilities and configuration settings and how the results are reported
XCCDF
SCAP language
(Extensible Configuration Checklist Description Format)
XML schema for developing and auditing best-practice configuration
checklists and rules
● Allows improved automation
ARF
asset reporting format
SCAP language
XML schema for expressing information about assets and their
relationships
● Vendor and technology neutral
● Flexible
● Suited for a wide variety of reporting applications
CCE
(Common Configuration Enumeration), an SCAP naming scheme
Scheme for provisioning secure configuration checks across multiple
sources
● Provides unique identifiers for different system configuration issues
CPE
(Common Platform Enumeration)
● Identifies hardware devices, operating systems, and applications
● Standard formatting
CVSS
Common Vulnerability Scoring System (CVSS)
Used to provide a numerical score reflecting the severity of a vulnerability (0 to
10)
■ Scores are used to categorize vulnerabilities as none, low, medium, high, or
critical
■ Base scores assist in prioritizing remediation efforts but do not account for
mitigations already in place; the temporal and environmental metric groups exist to adjust for that
Benchmarks
Sets of security configuration rules for specific products to establish
security baselines
● Provide a detailed checklist that can be used to secure systems to a
specific baseline
Example of an SCAP benchmark: Red Hat Enterprise Linux Benchmark
Provides security configuration rules for Red Hat Enterprise Linux
FPC
full packet capture
Captures entire packets, including headers and payloads
Network and Flow Analysis
Flow Analysis
Focuses on recording metadata and statistics about network traffic, saving
storage space
■ Doesn’t include the actual content, just the metadata
■ Rapidly generates visualizations to map network connections, traffic types and session volumes
Flow Collector
Records metadata and statistics about network traffic
■ Collects information about the following
● Type of traffic
● Protocol used
● Data volume
■ Allows for efficient data storage and reduces processing overhead
Netflow
Cisco-developed protocol for reporting network flow information
■ IPFIX (IP Flow Information Export) is the IETF standard derived from NetFlow v9; closely related, but not the same protocol
■ Defines traffic flows based on shared characteristics (e.g., source and destination
IP)
■ Data collected by NetFlow
● Network interface
● IP version and protocol
● Source and destination IP addresses
● Source and destination ports
● Type of service used
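Flow analysis keeps only the fields listed above, yet that metadata is enough for useful detection. This added example, not from the original notes or from any flow collector, groups constructed packet headers into flow records keyed by the 5-tuple (the job of a flow collector) and then flags an unusually large internal-to-external flow, the kind of signal a full packet capture is not needed for. The packet sizes, addresses, internal ranges and the 50 kB threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Org-defined internal ranges (an assumption for this example; real deployments
# take these from their own address plan, not from generic "private" checks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FlowKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first: float = 0.0
    last: float = 0.0


# Constructed packet headers (timestamp, src, dst, sport, dport, proto, size).
# No payload is kept: this is exactly the metadata a flow exporter sees.
PACKETS = []
# 40 x 1400-byte segments from an internal host to an external HTTPS server: a large upload
PACKETS += [(i * 0.1, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 1400) for i in range(40)]
# a small web request/response pair
PACKETS += [(1.0, "10.0.0.7", "192.0.2.20", 52000, 80, "tcp", 120),
            (1.1, "192.0.2.20", "10.0.0.7", 80, 52000, "tcp", 900),
            (1.2, "10.0.0.7", "192.0.2.20", 52000, 80, "tcp", 60)]
# an internal DNS lookup
PACKETS += [(2.0, "10.0.0.5", "10.0.0.53", 40000, 53, "udp", 70),
            (2.01, "10.0.0.53", "10.0.0.5", 53, 40000, "udp", 150)]


def aggregate(packets) -> Dict[FlowKey, Flow]:
    """Group packets sharing the same 5-tuple into flow records (what a flow collector stores)."""
    flows: Dict[FlowKey, Flow] = defaultdict(Flow)
    for ts, src, dst, sport, dport, proto, size in packets:
        f = flows[(src, dst, sport, dport, proto)]
        if f.packets == 0:
            f.first = ts
        f.packets += 1
        f.bytes += size
        f.last = ts
    return dict(flows)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def large_egress(flows: Dict[FlowKey, Flow], threshold_bytes: int = 50_000) -> List[FlowKey]:
    """Flag internal -> external flows whose volume exceeds the threshold: a
    simple exfiltration indicator that needs no payload at all."""
    return [key for key, f in flows.items()
            if is_internal(key[0]) and not is_internal(key[1]) and f.bytes >= threshold_bytes]


if __name__ == "__main__":
    flows = aggregate(PACKETS)
    for key, f in flows.items():
        print(key, f.packets, "pkts", f.bytes, "bytes")
    print("large egress:", large_egress(flows))
```

Forty-five packets collapse into five flow records, which is the storage saving the Flow Analysis card refers to. The internal ranges are listed explicitly rather than taken from the ipaddress module's is_private, because that property also covers documentation ranges like 203.0.113.0/24 and would hide the external destination here.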
Zeek
Hybrid tool for network monitoring
■ Monitors traffic like NetFlow but logs full packet captures based on interest
■ Filters or signatures trigger full packet capture to analyze specific data
■ Normalizes data for easy import into other tools for visualization and analysis
MRTG
Multi Router Traffic Grapher
Creates graphs displaying network traffic flows through routers and switches
■ Uses SNMP (Simple Network Management Protocol) to gather data
■ Helps identify traffic patterns and anomalies by visualizing data transfer volumes
SPOG
Single Pane of Glass
Central point of access for security teams
■ Provides access to information, tools, and systems for monitoring, managing, and
securing an organization’s IT environment
■ Offers a unified view of the security posture so teams can quickly reach critical
information and make informed decisions