4.4 Explain security alerting and monitoring concepts and tools Flashcards
Data Loss Prevention (DLP) Systems
- Endpoint: Agent installed on devices; monitors data in use and blocks unauthorized copies or transfers (USB, clipboard, print, upload).
- Network: Inspects data in transit at the network perimeter (email, web uploads) and blocks or quarantines policy violations.
- Storage: Installed on file servers and databases; discovers and protects sensitive data at rest.
- Cloud-Based: SaaS solution protecting data held in cloud services.
Monitoring Resources
- System Monitoring: Tracks CPU, memory, disk usage, and network performance.
- Application Monitoring: Tracks software performance, errors, and availability.
- Infrastructure Monitoring: Observes servers, networks, VMs, containers, and cloud services.
Alerting and Monitoring Activities
- Log Aggregation: Centralizes logs from many sources so they can be searched and correlated together.
- Alerting: Notifies based on thresholds or anomalies. Delivered via email, SMS, or push notifications.
- Scanning: Identifies vulnerabilities (see a separate card), misconfigurations, or code issues.
- Tools: Nessus, OpenVAS, Qualys.
- Reporting: Summarizes performance, security incidents, and compliance for continuous improvement.
- Archiving: Stores data for audits and regulatory compliance (e.g., Amazon S3).
- Alert Response: Investigate, escalate, or act on alerts.
- Remediation: Apply patches or fixes.
- Validation: Confirm issues are resolved.
- Quarantining: Isolate compromised systems to contain threats.
- Alert Tuning: Adjust parameters to reduce false positives and improve relevance.
Simple Network Management Protocol (SNMP)
Internet protocol for collecting and modifying configuration and status data from managed devices on IP networks.
* Devices: Routers, switches, firewalls, printers, servers, and client devices.
Administrators use SNMPv3 to manage and monitor network devices. Agents listen on UDP port 161 for manager requests; managers listen on UDP port 162 for traps. SNMPv3 authenticates each message with an HMAC and can encrypt the message payload, so credentials and data are not sent in the clear as they are with the plain-text community strings of v1/v2c. It is the only version that should be enabled on a modern network.
SNMP Manager:
- Central system (the NMS) collecting data from devices.
- Sends requests to agents and receives their responses and traps.
SNMP Agents:
- Software on each managed device; answers manager requests (GET/SET) and sends traps on its own when events occur.
SNMP Message Types:
- GET: Retrieves values from devices (GETNEXT/GETBULK walk a table of values).
- SET: Changes values on devices (requires write access; restrict or disable it where not needed).
- TRAP: Unsolicited notification from agent to manager (e.g., link down, reboot, threshold crossed).
OID (Object Identifier):
- Dotted-decimal identifier for a variable in SNMP messages (e.g., 1.3.6.1.2.1.1.1.0 is sysDescr.0).
- Defined in the MIB (Management Information Base), the schema describing what an agent exposes.
SNMP Versions:
- v1 & v2c: Use plain-text community strings (effectively passwords sent in the clear; the defaults "public" and "private" are widely known).
- v3: Offers enhanced security:
- Integrity: Messages carry an HMAC so alteration in transit is detected.
- Authentication: Validates the message source (authNoPriv level).
- Confidentiality: Encrypts data using DES, 3DES, or AES (authPriv level).
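The point about v1/v2c community strings is easiest to see on the wire. The following is an added example (not code from the page): it hand-builds an SNMPv2c GetRequest for sysDescr.0 with a minimal BER encoder and then shows what a passive observer recovers from the packet. The community string "public" and the target OID are constructed inputs; the message layout follows the SNMPv2c PDU structure.

```python
"""SNMPv2c GetRequest built by hand with a minimal BER encoder, to show that
the community string crosses the wire in clear text. Added example, not code
from the page; the community value and target OID are constructed."""
from typing import Tuple

COMMUNITY = "public"                  # constructed; also the common default
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 from the standard MIB-2 tree


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper used for every BER element."""
    return bytes([tag]) + _length(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs share one byte
    (40*x + y); later arcs are base-128 with the continuation bit set."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING,
    GetRequest-PDU [0] SEQUENCE { request-id, error-status, error-index,
    variable-bindings SEQUENCE OF { OID, NULL } } }"""
    varbind = _tlv(0x30, ber_oid(oid) + _tlv(0x05, b""))
    pdu_body = ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, varbind)
    pdu = _tlv(0xA0, pdu_body)
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)


def sniff_community(packet: bytes) -> Tuple[int, str]:
    """What a passive observer on the path sees: skip the outer SEQUENCE
    header, read the version INTEGER, then the community OCTET STRING.
    Assumes the small messages this example produces (inner lengths below 128)."""
    if packet[0] != 0x30:
        raise ValueError("not a BER SEQUENCE")
    pos = 2 if packet[1] < 0x80 else 2 + (packet[1] & 0x7F)
    if packet[pos] != 0x02:
        raise ValueError("expected version INTEGER")
    vlen = packet[pos + 1]
    version = int.from_bytes(packet[pos + 2:pos + 2 + vlen], "big", signed=True)
    pos += 2 + vlen
    if packet[pos] != 0x04:
        raise ValueError("expected community OCTET STRING")
    clen = packet[pos + 1]
    return version, packet[pos + 2:pos + 2 + clen].decode()


if __name__ == "__main__":
    pkt = build_get_request(COMMUNITY, SYS_DESCR_OID)
    print(pkt.hex())
    print(sniff_community(pkt))   # (1, 'public'): readable by anyone on the path
    # To send it for real: socket.socket(AF_INET, SOCK_DGRAM).sendto(pkt, (host, 161))
```

Anyone who can capture the UDP datagram gets the community string with a few bytes of parsing, and with the write community they can SET values on the device. SNMPv3 with authPriv replaces this field with an HMAC-protected, encrypted envelope.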
Security Information and Event Management (SIEM)
Monitors, manages, and collects log data from network devices, servers, and security tools in real time.
- Log Reviews: Essential for security; should be done routinely, not just after incidents.
SIEM Functionality:
- Consolidates and normalizes data from many sources (logs, flows, alerts).
- Correlates events across sources to detect threat patterns and generates alerts.
Agent-Based vs. Agentless SIEM:
- Agent-Based: Software agents on each host forward data in real time with rich detail (process, file, registry events); more to deploy and maintain.
- Agentless: Collects over protocols like syslog, SNMP, or WMI, with less maintenance but limited detail.
Common SIEM Solutions:
- Splunk: Big data analytics platform with app templates and dashboards.
- ELK Stack: Open-source tools (Elasticsearch, Logstash, Kibana, Beats).
- ArcSight: Log management tool for compliance (HIPAA, SOX, PCI DSS).
- QRadar: IBM's platform with analytics, compliance reporting, and dashboards.
SIEM = SIM + SEM:
- SEM (Security Event Management): Real-time monitoring, correlation, and alerting on security events.
- SIM (Security Information Management): Long-term storage and analysis of log data for trends and compliance reports.
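A SIEM correlation rule is just stateful logic over normalized events. As an added example (not code from the page or any SIEM product), the following runs one such rule over constructed sshd-style log lines: repeated failed logins from one source inside a short window followed by a successful login from the same source raises an alert. The hosts, addresses, and log lines are all constructed; the threshold and window are the tuning parameters the "Alert Tuning" card refers to.

```python
"""Toy SIEM correlation rule run over constructed sshd-style log lines:
several failed logins from one source inside a short window, followed by a
success from the same source, raises one alert. Added example, not code from
the page; the log lines, hosts and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-01T10:00:03 host1 sshd[102]: Failed password for root from 203.0.113.5 port 51001 ssh2
2024-03-01T10:00:05 host1 sshd[103]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:07 host1 sshd[104]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2024-03-01T10:00:09 host1 sshd[105]: Failed password for deploy from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:10 host1 sshd[105]: Connection closed by 203.0.113.5 port 51004 [preauth]
2024-03-01T10:00:12 host1 sshd[106]: Accepted password for deploy from 203.0.113.5 port 51005 ssh2
2024-03-01T10:05:00 host2 sshd[201]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:09:00 host2 sshd[202]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse(line: str) -> Optional[dict]:
    """Normalize one raw line into fields; lines the rule does not need
    (e.g. 'Connection closed') return None and are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Sliding window of failure timestamps per source IP. A success from a
    source with >= threshold failures inside window_s seconds fires an alert;
    threshold and window_s are the tuning knobs for false positives."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                      # age out failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src": ev["src"], "user": ev["user"], "host": ev["host"],
                "failed_attempts": len(q), "at": ev["ts"].isoformat(),
            })
            q.clear()                        # one alert per burst, not per success
    return alerts


def run_sample(threshold: int = 5) -> List[dict]:
    return correlate(SAMPLE_LOG.splitlines(), threshold=threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(a)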
Data from Security Tools / General Overview of Security Tools
Anti-Malware Software:
- Protects against viruses, worms, Trojans, ransomware, spyware.
- Generates detection logs, scan results, and signature-update status.
- Sends data to SIEM for threat detection and endpoint health tracking.
Data Loss Prevention (DLP) Systems:
- Monitors endpoints, network traffic, and cloud data to prevent exfiltration.
- Flags policy violations and attempts to leak sensitive data.
- Sends events to SIEM so analysts can take corrective action.
Network Intrusion Detection & Prevention Systems (NIDS/NIPS):
- NIDS: Passively detects malware, denial-of-service (DoS) attacks, and unauthorized access attempts, generating alerts (does not block).
- NIPS: Sits inline and blocks threats, preventing DoS attacks, port scanning, brute-force attempts, and malware spread.
- Data includes detected threats, blocked traffic, and anomalies, sent to SIEM.
Firewalls:
- Filter traffic between internal and external networks (and between internal zones).
- Log allowed/blocked connections, rule changes, and detected threats.
- Logs sent to SIEM for perimeter security monitoring.
Vulnerability Scanners:
- Detect weaknesses, missing patches, and misconfigurations.
- Integrated with SIEM to track remediation progress.
Endpoint Security Software
EDR (Endpoint Detection and Response):
- Detects and responds to threats at the endpoint level. Uses behavioral analysis of process, file, registry, and network activity to identify suspicious activity, and supports response actions such as isolating the host.
XDR (Extended Detection and Response):
- Expands beyond endpoints to correlate telemetry from network devices, email, identity, cloud infrastructure, and IoT devices. Offers a comprehensive view of the IT environment.
Security Content Automation Protocol (SCAP)
A suite of open standards developed by NIST for automating vulnerability management and policy compliance.
- Automates:
- Vulnerability scanning
- Configuration checks
- Software inventory
Components of SCAP:
- Standardizes how vulnerabilities and configurations are identified, checked, reported, and scored.
- Ensures security tools that consume SCAP-formatted content (benchmarks, checklists, scan results) interoperate.
SCAP Languages:
- OVAL (Open Vulnerability and Assessment Language): Describes how to test for a system state (installed version, setting value) and reports whether a vulnerability or configuration condition is present.
- XCCDF (Extensible Configuration Checklist Description Format): Describes checklists and benchmarks of best-practice configurations and scores compliance against them.
- ARF (Asset Reporting Format): Vendor-neutral, flexible format for reporting results about assets.
Enumeration Methods in SCAP:
- CCE (Common Configuration Enumeration): Assigns IDs to system configuration issues.
- CPE (Common Platform Enumeration): Identifies hardware, OS, and apps. CPE 2.2 URI format:
cpe:/part:vendor:product:version:update:edition:language
(part is h, o, or a; CPE 2.3 uses the formatted string cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other, with * meaning any value)
- CVE (Common Vulnerabilities and Exposures): Catalogs known vulnerabilities (e.g., CVE-2017-0144, the SMBv1 flaw exploited by EternalBlue).
CVSS (Common Vulnerability Scoring System):
- Rates vulnerabilities from 0.0 to 10.0 to prioritize remediation.
- Severity categories (v3.x): None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), Critical (9.0 to 10.0).
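The CPE and CVSS cards describe data formats a scanner has to parse and compare. As an added example (not code from the page or from any SCAP tool), the following parses CPE names in both the 2.2 URI form and the 2.3 formatted-string form, matches an inventory against affected-product records (including a simple "fixed in version X" range check), and maps CVSS base scores to the v3.x severity bands. The inventory entries and advisory records are constructed; their IDs (EXAMPLE-1 and so on) are placeholders, not real CVE entries.

```python
"""Parse CPE names in the 2.2 URI form and the 2.3 formatted-string form,
match inventory entries against affected-product records, and map CVSS base
scores to severity bands. Added example, not code from the page; the
advisory records below are constructed (IDs are placeholders, not real CVEs)."""
import re
from typing import Dict, List, Tuple

FIELDS_23 = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
FIELDS_22 = FIELDS_23[:7]          # the 2.2 URI form stops at language
_SPLIT = re.compile(r"(?<!\\):")   # split on colons that are not escaped as \:


def parse_cpe(name: str) -> Dict[str, str]:
    """Return all eleven 2.3 attributes; components left blank (2.2) or set
    to '*' (2.3) mean ANY and are stored as '*'."""
    if name.startswith("cpe:2.3:"):
        parts, fields = _SPLIT.split(name)[2:], FIELDS_23
    elif name.startswith("cpe:/"):
        parts, fields = _SPLIT.split(name[len("cpe:/"):]), FIELDS_22
    else:
        raise ValueError(f"not a CPE name: {name!r}")
    if len(parts) > len(fields):
        raise ValueError(f"too many components in {name!r}")
    cpe = {f: "*" for f in FIELDS_23}
    for field, value in zip(fields, parts):
        cpe[field] = value if value else "*"
    if cpe["part"] not in ("h", "o", "a"):
        raise ValueError(f"part must be h, o or a: {name!r}")
    return cpe


def _version_key(v: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions; non-numeric pieces sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def affected(inventory: Dict[str, str], record: dict) -> bool:
    """record['cpe'] uses '*' for ANY; an optional 'fixed_in' bounds the
    vulnerable range: the inventory version must be below it."""
    target = parse_cpe(record["cpe"])
    for field in ("part", "vendor", "product", "update", "edition", "language",
                  "sw_edition", "target_sw", "target_hw", "other"):
        if target[field] != "*" and target[field] != inventory[field]:
            return False
    if target["version"] != "*" and target["version"] != inventory["version"]:
        return False
    if "fixed_in" in record and inventory["version"] != "*":
        return _version_key(inventory["version"]) < _version_key(record["fixed_in"])
    return True


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative bands."""
    score = round(score, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be 0.0-10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed inventory and advisories (placeholder IDs, not real CVE entries)
INVENTORY = ["cpe:/a:openbsd:openssh:7.4",
             "cpe:2.3:o:linux:linux_kernel:5.10.0:*:*:*:*:*:*:*"]
ADVISORIES = [
    {"id": "EXAMPLE-1", "cpe": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "fixed_in": "7.5", "cvss": 8.1},
    {"id": "EXAMPLE-2", "cpe": "cpe:/o:linux:linux_kernel:4.19", "cvss": 5.5},
    {"id": "EXAMPLE-3", "cpe": "cpe:/a:openbsd:openssh", "fixed_in": "7.2", "cvss": 9.8},
]


def prioritize(inventory: List[str], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """(severity, advisory id, asset) for every hit, highest score first."""
    hits = []
    for asset in inventory:
        inv = parse_cpe(asset)
        for rec in advisories:
            if affected(inv, rec):
                hits.append((rec["cvss"], cvss_severity(rec["cvss"]), rec["id"], asset))
    hits.sort(reverse=True)
    return [(sev, rid, asset) for _, sev, rid, asset in hits]


if __name__ == "__main__":
    for hit in prioritize(INVENTORY, ADVISORIES):
        print(hit)
```

With the constructed data, only EXAMPLE-1 matches: EXAMPLE-3 names the same product but was fixed in 7.2, so version 7.4 is outside its range, and EXAMPLE-2 names a different kernel version. Real scanners use the CPE applicability language and version ranges from the advisory feed rather than this simplified "fixed_in" field.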
NetFlow and Flow Analysis
- Analyzing network activity helps detect anomalies, security risks, and performance issues.
- Tools capture traffic patterns (metadata) or full data packets for deeper investigation.
Key Concepts:
Full Packet Capture (FPC):
- Records everything: headers + content (data payloads).
- Useful for deep investigation but requires far more storage, and captured payloads can themselves contain sensitive data.
Flow Analysis:
- Collects metadata only (e.g., source/destination IP addresses and ports, protocol, byte and packet counts, start and end time).
- Provides a bigger picture of traffic patterns without storing content.
Flow Collector:
- Receives flow records exported by routers, switches, and probes and stores them for analysis.
- Efficient and saves space but offers less detail.
How Tools Fit Together:
FPC vs. Flow Analysis:
- FPC gives detailed content (e.g., emails or files).
- Flow analysis shows who talked to whom, when, and how much (no content).
- Use flow analysis for daily monitoring, FPC for deep investigations.
NetFlow:
- Cisco's flow export feature and record format (IPFIX is the IETF standard derived from it): tracks IP addresses, protocols, ports, and byte/packet counts per conversation.
- Helps spot patterns (e.g., unusual traffic spikes).
Zeek:
- Network security monitor: parses traffic into protocol-aware logs (conn.log, dns.log, http.log), giving more context than flow records without storing full payloads; can also extract files or packets when needed.
MRTG (Multi Router Traffic Grapher):
- Creates graphs of network traffic from routers and switches (polled over SNMP).
- Identifies traffic spikes and anomalies.
When to Use These Tools:
Monitoring:
- Use flow analysis to watch network trends and catch issues early.
Investigation:
- Use FPC when you need to analyze specific incidents in detail (e.g., data leaks or intrusions).
Traffic Spikes:
- Flow analysis identifies the spike.
- Packet capture provides deeper insight into the cause.
Incident Response:
- Use both flow and packet data to understand and resolve security breaches.
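The "Traffic Spikes" and "Monitoring" cards above describe the workflow: flow records find the anomaly, and the 5-tuple and time window they yield are what you pull from packet capture. As an added example (not code from the page or from any NetFlow or Zeek tool), the following runs that workflow over constructed flow records carrying the fields NetFlow/IPFIX export: it flags the minute whose byte total is far above the median, names the top talkers in that minute, and separately spots a port scan from the number of distinct destination ports one source touches. All addresses and flows are constructed.

```python
"""Flow analysis over constructed flow records (the fields NetFlow/IPFIX
export: source, destination, port, protocol, byte and packet counts, time).
Finds a traffic spike from the byte totals, explains it by top talkers, and
spots a port scan from the number of distinct destination ports one source
touches. Added example, not code from the page; every flow is constructed."""
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Tuple


def make_sample_flows() -> List[dict]:
    flows = []
    internal = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    # ten minutes of ordinary HTTPS traffic from three hosts (constructed baseline)
    for minute in range(10):
        for i, host in enumerate(internal):
            flows.append(dict(minute=minute, src=host, dst="198.51.100.10", dport=443,
                              proto="tcp", bytes=300_000 + 1_000 * i, packets=400))
    # minute 7: one host pushes 12 MB to a destination nobody else talks to
    flows.append(dict(minute=7, src="10.0.0.12", dst="203.0.113.9", dport=443,
                      proto="tcp", bytes=12_000_000, packets=9_000))
    # minute 3: an external source probes 40 ports on one host with one-packet flows
    for port in range(1, 41):
        flows.append(dict(minute=3, src="192.0.2.50", dst="10.0.0.11", dport=port,
                          proto="tcp", bytes=60, packets=1))
    return flows


def bytes_per_minute(flows: List[dict]) -> Dict[int, int]:
    totals: Dict[int, int] = defaultdict(int)
    for f in flows:
        totals[f["minute"]] += f["bytes"]
    return dict(totals)


def spike_minutes(flows: List[dict], factor: float = 3.0) -> List[int]:
    """Minutes whose byte total exceeds factor x the median minute.
    Median rather than mean so the spike itself does not raise the baseline."""
    totals = bytes_per_minute(flows)
    baseline = median(totals.values())
    return sorted(m for m, b in totals.items() if b > factor * baseline)


def explain_spike(flows: List[dict], minute: int, top: int = 3) -> List[Tuple[str, str, int]]:
    """Top talkers (src, dst, bytes) inside one minute: the pivot to pcap."""
    c: Counter = Counter()
    for f in flows:
        if f["minute"] == minute:
            c[(f["src"], f["dst"])] += f["bytes"]
    return [(src, dst, b) for (src, dst), b in c.most_common(top)]


def port_scanners(flows: List[dict], min_ports: int = 20) -> List[Tuple[str, str, int]]:
    """(src, dst, distinct ports) where one source touched many destination
    ports on one host; flow size is irrelevant, the fan-out is the signal."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return [(s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports]


if __name__ == "__main__":
    flows = make_sample_flows()
    for m in spike_minutes(flows):
        print("spike in minute", m, "top talkers:", explain_spike(flows, m))
    print("scanners:", port_scanners(flows))
```

Flow data alone cannot say what the 12 MB to 203.0.113.9 contained; that is the point where the analyst pulls the full packet capture for that minute and that source/destination pair, exactly the division of labour the cards describe. The scan detection works on the opposite signal: tiny flows, but many distinct ports from one source.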