4.4 Security Monitoring Flashcards
Security monitoring
* The attackers never sleep - 24/7/365
* Monitor all entry points
– Logins, publicly available services, data storage locations, remote access
* React to security events
– Account access, firewall rulebase, additional scanning
* Status dashboards
– Get the status of all systems at a glance
Monitoring computing resources
* Systems
– Authentication - logins from strange places
– Server monitoring - Service activity, backups, software versions
* Applications
– Availability - Uptime and response times
– Data transfers - increases or decreases in rates
– Security notifications - From the developer/manufacturer
* Infrastructure
– Remote access systems - Employees, vendors, guests
– Firewall and IPS reports - Increase or type of attack
Log aggregation
* SIEM or SEM (Security Information and Event Manager)
– Consolidate many different logs to a central database
– Servers, firewalls, VPN concentrators, SANs, cloud services
* Centralized reporting
– All information in one place
* Correlation between diverse systems
– View authentication and access
– Track application access
– Measure and report on data transfers
Scanning
* A constantly changing threat landscape
– New vulnerabilities discovered daily
– Many different business applications and services
– Systems and people are always moving
* Actively check systems and devices
– Operating system types and versions
– Device driver versions
– Installed applications
– Potential anomalies
* Gather the raw details
– A valuable database of information
Security Monitoring Reporting
* Analyze the collected data
– Create “actionable” reports
* Status information
– Number of devices up to date/in compliance
– Devices running older operating systems
* Determine best next steps
– A new vulnerability is announced
– How many systems are vulnerable?
* Ad hoc information summaries
– Prepare for the unknown
Archiving
* It takes an average of about 9 months for a company to identify and contain a breach
– IBM security report, 2022
* Access to data is critical
– Archive over an extended period
* May have a mandate
– State or federal law
– Or organizational requirements
Alerting
* Real-time notification of security events
– Increase in authentication errors
– Large file transfers
* Actionable data
– Keep the right people informed
– Enable quick response and status information
* Notification methods
– SMS/text
– Email
– Security console / SOC
Alert response and remediation
* Quarantine
– A foundational security response
– Prevent a potential security issue from spreading
* Alert tuning
– A balancing act
– Prevent false positives and false negatives
* An alert should be accurate
– This is an ongoing process
– The tuning gets better as time goes on
Security Content Automation Protocol (SCAP)
* Many different security tools on the market
– NGFWs, IPS, vulnerability scanners, etc.
– They all have their own way of evaluating a threat
* Managed by the National Institute of Standards and Technology (NIST)
– http://scap.nist.gov
* Allows tools to identify and act on the same criteria
– Validate the security configuration
– Confirm patch installs
– Scan for a security breach
Using SCAP
* SCAP content can be shared between tools
– Focused on configuration compliance
– Easily detect applications with known vulnerabilities
* Especially useful in large environments
– Many different operating systems and applications
* This specification standard enables automation
– Even between different tools
* Automation types
– Ongoing monitoring
– Notification and alerting
– Remediation of noncompliant systems
Benchmarks
* Apply security best practices to everything
– Operating systems, cloud providers, mobile devices, etc.
– The bare minimum for security settings
* Example: Mobile device
– Disable screenshots, disable screen recordings, prevent voice calls when locked, force encrypted backups, disable additional VPN profiles, configure a “lost phone” message, etc.
* Popular benchmarks - Center for Internet Security (CIS)
– https://www.cisecurity.org/cis-benchmarks/
Agents/agentless
* Check to see if the device is in compliance
– Install a software agent onto the device
– Run an on-demand agentless check
* Agents can usually provide more detail
– Always monitoring for real-time notifications
– Must be maintained and updated
* Agentless runs without a formal install
– Performs the check, then disappears
– Does not require ongoing updates to an agent
– Will not inform or alert if not running
SIEM
* Security Information and Event Management
– Logging of security events and information
* Log collection of security alerts
– Real-time information
* Log aggregation and long-term storage
– Usually includes advanced reporting features
* Data correlation
– Link diverse data types
* Forensic analysis
– Gather details after an event
Anti-virus and anti-malware
* Anti-virus is the popular term
– Refers specifically to a type of malware
– Trojans, worms, macro viruses
* Malware refers to the broad malicious software category
– Anti-malware stops spyware, ransomware, fileless malware
* The terms are effectively the same these days
– The names are more of a marketing tool
– Anti-virus software is also anti-malware software now
– Make sure your system is using a comprehensive solution
Data Loss Prevention (DLP)
* Where’s your data?
– Social Security numbers, credit card numbers,
medical records
* Stop the data before the attacker gets it
– Data “leakage”
* So many sources, so many destinations
– Often requires multiple solutions
– Endpoint clients
– Cloud-based systems
– Email, cloud storage, collaboration tools