Chapter 13 - Describing Security Data Collection

Question 1

Name 6 Monitoring Data Types

Answer 1

1. Session Data
2. Full Packet Capture
3. Transaction Data
4. Extracted Content
5. Statistical Data
6. Alert Data

Question 2

Describe Session Data

Answer 2

Contains “5-tuple” for each session including timestamps and the amount of data transferred.
Example - NetFlow

Question 3

Describe Full Packet Capture

Answer 3

A record containing all bits transferred on the wire.

Example - PCAP file / Wireshark

Question 4

Describe Transaction Data

Answer 4

The are usually produced by daemon or services and occur as a result of network sessions and system activities.
Example - HTTP or SMTP daemon logs

Question 5

Describe Extracted Content

Answer 5

Objects that are mined from network traffic.

Example - files downloaded from web site or email attachments

Question 6

Describe Statistical Data

Answer 6

Takes other security monitoring data types and presents it at a higher level. Useful for forming baselines.
Example - Graph that shows web server connections per minute

Question 7

Describe Alert Data

Answer 7

Generally produced by IDS or IPS and triggered when traffic characteristics match a specific rule

Question 8

Define False Positive

Answer 8

When a security control acts when malicious activity did not take place

Question 9

Define False Negative

Answer 9

When a security control did not act when malicious activity did take place

Question 10

Define True Positive

Answer 10

When a security control acted when malicious activity did take place.

Question 11

Define True Negative

Answer 11

When a security control did not act because there was no malicious activity