Lecture 4 pt. 2 Flashcards
What is network monitoring used for?
To monitor all activities on a network and collect data from bandwidth usage, packet loss, and latency.
It helps identify and troubleshoot problems with the network.
List the three primary metrics measured in network monitoring.
- Availability (uptime)
- Performance (data transfer speeds)
- Configuration (system inventory, application and hardware settings)
These metrics set a baseline for data-at-rest.
What does Network Security Monitoring (NSM) do?
Detects and responds to security threats on a network.
It collects data from network traffic patterns, unusual login attempts, and malware infections.
What are the goals of network security monitoring?
- Simplified security testing
- Prevention of unwanted operational disruptions
- Strengthened security strategies
These goals help in compliance with industry standards.
True or False: Network monitoring and network security monitoring are completely distinct tools.
False
Both tools overlap in functionality.
What are common sources of alerts in network security monitoring?
- IDS/IPS
- SIEM products
- Antimalware software alerts
- File integrity checking software
- Managed Security Service Providers (MSSP)
MSSPs provide outsourced monitoring and management of security devices.
Define True Positive in the context of alert evaluation.
The alert has been verified to be an actual security incident.
This indicates a successful detection of a security threat.
What is a False Positive?
The alert does not indicate an actual security incident.
Benign activity that results in a false positive is sometimes referred to as a benign trigger.
What does True Negative signify?
No security incident has occurred; the activity is benign.
This indicates that the system is functioning correctly without any threats.
What is a False Negative?
An undetected incident has occurred.
This can lead to serious security breaches if not identified promptly.
What is retrospective security analysis (RSA)?
The process of applying newly obtained rules or threat intelligence to archived network security data.
This can help identify previously undetected vulnerabilities.
What is session data in network security?
The record of the conversation between two hosts, including session ID and the amount of data transferred.
It provides insights into the interactions between network devices.
What does transaction data consist of?
Messages exchanged during network sessions, including client requests and server replies.
This data can be viewed in packet capture transcripts.
What does full packet capture provide?
The most detailed data collected, including the actual content of conversations.
It can help analyze malware or violations of security policies.
What is the most popular tool to review full packet captures?
Wireshark
It is widely used for analyzing detailed network traffic.
