LP - Security Monitoring & Alerting Flashcards
Agent-based monitoring uses
lightweight software, known as a monitoring agent, installed on the monitored device (e.g., an SNMP agent)
Agentless monitoring uses
special application programming interface (API) calls or requests, or integrated code, to track the devices
Types of scanning tools
- Wired and wireless IP scanners
- Port scanners
- Vulnerability scanners (Nessus)
- Compliance scanning
Scanning and Alerting Life Cycle
- Planning
- Implementation
- Testing and validation
- Response
- Remediation
- Archiving and Reporting
SCAP stands for
Security Content Automation Protocol
What is SCAP?
A NIST (National Institute of Standards and Technology) specification for automating security vulnerability management, security measurement, and policy compliance evaluation.
ARF stands for
Asset Reporting Format
CPE stands for
Common Platform Enumeration
OVAL stands for
Open Vulnerability Assessment Language
OCIL stands for
Open Checklist Interactive Language
TMSAD stands for
Trust Model for Security Automation Data
XCCDF stands for
Extensible Configuration Checklist Description Format
SWID stands for
Software Identification Tagging
What does SIEM do?
Gathers event log data from a range of sources and recognizes activity that diverges from the norm in real time
SOAR stands for
Security Orchestration, Automation and Response
SOAR operates in three key areas:
- Threat and vulnerability management
- Incident response
- Security operations automation
Life cycle of SOAR
- Threat detection
- Notification
- Investigation
- Response
- Resolution
Antivirus systems use the following forms of detection:
- Signature detection
- Heuristic detection of files
- Multicriteria analysis (MCA)
- Sandbox or cloud analysis
- HIPS (host-based intrusion prevention systems)
SNMP uses an inverted path
architecture
NetFlow is defined by its 5-tuple data collection points:
- Source IP
- Destination IP
- Source port
- Destination port
- Protocol
The most recent version of NetFlow is version
9