Network Monitoring Flashcards
Simple Network Management Protocol (SNMP)
Sends and receives data from managed devices back to a centralized network management station
Granular (SNMP)
Each sent trap message gets a unique object identifier (OID) that distinguishes it as a unique message
Management Information Base (MIB)
The structure of the management data of a device subsystem using a hierarchical namespace containing object identifiers
Verbose
SNMP traps may be configured to contain all the information about a given alert or event as a payload
SNMP Trap
An SNMP PDU: an unrequested message that an agent can send to the MIB to notify it of an important event
System Logging Protocol (Syslog)
Sends system log or event messages to a central syslog server
Audit Log / Audit Trail
Contains a sequence of events for a particular activity
Application Log (Windows)
Contains information about software running on a client or server
Security Log (Windows)
Contains information about the security of a client or server
System Log (Windows)
Contains information about the OS itself
Windows log entry levels
Informational
Warning
Error
Security Information and Event Management (SIEM)
Provides real-time or near-real-time analysis of security alerts generated by network hardware or applications
Security Information and Event Management (SIEM) Log Collection
* Provides important forensic tools
* Helps address compliance reporting requirements
Security Information and Event Management (SIEM)
Normalization
* Normalizes data into a common model
* Maps log messages into a common data model
* Connects and analyzes related events
Security Information and Event Management (SIEM)
Correlation
Links the logs and events from different systems or applications into a single data feed
Security Information and Event Management (SIEM)
Aggregation
* Reduces the volume of event data
* Consolidates duplicate event records and merges them into a single record
Security Information and Event Management (SIEM)
Reporting
* Real-time monitoring dashboards for analysts
* Long-term summaries for management
Protocol used by Security Information and Event Management (SIEM)
Syslog protocol
UDP 514 / TCP 1468
Benefits of patch management
- Security
- Uptime
- Compliance
- Improve Features
Steps of patch management
- Planning
- Testing
- Implementation
- Auditing
Planning (Patch Management)
* Tracks available patches and updates
* Determines how to test and deploy each patch
Testing (Patch Management)
Test any patch received from a manufacturer prior to automating its deployment through the network
Implementation (Patch Management)
Deploy the patch to all of the workstations and servers that require it
Auditing (Patch Management)
Scan the network and determine whether the patch was installed properly and whether any unexpected failures occurred
Signature-based Detection
A signature contains a string of bytes (a pattern) that triggers detection when it is matched
Policy-based Detection
Relies on a specific declaration of the security policy
Statistical Anomaly-based Detection
Watches traffic patterns to build a baseline
Non-Statistical Anomaly-based Detection
The administrator defines the patterns/baseline
Managed Device
Any device that can communicate with an SNMP manager, known as the management information base (MIB)
5 Elements of SIEM (Security Information and Event Management)
- Log Collection
- Normalization
- Correlation
- Aggregation
- Reporting