Section 23: Monitoring and Auditing Flashcards
Signature-based Monitoring
Network traffic is analyzed for predetermined attack patterns (signatures); it can only detect attacks for which a signature already exists
Anomaly-based Monitoring
A baseline is established and any network traffic that is outside of the baseline is evaluated
Behavior-based Monitoring
Current activity of applications, executables, and the OS is compared against their previously observed behavior, and deviations from that behavior are flagged
Baselining
Process of measuring normal activity in networking, hardware, software, and applications over time to establish a reference point (the baseline) against which later changes are compared
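The three monitoring cards above describe detection styles in the abstract. The following added example (not part of the original flashcards) applies a signature check and an anomaly check to a handful of constructed RFC 3164-style syslog lines: the signature rules look for fixed patterns (failed SSH passwords, sudo reading /etc/shadow), while the anomaly check compares this hour's event count per host/program against a constructed baseline of earlier hours using a mean-plus-k-standard-deviations threshold. The hostnames, IP addresses, rule names, and baseline counts are all made up for the example.

```python
"""Signature-based and anomaly-based checks over constructed syslog lines.

Added example, not from the original course material. Hostnames, IPs,
rule names and baseline counts are constructed for illustration.
"""
import re
import statistics
from collections import Counter

# Constructed RFC 3164-style syslog lines (not real captures). The last line
# is deliberately malformed to show that the parser skips it.
SAMPLE_LOGS = [
    "Mar 10 08:01:12 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2",
    "Mar 10 08:02:44 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 41022 ssh2",
    "Mar 10 08:02:46 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 41022 ssh2",
    "Mar 10 08:02:49 web01 sshd[2244]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2",
    "Mar 10 08:02:51 web01 sshd[2244]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2",
    "Mar 10 08:02:53 web01 sshd[2247]: Failed password for invalid user oracle from 203.0.113.7 port 41036 ssh2",
    "Mar 10 08:02:55 web01 sshd[2247]: Failed password for invalid user oracle from 203.0.113.7 port 41036 ssh2",
    "Mar 10 08:03:01 db01 CRON[1820]: (root) CMD (/usr/local/bin/backup.sh)",
    "Mar 10 08:05:17 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "this line has no syslog header and is skipped",
]

# Constructed baseline: events per (host, program) seen in each of eight earlier
# one-hour windows of normal operation. This is what "baselining" produces.
BASELINE_HISTORY = {
    ("web01", "sshd"): [2, 1, 3, 2, 0, 2, 1, 2],
    ("db01", "CRON"): [1, 1, 1, 1, 1, 1, 1, 1],
}

# RFC 3164 header: "Mmm dd hh:mm:ss host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Signature rules: fixed patterns for attacks we already know how to describe.
SIGNATURES = {
    "ssh_failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    ),
    "sudo_read_shadow": re.compile(r"COMMAND=.*/etc/shadow"),
}


def parse_syslog(line):
    """Return header fields plus message as a dict, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def signature_scan(records):
    """Signature-based: flag every record whose message matches a known pattern."""
    hits = []
    for rec in records:
        for rule, pattern in SIGNATURES.items():
            m = pattern.search(rec["msg"])
            if m:
                hits.append({"rule": rule, "host": rec["host"], **m.groupdict()})
    return hits


def threshold(history, k=3.0):
    """Baseline threshold: mean + k standard deviations of the historical counts."""
    return statistics.fmean(history) + k * statistics.stdev(history)


def anomaly_scan(records, history, k=3.0):
    """Anomaly-based: flag (host, program) pairs whose count in this window exceeds
    the baseline threshold. Pairs with no history are skipped: nothing to compare yet."""
    observed = Counter((r["host"], r["app"]) for r in records)
    flagged = []
    for key, past in history.items():
        thr = threshold(past, k)
        if observed[key] > thr:
            flagged.append({"host": key[0], "app": key[1],
                            "observed": observed[key], "threshold": round(thr, 2)})
    return flagged


def run(lines=SAMPLE_LOGS, history=BASELINE_HISTORY):
    """Parse, then apply both detection styles; returns a summary dict."""
    records = [r for r in map(parse_syslog, lines) if r]
    return {"records": len(records),
            "signature_hits": signature_scan(records),
            "anomalies": anomaly_scan(records, history)}


if __name__ == "__main__":
    result = run()
    print(f"parsed {result['records']} records")
    for hit in result["signature_hits"]:
        print("SIGNATURE", hit)
    for anomaly in result["anomalies"]:
        print("ANOMALY", anomaly)
```

Two things worth noticing when you run it: the signature rules fire on each matching line individually, whether there is one or a hundred, while the anomaly check only says something once the volume for web01/sshd (7 events) clears the baseline threshold (about 4.4). Note also that a baseline with zero variance, like the CRON job here, makes any single extra event an anomaly, which is why a baseline needs enough history to reflect normal fluctuation before it is trusted.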
Security Posture
The organization's current overall security status: the controls in place, how well they are configured, and how quickly weaknesses can be detected and fixed. Not the same as risk appetite, which is the amount of risk you are willing to accept
What is a protocol analyzer?
Captures and analyzes network traffic; the capture interface can run in promiscuous mode (captures every frame it sees) or non-promiscuous mode (only captures frames addressed to that specific machine)
Port Mirroring
One or more switch ports are configured to copy their traffic to another port on the switch (the mirror or SPAN port), where a monitoring device such as a protocol analyzer is attached
SNMP
Aids in monitoring network-attached devices and computers
Agents
Software that is loaded onto the system so you can manage it
SNMPv3
Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network (don't use v1 or v2c; they send the community string in cleartext)
Logs are considered as being part of ______
Auditing
Logs
Data files that contain the accounting and audit trail for actions performed by a user on the computer or network
Security Logs
Logon and logoff events, plus other audited actions such as privilege use and object access
System Logs
Events from OS components: service start/stop, driver failures, crashes, etc.
Application Logs
Events written by installed programs and third-party apps (OS component events go to the system log)
SYSLOG uses what port?
514 UDP (syslog over TLS uses 6514 TCP)
Log File Maintenance
Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backing up, securing and encrypting of the log files
Log files should not be saved on _________
the same device on which the logs are collected
Protecting Logs. How do you do it?
Save your logs to an encrypted folder on a separate log server, restrict who can write to it, and have good backup processes in place
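Encryption and backups keep logs confidential and recoverable, but on their own they do not tell you whether an entry was quietly altered or removed before the backup ran. The following added example (not from the original course material) shows one way to make a stored log tamper-evident: each record carries an HMAC over the previous record's MAC, its own sequence number, and its text, so editing or deleting one entry breaks every MAC after it, and a separately stored "head" MAC catches truncation of the tail. The key, the sample entries, and the function names are all constructed for the example; in practice the key would live with the collector, not on the device producing the logs.

```python
"""Tamper-evident log storage with an HMAC chain.

Added example, not from the original course material. The key and the
sample entries are constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = bytes(32)  # fixed "previous MAC" used for the very first record

# Constructed log entries (not real captures).
SAMPLE_ENTRIES = [
    "Mar 10 08:01:12 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5",
    "Mar 10 08:02:44 web01 sshd[2240]: Failed password for root from 203.0.113.7",
    "Mar 10 08:02:49 web01 sshd[2244]: Failed password for invalid user admin from 203.0.113.7",
    "Mar 10 08:03:01 db01 CRON[1820]: (root) CMD (/usr/local/bin/backup.sh)",
    "Mar 10 08:05:17 web01 sudo: deploy : USER=root ; COMMAND=/bin/cat /etc/shadow",
]


def _mac(key, prev, seq, entry):
    """HMAC-SHA256 over previous MAC || sequence number || entry text."""
    data = prev + seq.to_bytes(8, "big") + entry.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


def chain_records(entries, key):
    """Wrap each entry in a record whose MAC depends on everything before it."""
    records, prev = [], GENESIS
    for seq, entry in enumerate(entries):
        mac = _mac(key, prev, seq, entry)
        records.append({"seq": seq, "entry": entry, "mac": mac.hex()})
        prev = mac
    return records


def chain_head(records):
    """The last MAC; store it separately (e.g. on the collector) to detect truncation."""
    return records[-1]["mac"] if records else GENESIS.hex()


def verify_chain(records, key, expected_head=None):
    """Recompute the chain. Returns (ok, position): on failure, position is the
    index of the first record that could not be verified; on success, the count."""
    prev = GENESIS
    for seq, rec in enumerate(records):
        if rec.get("seq") != seq:          # a record was removed or reordered
            return False, seq
        try:
            stored = bytes.fromhex(rec["mac"])
        except (ValueError, KeyError, TypeError):
            return False, seq
        mac = _mac(key, prev, seq, rec["entry"])
        if not hmac.compare_digest(mac, stored):   # entry text or MAC was altered
            return False, seq
        prev = mac
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(records)         # tail records were dropped
    return True, len(records)


def demo(key=b"constructed-demo-key"):
    """Run the verifier against an intact chain and three tampering scenarios."""
    records = chain_records(SAMPLE_ENTRIES, key)
    head = chain_head(records)
    results = {"intact": verify_chain(records, key, head)}

    edited = json.loads(json.dumps(records))          # deep copy
    edited[2]["entry"] = edited[2]["entry"].replace("203.0.113.7", "10.0.0.5")
    results["edited"] = verify_chain(edited, key, head)

    deleted = records[:1] + records[2:]               # record 1 removed
    results["deleted"] = verify_chain(deleted, key, head)

    truncated = records[:-1]                          # last record removed
    results["truncated_no_head"] = verify_chain(truncated, key)
    results["truncated_with_head"] = verify_chain(truncated, key, head)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20s} ok={outcome[0]} position={outcome[1]}")
```

The "truncated_no_head" case is the one to remember: a chain with its tail cut off still verifies perfectly, because every surviving record is genuine. Only the separately stored head MAC exposes that something after record 3 used to exist, which is why the collector (or the SIEM) should record the head, or a signed count, out of reach of the host being logged.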
SIEM
A solution that provides real time or near real time analysis of security alerts generated by network hardware and applications
Syslog
Allows you to collect your logs and send them to a central server
SOAR
Security Orchestration, Automation, and Response - A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment (think of it as SIEM 2.0)
Playbook
A checklist of actions to perform to detect and respond to a specific type of incident
Runbook
An automated version of a playbook that leaves clearly defined interaction points for human analysis