Section 23.220 Alerting and Monitoring Activities Flashcards
Objective 4.4 Explain security alerting and monitoring concepts and tools
Alerting and monitoring utilises a wide range of activities
Log Aggregation
Collects and consolidates log data from various sources into a central location
● Aids in troubleshooting, performance monitoring, security analysis, and compliance
● Provides a holistic view of system events for identifying issues and correlations
● Vital for maintaining system health and analyzing performance trends
Used for…
○ Detecting security incidents
○ Investigating breaches
○ Gathering evidence
○ Compliance (auditors also need to review the logs)
Alerting
Involves setting up notifications for specific events or conditions
● Alerts can be triggered based on thresholds or anomalies
● Critical for proactive issue resolution, incident detection, and regulatory compliance
● Delivered through various channels, such as email, SMS, or push notifications
Scanning
Regularly examines systems, networks, or applications to identify vulnerabilities, misconfigurations, and issues
Scanning includes the following
Vulnerability scanning
Checks for vulnerabilities in systems, networks, or applications
■ Compares system’s state against a database of known vulnerabilities
Configuration scanning
Checks for misconfigurations that could impact system performance or security
■ Deviations are flagged for administrative review
Code Scanning
Checks the source code of an application for potential issues, such as security vulnerabilities or coding errors
● Utilises tools like Nessus, OpenVAS, and Qualys
● Helps maintain system health, security, and optimal performance
Reporting
Generates summaries or detailed reports based on collected and analysed data
● Provides insights into system performance, security incidents, compliance status, and more
● Essential for compliance reporting and continuous improvement
Archiving
Involves long-term storage of data, including…
○ Log data
○ Performance data
○ Incident data
● Ensures data is retained for future reference, analysis, auditing, or compliance
● Important for legal and regulatory requirements
● Can be achieved using cloud storage solutions like Amazon S3 or Google Cloud Storage
Alert Response and Remediation/Validation
Managing and resolving identified issues based on alerts or scans
● Begin by taking appropriate actions such as…
○ Investigating
○ Escalating
○ Initiating predefined procedures
Initial response may include investigation, escalation, or predefined procedures
● Remediation: involves taking steps to address vulnerabilities or issues, such as patching or reconfiguration
● Validation: verifies that remediation efforts were successful in addressing the identified problems
Quarantining
Isolates a system, network, or application suspected of being compromised
■ Prevents the spread of threats and limits potential impact
■ Commonly used when dealing with malware infections
Alert Tuning
Adjusts alert parameters to reduce errors, false positives, and improve alert relevance
■ Can involve changing alert thresholds, conditions, or delivery methods
■ Helps minimise excessive alerts and noise, making alerts more actionable