Security Operations 4.4

Question 1

Security Monitoring - Systems
What can be monitored?

Answer 1

Authentication - logins from strange places
Server monitoring - Service activity, backups software versions.
Applications - availability - uptime and response times
Data transfers - increases or decreases in rates.
Security notifications - from the developer/manufacturer.
Infrastructure - Remove access systems. Employees, vendors, guests

Question 2

Log aggregation

Answer 2

SIEM or SEM
Consolidate many different logs to a central database. Servers, firewall, VPN concentrators, SANs, cloud services.
Correlation between diverse systems.

Question 3

Scanning

Answer 3

A constantly changing threat landscape. Operating systems types and versions. Actively check systems and devices.

Question 4

Reporting

Answer 4

Analyse the collected data,
Status information, number of devices up to date/in compliance
Devices running older operating systems.

Question 5

Archiving

Answer 5

SIEM’s handle massive amounts of data. It would be too expensive to keep this dat in active storage and so they move it into offline archives. These are cheaper and can be restored later.

Question 6

Alerting - Real-time notification of security events.

Answer 6

Important to make sure that the alerts a fine tuned. To avoid false positives and false negatives.
SMS/Text messages to alert.

Question 7

False positive?

Answer 7

When a non-attack is recorded as an attack.

Question 8

False negative

Answer 8

A genuine attack not recorded by the systems.

Question 9

Quarantine

Answer 9

A foundational security response.

Question 10

SCAP

Answer 10

Security Content Automation Protocol.

Question 11

What is Security Content Automation Protocol.

Answer 11

Consolidates all vulnerabilities into a single language that all devices understand.

Maintained by the national institute of Standards and Technology (NIST)

Question 12

Using SCAP

Answer 12

Content can be shared between tools. The specification standard enables automation.
Automation types - ongoing monitoring,

Question 13

Benchmarks

Answer 13

Is is important to provide security best practices to everything. Operating systems, cloud providers, mobile devices etc.

Question 14

Agents/agentless

Answer 14

Device installed to check to see if the device is compliance.

Agents usually provide more detail as they are always monitoring for real time notifications.

Agentless runs without a formal install. Performs the check, the disappears.

Question 15

SIEM

Answer 15

Security information and event management
Log collection of security alerts
log aggregation and long term storage
data correlation

Question 16

DLP

Answer 16

Data loss prevention. Stop the data before the attacker gets it.
Often requires multiple solutions, Endpoint clients, cloud-based systems.

Question 17

SNMP (MIP)

Answer 17

Simple network management protocol.
Managers and monitors network devices such as routers and switches and provides reports back to the SNMP manager.

Often done in object identifiers. Values instead of specifics activity data.

Question 18

SNMP Trap

Answer 18

alerting or alarming process. When the trap fires an alert is raised and said to the management station over udp/162.

Question 19

Netflow

Answer 19

Standard for monitoring traffic flows and looking at statistics relating to application use.

Question 20

Vulnerability scanners

Answer 20

Gathers information on potential vulnerabilities. Minimally invasive.