Security Operations: Examining Security monitoring and alerting Flashcards
What are the three categories that require monitoring?
Application
System
Infrastructure
What options can you use for monitoring and measuring these computing resources?
Performance metrics
Anomaly Detection
Availability Metrics
Endpoint Detection and Response
Why do we use Performance metrics?
Used in the implementation of a security baseline, for example in user-experience scenarios.
For example, implementing database encryption can secure the database but has the potential to severely hinder performance and user experience. You could use performance metrics to detect this, and also to detect a compromise, since that is another scenario in which performance is a factor.
Why is anomaly detection important?
Anomaly detection: Through real-time monitoring, security professionals can implement rapid response mechanisms and procedures to help detect and control unexpected or unauthorized processes, requests, events, or chains of events.
Why are availability metrics critical?
Availability metrics: Provide crucial insights into the stability and performance of application-based computing resources, helping monitor and ensure seamless operation and minimal downtime.
Why is endpoint detection and response critical?
Endpoint detection and response: Actively identifies and responds to potential security threats and breaches at the endpoint level, providing real-time insights and remediation capabilities.
Why is alerting so important?
Alerting, which is crucial to security, is the process of generating notifications or alarms when suspicious or potentially malicious activities are detected within a network, system, or application.
These alerts serve as early warnings, allowing you to rapidly implement response mechanisms to threats, vulnerabilities, and attacks.
What tools can you utilize for alerts?
SCAP
SIEM
Antivirus
DLP
SNMPv3
NetFlow
Vulnerability scanners
Benchmark
What is SCAP?
Security Content Automation Protocol (SCAP): A standardized framework for expressing and measuring security-related information in a consistent manner, to support automated security-compliance checking and vulnerability management.
What is SIEM?
Security information and event management (SIEM): A comprehensive technology that enables organizations to collect, correlate, and analyze security data from various sources to effectively detect, alert, and respond to security incidents. It uses automation to provide log aggregation, alerting, reporting, alert response, remediation, and quarantining.
What is DLP?
Data loss prevention (DLP): A set of utilities and practices implemented to help protect an organization’s sensitive data through identifying, monitoring, and preventing unauthorized access or disclosure, both inside and outside an organization.
What is SNMPv3?
Simple Network Management Protocol (SNMP) traps: Messages sent by network devices to a central management system, providing real-time notifications about network events and issues. (Version 3 is recommended: mutual authentication and encryption.)
What is NetFlow?
NetFlow: Provides detailed information about network-traffic flow, assisting in the detection of anomalies and security threats.
What are vulnerability scanners?
Vulnerability scanners: Actively scan for and identify security weaknesses within a network or system, enabling rapid remediation to mitigate potential risks and threats.
What is a benchmark?
Benchmarks: Provide predefined performance and security standards. System and application performance can be compared against them to identify deviations and potential issues requiring remediation (e.g., Secure Score).