Week 1 Flashcards
What is Network Security Monitoring (NSM)?
The collection, detection, and analysis of network security data, providing the indications and warnings needed to detect and respond to intrusions.
Information Security is divided into what 4 domains?
Protect - focuses on securing systems to prevent exploitation
Detect - focuses on detecting compromises that are actively occurring or have already occurred. Network Security Monitoring belongs to this domain.
Respond - focuses on the response after a compromise has occurred
Sustain - deals with the management of the people, processes, and associated technology
What is the difference between being Vulnerability-centric and Threat-centric?
Vulnerability-centric focuses on the "how" (configuration and software weaknesses, i.e. prevention)
Threat-centric focuses on the "who" and "why" (adversaries); it requires visibility into the network and the collection and analysis of its data
What is the difference between NSM and Continuous Monitoring?
NSM is threat centric
CM is vulnerability-centric and should be seen as a complement to NSM, not a substitute for it or a variant of it
What three primary sections is NSM broken down into?
Collection
Detection
Analysis
Collection includes what tasks?
Defining where the largest amount of risk exists
Identifying threats
Identifying relevant data sources
Refining collection from those data sources
Configuring SPAN ports to collect packet data
Building SAN storage for log retention
Configuring data collection hardware and software
What are the most common categories of NSM data? (6)
Full content data / full packet capture (FPC)
Session data
Statistical data
Packet string (PSTR) data
Log data
Alert data
What is Full content Data?
Provides a full accounting of every data packet transmitted between two endpoints
Collects all information passed across the network
Makes exact copies of the traffic (pcap data format)
What is Session Data?
A summary of the communication between two endpoints
One of the most flexible and useful forms of NSM data
Does not provide the level of detail found in full packet data
Its small size allows it to be retained for a much longer time
What core elements exist in Session Data?
Timestamp
Source IP address
Source port
Destination IP address
Destination port
Protocol
Application
Bytes
See slide 29 for the image.
What is Statistical Data?
The organization, analysis, interpretation, and presentation of the other types of NSM data (for example, bytes per host or per protocol derived from session data)
What is Packet String Data?
Derived from FPC data
Exists as an intermediate data form between FPC data and session data
Provides more granularity than session data while maintaining a size that is more manageable than FPC data
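The three derived data types above (session, packet string, and statistical data) are easiest to understand by building them from full content data. The following is an added example, not code from the original flashcards: it starts from a few constructed packets, builds session records with the core elements listed above, extracts packet string data (HTTP request line and Host header, DNS query name), and computes one piece of statistical data. The `Packet` fields, the sample traffic, and the helper names are assumptions made for illustration.

```python
"""Added example (not from the original flashcards): derive session data,
packet string data and statistical data from constructed full content data.
The Packet fields, sample traffic and helper names are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    """One packet as it would appear in full content (pcap) data."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


# Constructed sample traffic: one HTTP request/response and one DNS query/response.
PACKETS = [
    Packet(1700000000.00, "10.0.0.5", 51234, "93.184.216.34", 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(1700000000.05, "93.184.216.34", 80, "10.0.0.5", 51234, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Packet(1700000001.00, "10.0.0.5", 40000, "10.0.0.2", 53, "udp",
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # DNS header
           b"\x07example\x03com\x00\x00\x01\x00\x01"),          # QNAME, type A, class IN
    Packet(1700000001.02, "10.0.0.2", 53, "10.0.0.5", 40000, "udp",
           b"\x12\x34\x81\x80" + b"\x00" * 20),
]


def flow_key(p):
    """Order-independent 5-tuple so both directions land in one session."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (p.proto,) + (a + b if a <= b else b + a)


def guess_application(p):
    """Crude application label from the server port (assumed mapping)."""
    return {80: "http", 443: "https", 53: "dns"}.get(p.dst_port, p.proto)


def build_sessions(packets):
    """Session data: one summary record per conversation carrying the core
    elements (timestamp, 5-tuple, application, bytes). The first packet seen
    defines the source (initiator) side of the record."""
    sessions = {}
    for p in sorted(packets, key=lambda x: x.ts):
        s = sessions.get(flow_key(p))
        if s is None:
            s = sessions[flow_key(p)] = {
                "timestamp": p.ts, "src_ip": p.src_ip, "src_port": p.src_port,
                "dst_ip": p.dst_ip, "dst_port": p.dst_port, "protocol": p.proto,
                "application": guess_application(p), "bytes": 0, "packets": 0,
            }
        s["bytes"] += len(p.payload)
        s["packets"] += 1
    return list(sessions.values())


def dns_qname(payload, offset=12):
    """Decode the length-prefixed labels of a DNS question name."""
    labels = []
    while payload[offset] != 0:
        n = payload[offset]
        labels.append(payload[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)


def packet_strings(packets):
    """Packet string data: the human-readable strings of interest from each
    packet (HTTP request/status line plus Host header, DNS query name),
    without keeping the full payload."""
    out = []
    for p in packets:
        if p.payload[:5] in (b"GET /", b"POST ", b"HEAD ") or p.payload.startswith(b"HTTP/"):
            lines = p.payload.split(b"\r\n")
            text = lines[0].decode("ascii", "replace")
            host = [l for l in lines[1:] if l.lower().startswith(b"host:")]
            if host:
                text += " " + host[0].decode("ascii", "replace")
            out.append((p.ts, p.src_ip, p.dst_ip, "http", text))
        elif p.dst_port == 53 and len(p.payload) > 12:
            out.append((p.ts, p.src_ip, p.dst_ip, "dns", dns_qname(p.payload)))
    return out


def bytes_by_source(sessions):
    """Statistical data: total bytes per source IP, derived from session data."""
    totals = Counter()
    for s in sessions:
        totals[s["src_ip"]] += s["bytes"]
    return dict(totals)
```

Note how each derived form trades detail for size: the two HTTP packets (90 payload bytes) collapse into one session record, the packet string data keeps only the request line and Host header, and the statistical summary is a single number per host. Real tools (Argus or Zeek for sessions, a PSTR generator for strings) do the same thing at scale.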
Describe Log Data
Generated by devices, systems, or applications
Includes web proxy logs, router and firewall logs, VPN authentication logs, Windows security logs, and syslog data
What is Alert Data?
The notification generated by a detection tool when it locates an anomaly within the data it is configured to examine
Contains a description of the alert along with a pointer to the anomalous data
Explain Detection
Alerts are generated based on unexpected events and data
Examples:
Snort and Bro (now Zeek) - network intrusion detection systems
OSSEC, AIDE, McAfee HIPS - host intrusion detection systems
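To make the alert-data and detection cards concrete, here is an added example (not code from the original flashcards or from any of the tools named above): two small detectors run over constructed log data, one signature-style match in the Snort model and one threshold-style check, each producing alert data that carries a description plus a pointer to the record that triggered it. The log formats, signatures, thresholds, and names are assumptions made for illustration.

```python
"""Added example (not from the original flashcards): detection logic over
constructed log data, producing alert data with a description and a pointer
to the anomalous record. Log formats, signatures, thresholds and names are
assumptions made for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed web proxy log lines: "<timestamp> <client> <method> <url> <status>".
PROXY_LOGS = [
    "2024-01-01T10:00:00 10.0.0.5 GET http://example.com/index.html 200",
    "2024-01-01T10:00:05 10.0.0.5 GET http://example.com/../../etc/passwd 404",
    "2024-01-01T10:00:09 10.0.0.7 GET http://cdn.example.net/update.exe 200",
    "2024-01-01T10:00:12 10.0.0.7 GET http://example.com/about.html 200",
]

# Constructed VPN authentication log lines.
VPN_LOGS = [
    "2024-01-01T10:01:00 vpn auth FAIL user=alice src=203.0.113.9",
    "2024-01-01T10:01:03 vpn auth FAIL user=bob src=203.0.113.9",
    "2024-01-01T10:01:04 vpn auth OK user=carol src=198.51.100.4",
    "2024-01-01T10:01:07 vpn auth FAIL user=dave src=203.0.113.9",
    "2024-01-01T10:01:09 vpn auth FAIL user=erin src=203.0.113.9",
]


@dataclass
class Alert:
    """Alert data: what was found, which data source, and a pointer
    (record index) so the analyst can pivot back to the evidence."""
    description: str
    source: str
    pointer: int
    evidence: str


# Signature-style detection (the Snort model): patterns that should not
# appear in expected traffic. Assumed signatures, not real rules.
SIGNATURES = [
    ("Directory traversal attempt in URL", re.compile(r"/\.\./")),
    ("Executable download over HTTP", re.compile(r"\.exe\b")),
]


def signature_detect(lines, source="proxy"):
    """Return one Alert per (record, signature) match."""
    alerts = []
    for i, line in enumerate(lines):
        for desc, pat in SIGNATURES:
            if pat.search(line):
                alerts.append(Alert(desc, source, i, line))
    return alerts


VPN_RE = re.compile(r"vpn auth (FAIL|OK) user=(\S+) src=(\S+)")


def failed_login_detect(lines, limit=3, source="vpn"):
    """Threshold-style detection: alert once per source IP when it reaches
    `limit` failed logins; the pointer is the record that crossed the line."""
    fails = Counter()
    alerts = []
    for i, line in enumerate(lines):
        m = VPN_RE.search(line)
        if not m or m.group(1) != "FAIL":
            continue
        src = m.group(3)
        fails[src] += 1
        if fails[src] == limit:
            alerts.append(Alert(f"{limit} failed VPN logins from {src}", source, i, line))
    return alerts


def run_detection():
    """Run both detectors and return the combined alert data."""
    return signature_detect(PROXY_LOGS) + failed_login_detect(VPN_LOGS)


if __name__ == "__main__":
    for a in run_detection():
        print(f"[{a.source}#{a.pointer}] {a.description}: {a.evidence}")
```

The pointer is the part that makes alert data useful for analysis: an alert on its own says only that something matched, while the pointer lets the analyst pull the matching log line, session, or packets from the collected data and decide whether the match is a true positive.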