Alerting and Monitoring (OBJ .)

Alerting and Monitoring

• Importance
  • Crucial for maintaining integrity, confidentiality, and availability of information systems
• Components
  • Alerting (notifying personnel of potential security incidents)
  • Monitoring (continuous observation to detect anomalies or threats)

Study Topics

• Types of Alerts

  • True Positive
    • Correctly identifies a legitimate issue
  • False Positive
    • Incorrectly indicates an issue when there isn't one
  • True Negative
    • Correctly recognizes the absence of an issue
  • False Negative
    • Fails to alert about a real issue

• Alerting System Goals

  • Maximize true positives
  • Minimize false positives to avoid alert fatigue

• Monitoring Types

  • Automated Monitoring
    • Software tools for scanning and analyzing
  • Manual Monitoring
    • Human personnel actively reviewing and analyzing

• Monitoring Resources

  • Overview of monitoring systems, applications, and infrastructure

• Alerting and Monitoring Activities

  • Log Aggregation
    • Collecting and centralizing log data
  • Alerting
    • Notification of potential security incidents
  • Scanning
    • Continuous examination for anomalies
  • Reporting
    • Generating reports on system and network status
  • Archiving
    • Storing historical data
  • Alert Response and Remediation/Validation
    • Responding to alerts and validating remediation

• Simple Network Management Protocol (SNMP)

  • Widely used in network management systems
  • Monitors and manages network devices
  • SNMP traps for setting up and collecting data

• Security Information and Event Management (SIEM)

  • Integrated management technologies for holistic security views
  • Collects and aggregates log data
  • Agent-based and Agentless Monitoring

• Data from Security Tools

  • Collection from various sources (Antivirus, DLP systems, NIDS, NIPS, firewalls, Vulnerability scanner)
  • Consolidation in a SIEM

• Security Content Automation and Protocol (SCAP)

  • Enables automated vulnerability management, measurement, and policy compliance evaluation

• Network Traffic Flows

  • A sequence of packets from source to destination
  • Identifiable by a unique set of identifiers
  • Crucial for understanding network usage patterns and detecting security threats

• Single Pane of Glass

  • Consolidates data from different sources into a unified display
  • Provides administrators with a comprehensive view