Security Monitoring
Because attackers are constantly attempting to access systems and services, doing this continuously is essential.
Includes tracking authentications, logins, service usage, and remote access to ensure all activity is legitimate.
Allows for quick responses to security events by reviewing account access, firewall rules, and scanning for unusual behavior.
Often, this information is compiled into dashboards to provide a clear, at-a-glance view of the organization’s current security posture.
Systems (MCR)
Authentications, people logging in, and you want to see where they may be logging in from.
If you start to see a lot of authentications from another country, and you don’t have any employees in that country, that could be a cause for concern.
You could also monitor the services that are running on these devices.
The type of activity and how much activity.
You can see if any backups have been completed on that device and what versions of software may be installed.
Could help you determine if a device needs to be patched.
Log Aggregation
Monitoring diverse systems can be difficult due to different log formats and data types.
A Security Information and Event Manager (SIEM) helps by centralizing logs from firewalls, servers, routers, switches, and other devices into one database.
Makes it easier to generate reports and correlate events across systems.
For example, you could track a user's VPN login and follow their actions on the network, or monitor access to applications.
Also helps track data transfer trends.
Checking for availability and making sure these systems remain running should be a major part of our monitoring.
Applications (MCR)
Many security breaches have been identified by monitoring the amount of traffic that has been transferred.
If you start to see a lot of traffic suddenly being transferred that is well above the norm, that could indicate that an attacker is attempting to exfiltrate data.
You also want to keep the lines of communication (notifications) open with the software developers or manufacturers of these applications.
Infrastructure (MCR)
Firewalls and intrusion prevention systems can also be a very good source of information.
If you suddenly see a large spike of attacks, that could give you a warning that someone is trying to gain access to your systems.
Monitor the ongoing activity.
You might have remote access systems where people are connecting using the VPN.
You might want to know how many of those connecting are employees, how many are vendors, and how many are guests.
Scanning
New vulnerabilities are discovered regularly, and devices like laptops and phones are constantly moving.
Continuously monitor information on all these devices by doing this.
Can collect data on operating systems, driver versions, installed applications, and potential anomalies.
Generates large amounts of data; the goal is to collect as much detail as possible for later analysis and reporting.
Reporting
Provide detailed insights into the current status of systems on the network.
Often serve as guidance for next steps—these are known as actionable reports.
Might highlight which devices are compliant with security patches and, more importantly, which are not.
Can also identify outdated operating systems or assess exposure to newly discovered vulnerabilities.
Can be quickly generated and customized.
Including ad hoc reports for "what-if" scenarios that help plan for potential future threats.
Archiving
Unlike in movies, real-world breaches often go undetected for months.
A 2022 IBM report found it takes about nine months on average to identify and contain a breach.
During this time, attackers can quietly explore and entrench themselves within a network.
Highlights the critical need for long-term data archiving—not just for operational or legal compliance, but also to trace and analyze attacker behavior over extended periods.
Alerting
Real-time notifications about suspicious or critical activity within a network.
Based on predefined conditions—such as unexpected data transfers to external sites.
Instead of relying on someone to review logs later, these can be sent immediately via SMS, email, or to a dedicated security operations center (SOC).
Allows the security team to quickly investigate and respond, minimizing potential damage.
Alert Response and Remediation
When an alert is triggered, the response may involve isolating the affected system to stop an attack from spreading.
Quarantining helps contain the threat by cutting off the compromised system from others on the network.
Crucial that alerts are accurate.
A false positive is an alert for a non-issue, while a false negative is a missed detection.
Refining the alert system to reduce these inaccuracies is an ongoing task.
Afterwards, security teams can confidently act on alerts and make quick, informed decisions to mitigate threats.