What does SIEM stand for and what does this do?
SIEM stands for Security Information and Event Manager. This is used for centralized reporting and for consolidating logs from different devices into a single centralized database.
What is Ad hoc reporting?
This is a special report used for quick decisions and for unique situations. This report isn’t a scheduled report and is useful when trying to make a quick decision.
What is alert tuning?
This is a term used to describe trying to balance out false positives and false negatives. It’s important to balance these out, as you want to make sure the alerts you’re getting are legit rather than constantly being alerted by something.
What does SCAP stand for and what does this do?
SCAP stands for Security Content Automation Protocol. This is a framework designed by NIST to allow tools to identify and act on the same criteria when identifying threats. Devices such as NGFWs, IPSs and vulnerability scanners may have their own way to identify threats, but SCAP allows all these devices to work together and helps ensure these devices are using the compliance standard.
What is a benchmark?
A benchmark refers to a set of best practices, guidelines, or configuration standards designed to help organizations secure their IT systems and applications. These benchmarks are typically created by cybersecurity organizations or government agencies and provide detailed instructions on how systems should be configured to reduce vulnerabilities and maintain compliance with security policies. Benchmarks can be viewed at https://www.cisecurity.org/cis-benchmarks
What does DLP stand for?
DLP stands for Data Loss Prevention.