Firewall
A security device that monitors and controls network traffic based on predetermined rules.
Stateless Firewall
The most basic type of firewall, which filters every packet based on data such as the source and destination IP and port, the protocol, and other technical information
Stateful Firewall
A type of basic firewall that pays attention to the state of traffic between systems, tracking it in a state table and using that information to make decisions, so that a conversation can continue once it has been approved
Screened Subnet (DMZ)
Network zones that contain systems that are exposed to less trusted areas and are commonly used to contain web servers or other Internet-facing devices
Trend
Patterns in network security threats and attacks
Signature
Patterns of known malicious activity used by IDS/IPS systems to identify and block threats
Web Filter
Centralized proxy devices or agent-based tools that allow or block traffic based on content rules, sometimes called content filters
Agent-Based Web Filter
A type of web filter that requires software installation on devices to enforce content filtering
Centralized Proxy
Agentless web filters that have traffic routed through them
Universal Resource Locator (URL) Scanning
A web filtering action where malicious URLs, domains, or hosts are blocked
Content Categorization
A capability provided by web filters where URLs with common categories, such as adult material, business, or child-friendly material, can be allowed or blocked
Block Rules
A web filter capability that can stop systems from visiting sites that are in an undesired category or have been blocked due to reputation, threat, or other reasons
Reputation
A measure of the trustworthiness or reliability of a website or IP address based on historical data.
Group Policy
A Windows tool that provides the ability to control settings of numerous connected devices running Windows through Group Policy Objects (GPOs), such as disabling the guest account or setting password rules
SELinux
Security-Enhanced Linux, a Linux kernel-based security module that provides additional security capabilities and options on top of existing Linux distributions, such as mandatory access control that can be enforced at the user, file, system service, and network layers
Implementation of Secure Protocols
Ensuring that communications and services are secure, like using HTTPS instead of HTTP or using SSH instead of Telnet
Protocol Selection
Choosing the appropriate network protocol based on the needs of the organization as well as security requirements and compatibility
Port Selection
Choosing specific network ports for communication based on security and functionality needs
Transport Method
Finding a secure way to transmit data between devices, like selecting and requiring appropriate versions of protocols like TLS for wired or wireless communication
DNS Filtering
Uses a list of prohibited domains, subdomains, and hosts and replaces the correct response with an alternate DNS response, often to an internal website that notes that the access was blocked and what to do about the block
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
An email protocol that determines whether an email message is authentic by quarantining messages that are not sent by DMARC-supporting senders; it gives the user the choice to accept or reject the message
DomainKeys Identified Mail (DKIM)
An email authentication method that signs both the body of the message and elements of the header to ensure that the message is actually from the organization it claims to be from
Sender Policy Framework (SPF)
An email authentication technique that allows organizations to publish a list of their authorized email servers; these records specify which systems are allowed to send email from which domain, and those not listed in the SPF record will be rejected
Gateway
A device designed to filter both inbound and outbound email, providing phishing protection, email encryption, attachment sandboxing, ransomware protection functions, URL analysis, and threat feed integration
File Integrity Monitoring
A security tool that creates a signature or fingerprint for a file, and then monitors it and the filesystem for changes and either reports the changes or restores them back to normal
Network Access Control (NAC)
A technology that focuses on determining whether a system or device should be allowed to connect to a network; it can be agent-based or agentless, and can check the system's security and place it in a quarantine network or reject it outright
Endpoint Detection and Response (EDR)
Security tools that combine monitoring capabilities on endpoint devices and systems using a client or software agent with network monitoring and log analysis capabilities to collect, correlate, and analyze events
Extended Detection and Response (XDR)
Similar to EDR, but has a broader perspective and takes into account not just endpoints but the entire organization's technology stack, including cloud services, security services, and email services, while also leveraging detection algorithms and AI to analyze the data to find issues
User Behavior Analytics
The analysis of user actions and behavior to detect and prevent security threats or anomalies.