4.4 - CompTIA Security+

Monitoring computing resources

Systems

Applications

Activities

Log aggregation

  • Log aggregation: Parsing information from multiple log and security event data sources so that it can be presented in a consistent and searchable format.

Alerting

  • Alerting: Determining/detecting events that should be investigated as potential incidents.

Scanning

  • Scanning: The process of identifying open ports and services on a host to assess vulnerabilities and security posture.

Reporting

  • Reporting: Managerial control that provides insight into the status of the security system. A SIEM can assist with this activity by exporting summary statistics and graphs.

Archiving

  • Archiving: Retaining log and event data in long-term storage after it is no longer needed for active monitoring, so that it remains available for later investigations, audits, and compliance with retention requirements. A SIEM can assist with this activity by moving older data to lower-cost storage while keeping it searchable.

Alert response and remediation/validation

Quarantine

  • Quarantine: The process of isolating an IoC source, such as a network address, host computer, or file.

Alert tuning

  • Alert tuning: The process of adjusting detection and correlation rules to reduce the incidence of false positives and low-priority alerts.

Tools

Security Content Automation Protocol (SCAP)

  • Security Content Automation Protocol (SCAP): A NIST standard that expresses vulnerability and configuration information in a single common language so that all compliant tools and devices can exchange and interpret it consistently.

Benchmarks

  • Benchmarks: Predefined security configurations provided by organizations such as the Center for Internet Security (CIS) to guide secure system setups.

Agents/agentless

  • Agent-based software: Software components installed on devices to collect and report security-related data back to a central management system, enabling continuous monitoring and compliance assessment.

  • Agentless software: Security solutions that do not require software installation on devices; instead, they utilize existing protocols to gather data, providing a streamlined approach to monitoring and protecting systems.

Security information and event management (SIEM)

  • Security Information and Event Management (SIEM): A comprehensive solution that aggregates and analyzes security data from diverse sources, enabling organizations to detect incidents, respond to threats, and maintain compliance through real-time monitoring.

Antivirus

  • Antivirus: Software responsible for identifying, quarantining, and removing malware from computer systems.

Data loss prevention (DLP)

  • Data loss prevention (DLP): Software used to monitor, flag, and remove data/traffic that contains sensitive information.

Simple Network Management Protocol (SNMP) traps

  • Simple Network Management Protocol (SNMP) traps: Unsolicited notifications sent by SNMP-managed devices to a management console when a specific event occurs or a threshold is crossed, allowing the console to learn about the condition without polling the device.

NetFlow

  • NetFlow: A network protocol developed by Cisco for collecting and monitoring network traffic flow data, providing insights into bandwidth usage and helping identify potential security incidents. It functions by using a probe (exporter) to collect traffic information and a collector to create network traffic reports.

Vulnerability scanners

  • Vulnerability scanners: Software that reports the total number of unmitigated vulnerabilities for each host, and can consolidate results to evaluate issues with patches and configurations.