4.4: Explain security alerting and monitoring concepts and tools

Key Concepts in Security Controls

  • Types of Security Controls: Various controls can protect networks, hosts, and data, all generating log data and alerts.

  • Cybersecurity Challenges: Collecting and reviewing output from security controls is a primary challenge in cybersecurity for professionals.

  • Monitoring and Alerting Systems: Security professionals need to explain how to configure systems for effective monitoring and alerting of these data sources.

Security Information and Event Management (SIEM)

  • Definition: Software that assists in managing security data inputs and provides reporting and alerting.

  • Core Function: To collect and correlate data from various sources such as network sensors and appliance/host/application logs.

  • Data Sources: Includes logs from:

    • Windows and Linux-based hosts

    • Switches

    • Routers

    • Firewalls

    • Intrusion Detection Systems (IDS)

    • Packet sniffers

    • Vulnerability scanners

    • Malware scanners

    • Data Loss Prevention (DLP) systems.

  • Dashboard Features: Configurable dashboards provide a high-level overview of network security metrics.

Data Collection Methods in SIEM

Agent-Based Collection
  • Definition: Involves installing an agent service on each host that filters, aggregates, and normalizes log data before sending it to the SIEM.

  • Resource Usage: Agents typically consume 50–500 MB of RAM, depending on host activity.

Listener/Collector Collection
  • Definition: Hosts are configured to push their log data to the SIEM server, with no agent installed on the host.

  • Common Use: Typically used for collecting logs from switches and routers, often utilizing Syslog protocol for log forwarding.

Sensor Collection
  • Definition: Involves capturing packet data and traffic flow using sniffer devices which can record network data directly.

  • Methods: Uses mirror port functionalities or taps on network media.

Log Aggregation

  • Definition: The normalization of data from various sources to ensure consistency and searchability within the SIEM.

  • Importance of Parsers: Each data source needs its own parser to extract the relevant attributes and map them to the standard fields used in analysis.

  • Time Normalization: Ensures all logs reflect a consistent chronological timeline.

Correlation of Security Events

  • Definition: The process of interpreting relationships between data points to identify significant security incidents.

  • Correlation Rules: Statements that match certain conditions using logical expressions (AND, OR) and operators (e.g., ==, <, >).

    • Example: A single login failure should not generate alerts, but multiple failures for the same account in one hour should trigger investigation.
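The parser-plus-correlation pipeline described under Log Aggregation and Correlation above, as an added example that is not part of the study notes: two source-specific parsers normalize constructed Linux and Windows log lines (hypothetical hosts, users and addresses) into standard fields with UTC timestamps, and a rule then alerts when one account accumulates three or more failures within one hour.

```python
"""Added example (not from the study notes): source-specific parsers map two
log formats to standard fields with UTC time, then a correlation rule alerts on
>= threshold failures for the same account inside a one-hour window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample lines (hypothetical hosts, users and addresses).
SAMPLE_LOGS = [
    ("linux", "2024-05-01T09:00:05-04:00 srv1 sshd: Failed password for alice from 10.0.0.5"),
    ("windows", "05/01/2024 13:20:10 UTC EventID=4625 Account=alice Source=10.0.0.5"),
    ("linux", "2024-05-01T09:45:00-04:00 srv2 sshd: Failed password for alice from 10.0.0.9"),
    ("linux", "2024-05-01T12:00:00-04:00 srv1 sshd: Failed password for bob from 10.0.0.7"),
    ("windows", "05/01/2024 13:50:00 UTC EventID=4625 Account=alice Source=10.0.0.5"),
]
LINUX_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) UTC EventID=4625 "
                    r"Account=(?P<user>\S+) Source=(?P<src>\S+)")

def parse_event(source, line):
    """Parser per data source: map to standard fields, normalize time to UTC."""
    if source == "linux":
        m = LINUX_RE.match(line)
        if m is None:
            return None
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)  # local offset -> UTC
    elif source == "windows":
        m = WIN_RE.match(line)
        if m is None:
            return None
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    else:
        return None
    return {"time": ts, "user": m["user"], "src_ip": m["src"], "event": "auth_failure"}

def correlate_failed_logins(events, threshold=3, window=timedelta(hours=1)):
    """Rule: event == auth_failure AND same user AND count >= threshold in window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            by_user[e["user"]].append(e["time"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(user)  # one alert per account, not one per failure
                break
    return alerts
```

Without the time normalization, alice's 09:00 local and 13:20 UTC failures would look 4 hours apart and the rule would miss them.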

Alerting and Monitoring Activities

  • Functionality of SIEM: Facilitates alerting, reporting, and archiving after data collection and aggregation.

  • Single Pane of Glass: Refers to the consolidated view provided by the SIEM for managing security activities.

  • Threat Intelligence Feed: Integrates known threat actor indicators with the network's collected data for enhanced alerting capabilities.

Alert Response and Remediation

  • Incident Response Process: Includes analysis, containment, eradication, and recovery related to alerts.

  • Validation: Analysts determine whether an alert is a true positive or a false positive.

  • Quarantine: Involves isolating indicators of compromise (e.g., network addresses, hosts, files).

  • Automation Advantages: SIEM systems can automate validation and remediation processes via integrations with other security products.

Reporting Functionality

  • Purpose: Provides managerial insight into the security system's status.

  • Types of Reports:

    • Executive Reports: High-level summaries for decision-makers.

    • Manager Reports: Detailed operational data for cybersecurity leaders.

    • Compliance Reports: Information as required by regulatory agencies.

  • Typical Reporting Metrics:

    • Authentication data, privileged user account anomalies, incident statistics, and trend analyses.

Archiving and Data Retention

  • Retention Policy: Ensures historical data is maintained for defined periods for forensic evidence or compliance needs.

  • Log Rotation Scheme: Manages data to prevent performance degradation of SIEM by archiving outdated information.

Alert Tuning and Management

  • Need for Alert Tuning: Helps reduce false positives that waste analysts' time and can lead to alert fatigue.

  • Consequences of Alert Fatigue: Analysts may overlook serious incidents due to being overwhelmed by low-priority alerts.

  • False and True Negatives: Both matter when assessing alerting performance; a true negative is a legitimate event that correctly raised no alert, while a false negative is a real threat the system failed to alert on.

Strategies for Reducing False Positives
  • Machine Learning (ML): Analyzes data sets produced by SIEM to adjust alert rules dynamically.

  • Rule Refinement: Adjust parameters based on feedback from analysts.

  • Dedicated Group Handling: Redirect high-volume alert types to a specialized team so they do not flood the main analysts' dashboards.

  • Continuous Monitoring: Oversight of alert volume and analyst feedback to adjust sensitivity.

Infrastructure Monitoring

  • Network Monitor vs. SIEM: Network monitors collect data about the health of network infrastructure but do not analyze traffic patterns in the same context as SIEM.

  • Usage of SNMP: Simple Network Management Protocol (SNMP) is used to monitor network appliances and detect issues.

NetFlow Monitoring
  • Definition: Cisco-developed method for reporting network flow information to a structured database; the IETF standardized version is IPFIX.

  • Flow Collector: Records metadata about traffic instead of each frame.

  • 5-Tuple Definition: Key information defining a traffic flow: Source address, destination address, protocol, source port, destination port.

    • 7-Tuple: Adds input interface and IP type of service information.
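The flow collector behaviour described above, as an added example that is not part of the study notes: constructed packet headers (hypothetical addresses and interfaces) are keyed by the 5-tuple or the 7-tuple, and only per-flow metadata is kept rather than every frame.

```python
"""Added example (not from the study notes): a minimal flow collector that
keys constructed packet headers by the 5-tuple (or 7-tuple) and keeps
per-flow metadata instead of storing every frame."""
from collections import namedtuple
from dataclasses import dataclass

# Constructed packet headers; iface and tos are only used by the 7-tuple key.
Packet = namedtuple("Packet", "ts iface src dst proto sport dport tos length")
SAMPLE_PACKETS = [
    Packet(1.00, "eth0", "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, 0x00, 60),
    Packet(1.02, "eth1", "192.0.2.10", "10.0.0.5", "tcp", 443, 51000, 0x00, 60),
    Packet(1.05, "eth0", "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, 0x00, 1400),
    Packet(1.10, "eth0", "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, 0x10, 1400),
    Packet(2.00, "eth0", "10.0.0.5", "198.51.100.7", "udp", 40000, 53, 0x00, 70),
]

@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0

def flow_key(pkt, seven_tuple=False):
    """5-tuple: src, dst, proto, sport, dport; 7-tuple adds input interface and ToS."""
    key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return key + (pkt.iface, pkt.tos) if seven_tuple else key

def collect_flows(packets, seven_tuple=False):
    """Aggregate packets into flows (no timeout/FIN expiry, a simplification)."""
    flows = {}
    for pkt in packets:
        rec = flows.setdefault(flow_key(pkt, seven_tuple),
                               FlowRecord(first_seen=pkt.ts, last_seen=pkt.ts))
        rec.packets += 1
        rec.octets += pkt.length
        rec.first_seen = min(rec.first_seen, pkt.ts)
        rec.last_seen = max(rec.last_seen, pkt.ts)
    return flows

def top_talkers(flows, n=2):
    """Flows ranked by bytes, the kind of summary a SIEM dashboard would show."""
    return sorted(flows.items(), key=lambda kv: kv[1].octets, reverse=True)[:n]
```

Note that the 7-tuple splits the 10.0.0.5 to 192.0.2.10 conversation into two flows because one packet carries a different ToS value.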

System Monitoring

  • Functionality: Provides the same kind of health reporting for computer hosts that network monitors provide for infrastructure.

  • Log Importance: Logs are crucial for diagnosing issues and providing security audit trails.

Antivirus and Endpoint Protection
  • Modern Solutions: Emphasis on endpoint protection platforms (EPPs) over traditional antivirus (A-V) solutions, incorporating AI and behavior analytics for threat detection.

Vulnerability Management and Compliance Scanning

  • Function of Vulnerability Scanners: Assess configurations and settings against established benchmarks to identify vulnerabilities or misconfigurations.

  • SCAP Overview: Security Content Automation Protocol (SCAP) facilitates automated compliance scanning and vulnerability assessment.

    • OVAL and XCCDF: XML schemas used to determine system security status and best-practice configurations.