Security Monitoring - 4.4
Summary
Security monitoring involves overseeing infrastructure, systems, and applications to detect and respond to potential threats. Tools like SIEM systems aggregate logs, trigger real-time alerts, and perform scanning to assess security posture. Activities include alert response, quarantining compromised systems, and tuning alerts to minimize false positives and negatives while ensuring accurate threat detection.
Notes:
Monitoring Computing Resources
- Infrastructure: Monitoring the foundational hardware that makes up the network, including firewalls, routers, server hardware, and other networking devices.
- Systems: Monitoring the operating system-level components that run on the infrastructure, such as server logs, OS events, and system processes.
- Applications: Monitoring the applications running on the systems, such as file transfers, application errors, and client traffic.
Activities
- Use of a SIEM (Security Information and Event Management) System: A system that aggregates and correlates logs from infrastructure, systems, and applications into a centralized location, making it easier to monitor and analyze data from distinct sources.
- Alerting: Real-time notifications triggered when a security abnormality or potential threat is detected.
- Scanning: Real-time scanning of devices and systems to assess their configurations, security posture, vulnerabilities, and other critical data that may impact overall security.
- Reporting: Generating logs that detail activities occurring on the network, including security events, operational performance, and anomalies.
- Archiving: Long-term retention of log data, often required for regulatory compliance and forensics, ensuring data is preserved for future analysis.
- Alert Response and Remediation / Validation:
  - Quarantine: Isolating compromised systems or abnormal activities to prevent the spread of threats or further damage to the network.
  - Alert Tuning: Adjusting alert configurations to reduce the number of false positives and false negatives, ensuring that alerts are accurate and actionable.
    - True Positive: Correct identification of a threat as a threat.
    - False Positive: Incorrect identification of a non-threat as a threat.
    - True Negative: Correct identification of a non-threat as a non-threat.
    - False Negative: Incorrect identification of a threat as a non-threat.
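The two ideas above, SIEM log aggregation/correlation and alert tuning measured by true/false positives and negatives, fit together in one small worked example. The following Python is an added illustration, not code from the original notes or from any SIEM product: it normalizes constructed log lines from three sources (firewall, OS authentication log, application), runs one correlation rule (several failed logins followed by a success for the same user and source address), and then scores the resulting alerts against constructed analyst ground truth so the effect of raising the rule's threshold on false positives versus false negatives can be seen. All log lines, user names, IP addresses, and the `GROUND_TRUTH` labels are constructed sample data.

```python
"""Toy SIEM pipeline: aggregate -> correlate -> evaluate (alert tuning).

Added example, not from the original notes. All log data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three distinct sources.
# Format: <source> <ISO timestamp> key=value ...
SAMPLE_LOGS = [
    "fw   2024-05-01T10:00:01 src=203.0.113.7 dst=10.0.0.5 action=ALLOW port=22",
    "auth 2024-05-01T10:00:02 user=alice src=203.0.113.7 result=FAIL",
    "auth 2024-05-01T10:00:05 user=alice src=203.0.113.7 result=FAIL",
    "auth 2024-05-01T10:00:09 user=alice src=203.0.113.7 result=FAIL",
    "auth 2024-05-01T10:00:12 user=alice src=203.0.113.7 result=SUCCESS",
    "app  2024-05-01T10:01:00 user=alice path=/export status=200",
    "auth 2024-05-01T11:00:00 user=bob src=10.0.0.20 result=FAIL",
    "auth 2024-05-01T11:00:30 user=bob src=10.0.0.20 result=FAIL",
    "auth 2024-05-01T11:01:00 user=bob src=10.0.0.20 result=SUCCESS",
    "auth 2024-05-01T12:00:00 user=carol src=10.0.0.21 result=SUCCESS",
    "auth 2024-05-01T13:00:00 user=dave src=198.51.100.9 result=FAIL",
    "auth 2024-05-01T13:00:20 user=dave src=198.51.100.9 result=FAIL",
    "auth 2024-05-01T13:00:40 user=dave src=198.51.100.9 result=SUCCESS",
]

# Constructed analyst verdicts per (user, source IP): True = real compromise.
# alice: confirmed brute force; bob: user mistyped password; carol: normal;
# dave: confirmed compromise that only needed two failed attempts.
GROUND_TRUTH = {
    ("alice", "203.0.113.7"): True,
    ("bob", "10.0.0.20"): False,
    ("carol", "10.0.0.21"): False,
    ("dave", "198.51.100.9"): True,
}


def parse_event(line):
    """Normalize one raw log line into a common event schema."""
    source, ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"source": source, "ts": datetime.fromisoformat(ts), "fields": fields}


def aggregate(lines):
    """Aggregation step: parse every source's lines and order them by time."""
    return sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])


def correlate_brute_force(events, threshold=3, window_seconds=300):
    """Correlation rule: SUCCESS for (user, src) preceded by >= threshold FAILs
    within window_seconds. Returns the set of (user, src) keys that fired."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)  # (user, src) -> timestamps of failed logins
    alerts = set()
    for ev in events:
        if ev["source"] != "auth":  # only the OS auth log feeds this rule
            continue
        key = (ev["fields"]["user"], ev["fields"]["src"])
        if ev["fields"]["result"] == "FAIL":
            fails[key].append(ev["ts"])
        elif ev["fields"]["result"] == "SUCCESS":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.add(key)
            fails[key].clear()  # a success closes the attempt sequence
    return alerts


def evaluate(alerts, ground_truth):
    """Score fired alerts against analyst verdicts: TP / FP / TN / FN counts."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for key, malicious in ground_truth.items():
        fired = key in alerts
        if fired and malicious:
            counts["tp"] += 1
        elif fired and not malicious:
            counts["fp"] += 1
        elif not fired and malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    events = aggregate(SAMPLE_LOGS)
    for threshold in (2, 3):
        fired = correlate_brute_force(events, threshold=threshold)
        print(f"threshold={threshold} alerts={sorted(fired)} "
              f"scores={evaluate(fired, GROUND_TRUTH)}")
```

Running it shows the tuning trade-off directly: with a threshold of 2 failed logins the rule catches both real compromises but also flags bob's typo (one false positive); raising the threshold to 3 removes that false positive but misses dave's low-noise compromise (one false negative). Real tuning is the same loop, with the rule's parameters adjusted against analyst-validated verdicts rather than constructed ones.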