
CompTIA Security+ (SY0-601): Monitoring & Auditing

Information Technology · 20 cards · Created about 2 months ago

This section explores different types of monitoring—signature-based, anomaly-based, and behavior-based—as well as essential concepts like baselining system performance and understanding how protocol analyzers operate in promiscuous versus non-promiscuous modes for traffic analysis.

Key Terms

Monitoring Types

Signature-based
Network traffic is analyzed for predetermined attack patterns

Anomaly-based
A baseline is established and any network traffic that is outside of the baseline is evaluated

Behavior-based
Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system

Baselining

Process of establishing a reference measurement of normal performance and configuration for networking, hardware, software, and applications, so that later changes or deviations can be measured against it

Perfmon.exe = Windows Performance Monitor
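The three monitoring types and the baselining card above are easiest to tell apart in code. The following Python example is added here and is not part of the original deck; the signature rules, the per-minute request counts and the process-spawn events are all constructed for illustration. It shows a signature match against fixed patterns, a baseline built from a learning window with anomalies flagged as outliers against it, and a behavior profile of parent/child processes that flags any pairing not seen before.

```python
import re
import statistics
from typing import Dict, Iterable, List, Set, Tuple

# --- Signature-based: match traffic against predetermined attack patterns ---
# Deliberately small, constructed rule set (hypothetical rule names).
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "sqli_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path_traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "cmd_injection": re.compile(r";\s*(?:cat|wget|curl|nc)\b", re.IGNORECASE),
}


def signature_matches(request: str) -> List[str]:
    """Return the names of every signature the request line triggers."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


# --- Baselining + anomaly-based: learn "normal", then flag what falls outside it ---
def build_baseline(counts: Iterable[int]) -> Tuple[float, float]:
    """Baseline = mean and sample standard deviation of per-minute request counts
    observed during a learning window (Performance Monitor counters could feed
    the same function)."""
    data = list(counts)
    return float(statistics.mean(data)), statistics.stdev(data)


def is_anomalous(count: int, baseline: Tuple[float, float], k: float = 3.0) -> bool:
    """Flag a count more than k standard deviations above the baseline mean."""
    mean, stdev = baseline
    return count > mean + k * stdev


# --- Behavior-based: compare current activity with the system's past behavior ---
def learn_behavior(events: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Build a profile of which child processes each parent has spawned before."""
    profile: Dict[str, Set[str]] = {}
    for parent, child in events:
        profile.setdefault(parent, set()).add(child)
    return profile


def behavior_deviations(events: Iterable[Tuple[str, str]],
                        profile: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs never observed during the learning period.
    A parent with no history at all is treated as a deviation too."""
    return [(p, c) for p, c in events if c not in profile.get(p, set())]


if __name__ == "__main__":
    # Constructed sample data, not a real capture.
    for req in ("GET /index.html", "GET /search?q=' OR '1'='1", "GET /../../etc/passwd"):
        print(req, "->", signature_matches(req))
    baseline = build_baseline([100, 110, 95, 105, 100, 90])   # learning window
    for minute_count in (115, 400):
        print(minute_count, "requests/min anomalous:", is_anomalous(minute_count, baseline))
    profile = learn_behavior([("explorer.exe", "chrome.exe"),
                              ("explorer.exe", "winword.exe"),
                              ("winword.exe", "splwow64.exe")])
    print(behavior_deviations([("winword.exe", "powershell.exe"),
                               ("explorer.exe", "chrome.exe")], profile))
```

The anomaly check depends entirely on how clean the learning window was: if the baseline is captured while an attack is already under way, that traffic becomes "normal" and is never flagged.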

Security Posture

Risk level to which a system or other technology element is exposed

Protocol Analyzers: Promiscuous Mode

Network adapter passes every frame it sees on the wire up to the analyzer, regardless of the destination MAC address. On a switched network this still only covers what the switch forwards to that port (frames for the adapter's own MAC, broadcast, and flooded multicast), so full visibility of other hosts' traffic needs a SPAN/mirror port or a network TAP

Protocol Analyzers: Non-promiscuous Mode

Network adapter only passes up frames addressed to its own MAC address, plus broadcast frames and any multicast groups it has joined; everything else is dropped by the NIC before the analyzer ever sees it
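To make the two modes concrete, the Python below emulates a NIC's receive filter over a handful of constructed Ethernet frames. It is an added example, not content from the original deck; the MAC addresses and frames are made up. In non-promiscuous mode only frames for the adapter's own address, the broadcast address, or a joined multicast group get through; in promiscuous mode everything does.

```python
from typing import Iterable, List, Tuple

BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Assemble a minimal Ethernet II frame (no FCS) for the examples below."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload


def parse_ethernet(frame: bytes) -> Tuple[bytes, bytes, int]:
    """Split the 14-byte header into (dst MAC, src MAC, EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    return frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool,
                multicast_groups: Iterable[bytes] = ()) -> bool:
    """Emulate the adapter's receive filter.

    Promiscuous: every frame on the wire is handed to the analyzer.
    Non-promiscuous: only frames to our unicast MAC, the broadcast address,
    or a multicast group we have joined (I/G bit of the first byte set).
    """
    dst, _, _ = parse_ethernet(frame)
    if promiscuous:
        return True
    if dst == own_mac or dst == BROADCAST:
        return True
    return bool(dst[0] & 0x01) and dst in set(multicast_groups)


def capture(frames: List[bytes], own_mac: bytes, promiscuous: bool,
            multicast_groups: Iterable[bytes] = ()) -> List[int]:
    """Indexes of the frames the capture adapter would pass to the analyzer."""
    return [i for i, f in enumerate(frames)
            if nic_accepts(f, own_mac, promiscuous, multicast_groups)]


# Constructed traffic on the segment (not a real capture).
OWN = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_frame(OWN, "00:aa:bb:cc:dd:01"),                          # 0: unicast to us
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01"),          # 1: unicast between two other hosts
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01", 0x0806),  # 2: ARP broadcast
    build_frame("01:00:5e:00:00:fb", "00:aa:bb:cc:dd:03"),          # 3: mDNS multicast group
    build_frame("01:00:5e:00:00:09", "00:aa:bb:cc:dd:04"),          # 4: RIPv2 multicast group
]

if __name__ == "__main__":
    own = mac(OWN)
    print("non-promiscuous:", capture(SAMPLE_FRAMES, own, promiscuous=False))
    print("non-promiscuous + mDNS joined:",
          capture(SAMPLE_FRAMES, own, False, [mac("01:00:5e:00:00:fb")]))
    print("promiscuous:", capture(SAMPLE_FRAMES, own, promiscuous=True))
```

Frame 1 is the important one: promiscuous mode accepts it here because the example assumes it is physically present on the wire. Behind a switch it would never reach the capture port in the first place unless that port is a SPAN/mirror port or a TAP is inserted, which is why promiscuous mode alone is not a monitoring strategy.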

SNMP: Agents

Software running on a managed device that answers the network management system's queries (Get/Set requests) and sends it unsolicited notifications (traps) about events on the device

NMS

Network Management System:

Software running on one or more servers to control the monitoring of network-attached devices and computers

SNMP Versions

SNMPv1 and SNMPv2c authenticate requests only with a community string that travels in cleartext, so anyone who can sniff the traffic can read and reuse it; the well-known defaults are "public" (read-only) and "private" (read-write)

SNMPv3:
Version of SNMP that provides integrity, authentication, and encryption of the messages sent over the network (the authPriv security level gives all three), replacing shared community strings with per-user credentials
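The community-string weakness is easy to see once you look at the bytes. The Python below is an added example, not part of the original deck: it encodes a minimal SNMPv1/v2c GetRequest with a hand-rolled BER encoder (short-form lengths only) and then reads the version and community string straight back out of the datagram, which is exactly what a sniffer on the path can do. The community strings and the truncated SNMPv3 header used in the checks are constructed.

```python
from typing import Dict, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # factory defaults still found in the wild


# --- Minimal BER encoder (short-form lengths only; enough for these messages) ---
def _tlv(tag: int, content: bytes) -> bytes:
    if len(content) >= 128:
        raise ValueError("long-form BER lengths are not handled in this example")
    return bytes([tag, len(content)]) + content


def _int(n: int) -> bytes:
    # Non-negative INTEGER, minimal length, leading bit kept clear.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                          # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_get_request(version: int, community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 (version 0) or SNMPv2c (version 1) GetRequest datagram."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))                      # { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


# --- Decoder side: what a passive observer on the path can read ---
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER lengths are not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def inspect_snmp(datagram: bytes) -> Dict[str, object]:
    """Pull the version and, for v1/v2c, the cleartext community string."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, raw_version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field missing")
    version = int.from_bytes(raw_version, "big")
    if version in (0, 1):
        _, raw_comm, _ = _read_tlv(body, pos)          # second field IS the shared secret
        community = raw_comm.decode(errors="replace")
        return {"version": "v1" if version == 0 else "v2c", "community": community,
                "weak_default": community in DEFAULT_COMMUNITIES}
    # SNMPv3 (version 3) carries a header and user-based security parameters here
    # instead of a shared secret; nothing equivalent to a community string is exposed.
    return {"version": "v3" if version == 3 else f"unknown({version})",
            "community": None, "weak_default": False}


if __name__ == "__main__":
    req = build_get_request(1, "public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(req.hex())
    print(inspect_snmp(req))
```

Running this shows the community string sitting unencoded a few bytes into the UDP payload. The same inspection logic, pointed at real captures, is a quick way to find devices still answering to "public" or "private" before an attacker does.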

Auditing

A technical assessment conducted on applications, systems, or networks

Auditing is a detective control: it discovers problems that have already occurred rather than preventing them. An audit typically reviews:
• Security logs
• ACLs
• User rights/permissions
• Group policies (GPOs)
• Vulnerability scans
• Written organizational policies
• Interviews with personnel

Software tools are also used to help conduct audits

Syslog

A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them

Syslog uses UDP port 514 by default
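The separation the definition describes (generator, collector, analyzer) works because the wire format is simple enough for any of them to parse. The Python below is an added example, not content from the deck: it parses BSD-style (RFC 3164) syslog lines, decodes the PRI value into facility and severity, and filters to events at or above a chosen severity. The sample lines are constructed (the first is adapted from the RFC's own example); the hostnames and addresses are not real.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility and severity code tables shared by RFC 3164 and RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str        # as written by the sender; over UDP/514 this is unauthenticated
    tag: str
    pid: Optional[int]
    msg: str


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None if the line is not well-formed RFC 3164."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                    # highest legal PRI is 23 * 8 + 7
        return None
    return SyslogEvent(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m["timestamp"],
        host=m["host"],
        tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        msg=m["msg"],
    )


def events_at_or_above(lines: List[str], min_severity: str = "warning") -> List[SyslogEvent]:
    """Keep parseable events whose severity is at least min_severity
    (lower severity code = more severe)."""
    cutoff = SEVERITIES.index(min_severity)
    events = (parse_syslog(line) for line in lines)
    return [e for e in events if e is not None and SEVERITIES.index(e.severity) <= cutoff]


# Constructed sample lines, not taken from a real system.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.7 port 4242 ssh2",
    "<999>Feb  5 17:32:19 10.0.0.99 sshd[1234]: bogus priority value",
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print([e.tag for e in events_at_or_above(SAMPLE_LINES, "warning")])
```

Because plain syslog has no authentication, the collector should record the UDP source address of each datagram alongside the HOSTNAME field rather than trusting the embedded name; a sender can write anything there.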

Log File Maintenance

Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, back up, security, and encryption of the log files

Log files should be written to a different partition or forwarded to an external log server, so that a full disk or an attacker who compromises the host cannot take the logs with it

Overwrite Events

When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room

Logs should be archived and backed up to ensure they are available when required

WORM

Write Once, Read Many:

Technology like a DVD-R that allows data to be written only once but read unlimited times
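The overwrite-events and WORM cards above describe two halves of the same problem: a bounded live log will eventually discard events, and whatever is archived must not be quietly altered afterwards. The Python below is an added example, not part of the deck, and uses a hash chain as a software approximation of the tamper evidence WORM media give physically; the technique and the sample entries are mine, not the deck's. When the live log is full, the oldest event is moved into a chained archive instead of being overwritten, and verify() reports the first record whose chain link no longer matches.

```python
import hashlib
from collections import deque
from typing import Deque, List, Optional, Tuple

GENESIS = "0" * 64   # previous-hash value for the very first record


class TamperEvidentArchive:
    """Append-only archive. Each record's hash covers the previous record's hash,
    so editing, removing or reordering an earlier record breaks every later link."""

    def __init__(self) -> None:
        self.records: List[List[str]] = []   # each record: [entry, prev_hash, hash]

    @staticmethod
    def _digest(prev_hash: str, entry: str) -> str:
        return hashlib.sha256(f"{prev_hash}\n{entry}".encode()).hexdigest()

    def append(self, entry: str) -> str:
        prev = self.records[-1][2] if self.records else GENESIS
        digest = self._digest(prev, entry)
        self.records.append([entry, prev, digest])
        return digest

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, index of first bad record)."""
        prev = GENESIS
        for i, (entry, stored_prev, stored_hash) in enumerate(self.records):
            if stored_prev != prev or self._digest(prev, entry) != stored_hash:
                return False, i
            prev = stored_hash
        return True, None


class BoundedLog:
    """Live log with a maximum size. Once full, the oldest event would normally be
    overwritten; here it is appended to the archive first so nothing is lost."""

    def __init__(self, max_events: int, archive: TamperEvidentArchive) -> None:
        self.live: Deque[str] = deque()
        self.max_events = max_events
        self.archive = archive

    def write(self, entry: str) -> None:
        if len(self.live) >= self.max_events:
            self.archive.append(self.live.popleft())   # archive, then make room
        self.live.append(entry)


if __name__ == "__main__":
    archive = TamperEvidentArchive()
    log = BoundedLog(max_events=3, archive=archive)
    for i in range(5):                      # constructed entries
        log.write(f"event {i}")
    print("live:", list(log.live))
    print("archived:", [r[0] for r in archive.records])
    print("intact:", archive.verify())
    archive.records[0][0] = "event 0 (edited after the fact)"
    print("after tampering:", archive.verify())
```

The chain only proves that the stored records have not changed since they were hashed; it says nothing about the chain head itself. In practice the latest hash is periodically copied somewhere the log host cannot write (a separate server, a ticket, or actual WORM media), which is what makes a wholesale rewrite of the archive detectable.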

SIEM

Security Information and Event Management:
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

SIEM Tools

Splunk
ArcSight
ELK/Elastic Stack
QRadar
Graylog
AlienVault/OSSIM

Syslog Drawbacks

Since syslog relies on UDP, which is connectionless and has no retransmission, messages dropped on a congested network are lost silently

Basic security controls like encryption and authentication are not part of the original protocol, so messages can be read, forged, or altered in transit

Newer Syslog Features

Due to these issues, newer syslog implementations added features and capabilities:
▪ Newer implementations can use TCP for reliable delivery (port 1468 as listed here; TCP port 514 is also widely used)
▪ Newer implementations can use TLS to encrypt messages sent to servers (RFC 5425 assigns TCP port 6514 for syslog over TLS)
▪ Newer implementations can use MD5 or SHA-1 hashes for authentication and integrity; both are now considered weak, so SHA-2 should be preferred where the implementation supports it
▪ Some newer implementations can use message filtering, automated log analysis, event response scripting, and alternate message formats

Common newer syslog server implementations are syslog-ng and rsyslog

Syslog can refer to the protocol, the server, or the log entries themselves

SOAR

Security Orchestration, Automation, & Response:
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment

Primarily used for incident response

Next-Gen SIEM

A security information and event management system with an integrated SOAR that:
• Scans security/threat data
• Analyzes it with machine learning
• Automates data enrichment
• Provisions new resources

SOAR: Playbook & Runbook

Playbook:
A checklist of actions to perform to detect and respond to a specific type of incident

Runbook:
An automated version of a playbook that leaves clearly defined interaction points for human analysis