Chapter 87 · Flashcards

Security Monitoring — Flashcards

Ten cards covering SIEM, log aggregation, continuous scanning, archiving mandates, alerting, quarantine, and alert tuning. Click any card to flip it.

What is a SIEM, and what is its defining capability beyond log storage?

Security Information and Event Management — centralizes logs from servers, firewalls, VPN concentrators, cloud services, and other sources into one database. Its defining capability is correlation: connecting events across disparate systems to detect attack patterns that are invisible in any single log. Also called SEM (Security Event Manager).

What three categories of computing resources does security monitoring cover?

1. Systems — authentication events (logins from unexpected locations), server service activity, backup status, software versions. 2. Applications — uptime, data transfer volumes, developer security notifications. 3. Infrastructure — remote access (employees, vendors, guests), firewall/IPS reports showing attack spikes or new attack types.

Why is a sudden increase in data transfer volume a security alert trigger?

A spike in data transfer — especially outbound — that significantly exceeds the established normal baseline is a primary indicator of data exfiltration. An attacker who has compromised a system and is copying out data will generate transfer volumes far above the normal operational baseline. This is one of the most reliable behavioral indicators of an ongoing breach.

What four types of data does continuous scanning collect from network devices?

1. Operating system types and versions (identify EOL or unpatched systems). 2. Installed applications and versions (detect CVE-affected software). 3. Device driver versions (frequently overlooked patching target). 4. Configuration anomalies (deviations from security baseline indicating tampering or misconfiguration).

What is an actionable report, and how does it differ from a status report?

An actionable report answers "what should we do next?" — it identifies specific systems requiring action, not just the current state. A status report answers "where are we?" Actionable reports drive decisions: devices not in compliance, systems running a newly-CVE-affected version, users with anomalous access patterns. Data that does not drive action has no security value.

What is ad hoc reporting and when is it used?

Ad hoc reporting is on-demand, customized reporting for unanticipated needs. Used for: investigating how many systems are affected by a newly disclosed CVE; analyzing a user's historical access during an incident; projecting future exposure when an OS approaches end-of-life. Requires a continuously-updated database so queries can be answered immediately against current and historical data.

What is the IBM 2022 breach discovery statistic, and why does it matter for log archiving?

IBM Security (2022): organizations take an average of ~9 months to identify and contain a breach. Implication for archiving: logs must be retained for at least this period for historical evidence to be available when the breach is discovered. A 90-day retention policy destroys evidence of any breach with a longer dwell time. Many regulations (HIPAA, PCI-DSS) also mandate specific minimum retention periods.

What are the three alert notification methods and when is each appropriate?

1. SMS/text — immediate notification for on-call personnel; works outside business hours; highest-urgency delivery. 2. Email — more detail than SMS; creates a documented record; suitable for supplementary notification. 3. SOC console — centralized dashboard for security operations teams; enables systematic triage, escalation, and tracking during active monitoring shifts.

What is quarantine in alert response, and why is it the first containment action?

Quarantine isolates a compromised or suspected system from network communication — preventing the attacker from pivoting to other systems and stopping the system from receiving further C2 instructions. It is the first containment action because stopping the spread is the immediate priority; analysis and cleanup come after containment. Quarantine preserves the system for forensic investigation while ending the active threat.

What is alert tuning, and what are its two failure modes?

Alert tuning is the ongoing calibration of alert thresholds and rules to accurately detect real threats. Two failure modes: False positive (alert fires on harmless activity) — causes alert fatigue, wastes analyst time, real threats drowned in noise. False negative (real threat does not trigger an alert) — organization is unaware of active incident. Alert tuning is never finished; it improves as the organization's understanding of its baseline deepens.