Chapter 88 · Concepts

Security Tools — Concept Tables

Six reference tables covering SCAP automation, agent vs. agentless trade-offs, SIEM functions, DLP deployment layers, SNMP polling vs. traps, and NetFlow architecture.

Table 1 — SCAP: What It Solves and How It Enables Automation
Without SCAPWith SCAP
Each security tool (NGFW, IPS, scanner) names and describes the same vulnerability differentlyAll SCAP-compliant tools use the same identifier and description for the same vulnerability
Correlation across tools requires manual translation between naming conventionsCorrelation is automatic — the same identifier appears in all tool outputs
Remediation requires human intervention to match scanner findings to patch system entriesScanner finding in standard SCAP format flows directly to patch system; patch applied automatically
Compliance checking results from different tools are inconsistent and hard to compareCompliance validation, patch confirmation, and breach detection use standardized criteria
SCAP Automation TypeWhat It Does
Ongoing monitoringContinuously checks system compliance states without requiring manual scan initiation
Notification and alertingAutomatically informs administrators when a system falls out of compliance
Remediation of non-compliant systemsAutomatically pushes patches or configuration corrections to bring systems back into compliance
Table 2 — Agent-Based vs. Agentless Monitoring Comparison
PropertyAgent-BasedAgentless
InstallationSoftware installed on each managed deviceNo permanent installation; executes in memory and removes itself
Monitoring coverageContinuous; always runningOn-demand; only during active check (login, VPN connect)
Real-time alertsYes — detects and alerts the moment a violation occursNo — no alerting between check windows
Visibility depthDeep; can monitor process-level activityShallower; limited to what can be assessed in a brief check window
Maintenance requiredYes — agent software and definitions must be kept currentMinimal — no persistent software to update on the device
Deployment complexityHigher — must be installed before first useLower — works on any device that can connect to the checker
Best forHigh-risk systems requiring continuous oversightDiverse or guest devices; broad coverage without deployment overhead
Table 3 — SIEM Core Functions
FunctionDescriptionSecurity Value
Real-time log collectionEvents ingested as they occur from all connected sourcesImmediate visibility; no delay between event and analysis
Log aggregation and storageAll log types centralized in one database over long time periodsEliminates log silos; enables retention for forensic investigation
Centralized reportingSingle reporting engine operates across all data sourcesConsistent cross-platform reports without querying each system individually
Data correlationLinks events from different systems to reveal attack patterns invisible in individual logsDetects multi-stage and multi-system attacks; reduces false positives through context
Forensic analysisHistorical log retention supports post-incident investigation and timeline reconstructionEnables investigators to understand what happened before and during a security event
Table 4 — DLP Deployment Layers
DLP LayerWhere It OperatesWhat It Protects Against
Endpoint clientInstalled on workstations and laptopsCopying sensitive data to USB drives, personal cloud storage, or unauthorized applications directly on the device
Network / perimeterInline appliance or proxy at the network edgeSensitive data leaving the organization through web uploads, FTP, or other outbound network channels
Email DLPEmail gateway or cloud email platform integrationSensitive data attached to or embedded in outbound emails, even from authorized email accounts
Cloud-based DLPCloud access security broker (CASB) or cloud platform integrationSensitive data transferred to or shared from cloud storage, collaboration tools, or SaaS applications
A single DLP deployment rarely provides complete protection. Comprehensive coverage requires coordinated layers across endpoints, network, email, and cloud.
Table 5 — SNMP Polling vs. SNMP Traps
PropertySNMP PollingSNMP Trap
Who initiatesManagement station sends request to deviceDevice sends notification to management station (unsolicited)
UDP port161162
TriggerFixed time interval (every 5 or 10 minutes)Threshold condition on the monitored device (e.g., CRC errors increase by 5)
LatencyUp to one full polling interval; event between polls is missed until next pollImmediate; notification sent the moment the threshold is crossed
Primary useHistorical performance graphing; trend analysis; capacity planningReal-time alerting on critical conditions; immediate automated response
Data stored inMIB (Management Information Base), accessed via OIDsTrap PDU sent to management station; management station logs and acts
Table 6 — NetFlow Architecture and What It Reveals
ComponentRole
NetFlow probeObserves network traffic (built into router/switch software, or external hardware connected via SPAN port or physical tap); compiles flow summaries
NetFlow collectorReceives flow summary records from probes; aggregates and stores them for analysis
Reporting applicationQueries the collector; produces dashboards and reports on traffic patterns
SPAN portSwitch feature that mirrors traffic to the probe's monitoring port; passive observation without being inline
Physical tapHardware device inserted into a cable to provide the probe with a copy of all traffic; fully passive
NetFlow Report TypeSecurity Value
Top 10 conversations (who talks to whom, how much)Identifies dominant data flows; reveals unexpected large-volume communication
Top 10 endpoints by traffic volumeSurfaces high-traffic nodes that may indicate exfiltration sources or DDoS participants
New external destinationsFlags traffic to IP addresses not seen in the historical baseline — potential exfiltration
Protocol distributionIdentifies unexpected protocols (e.g., IRC or Tor traffic) indicating malware C2 activity