Table 1 — SCAP: What It Solves and How It Enables Automation
| Without SCAP | With SCAP |
|---|---|
| Each security tool (NGFW, IPS, scanner) names and describes the same vulnerability differently | All SCAP-compliant tools use the same identifier and description for the same vulnerability |
| Correlation across tools requires manual translation between naming conventions | Correlation is automatic — the same identifier appears in all tool outputs |
| Remediation requires human intervention to match scanner findings to patch system entries | Scanner finding in standard SCAP format flows directly to patch system; patch applied automatically |
| Compliance checking results from different tools are inconsistent and hard to compare | Compliance validation, patch confirmation, and breach detection use standardized criteria |
| SCAP Automation Type | What It Does |
|---|---|
| Ongoing monitoring | Continuously checks system compliance states without requiring manual scan initiation |
| Notification and alerting | Automatically informs administrators when a system falls out of compliance |
| Remediation of non-compliant systems | Automatically pushes patches or configuration corrections to bring systems back into compliance |
Table 2 — Agent-Based vs. Agentless Monitoring Comparison
| Property | Agent-Based | Agentless |
|---|---|---|
| Installation | Software installed on each managed device | No permanent installation; executes in memory and removes itself |
| Monitoring coverage | Continuous; always running | On-demand; only during active check (login, VPN connect) |
| Real-time alerts | Yes — detects and alerts the moment a violation occurs | No — no alerting between check windows |
| Visibility depth | Deep; can monitor process-level activity | Shallower; limited to what can be assessed in a brief check window |
| Maintenance required | Yes — agent software and definitions must be kept current | Minimal — no persistent software to update on the device |
| Deployment complexity | Higher — must be installed before first use | Lower — works on any device that can connect to the checker |
| Best for | High-risk systems requiring continuous oversight | Diverse or guest devices; broad coverage without deployment overhead |
Table 3 — SIEM Core Functions
| Function | Description | Security Value |
|---|---|---|
| Real-time log collection | Events ingested as they occur from all connected sources | Immediate visibility; no delay between event and analysis |
| Log aggregation and storage | All log types centralized in one database over long time periods | Eliminates log silos; enables retention for forensic investigation |
| Centralized reporting | Single reporting engine operates across all data sources | Consistent cross-platform reports without querying each system individually |
| Data correlation | Links events from different systems to reveal attack patterns invisible in individual logs | Detects multi-stage and multi-system attacks; reduces false positives through context |
| Forensic analysis | Historical log retention supports post-incident investigation and timeline reconstruction | Enables investigators to understand what happened before and during a security event |
Table 4 — DLP Deployment Layers
| DLP Layer | Where It Operates | What It Protects Against |
|---|---|---|
| Endpoint client | Installed on workstations and laptops | Copying sensitive data to USB drives, personal cloud storage, or unauthorized applications directly on the device |
| Network / perimeter | Inline appliance or proxy at the network edge | Sensitive data leaving the organization through web uploads, FTP, or other outbound network channels |
| Email DLP | Email gateway or cloud email platform integration | Sensitive data attached to or embedded in outbound emails, even from authorized email accounts |
| Cloud-based DLP | Cloud access security broker (CASB) or cloud platform integration | Sensitive data transferred to or shared from cloud storage, collaboration tools, or SaaS applications |
| A single DLP deployment rarely provides complete protection. Comprehensive coverage requires coordinated layers across endpoints, network, email, and cloud. | ||
Table 5 — SNMP Polling vs. SNMP Traps
| Property | SNMP Polling | SNMP Trap |
|---|---|---|
| Who initiates | Management station sends request to device | Device sends notification to management station (unsolicited) |
| UDP port | 161 | 162 |
| Trigger | Fixed time interval (every 5 or 10 minutes) | Threshold condition on the monitored device (e.g., CRC errors increase by 5) |
| Latency | Up to one full polling interval; event between polls is missed until next poll | Immediate; notification sent the moment the threshold is crossed |
| Primary use | Historical performance graphing; trend analysis; capacity planning | Real-time alerting on critical conditions; immediate automated response |
| Data stored in | MIB (Management Information Base), accessed via OIDs | Trap PDU sent to management station; management station logs and acts |
Table 6 — NetFlow Architecture and What It Reveals
| Component | Role |
|---|---|
| NetFlow probe | Observes network traffic (built into router/switch software, or external hardware connected via SPAN port or physical tap); compiles flow summaries |
| NetFlow collector | Receives flow summary records from probes; aggregates and stores them for analysis |
| Reporting application | Queries the collector; produces dashboards and reports on traffic patterns |
| SPAN port | Switch feature that mirrors traffic to the probe's monitoring port; passive observation without being inline |
| Physical tap | Hardware device inserted into a cable to provide the probe with a copy of all traffic; fully passive |
| NetFlow Report Type | Security Value |
|---|---|
| Top 10 conversations (who talks to whom, how much) | Identifies dominant data flows; reveals unexpected large-volume communication |
| Top 10 endpoints by traffic volume | Surfaces high-traffic nodes that may indicate exfiltration sources or DDoS participants |
| New external destinations | Flags traffic to IP addresses not seen in the historical baseline — potential exfiltration |
| Protocol distribution | Identifies unexpected protocols (e.g., IRC or Tor traffic) indicating malware C2 activity |