SCAP (Security Content Automation Protocol)
A standardized framework maintained by NIST (scap.nist.gov) that gives diverse security tools — NGFWs, IPS, vulnerability scanners, endpoint platforms — a common language for identifying, describing, and reporting vulnerabilities and configuration states. Without SCAP, the same vulnerability might be named differently by each tool, making correlation and automation impossible. SCAP enables automation across tools: a vulnerability scanner can identify a non-compliant system, pass the finding to a patch management system in a standard format, and the patch can be applied automatically. Key automation types: ongoing monitoring, notification/alerting, and remediation of non-compliant systems.
Security Benchmarks
Curated sets of security configuration settings representing the minimum acceptable security posture for a specific technology. Benchmarks exist for operating systems, cloud platforms, mobile devices, network devices, databases, and more. A benchmark defines what "secure" looks like for a given platform; compliance checking tools then measure each device against it and report deviations. The most widely referenced source is the Center for Internet Security (CIS) at cisecurity.org, which publishes free, community-validated benchmarks for a comprehensive range of platforms.
CIS (Center for Internet Security) Benchmarks
A library of free, community-validated security configuration standards published by the Center for Internet Security at cisecurity.org. CIS benchmarks define specific, actionable security settings for a wide range of platforms including Windows, Linux, macOS, iOS, Android, AWS, Azure, network devices, and more. A CIS benchmark for a mobile device might specify: disable screenshots, disable screen recordings, prevent voice calls when locked, force encrypted backups, disable additional VPN profiles. Applying a CIS benchmark converts a default-configured system into one that meets a recognized security standard.
Agent-Based Monitoring
A compliance and security monitoring approach that installs persistent software (an agent) directly on each managed device. The agent runs continuously, monitors the system in real time, and can send immediate alerts when configuration drift or policy violations are detected. Advantages: continuous coverage, real-time alerting, deep visibility into system activity. Disadvantages: requires installation on every device, and the agent software and its compliance definitions require ongoing maintenance and updates.
Agentless Monitoring
A compliance and security monitoring approach that performs checks without installing any permanent software on the target device. The check runs on demand — typically when a device connects to the network or authenticates through a VPN concentrator — executes in memory, performs its assessment, and then removes itself. Advantages: no installation required, no ongoing maintenance burden, easy to deploy across diverse device types. Disadvantages: no continuous monitoring, no real-time alerts unless a check is actively running. Not appropriate as the sole monitoring approach for high-risk systems requiring continuous oversight.
DLP (Data Loss Prevention)
A security technology that monitors and controls data in motion, at rest, and in use to prevent sensitive information from leaving the organization without authorization. DLP inspects content for patterns matching sensitive data categories (Social Security numbers, credit card numbers, medical records, confidential documents) and blocks or alerts on unauthorized transfers. Because sensitive data flows through many channels, comprehensive DLP requires multiple layers: endpoint clients, cloud-based monitoring, email inspection, and collaboration tool integration. DLP stops data exfiltration by attackers and accidental leakage by authorized users.
SNMP (Simple Network Management Protocol)
The foundational protocol for collecting operational metrics from network-connected devices. SNMP uses a Management Information Base (MIB) on each device — a structured database of metrics identified by Object Identifiers (OIDs). A network management station polls devices over UDP port 161, requesting current values for specific OIDs (interface traffic, CPU utilization, error counts). Polling at regular intervals builds a time-series record for historical graphing and trend analysis. Primarily focused on device-level metrics rather than traffic-flow details.
MIB (Management Information Base) and OID (Object Identifier)
Components of the SNMP framework. The MIB is the structured database of metrics maintained on each SNMP-managed device — it defines what data can be queried from that device. Each metric in the MIB is identified by an OID (Object Identifier), a numerical sequence (e.g., 1.3.6.1.2.1.1.1) that uniquely names that specific data point across all SNMP implementations. When a management station polls a device, it specifies the OID it wants; the device returns the current value for that OID from its MIB.
SNMP Trap
A proactive, unsolicited notification sent by an SNMP-monitored device to the management station when a configured threshold is exceeded — reversing the normal poll/response flow. SNMP traps use UDP port 162. Example: a server configured to send a trap if CRC errors increase by five will send the notification the moment that threshold is crossed, rather than waiting for the management station's next polling cycle. Traps enable real-time alerting and immediate automated response without the latency inherent in periodic polling. The management station receives the trap and can then fire alerts, send notifications, and trigger automated remediation.
NetFlow
A network traffic monitoring technology that collects flow-level statistics about communications across the network — who talks to whom, over what protocols, in what volumes, for how long. Uses a probe-and-collector architecture: a probe (built into a router/switch or external hardware connected via SPAN port or physical tap) observes traffic and compiles flow summaries; a collector receives and aggregates those summaries for reporting. NetFlow captures metadata, not full packet contents, making it storage-efficient. Used to identify top talkers, bandwidth consumers, anomalous traffic patterns, and potential exfiltration or DDoS activity.
SPAN Port (Switched Port Analyzer)
A switch feature that mirrors traffic from one or more source ports to a designated monitoring port, allowing a connected probe or sensor to observe network traffic without being inline. A NetFlow probe or network tap connected to a SPAN port receives a copy of all traffic flowing through the monitored ports. SPAN enables passive, non-disruptive network monitoring — the probe can observe traffic without being in the traffic path and without affecting normal network operations.
Vulnerability Scanner
A tool that probes systems to identify potential security weaknesses without actively exploiting them (distinguishing it from a penetration test). Performs: port scanning (identify open services), system identification (OS type and version), software version detection matched against CVE databases, and security configuration analysis. Findings rated Critical, High, Medium, Low, and Informational. Should be run both internally (simulating insider threat / attacker with network access) and externally (simulating perimeter attack). Not all findings are accurate — false positives require verification before remediation resources are spent.