Key Concepts 7.2 Conduct logging and monitoring activities Flashcards
Domain 7 (30 cards)
are a method used in event monitoring where only events surpassing a set threshold (the clipping level) are collected or trigger an alert or action.
clipping levels
focuses on catching specific, significant events, rather
than on getting a representative sample of all data
nonstatistical sampling
tools monitor network traffic and system activities for signs of malicious activity and can
take automated actions to prevent or mitigate attacks.
Intrusion detection and prevention system (IDPS)
monitors traffic for any anomalies or changes when compared to
a baseline of what is considered normal. Creation of this baseline will generally take a
period of days or weeks of data collection and analysis by the system. Also called behavior-based or heuristics-based. Can be effective in identifying zero-day threats.
Anomaly-based IDPS
uses pattern-based detection, leveraging a collection/database
of signatures for known attacks. Also called knowledge-based
or pattern-based. Can only detect known threats for which a signature has been generated.
Signature-based
attack exploits a previously unknown software vulnerability before a patch is available.
Zero Day Exploit
tools collect, aggregate,
and analyze log data from various sources to provide a centralized view of an organization’s
security posture.
Security information and event management (SIEM)
- Log centralization and aggregation. SIEM platforms can gather logs from operating systems, applications, network appliances, user workstations, etc., providing a single location to support investigations. This is often referred to as forwarding logs when looked at from the perspective of individual hosts sending log files to the SIEM.
- Data normalization. SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented in a consistent format, allowing diverse data sources to be searched in a single query.
- Data integrity. The SIEM will generally be on a separate host or cloud platform with access permissions unique from the rest of the environment, preventing data tampering or unauthorized changes.
- Automated or continuous monitoring. Sometimes referred to as correlation, SIEMs use algorithms to evaluate data and identify potential attacks or compromises.
- Alerting. SIEMs can automatically generate alerts such as emails or tickets when action is required based on analysis of incoming log data.
- Manual investigation. When manual investigation is required, a SIEM will generally provide support capabilities such as querying log files and generating reports.
Common features of SIEM solutions
- Collect log data from sources
- Aggregate and normalize data
- Discover and detect threats
- Investigate alerts, raise incidents
SIEM and SOAR Process Flow
- Log collection. Configuring the SIEM solution to collect and normalize log data from relevant sources, such as identity platforms, servers, network devices, and security tools.
- Rule configuration. Defining correlation rules and alerts to detect potential security incidents and anomalies. Many SIEM solutions come with preconfigured rules, but also the capability to configure custom rules for alerting and detection.
- Tuning and optimization. Conducting regular SIEM tuning and optimization to ensure effective detection and response, minimizing false positive detections.
- Integration. Integrating SIEM with other security tools and processes, such as threat intelligence feeds/platforms, IDPS, and incident response automation (e.g., SOAR).
Key activities in SIEM setup and configuration
is a set of technologies and
processes designed to streamline and enhance an organization’s security operations. It focuses on incident response automation, automating the process of detecting, triaging, and
responding to security incidents.
Security Orchestration, Automation, and Response (SOAR)
are documents or checklists that define the process for verifying and responding
to a specific type of security incident. They serve as a guide for security analysts
and provide a standardized approach to incident handling.
Playbooks
are the implementation of a playbook’s data and processes into an automated
tool within the SOAR platform. They translate the manual steps outlined in a playbook into a
series of automated actions and workflows.
Runbooks
involve the ongoing assessment and adjustment of security controls
and processes to ensure their effectiveness and alignment with changing risks and requirements.
Important aspects include:
* Measurement. Establishing metrics and key performance indicators (KPIs) to measure
the effectiveness, such as number of false positives and true positives.
* Maintenance. Regularly reviewing and analyzing monitoring data to identify trends,
anomalies, and improvement opportunities.
* Assessment. Conducting periodic assessments and audits to validate the effectiveness of
security controls and processes
* Improvement. Implementing a continuous improvement process to address identified
gaps and enhance security posture.
Monitoring and tuning
involves the monitoring and control of outbound network traffic to detect and prevent unauthorized data exfiltration and other malicious activities, such as command and control.
Key considerations in monitoring include:
* Implementing egress filtering and monitoring controls, such as firewalls, data loss
prevention (DLP), and web proxies.
* Defining policies and rules to detect and block unauthorized data transfers (data
exfiltration) and communications (with known malicious IPs, etc.).
* Regularly reviewing and analyzing egress monitoring logs and alerts to identify potential
incidents and anomalies.
* Integrating threat intelligence into firewalls (where supported, such as with an NGFW)
will be useful in identifying traffic to potentially malicious external hosts.
* Integrating egress monitoring with other security tools and processes, such as SIEM and
SOAR.
Egress monitoring
involves the collection, storage, and analysis of log data from various
sources to support security monitoring, incident response, and compliance. Important aspects
include:
* Aggregation and collection. Establishing a centralized log management infrastructure
to collect and store log data from relevant sources, such as in a SIEM (covered in “7.2.2
Security information and event management (SIEM)”).
* Retention. Implementing log retention and archival policies to ensure the availability and
integrity of log data, which will be of elevated importance for organizations in regulated
industries.
* Integrity. Secure storage of logs is always important. In retention scenarios, storing logs
in an immutable (unchangeable) format is often desirable.
* Confidentiality. Ensuring the security and confidentiality of log data through access
controls, encryption, and other measures.
Log management
involves the collection, analysis, and sharing of information about current and emerging threats to support proactive defense and incident response.
Threat intelligence
It is a continuous stream of data about potential cyber threats. This data is collected from
various sources and formatted to provide security professionals with actionable intelligence.
Think of it like a real-time news feed, but instead of news articles, it delivers updates on the
latest cyber threats.
threat intelligence feed (threat feed)
It varies by provider, but can include indicators of compromise (IoCs), threat actor information,
and emerging threats.
threat feed
A Cybersecurity and Infrastructure Security Agency
(CISA) capability that enables the real-time exchange of machine-readable cyber threat
indicators and defensive measures. It’s provided free to help protect participants of the community and ultimately reduce the prevalence of cyberattacks.
Automated Indicator Sharing (AIS).
defines how real-time cyber threat
information can be shared via services and message exchanges. It defines “how” STIX-formatted messages are
securely transferred between systems.
Trusted Automated eXchange of Intelligence Information (TAXII)
Defines a common language for
expressing cyber threat information. It defines “what” is shared.
Structured Threat Information eXpression (STIX)
is a proactive cybersecurity practice where security professionals actively
search for hidden threats or malicious activities within an organization’s network or systems.
It involves using knowledge and tools to analyze data for suspicious patterns, operating
continuously rather than reactively. It is an evidence-based approach that aims to uncover threats
that evade standard security measures, thereby enhancing overall defensive capabilities and
response times.
Threat hunting
is a model used in cybersecurity to describe the stages of a cyberattack. Its purpose is to help security professionals understand and defend against complex cyber
threats by breaking down the attack process into distinct phases.
Cyber Kill Chain