Alerting and Monitoring

Monitoring Computing Resources
This process involves continuously overseeing various components of the IT infrastructure, including systems, applications, and the broader infrastructure.
We will be covering:
System Monitoring
Applications Monitoring
Infrastructure Monitoring

System Monitoring
Systems monitoring focuses on the health and performance of individual computing systems, such as servers, workstations, and other endpoint devices.
Key Aspects: This includes monitoring for:
o Unusual or unauthorized changes in system configurations
o Resource utilization (like CPU, memory, and disk usage)
o System uptime
o Performance metrics
Security Implications: By monitoring these elements, organizations can detect potential security incidents, such as a system compromise or unauthorized access, and respond quickly.

Applications Monitoring
Application monitoring is concerned with the performance and security of software applications. It involves tracking:
Application performance
User activity
Error logs
Transaction times
This also includes monitoring for unusual activity that might indicate a security breach, such as unexpected data access patterns, changes in user behavior, or anomalies in transaction volumes.
Benefits: Effective application monitoring helps in quickly identifying and addressing performance bottlenecks, software bugs, and potential security vulnerabilities within applications.

Infrastructure Monitoring
Infrastructure monitoring refers to overseeing the entire IT infrastructure of an organization, which includes network and IT components, data centers, cloud services, and any other critical infrastructure elements.
Scope:
o Network traffic analysis
o Monitoring the health and status of routers, switches, firewalls, and other networking devices
o Performance and security of data storage systems
Objectives: The primary goal is to ensure the infrastructure's integrity, availability, and performance. This includes identifying potential security threats like network breaches, unusual traffic patterns, or attempts to access restricted areas of the network.

Monitoring Activities
We will be covering the following critical monitoring activities:
Log aggregation
Alerting
Scanning
Reporting
Archiving
Alert Response
Quarantine
Remediation/Validation
Alert Tuning

Log Aggregation
Log aggregation involves collecting and consolidating logs from various sources within the IT environment, such as servers, applications, network devices, and security systems.
Purpose: Aggregating logs in a central location:
o Simplifies analysis
o Aids in detecting patterns or anomalies
o Is essential for comprehensive security monitoring

Alerting
Alerting refers to the process of configuring systems to notify administrators or security teams of potential security incidents.
Key Features: Effective alerting systems should minimize false positives and provide actionable insights. They typically include thresholds and rules to trigger alerts for specific conditions.

Scanning
Scanning encompasses various types of security scans, such as vulnerability scans, network scans, and application scans.
Objective: The primary goal is to identify vulnerabilities, misconfigurations, or other security weaknesses that need to be addressed.

Reporting
Reporting involves the generation of detailed reports about the security status of the IT environment.
Components: These reports can include details of identified vulnerabilities, incidents, and the outcome of security scans, providing insights for decision-makers and compliance purposes.

Archiving
Archiving is the process of securely storing historical security data, such as logs and incident reports, for future reference.
Importance: It's crucial for compliance with legal and regulatory requirements, as well as for historical analysis and investigating long-term trends.

Alert Response and Remediation/Validation
Quarantine: Involves isolating affected systems or components to prevent the spread of a threat or further damage. Quarantining is often an immediate response to a security alert.
Alert Tuning: Refers to refining alerting mechanisms to reduce false positives and ensure that alerts are relevant and actionable. This might involve adjusting thresholds, revising rules, or implementing more sophisticated detection algorithms.

Security Alerting and Monitoring Tools
A variety of tools are utilized to ensure the integrity and security of information systems. We will be covering:
Security Content Automation Protocol (SCAP)
Security Information and Event Management (SIEM)
Simple Network Management Protocol (SNMP) traps
Antivirus
Benchmarks
Data loss prevention (DLP)
Agent/Agentless

Security Content Automation Protocol
SCAP is a suite of standards for automating the process of configuring and monitoring network devices for compliance with security policies.
Use: It's used for vulnerability management, measurement, and policy compliance evaluation. SCAP can automatically verify the installation of patches, check system security configurations, and examine software flaws.

Benchmark
Benchmarks in security refer to standardized sets of best practices and configurations that are known to ensure a higher level of security.
Use: Organizations use these benchmarks to configure systems and applications to an industry-accepted standard to mitigate the risk of vulnerabilities and attacks.

Agents/Agentless
Agents: Software agents are installed on servers or devices to monitor, collect, and send data back to a central server for analysis.
Agentless: In contrast, agentless systems monitor devices without installing dedicated software on them, often using existing protocols and services.
Comparison: Agent-based solutions can provide more detailed data but can be more resource-intensive. Agentless solutions are easier to deploy but might offer less comprehensive data.

Security Information and Event Management
SIEM is a solution that provides real-time analysis of security alerts generated by applications and network hardware. It is used for:
Log Management
Event Correlation
Alerting
Reporting
SIEM is crucial for detecting, understanding, and responding to security incidents.
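The log aggregation, threshold-based alerting, event correlation and alert tuning described in these notes fit together in one pipeline, which the following added example (written for this page, not code from the original notes or from any SIEM product) demonstrates in Python. Every log line is constructed; the sshd, web and firewall line formats, the IP addresses and the idea that 198.51.100.2 is an authorised vulnerability scanner are assumptions made for the example. Three sources are normalised into one event stream, a threshold rule fires on repeated failed logins from one IP across all sources, a correlation step escalates the alert when a success follows, and two tuning strategies are compared: allowlisting the known-benign scanner removes its false positive while keeping the true positive, whereas simply raising the threshold hides the real attack and keeps the false positive.

```python
"""Log aggregation, threshold alerting, correlation and alert tuning in one small pipeline.
Added example (not from the original notes); all log lines below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs from three sources. 203.0.113.7 fails three times then succeeds;
# 198.51.100.2 is an (assumed) authorised vulnerability scanner that trips login rules.
SSH_LOG = [
    "2024-05-01T10:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 50211 ssh2",
    "2024-05-01T10:00:03 sshd[811]: Failed password for admin from 203.0.113.7 port 50212 ssh2",
    "2024-05-01T10:00:05 sshd[811]: Failed password for root from 203.0.113.7 port 50213 ssh2",
    "2024-05-01T10:00:09 sshd[811]: Accepted password for admin from 203.0.113.7 port 50214 ssh2",
    "2024-05-01T10:05:00 sshd[811]: Failed password for bob from 198.51.100.2 port 40001 ssh2",
]
WEB_LOG = [
    '2024-05-01T10:01:10 198.51.100.2 "POST /login" 401',
    '2024-05-01T10:01:11 198.51.100.2 "POST /login" 401',
    '2024-05-01T10:01:12 198.51.100.2 "POST /login" 401',
    '2024-05-01T10:01:13 198.51.100.2 "POST /login" 401',
]
FW_LOG = ["2024-05-01T10:02:00 fw DENY src=192.0.2.9 dst=10.0.0.5 dport=3389"]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    src_ip: str
    action: str  # "auth_fail", "auth_ok", "deny" or "allow"
    detail: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    severity: str
    rule: str
    src_ip: str
    summary: str


_SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
_WEB_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3})$')
_FW_RE = re.compile(r"^(\S+) fw (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_ssh(line):
    m = _SSH_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    action = "auth_fail" if outcome == "Failed" else "auth_ok"
    return Event(datetime.fromisoformat(ts), "sshd", ip, action, f"user={user}")


def parse_web(line):
    m = _WEB_RE.match(line)
    if not m or m.group(4) != "/login":
        return None  # only login attempts feed the authentication rules
    ts, ip, method, path, status = m.groups()
    action = "auth_fail" if status == "401" else "auth_ok"
    return Event(datetime.fromisoformat(ts), "webapp", ip, action, f"{method} {path} {status}")


def parse_fw(line):
    m = _FW_RE.match(line)
    if not m:
        return None
    ts, verdict, src, dst, dport = m.groups()
    return Event(datetime.fromisoformat(ts), "firewall", src, verdict.lower(), f"dst={dst}:{dport}")


def aggregate(sources):
    """Normalise every source into one time-ordered event stream (the 'central location')."""
    events = [ev for parser, lines in sources for ev in map(parser, lines) if ev is not None]
    return sorted(events, key=lambda e: e.ts)


def detect(events, threshold=3, window=timedelta(minutes=5), suppress_ips=frozenset()):
    """Threshold rule: >= threshold failed logins from one IP inside `window` (any source).
    Correlation: a successful login from that IP within `window` of the trigger escalates it.
    Tuning knobs: raise `threshold` or list known-benign sources in `suppress_ips`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.action in ("auth_fail", "auth_ok") and ev.src_ip not in suppress_ips:
            by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.action == "auth_fail"]
        start, fired_at = 0, None
        for i, e in enumerate(fails):  # sliding window over failure timestamps
            while e.ts - fails[start].ts > window:
                start += 1
            if i - start + 1 >= threshold:
                fired_at = e.ts
                break
        if fired_at is None:
            continue
        srcs = ",".join(sorted({e.source for e in fails}))
        success = next((e for e in evs if e.action == "auth_ok"
                        and fired_at <= e.ts <= fired_at + window), None)
        if success is not None:
            alerts.append(Alert(success.ts, "high", "brute_force_success", ip,
                                f"{len(fails)} failed logins ({srcs}) then success on {success.source}"))
        else:
            alerts.append(Alert(fired_at, "medium", "brute_force", ip, f"{len(fails)} failed logins ({srcs})"))
    return sorted(alerts, key=lambda a: a.ts)


def run():
    """Default rules, then two tuning strategies, so their effect can be compared."""
    events = aggregate([(parse_ssh, SSH_LOG), (parse_web, WEB_LOG), (parse_fw, FW_LOG)])
    return {
        "default": detect(events),
        "allowlist": detect(events, suppress_ips=frozenset({"198.51.100.2"})),
        "raised_threshold": detect(events, threshold=5),
    }


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, [(a.severity, a.rule, a.src_ip) for a in alerts])
```

The default run produces a high-severity alert for 203.0.113.7 (failures followed by a success, the pattern the notes call a potential compromise) and a medium one for the scanner. Note that the scanner's failures are only counted because aggregation put web and SSH events side by side: neither source alone shows five failures. The comparison of the two tuning runs is the practical point: tuning means making the rule more specific (here, excluding a documented benign source), not blunting it until it stops firing.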
Antivirus
Antivirus software is designed to detect,
prevent, and remove malware, including
viruses, worms, and trojans. It’s a
fundamental tool in any security setup,
providing a basic level of protection against
common threats.
Data Loss Prevention
DLP solutions identify, monitor, and protect
data in use, in motion, and at rest through
deep content inspection and contextual
security analysis. They help prevent sensitive
data from being lost, misused, or accessed
by unauthorized users.
Simple Network Management Protocol Traps
SNMP traps are alerts sent by network
devices to a management station, indicating
that an event or a change in status has
occurred. They are used for managing and
monitoring network devices, helping
administrators stay informed about the
health and status of their networks.
NetFlow
NetFlow is a network protocol developed by
Cisco for collecting IP traffic information and
monitoring network flow data. It’s valuable
for network traffic analysis, helping in
understanding traffic patterns, usage trends,
and detecting anomalies.
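To show what "understanding traffic patterns and detecting anomalies" from flow data looks like in practice, here is an added example written for this page (not code from the original notes, and not Cisco's or any collector's software). It assumes a flow export has already been reduced to a CSV with the columns src, dst, dport, proto, packets and bytes, which is an assumed layout loosely modelled on the NetFlow v5 fields rather than a real export format; the flow records and the per-host daily baselines are constructed. Two detections run over the aggregated flows: a volume check that compares each host's outbound bytes with its own historical mean and standard deviation, and a fan-out check that flags a host touching many distinct destinations with single-packet flows, the shape that usually corresponds to a scan rather than normal use.

```python
"""Flow-record aggregation and anomaly detection over constructed NetFlow-style data.
Added example (not from the original notes or any NetFlow collector)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed flow export. Assumed CSV layout, loosely modelled on NetFlow v5 fields.
# 10.0.0.5: ordinary HTTPS browsing; 10.0.0.8: one very large upload; 10.0.0.9: forty
# single-packet flows to consecutive hosts on port 445 (scan-like fan-out).
FLOW_CSV = "src,dst,dport,proto,packets,bytes\n" + "\n".join(
    [
        "10.0.0.5,198.51.100.10,443,tcp,420,610000",
        "10.0.0.5,198.51.100.11,443,tcp,380,540000",
        "10.0.0.5,10.0.0.53,53,udp,12,1400",
        "10.0.0.8,10.0.0.53,53,udp,9,1100",
        "10.0.0.8,203.0.113.50,443,tcp,31000,45000000",
    ]
    + [f"10.0.0.9,10.0.1.{n},445,tcp,1,60" for n in range(1, 41)]
)

# Constructed baseline: outbound bytes per host on each of the previous five days.
BASELINE_DAILY_BYTES = {
    "10.0.0.5": [1_200_000, 1_350_000, 1_100_000, 1_400_000, 1_250_000],
    "10.0.0.8": [800_000, 820_000, 790_000, 810_000, 805_000],
    "10.0.0.9": [50_000, 50_000, 50_000, 50_000, 50_000],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Read the CSV export into Flow records."""
    return [
        Flow(r["src"], r["dst"], int(r["dport"]), r["proto"], int(r["packets"]), int(r["bytes"]))
        for r in csv.DictReader(io.StringIO(text))
    ]


def bytes_by_source(flows):
    """Aggregate outbound bytes per source host (a 'top talkers' summary)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes
    return dict(totals)


def volume_anomalies(flows, baseline, z=3.0):
    """Hosts whose outbound bytes exceed mean + z*stdev of their own baseline.
    Returns (host, observed_bytes, threshold_bytes) tuples."""
    found = []
    for src, total in bytes_by_source(flows).items():
        history = baseline.get(src)
        if not history:
            continue  # no baseline yet: a new host needs a different rule
        mu, sigma = mean(history), pstdev(history)
        sigma = max(sigma, 0.1 * mu)  # floor so a perfectly flat baseline does not alert on noise
        threshold = mu + z * sigma
        if total > threshold:
            found.append((src, total, round(threshold)))
    return found


def fan_out_anomalies(flows, min_targets=20, max_packets=2):
    """Hosts with many distinct (dst, port) targets reached by tiny flows: scan-like pattern."""
    small_flow_targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            small_flow_targets[f.src].add((f.dst, f.dport))
    return [(src, len(t)) for src, t in small_flow_targets.items() if len(t) >= min_targets]


def analyze(text=FLOW_CSV, baseline=BASELINE_DAILY_BYTES):
    flows = parse_flows(text)
    return {"volume": volume_anomalies(flows, baseline), "fan_out": fan_out_anomalies(flows)}


if __name__ == "__main__":
    print(analyze())
```

The volume check is deliberately per host: a 45 MB upload is unremarkable for a backup server and very unusual for a workstation, so a single global threshold would either miss the former's problems or drown analysts in alerts for the latter. The fan-out check works without any baseline, because forty one-packet flows to consecutive addresses on one port is a shape no normal application produces. Both findings are exactly the "unusual traffic patterns" the infrastructure-monitoring section says alerting should surface.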
Vulnerability Scanners
These are tools designed to assess
computers, networks, or applications for
known vulnerabilities. They are essential in a
security toolkit for identifying weaknesses
that could be exploited by attackers and for
verifying the efficacy of security measures.