Conduct Logging and Monitoring Activities
This topic covers the methods and procedures used to conduct logging and monitoring activities. Event logging is an essential part of an organization's IT operations.
Intrusion Detection and Prevention
These technologies are used to detect and prevent intrusions. The important point is that both should be used, because neither works well on its own; for that reason some solutions combine them into a single software package or appliance.
Note: IDS and IPS were discussed earlier, in the Communication & Network Security domain.
Intrusion Detection System (IDS)
An IDS is a detective technology or device designed to identify malicious actions on a network. Intrusion detection looks for known attacks and/or anomalous behavior on a network or host. Three types of IDS are in use today:
- Network-based intrusion detection (NIDS): Consists of a separate device attached to a LAN that listens to all network traffic to detect anomalous activity.
- Host-based intrusion detection (HIDS): HIDS is a subset of NIDS. The difference is that a HIDS monitors only the network traffic destined for a particular host.
- Wireless intrusion detection (WIDS): This is another type of network intrusion detection that focuses on wireless intrusion by scanning for rogue access points.
Both NIDS and HIDS use one or more of the following detection methods:
- Signature-based: A signature-based IDS compares the network traffic it observes with a list of patterns in a signature file. If an intruder changes the patterns used in the attack, the attack may slip past the IDS undetected. The other downside of a signature-based IDS is that the signature file must be updated frequently.
- Reputation-based: Reputation-based alerting detects when communications and other activities involve known-malicious domains and networks.
- Anomaly-based: An anomaly-based IDS monitors all the traffic over the network and builds traffic profiles. Over time, the IDS reports deviations from the profiles it has built. One disadvantage of this method is that it may produce a large volume of false positives.
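The following is an added example, not code from the original notes, showing the signature-based and anomaly-based methods side by side over constructed web-server log lines. The "signature file", the hosts, the paths and the baseline/observation split are all assumptions made for the example. It also shows the two weaknesses named above: the signature method only matches the exact patterns it knows, and the anomaly method flags a benign but unusually busy host (a false positive) alongside the real scanner.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed web-server request log lines (not real traffic): "<client_ip> <method> <path>"
# Baseline window: ordinary browsing, used to build the anomaly-based traffic profile.
BASELINE = (
    [f"10.0.0.5 GET /page{i}" for i in range(10)]
    + [f"10.0.0.7 GET /page{i}" for i in range(12)]
    + [f"10.0.0.9 GET /page{i}" for i in range(8)]
)

# Observation window: the same kind of browsing plus two lines matching known signatures,
# one noisy scanner, and one benign report job that also produces unusual volume.
OBSERVED = (
    [f"10.0.0.5 GET /page{i}" for i in range(11)]
    + [f"10.0.0.7 GET /page{i}" for i in range(9)]
    + [
        "203.0.113.4 GET /products?id=1%20OR%201=1",  # matches the SQL-injection signature
        "198.51.100.8 GET /../../etc/passwd",         # matches the directory-traversal signature
    ]
    + [f"198.51.100.8 GET /admin{i}" for i in range(40)]  # scanner: anomalous and malicious
    + [f"10.0.0.20 GET /report{i}" for i in range(30)]    # nightly report job: anomalous but benign
)

# Signature-based: a small constructed "signature file" (assumption). Each entry has to be
# kept current, and traffic that varies from the pattern is simply not matched.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"(?i)(%20|\s|\+)or(%20|\s|\+)1=1"),
    "directory-traversal": re.compile(r"\.\./"),
}


def signature_detect(lines):
    """Return (line, signature_name) for each line that matches a known pattern."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line, name))
    return hits


def build_profile(baseline_lines):
    """Anomaly-based, step 1: learn the per-host request volume seen during the baseline."""
    counts = Counter(line.split()[0] for line in baseline_lines)
    values = list(counts.values())
    return {"mean": mean(values), "stdev": pstdev(values)}


def anomaly_detect(profile, lines, k=3.0):
    """Anomaly-based, step 2: report hosts whose request count exceeds mean + k * stdev."""
    threshold = profile["mean"] + k * profile["stdev"]
    counts = Counter(line.split()[0] for line in lines)
    return {host: n for host, n in counts.items() if n > threshold}


def run_ids():
    """Run both methods over the observation window and return their findings."""
    profile = build_profile(BASELINE)
    return {
        "signature_hits": signature_detect(OBSERVED),
        "anomalous_hosts": anomaly_detect(profile, OBSERVED),
    }


if __name__ == "__main__":
    result = run_ids()
    for line, name in result["signature_hits"]:
        print(f"signature {name}: {line}")
    for host, n in result["anomalous_hosts"].items():
        print(f"anomaly: {host} made {n} requests against a baseline mean of {build_profile(BASELINE)['mean']:.1f}")
```

Running it reports the two signature hits and two anomalous hosts: 198.51.100.8 (the scanner) and 10.0.0.20 (the report job). The second is the false positive the notes warn about; an analyst would tune the profile or add 10.0.0.20 to a known-good list rather than lower the threshold for everyone.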
Intrusion prevention system (IPS)
An IPS is designed to detect and block intrusions. It can block an attack before it gets inside the network.
An IPS is typically placed in line on the network so that it can analyze traffic entering or leaving the network.
In other words, an IPS is an IDS that also protects the system when an intrusion is detected, by dropping the connection or blocking the port.
Security Information and Event Management (SIEM)
SIEM solutions provide real-time collection, analysis, correlation, and presentation of security logs and alerts generated by various network sources. Network sources here means devices such as firewalls, IDS/IPS, routers, switches, servers, and workstations.
The purpose of data correlation is to arrive at a greater understanding of risk within the organization, based on activities noted across various security platforms.
Correlation of security-related data is the primary utility provided by a SIEM.
A SIEM combs through millions, or even billions, of events daily, and presents only the most important few, actionable events so that security teams can take appropriate action.
A SIEM solution can be software- or appliance-based, and may be hosted and managed either internally or by a managed security service provider.
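As an added illustration of the correlation described above (example code, not part of the original notes or of any SIEM product), the block below normalizes constructed log lines from three sources, a server authentication log, an IDS and a firewall, groups them by host and applies two cross-source rules. The log format, the hosts, the rule names and the thresholds are all assumptions; the point is that thirteen raw events become two actionable incidents while the routine noise (a user mistyping a password twice, a lone firewall deny) is left out.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # device that produced it: firewall, ids or server
    kind: str     # normalized event type
    host: str     # the address the event is about
    detail: str


# Constructed, already-normalized log lines from three sources (not real logs):
# "<ISO timestamp> <source> <kind> <host> <detail>"
RAW_LOGS = [
    "2024-05-01T09:00:05 server auth_fail 203.0.113.9 user=admin",
    "2024-05-01T09:00:09 server auth_fail 203.0.113.9 user=admin",
    "2024-05-01T09:00:14 server auth_fail 203.0.113.9 user=admin",
    "2024-05-01T09:00:20 server auth_fail 203.0.113.9 user=admin",
    "2024-05-01T09:00:26 server auth_fail 203.0.113.9 user=admin",
    "2024-05-01T09:00:31 server auth_ok 203.0.113.9 user=admin",
    "2024-05-01T09:02:00 server auth_fail 10.0.0.5 user=alice",
    "2024-05-01T09:02:30 server auth_fail 10.0.0.5 user=alice",
    "2024-05-01T09:03:00 server auth_ok 10.0.0.5 user=alice",
    "2024-05-01T09:08:00 ids alert 10.0.0.30 sig=exploit-kit-landing-page",
    "2024-05-01T09:10:12 firewall deny 10.0.0.30 dst=198.51.100.77:443 direction=outbound",
    "2024-05-01T09:11:00 firewall deny 10.0.0.31 dst=192.0.2.10:23 direction=outbound",
    "2024-05-01T09:12:00 firewall allow 10.0.0.5 dst=192.0.2.50:443 direction=outbound",
]


def parse(line):
    """Turn one normalized line into an Event."""
    ts, source, kind, host, detail = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), source, kind, host, detail)


def correlate(events, window=timedelta(minutes=5), fail_threshold=5):
    """Group events by host, apply two cross-event rules, return actionable incidents."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    incidents = []
    for host, evs in by_host.items():
        # Rule 1: several authentication failures followed by a success inside the window
        # looks like a guessed credential rather than an ordinary typo.
        fails = [e for e in evs if e.source == "server" and e.kind == "auth_fail"]
        for ok in (e for e in evs if e.source == "server" and e.kind == "auth_ok"):
            recent = [f for f in fails if ok.ts - window <= f.ts <= ok.ts]
            if len(recent) >= fail_threshold:
                incidents.append(("credential-compromise-suspected", host,
                                  f"{len(recent)} failures then success at {ok.ts.time()}"))
                break

        # Rule 2: an IDS alert about an internal host followed by the firewall denying an
        # outbound connection from that host suggests a compromised host trying to call out.
        alerts = [e for e in evs if e.source == "ids" and e.kind == "alert"]
        denies = [e for e in evs if e.source == "firewall" and e.kind == "deny"]
        for a in alerts:
            if any(a.ts <= d.ts <= a.ts + window for d in denies):
                incidents.append(("compromised-host-outbound-attempt", host, a.detail))
                break
    return incidents


def run_siem(lines=RAW_LOGS):
    """Parse the sample lines and return the event count and the correlated incidents."""
    events = [parse(line) for line in lines]
    return {"events_in": len(events), "incidents": correlate(events)}


if __name__ == "__main__":
    out = run_siem()
    print(f"{out['events_in']} events in, {len(out['incidents'])} incidents out")
    for name, host, detail in out["incidents"]:
        print(f"  {name}: {host} ({detail})")
```

Neither rule fires on a single source alone: the brute-force rule needs the failure run and the success, and the outbound rule needs the IDS alert and the firewall deny to agree on the same host within the window. That is what "correlation" buys over reading each device's log separately.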
Continuous Monitoring
Continuous monitoring processes information as it is streamed, in real time or close to real time. Some SIEM solutions offer continuous monitoring, or some of its features. Continuous monitoring components may include:
- Discovery: Ongoing inventory of network and information assets.
- Assessment: Automatic scanning of information assets to identify and prioritize vulnerabilities.
- Threat intelligence: Feeds from one or more outside organizations that produce high-quality, actionable data.
- Audit: Nearly real-time evaluation of device configurations and compliance with established policies and regulatory requirements.
- Patching: Automatic security patch installation and software updating.
- Reporting: Aggregating, analyzing and correlating log information and alerts.
Egress Monitoring
This is the process of monitoring outbound traffic to discover potential data leakage (or loss). The two main reasons for egress monitoring are:
1- To ensure that malicious traffic does not leave the network: for example, when an infected computer is trying to spread malware to hosts on the internet.
2- To ensure that sensitive data does not leave the network unless authorized.
The following strategies can help with egress monitoring:
- Data Loss Prevention (DLP): These solutions focus on reducing or eliminating sensitive data leaving the network, whether in e-mail messages, data uploads, PNG or JPEG images, or other forms of communication. DLP solutions usually perform deep packet inspection (DPI) to decrypt and inspect outbound traffic that is TLS encrypted. Static DLP tools are also used to discover sensitive and proprietary data in databases, file servers, and other data storage systems.
- Steganography: This is the art of hiding data inside another file or message, for example hiding a text message inside a picture file such as a JPG or PNG.
- Watermarking: This is the act of embedding an identifying marker in a file, for example embedding a company logo in a customer database file, or adding a watermark with copyright information to a picture file.
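The block below is an added example (not from the original notes or from any DLP product) of the content-inspection side of DLP applied to the second reason for egress monitoring: sensitive data must not leave unless authorized. It scans constructed outbound e-mail messages for a classification marker and for payment card numbers, uses the Luhn check so that an ordinary sixteen-digit order number is not a false positive, and blocks a message only when a finding is headed to a destination outside an allowlist. The allowlist domain, the CONFIDENTIAL marker and the messages are assumptions made for the example.

```python
import re

# Constructed allowlist of destinations authorized to receive sensitive data (assumption).
AUTHORIZED_DESTINATIONS = {"payments-partner.example"}

# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn check: true for real payment card numbers, false for almost any random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the list of sensitive-content findings in a piece of outbound text."""
    findings = []
    if re.search(r"\bCONFIDENTIAL\b", text):           # constructed classification marker
        findings.append("classification-marker")
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                             # drop digit runs that are not card numbers
            findings.append("payment-card-number")
    return findings


def inspect_outbound(message):
    """Return ('allow' | 'block', findings) for one outbound e-mail message."""
    findings = find_sensitive(message["subject"] + "\n" + message["body"])
    destination = message["to"].rsplit("@", 1)[-1].lower()
    if findings and destination not in AUTHORIZED_DESTINATIONS:
        return "block", findings
    return "allow", findings


# Constructed outbound messages (not real mail).
OUTBOUND = [
    {"to": "friend@mail.example", "subject": "lunch",
     "body": "See you at noon, order 1234 5678 9012 3456 arrived."},      # fails Luhn: allowed
    {"to": "someone@webmail.example", "subject": "card",
     "body": "Use 4111 1111 1111 1111 for the booking."},                # card to outsider: blocked
    {"to": "ops@payments-partner.example", "subject": "settlement",
     "body": "Card 4111-1111-1111-1111, CONFIDENTIAL."},                 # authorized destination: allowed
    {"to": "press@news.example", "subject": "draft",
     "body": "CONFIDENTIAL roadmap attached."},                          # marker to outsider: blocked
]


def run_dlp(messages=OUTBOUND):
    """Inspect every message and return the decision and findings for each."""
    return [inspect_outbound(m) for m in messages]


if __name__ == "__main__":
    for message, (decision, findings) in zip(OUTBOUND, run_dlp()):
        print(f"{decision:5} -> {message['to']} {findings}")
```

A real DLP deployment would apply the same kind of check to uploads and other channels, and would need the DPI step mentioned above to see inside TLS-encrypted traffic; the allow decision for the authorized partner is what keeps the control from blocking legitimate business traffic.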