Domain 4

4.4 Alerting & Monitoring

Explain security alerting and monitoring concepts and tools.

0% Complete

1

4.4.1 Monitoring Computing Resources

Monitoring computing resources involves the continuous oversight of hardware, software, and data assets to ensure availability, performance, and security across the enterprise. Effective monitoring allows IT professionals to manage the delicate balance between functionality and security while protecting the CIA triad (Confidentiality, Integrity, and Availability).

Resource Management and the CIA Triad Every network component—from routers to databases—exists to share resources. Monitoring ensures these resources remain available to legitimate users while preventing unauthorized access or misuse. - Functionality vs. Security: These are inversely proportional; increasing security measures often decreases user functionality and consumes more system resources. - Availability: The key pillar of the CIA triad focused on ensuring systems are up and running; monitoring helps identify downtime before it impacts the business. - Resource Constraints: Financial and hardware resources are finite; monitoring identifies where to allocate budget and processing power efficiently.

Identifying and Prioritizing Resources Not all resources carry the same weight. Security professionals must perform a Business Impact Analysis (BIA) to categorize assets. - Mission-Essential Functions: High-priority processes that the organization needs to survive; monitoring these is the highest priority. - Recovery Priorities: During a system failure, resources must be restored based on their criticality to the business mission. - Resource Dependency: Analyzing how resources like Internet access, power, and cooling interact to support critical applications.

Access Control and Authorization Monitoring Authorization determines what a user can do once they have been authenticated. Monitoring these permissions prevents "privilege creep." - Permissions: Specific to the resource type (e.g., a printer has "Manage Documents" permissions, while a web server may only have "Allow/Deny"). - Centralized Authentication: Using a single database (like Active Directory) to manage credentials across the enterprise; often enables Single Sign-On (SSO). - Decentralized Models: Managing users on a per-resource basis; this is harder to monitor and scale as the organization grows. - Lifecycle Management: Monitoring the creation, modification, and deletion of accounts as employees join, change roles, or leave the company.

Quick Recall - Inversely Proportional: Relationship between security and functionality. - SSO (Single Sign-On): A centralized method where one set of credentials accesses multiple resources. - BIA (Business Impact Analysis): The process used to identify and prioritize critical mission-essential resources. - Trigger words: Mission-essential, resource exhaustion, authorization vs. authentication, centralized database.

2

4.4.2 Activities

Log aggregation, alerting, scanning, archiving.

3

4.4.3 Tools

SIEM, antivirus, DLP, SNMP, NetFlow.