Alerting and Monitoring IT
and any other critical infrastructure
Monitoring Computing Resources
This process involves continuously
overseeing various components of the IT
infrastructure, including systems,
applications, and the broader infrastructure.
We will be covering:
 System Monitoring
 Applications Monitoring
 Infrastructure Monitoring
System Monitoring
Systems monitoring focuses on the health
and performance of individual computing
systems, such as servers, workstations, and
other endpoint devices.
 Key Aspects: This includes monitoring
for:
o Unusual or unauthorized changes in
system configurations
o Resource utilization (like CPU, memory,
and disk usage)
o System uptime
o Performance metrics
 Security Implications: By monitoring
these elements, organizations can detect
potential security incidents, such as a
system compromise or unauthorized
access, and respond quickly
Applications Monitoring
Application monitoring is concerned with the
performance and security of software
applications. It involves tracking:
 Application performance
 User activity
 Error logs
 Transaction times
This also includes monitoring for unusual
activity that might indicate a security breach,
such as unexpected data access patterns,
changes in user behavior, or anomalies in
transaction volumes
 Benefits: Effective application monitoring
helps in quickly identifying and
addressing performance bottlenecks,
software bugs, and potential security
vulnerabilities within applications.
Infrastructure Monitoring
Infrastructure monitoring refers to
overseeing the entire IT infrastructure of an
organization, which includes network
components, data centers, cloud services,
elements.
 Scope:
o Network traffic analysis
o Monitoring the health and status of
routers, switches, firewalls, and other
networking devices
o Performance and security of data
storage systems
 Objectives: The primary goal is to
ensure the infrastructure's integrity,
availability, and performance. This
includes identifying potential security
threats like network breaches, unusual
traffic patterns, or attempts to access
restricted areas of the network
Monitoring Activities
We will be covering the following critical
monitoring activities
 Log  Alerting
aggregation
 Scanning  Reporting
 Archiving  Alert Response
 Quarantine  Remediation/
 Alert Tuning Validation
Log Aggregation
Log aggregation involves collecting and
consolidating logs from various sources
within the IT environment, such as servers,
applications, network devices, and security
systems.
 Purpose: Aggregating logs in a central
location:
o Simplifies analysis
o Aids in detecting patterns or anomalies
o Is essential for comprehensive security
monitoring
Alerting
Alerting refers to the process of configuring
security systems to notify administrators or
security teams of potential security
incidents.
 Key Features: Effective alerting
systems should minimize false positives
and provide actionable insights. They
 typically include thresholds and rules to
trigger alerts for specific conditions.
Scanning
Scanning encompasses various types of
security scans, such as vulnerability scans,
network scans, and application scans
 Objective: The primary goal is to identify
vulnerabilities, misconfigurations, or other
security weaknesses that need to be
addressed.
Reporting
Reporting involves the generation of detailed
reports about the security status of the IT
environment.
 Components: These reports can include
details of identified vulnerabilities
incidents, and the outcome of security
scans, providing insights for decision-
makers and compliance purposes.
Archiving
Archiving is the process of securely storing
historical security data, such as logs and
incident reports, for future reference.
 Importance: It's crucial for compliance
with legal and regulatory requirements, as
well as for historical analysis and
investigating long term trends
Alert Response and
Remediation/Validation
 Quarantine: Involves isolating affected
systems or components to prevent the
spread of a threat or further damage.
Quarantining is often an immediate
response to a security alert
 Alert Tuning: Refers to refining alerting
mechanisms to reduce false positives and
ensure that alerts are relevant and
actionable. This might involve adjusting
thresholds, revising rules, or
implementing more sophisticated
detection algorithms
Security Alerting and Monitoring Tools
A variety of tools are utilized to ensure the
integrity and security of information systems.
We will be covering:
 Security Content Automation Protocol
(SCAP)
 Security Information and Event
Management (SIEM)
 Simple Network Management Protocol
(SNMP) traps
 Antivirus  Benchmarks
 Data loss  Agent/Agentless
prevention (DLP)
Security Content Automation Protocol
SCAP is a suite of standards for automating
the process of configuring and monitoring
network devices for compliance with security
policies.
 Use: It's used for vulnerability
management, measurement, and policy
compliance evaluation. SCAP can
automatically verify the installation of
patches, check system security
configurations, and examine software
flaws.
Benchmark
Benchmarks in security refer to standardized
sets of best practices and configurations that
are known to ensure a higher level of
security
 Use: Organizations use these
benchmarks to configure systems and
applications to an industry-accepted
standard to mitigate the risk of
vulnerabilities and attacks.
Agents/Agentless
Software agents are installed on servers or
devices to monitor, collect, and send data
back to a central server for analysis
 Agentless: In contrast, agentless
systems monitor devices without
installing dedicated software on them,
often using existing protocols and
services
 Comparison: Agent-based solutions can
provide more detailed data but can be
more resource-intensive. Agentless
 Log Management  Event Correlation
 Alerting  Reporting
solutions are easier to deploy but might
offer fewer comprehensive data
Security Information and Event
Management
SIEM is a solution that provides real-time
analysis of security alerts generated by
applications and network hardware. It is used
for:
SIEM is crucial for detecting, understanding,
and responding to security incidents.

Antivirus
Antivirus software is designed to detect,
prevent, and remove malware, including
viruses, worms, and trojans. It’s a
fundamental tool in any security setup,
providing a basic level of protection against
common threats.

Data Loss Prevention

DLP solutions identify, monitor, and protect
data in use, in motion, and at rest through
deep content inspection and contextual
security analysis. They help prevent sensitive
data from being lost, misused, or accessed
by unauthorized users.

Simple Network Management Protocol

Traps
SNMP traps are alerts sent by network
devices to a management station, indicating
that an event or a change in status has
occurred. They are used for managing and
monitoring network devices, helping
administrators stay informed about the
health and status of their networks.

NetFlow
NetFlow is a network protocol developed by
Cisco for collecting IP traffic information and
monitoring network flow data. It’s valuable
for network traffic analysis, helping in
understanding traffic patterns, usage trends,
and detecting anomalies.

Vulnerability Scanners
These are tools designed to assess
computers, networks, or applications for
known vulnerabilities. They are essential in a
security toolkit for identifying weaknesses
that could be exploited by attackers and for
verifying the efficacy of security measures.