Tools: SCAP, benchmarks, agents/agentless, SIEM, antivirus, DLP, SNMP traps, NetFlow, vulnerability scanners

4.2 Security alerting & monitoring

📘CompTIA Security+ (SY0-701)


1. SCAP (Security Content Automation Protocol)

  • What it is: SCAP is a standard framework that helps security tools check systems for compliance with security rules.
  • Why it’s used: It automates the process of checking systems for vulnerabilities and configuration issues.
  • How it works in IT: SCAP includes standards like:
    • CVE (Common Vulnerabilities and Exposures): Identifies known vulnerabilities.
    • CPE (Common Platform Enumeration): Identifies operating systems and software.
    • CVSS (Common Vulnerability Scoring System): Scores vulnerabilities by severity.
    • OVAL (Open Vulnerability and Assessment Language): Defines how to check for vulnerabilities.
  • Exam tip: Know that SCAP is about automating compliance and vulnerability checks.

2. Benchmarks

  • What it is: Benchmarks are predefined security rules or standards that systems should follow.
  • Examples: CIS Benchmarks are widely used. They provide detailed instructions for securely configuring operating systems, applications, and network devices.
  • Exam tip: Benchmarks help ensure systems are configured securely and consistently.

3. Agents / Agentless Monitoring

  • Agents:
    • A small piece of software installed on a device to collect security and performance data.
    • Pros: Can collect detailed information, even offline events.
    • Cons: Uses system resources, requires installation and updates.
  • Agentless:
    • No software installed on the device; monitoring happens over the network (e.g., SNMP, WMI).
    • Pros: Easy to deploy, no extra software required.
    • Cons: Limited detail compared to agents.
  • Exam tip: Know the difference: Agent = installed software, Agentless = no software, remote collection.

4. SIEM (Security Information and Event Management)

  • What it is: SIEM is a centralized system that collects, analyzes, and alerts on security data from across the network.
  • What it does:
    • Collects logs from servers, firewalls, routers, applications, etc.
    • Correlates events to find patterns of attacks or unusual activity.
    • Sends alerts to security teams.
  • Exam tip: Remember SIEM = collect + analyze + alert.
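The collect + correlate + alert loop above, as an added example that is not part of the original study notes: it normalizes constructed log lines from two sources (an SSH server and a firewall) and raises an alert when several failed logins from one IP are followed by a successful login from the same IP within a short window. Host names, IPs and timestamps are made up; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources a SIEM would collect:
# an auth server (sshd) and a firewall. Hosts, IPs and times are made up.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 authsrv sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 authsrv sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:05 authsrv sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 authsrv sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:00:10 fw01 firewall: DENY src=198.51.100.9 dst=10.0.0.5 dport=445
2024-05-01T10:02:00 authsrv sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:20:00 authsrv sshd: Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+): (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")

def parse(lines):
    """Normalize raw lines into dicts (timestamp, host, source, parsed fields)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would count unparsed lines rather than drop them silently
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "source": m["source"], "msg": m["msg"]}
        a = AUTH_RE.search(m["msg"])
        if a:
            ev.update(a.groupdict())  # adds outcome, user, ip for auth events
        events.append(ev)
    return events

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logins from one IP are followed by a
    success from the same IP inside the window (brute force, then success)."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        if ev.get("outcome") == "Failed":
            failures[ev["ip"]].append(ev["ts"])
        elif ev.get("outcome") == "Accepted":
            recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": ev["ip"], "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"]})
    return alerts
```

Calling correlate(SAMPLE_LOGS) returns one alert for 203.0.113.7 (three failures, then admin logged in); the firewall line is collected but does not match the rule, and bob's single failure 18 minutes before his login falls outside the window.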

5. Antivirus

  • What it is: Software that detects and removes malware (viruses, worms, trojans).
  • How it works: Uses signature-based detection (known threats) and sometimes behavior-based detection (unusual actions).
  • Exam tip: Antivirus is a first line of defense against malware.

6. DLP (Data Loss Prevention)

  • What it is: A tool that prevents sensitive data from leaving the network.
  • How it works: Monitors data in motion (emails, web traffic), data at rest (storage), and data in use (clipboard, USB devices).
  • Exam tip: DLP = protect sensitive data from leaving or being stolen.

7. SNMP Traps (Simple Network Management Protocol)

  • What it is: SNMP is used to monitor network devices like switches, routers, and servers.
  • SNMP traps: Alerts a device sends automatically when it experiences an event (e.g., high CPU usage, link down).
  • Exam tip: SNMP traps = automatic alerts from network devices.

8. NetFlow

  • What it is: NetFlow is a network monitoring tool that tracks traffic flows between devices.
  • How it works: It records which devices are talking to each other, for how long, and how much data is being transferred.
  • Exam tip: NetFlow = analyzing network traffic patterns for anomalies.

9. Vulnerability Scanners

  • What it is: Tools that scan systems, networks, and applications for known security weaknesses.
  • Examples: Nessus, OpenVAS, Qualys.
  • What it does:
    • Detects missing patches.
    • Finds misconfigurations.
    • Reports on vulnerabilities based on CVSS scores.
  • Exam tip: Vulnerability scanners = automated checks for weaknesses.

Summary Table for Exam

Tool: Purpose
  • SCAP: Automates compliance and vulnerability checks
  • Benchmarks: Provides standard secure configurations
  • Agents / Agentless: Collects monitoring data from devices
  • SIEM: Collects, analyzes, and alerts on security events
  • Antivirus: Detects and removes malware
  • DLP: Prevents sensitive data loss
  • SNMP Traps: Automatic network device alerts
  • NetFlow: Monitors network traffic patterns
  • Vulnerability Scanners: Scans for security weaknesses

✅ Key Exam Tips:

  • Know what each tool does and why it’s used.
  • Don’t confuse SIEM with antivirus—SIEM analyzes many data sources, antivirus just targets malware.
  • Understand agent vs agentless monitoring.
  • Be able to identify which tool would detect, prevent, or alert for a given situation.
