Monitor: systems, apps, infra

 4.2 Security alerting & monitoring

📘CompTIA Security+ (SY0-701)

Monitoring is a core part of security alerting and monitoring. The goal is to keep an eye on all parts of your IT environment to detect problems, security threats, or unusual activity as soon as possible. Think of it as continuously watching the health and activity of everything in your IT environment.

1. Systems Monitoring

Systems include computers, servers, laptops, and virtual machines (VMs). Monitoring systems helps you detect security threats, performance issues, or failures.

Key points for the exam:

  • Operating System Logs:
    • Windows Event Logs or Linux syslogs record system events (logins, crashes, errors).
    • Monitoring these logs helps detect unauthorized access or malware activity.
  • Performance Monitoring:
    • Track CPU usage, memory, disk space, and network activity.
    • Example: A sudden spike in CPU usage might indicate malware mining cryptocurrency.
  • Endpoint Monitoring Tools:
    • Tools like EDR (Endpoint Detection and Response) monitor endpoints for suspicious activity.
    • Detect malware, unauthorized software, or abnormal user behavior.
  • Health Checks:
    • Monitor whether systems are online, responsive, and patched.

2. Applications (Apps) Monitoring

Applications are the software you run on systems, like web servers, databases, or internal apps. Monitoring apps ensures they work correctly and are secure.

Key points for the exam:

  • Application Logs:
    • Track application events such as login attempts, errors, or failed transactions.
    • Example: A web application log showing repeated failed login attempts might indicate a brute-force attack.
  • Application Performance Monitoring (APM):
    • Monitor app performance metrics like response time, request errors, or database query times.
    • Tools like Dynatrace, New Relic, or AppDynamics help track performance.
  • Security Monitoring:
    • Check for vulnerabilities or exploits in applications.
    • Detect SQL injection attempts, cross-site scripting (XSS), or other attacks.
  • Patch Monitoring:
    • Ensure apps are up to date with security patches to prevent exploits.

3. Infrastructure Monitoring

Infrastructure is the underlying IT backbone that supports systems and applications. This includes networks, servers, storage, cloud services, and virtual environments.

Key points for the exam:

  • Network Monitoring:
    • Track network traffic for unusual patterns or high usage.
    • Tools: Wireshark, SolarWinds, PRTG, Nagios.
    • Detect anomalies like DDoS attacks or unauthorized data transfers.
  • Cloud Infrastructure Monitoring:
    • Monitor cloud resources for security and performance.
    • Example: Track CPU/memory usage of cloud VMs, check for unencrypted storage buckets, or excessive API calls.
  • Server & Storage Monitoring:
    • Track disk usage, backups, and server uptime.
    • Detect hardware failures or storage issues before they impact services.
  • Configuration Monitoring:
    • Ensure devices and infrastructure are configured according to security policies.
    • Detect misconfigurations in firewalls, routers, or cloud instances.

How These Monitoring Areas Work Together

Monitoring isn’t isolated. Security teams use monitoring to:

  1. Detect Threats Quickly:
    • For example, high CPU usage on a system combined with unusual network traffic might indicate ransomware.
  2. Understand the Impact:
    • If an app fails, monitoring infrastructure tells you whether it’s due to a server problem, network issue, or a bug in the application.
  3. Support Incident Response:
    • Logs and monitoring data help investigate and respond to incidents efficiently.
  4. Meet Compliance Requirements:
    • Regulations like GDPR, HIPAA, or PCI-DSS require continuous monitoring of systems, apps, and infrastructure.

Important Tools/Concepts to Remember for the Exam

  • SIEM (Security Information and Event Management):
    • Aggregates logs from systems, apps, and infrastructure into one platform.
    • Correlates events and raises alerts for potential security incidents.
  • NMS (Network Monitoring System):
    • Monitors network devices like routers, switches, and firewalls.
  • EDR (Endpoint Detection and Response):
    • Monitors endpoints for suspicious activities or malware.
  • Cloud Monitoring Tools:
    • AWS CloudWatch, Azure Monitor, Google Cloud Operations.

Exam Tip:

When the exam asks about monitoring, think: “Where am I watching? Systems, Apps, Infrastructure. What am I watching? Performance, security, errors, access.”

  • Systems: CPU, memory, login events.
  • Apps: Performance, logs, errors, vulnerabilities.
  • Infrastructure: Networks, servers, storage, cloud resources, configurations.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by