Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.4.3. Security Monitoring Tools

💡 First Principle: Security monitoring tools process and analyze the data that monitoring activities collect. Each tool serves a specific purpose — the key is knowing which tool answers which question.

SIEM (Security Information and Event Management) — the central nervous system of security monitoring. SIEMs aggregate logs from all sources, correlate events using rules and analytics, generate alerts for suspicious patterns, and provide dashboards and reporting. Think of SIEM as the security operations air traffic control tower.

SCAP (Security Content Automation Protocol) — a standardized framework for automated vulnerability management, configuration checking, and compliance verification. SCAP tools use standardized data feeds (CVE, CVSS, CPE) to automate assessment.

Antivirus/anti-malware — endpoint protection that detects and removes known malicious software using signatures, heuristics, and behavioral analysis.

Data Loss Prevention (DLP) — monitors and controls data movement to prevent unauthorized exfiltration. Network DLP inspects traffic; endpoint DLP monitors file operations; cloud DLP protects data in cloud services.

SNMP traps — network devices send unsolicited alerts (traps) to management stations when predefined conditions occur (interface down, high CPU, authentication failure).

NetFlow/sFlow/IPFIX — network traffic metadata collection that captures who communicated with whom, how much data was exchanged, and when — without capturing packet contents. Essential for traffic analysis and anomaly detection.
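To make the "who, how much, when — but not what" nature of flow metadata concrete, here is an added example (not part of the course material) that runs a simple egress-volume anomaly check over constructed flow records. The records carry only the kind of fields a NetFlow/IPFIX exporter provides (start time, source, destination, byte count); the 10.0.0.0/8 internal range, the 5x ratio, and the "yesterday vs. today" baseline are assumptions made for the demo.

```python
"""Egress anomaly check over flow metadata (added example, constructed data).

Each record mimics a NetFlow/IPFIX flow summary: when it started, which
endpoints talked, and how many bytes moved. There is no payload field at
all, which is exactly what makes flow data cheap to keep and safe to share.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the monitored network
RATIO = 5.0                           # assumption: flag >5x the baseline egress

# Constructed baseline ("yesterday") flows.
BASELINE_FLOWS = [
    {"start": "2026-01-14T09:00:00", "src": "10.0.0.5", "dst": "198.51.100.20", "bytes": 200_000},
    {"start": "2026-01-14T09:05:00", "src": "10.0.0.6", "dst": "198.51.100.20", "bytes": 150_000},
]

# Constructed current ("today") flows.
CURRENT_FLOWS = [
    {"start": "2026-01-15T09:01:00", "src": "10.0.0.5", "dst": "198.51.100.20", "bytes": 210_000},
    {"start": "2026-01-15T02:13:00", "src": "10.0.0.6", "dst": "203.0.113.50", "bytes": 2_000_000},
    # internal-to-internal transfer: large, but not egress, so ignored
    {"start": "2026-01-15T10:00:00", "src": "10.0.0.6", "dst": "10.0.0.9", "bytes": 50_000_000},
    # inbound from outside: not egress either
    {"start": "2026-01-15T10:01:00", "src": "203.0.113.50", "dst": "10.0.0.6", "bytes": 4_000},
]


def outbound_bytes(flows):
    """Sum bytes per internal source host sent to non-internal destinations."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def egress_anomalies(baseline_flows, current_flows, ratio=RATIO):
    """Return {host: (baseline_bytes, current_bytes)} for hosts whose egress
    grew by more than `ratio`. Hosts with no baseline count as baseline 0 and
    are therefore flagged whenever they send anything outbound."""
    base = outbound_bytes(baseline_flows)
    cur = outbound_bytes(current_flows)
    findings = {}
    for host, sent in cur.items():
        b = base.get(host, 0)
        if sent > ratio * b:
            findings[host] = (b, sent)
    return findings


if __name__ == "__main__":
    for host, (before, now) in egress_anomalies(BASELINE_FLOWS, CURRENT_FLOWS).items():
        print(f"{host}: egress {before} -> {now} bytes")
```

Note that the check never needs packet contents: the decision rests entirely on endpoints, direction and volume, which is why flow collection scales to links where full packet capture would not.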

Vulnerability scanners — automated tools that assess systems against known vulnerability databases and report findings with severity ratings.

Protocol analyzers (packet capture) — tools like Wireshark that capture and analyze individual network packets. Used for deep-dive troubleshooting, forensic analysis, and validating that encryption is properly implemented. Protocol analyzers show the actual bytes on the wire — they answer "what exactly happened?" when other tools only show summaries. In security investigations, packet captures provide definitive evidence of what data was transmitted and when.

āš ļø Exam Trap: SIEM correlates events from multiple sources to identify patterns. A single firewall log showing a blocked connection is noise; the same IP hitting 50 different ports across 20 minutes, correlated by SIEM, reveals a port scan. The correlation is what makes SIEM valuable.

Written by Alvin Varughese, Founder • 15 professional certifications