Activity Monitoring (Information Security IT Booklet, Security Monitoring)
Activity monitoring consists of host data gathering, network data gathering, and the analysis of both. Host data is gathered and recorded in logs and includes performance data and system events of security significance. Host performance data is important for identifying anomalous behavior that may indicate an intrusion. Security events are important both for identifying anomalous behavior and for enforcing accountability. Examples of security events include operating system access, privileged access, creation of privileged accounts, configuration changes, and application access. Privileged access may be subject to keystroke recording. Sensitive applications should have their own logging of significant events.
Host activity recording is typically limited by the abilities of the operating system and application.
Network data gathering is enabled by sensors that typically are placed at control points within the network. For example, a sensor could record traffic that is allowed through a firewall into the DMZ, and another sensor could record traffic between the DMZ and the internal network. As another example, a sensor could be placed on a switch that controls a subnet on the internal network and record all activity into and out of the subnet.
Network data gathering is governed by the nature of network traffic. The activity recorded can range from parts of headers to full packet content. Packet header information supports traffic analysis and provides such details as the endpoints, length, and nature of network communication. Packet header recording is useful even when packet contents are encrypted. Full packet content provides the exact communications traversing the network in addition to supporting traffic analysis. Full packet content recording allows for a more complete analysis, but entails additional collection, storage, and retrieval costs.
Many types of network sensors exist. Sensors built into some popular routers record activity from packet headers. Host-based sniffer software can be used on a device that does not have an IP address. Some sensors are honeypots, or hosts configured to respond to network communications similar to other hosts, but exist only for the purpose of capturing communications. Other sensors contain logic that performs part of the analysis task, alerting on the similarity between observed traffic and preconfigured rules or patterns. Those sensors are known as "Intrusion Detection Systems."
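As an added illustration, not part of the booklet, the following Python sketches the kind of rule-based sensor logic described above, working only on packet-header records (endpoints, protocol, length) so it applies even when packet contents are encrypted. The subnets, addresses, sample records and threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of packet-header records, as a sensor placed between the
# DMZ and the internal network might emit. No payload is recorded.
HEADER_RECORDS = [
    # (src, sport, dst, dport, proto, length_bytes)
    ("203.0.113.7", 51000, "192.0.2.10", 443, "tcp", 1200),  # external -> DMZ web
    ("192.0.2.10", 443, "203.0.113.7", 51000, "tcp", 900),   # reply
    ("192.0.2.10", 41234, "10.0.0.5", 3389, "tcp", 60),      # DMZ host reaching inward
    ("10.0.0.5", 3389, "192.0.2.10", 41234, "tcp", 60),      # reply
    ("10.0.0.8", 53000, "198.51.100.9", 443, "tcp", 1500),   # internal -> external
    ("10.0.0.8", 53001, "198.51.100.9", 443, "tcp", 1500),
]

DMZ = ipaddress.ip_network("192.0.2.0/24")     # assumed DMZ subnet
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal subnet

@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    detail: str

def zone(addr):
    """Classify an address by the network segment the sensor is monitoring."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "external"

def analyze(records, egress_limit_bytes=2500):
    """Apply preconfigured header-only rules and return the alerts raised."""
    alerts = []
    egress = defaultdict(int)  # (src, dst) -> bytes sent toward external hosts
    for src, sport, dst, dport, proto, length in records:
        # Rule 1: DMZ hosts are not expected to originate traffic into the
        # internal network; any such packet is reported with its service port.
        if zone(src) == "dmz" and zone(dst) == "internal":
            alerts.append(Alert("dmz-to-internal", src, dst, f"{proto}/{dport}"))
        # Rule 2: traffic analysis from lengths alone; volume from one internal
        # host to one external endpoint above the threshold is reported.
        if zone(src) == "internal" and zone(dst) == "external":
            egress[(src, dst)] += length
    for (src, dst), total in egress.items():
        if total > egress_limit_bytes:
            alerts.append(Alert("egress-volume", src, dst, f"{total} bytes"))
    return alerts
```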