Activity Monitoring
Activity monitoring consists of host and network data gathering, and analysis. Host data is gathered and recorded in logs and includes performance and system events of security significance. Host performance is important to identify anomalous behavior that may indicate an intrusion. Security events are important both for the identification of anomalous behavior and for enforcing accountability. Examples of security events include operating system access, privileged access, creation of privileged accounts, configuration changes, and application access. Privileged access may be subject to keystroke recording. Sensitive applications should have their own logging of significant events.

Host activity recording is typically limited by the abilities of the operating system and application.

Network data gathering is enabled by sensors that typically are placed at control points within the network. For example, a sensor could record traffic that is allowed through a firewall into the DMZ, and another sensor could record traffic between the DMZ and the internal network. As another example, a sensor could be placed on a switch that controls a subnet on the internal network and record all activity into and out of the subnet.

Network data gathering is governed by the nature of network traffic. The activity recorded can range from parts of headers to full packet content. Packet header information supports traffic analysis and provides such details as the endpoints, length, and nature of network communication. Packet header recording is useful even when packet contents are encrypted. Full packet content provides the exact communications traversing the network in addition to supporting traffic analysis. Full packet content recording allows for a more complete analysis, but entails additional collection, storage, and retrieval costs.

Many types of network sensors exist. Sensors built into some popular routers record activity from packet headers. Host-based sniffer software can be used on a device that does not have an IP address. Some sensors are honeypots, or hosts configured to respond to network communications similar to other hosts, but exist only for the purpose of capturing communications. Other sensors contain logic that performs part of the analysis task, alerting on the similarity between observed traffic and preconfigured rules or patterns. Those sensors are known as "Intrusion Detection Systems."
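The following example, added here and not part of the booklet, illustrates two of the points above in working code: flagging the host security events the text names (privileged access, creation of privileged accounts, configuration changes) from log lines, and applying a preconfigured rule to packet headers alone, the way the text describes header-based traffic analysis and IDS-style alerting. The log format, the header record layout and all values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed host security-event log lines (not from the booklet); the key=value format is assumed.
HOST_LOG = """\
2024-05-01T08:02:11 host=app01 event=logon user=alice priv=no
2024-05-01T08:05:42 host=app01 event=logon user=root priv=yes
2024-05-01T08:06:03 host=app01 event=account_create user=root target=svc_backup priv=yes
2024-05-01T08:07:19 host=app01 event=config_change user=root object=sshd_config
2024-05-01T09:15:00 host=db01 event=logon user=bob priv=no
""".splitlines()

# Constructed packet-header records (src, dst, dst_port, bytes): headers only, as with encrypted traffic.
HEADERS = [
    ("10.1.1.5", "10.2.0.7", 443, 1200),
    ("10.1.1.5", "10.2.0.7", 443, 900),
    ("10.1.1.9", "10.2.0.7", 3389, 64),
    ("10.1.1.9", "10.2.0.8", 3389, 64),
    ("10.1.1.9", "10.2.0.9", 3389, 64),
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_host_line(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = ts
    return rec

def host_alerts(lines):
    """Flag the events the booklet names: privileged access, privileged account creation, config changes."""
    alerts = []
    for rec in map(parse_host_line, lines):
        event, priv = rec.get("event"), rec.get("priv")
        if event == "logon" and priv == "yes":
            alerts.append(("privileged_access", rec["ts"], rec["host"], rec["user"]))
        elif event == "account_create" and priv == "yes":
            alerts.append(("privileged_account_created", rec["ts"], rec["host"], rec["target"]))
        elif event == "config_change":
            alerts.append(("config_change", rec["ts"], rec["host"], rec["object"]))
    return alerts

def header_alerts(headers, threshold=3):
    """IDS-style rule on headers alone: one source reaching many destinations on the same port."""
    dests = defaultdict(set)
    for src, dst, dport, _ in headers:
        dests[(src, dport)].add(dst)
    return sorted((src, dport, len(d)) for (src, dport), d in dests.items() if len(d) >= threshold)
```

The header rule needs only endpoints, which is why header recording stays useful when the payload is encrypted; the threshold is a tuning knob, not a fixed standard.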