Network endpoints and network devices have different security considerations and implications. A user workstation implies certain security issues that remain in the user domain while network implications remain part of the LAN or LAN-to-WAN domain. However, during the course of investigating an intrusion, you may have to source data from logs kept in routing devices and end-user systems.

Suppose an attacker intrudes upon one of your servers. How do you reconstruct the events of a crime? Log files are the first place to check for administrative issues and security activity. Log files help you put together a timeline of events surrounding everything from a performance problem to a security incident.

You can also identify bad system or network activities by observing anomalies from baseline behavior or identifying certain suspicious actions. Testing ensures that your control and monitoring facilities work as intended and maintain proper operation. Monitoring ensures that you capture evidence when your testing procedures fail to examine all possibilities or legitimate behavior permits unauthorized activity.

Always consider that even legitimate traffic can be used in illegitimate ways, and sometimes, legitimate traffic can appear illegitimate. Protected services can be attacked from the inside or accessed externally through loopholes in firewall rules. Vulnerabilities may remain unidentified by intrusion detection system (IDS) or intrusion prevention system (IPS) signatures and evade detection. Monitoring helps you capture pieces of the puzzle that creates a timeline of events.

Answer the following questions:

How do you obtain a baseline of system or network behavior?

What is an anomaly in relation to baseline behavior?

What do log files help you learn that filtering systems overlook?

Why can legitimate traffic sometimes seem suspicious?