Conducting Logging and Monitoring Activities

This course is the first of 4 modules of Domain 7 of the CISSP, covering Security Operations.

Learning Objectives

The objectives of this course are to provide you with the ability to:

  • Understand and support investigations
  • Understand requirements for investigation types
  • Conduct logging and monitoring activities
  • Secure the provisioning of resources through configuration management
  • Understand and apply foundational security operations concepts

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So now we're going to move into section three, and we're going to discuss conducting the logging and monitoring activities in the security operations domain.

So in this section, we're going to talk about intrusion detection and prevention, the technology known as SIEM, the Security Information and Event Management, egress monitoring and DLP, the data leak or loss prevention.

So let's begin with our IDS and IPS. The Intrusion Detection System, in its purest form, is a technology that alerts the organization to adverse or unwanted activities or penetrations. Then we have the Intrusion Prevention System. Like the IDS, it monitors and it has an alert function, but unlike an IDS, it automatically takes preventive action when activity that has been defined as unacceptable is detected.

The SIEM or Security Information and Event Management system is a combination of two technologies, Security Information Management, or SIM, and Security Event Management, or SEM. These technologies aggregate information about access controls and system activities and store it for analysis and correlation of events across multiple platforms. The characteristics that SIEMs typically share are the ability to connect to remote devices and systems, draw the information out of their logs, and store that information in its raw form. Then they aggregate the information by normalizing it into a consistent form. Then there are analytical tools the analyst uses to correlate the various events recorded in that information. And they have alerting and reporting tools that detect the unwanted or defined activity, alert the analyst, and then carry the analyst through all of these steps to produce a report.
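The collect, retain raw, normalize, correlate, alert sequence just described, as an added illustration that is not part of the course or of any SIEM product. The log lines, source names, the common event schema and the single correlation rule (several failed logons from one address followed by a success within a short window) are all constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample logs from two sources in two different formats:
# syslog-style sshd lines and JSON records from a web application.
RAW_EVENTS = [
    ("sshd", "2024-05-01T10:00:01Z sshd[812]: Failed password for alice from 203.0.113.5 port 5022 ssh2"),
    ("sshd", "2024-05-01T10:00:03Z sshd[812]: Failed password for alice from 203.0.113.5 port 5023 ssh2"),
    ("sshd", "2024-05-01T10:00:05Z sshd[812]: Failed password for alice from 203.0.113.5 port 5024 ssh2"),
    ("sshd", "2024-05-01T10:00:09Z sshd[812]: Accepted password for alice from 203.0.113.5 port 5025 ssh2"),
    ("webapp", '{"ts": "2024-05-01T10:02:00Z", "user": "bob", "ip": "198.51.100.7", "action": "login", "result": "failure"}'),
    ("webapp", '{"ts": "2024-05-01T10:02:01Z", "user": "bob", "ip": "198.51.100.7", "action": "login", "result": "success"}'),
    ("sshd", "2024-05-01T11:00:00Z sshd[900]: Accepted publickey for carol from 192.0.2.10 port 6000 ssh2"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def _parse_ts(value):
    # ISO-8601 with a trailing Z; normalized to an aware UTC datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(source, raw):
    """Map one raw record from any source onto the common event schema.

    Returns None for records the rule set does not care about. The raw
    line is retained inside the event so an analyst can always go back to it.
    """
    if source == "sshd":
        m = SSHD_RE.match(raw)
        if not m:
            return None
        return {
            "ts": _parse_ts(m["ts"]), "source": source, "user": m["user"],
            "src_ip": m["ip"], "event": "auth",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "raw": raw,
        }
    if source == "webapp":
        rec = json.loads(raw)
        if rec.get("action") != "login":
            return None
        return {
            "ts": _parse_ts(rec["ts"]), "source": source, "user": rec["user"],
            "src_ip": rec["ip"], "event": "auth", "outcome": rec["result"],
            "raw": raw,
        }
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful logon preceded by >= threshold failures from the same address."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "auth" or ev["outcome"] != "success":
            continue
        prior_failures = [
            p for p in events[:i]
            if p["src_ip"] == ev["src_ip"] and p["outcome"] == "failure"
            and ev["ts"] - p["ts"] <= window
        ]
        if len(prior_failures) >= threshold:
            alerts.append({
                "rule": "failed-logons-then-success", "src_ip": ev["src_ip"],
                "user": ev["user"], "failures": len(prior_failures),
                "ts": ev["ts"].isoformat(),
            })
    return alerts


def run_pipeline(raw_events=RAW_EVENTS):
    """Collect -> keep raw -> normalize -> correlate; returns (normalized, alerts)."""
    raw_store = list(raw_events)  # the raw-form copy the SIEM retains
    normalized = [n for n in (normalize(s, r) for s, r in raw_store) if n]
    return normalized, correlate(normalized)


def report(alerts):
    """The reporting step: one human-readable line per alert."""
    return [f"{a['ts']} {a['rule']}: {a['failures']} failures then success for "
            f"{a['user']} from {a['src_ip']}" for a in alerts]


if __name__ == "__main__":
    normalized, alerts = run_pipeline()
    print(f"{len(normalized)} events normalized")
    for line in report(alerts):
        print(line)
```

The point of the normalization step shows up in `correlate`: the rule never has to know whether an event came from sshd or the web application, because both have been mapped onto the same field names before correlation runs. Bob's single failure stays below the threshold and produces no alert; Alice's three failures followed by a success from the same address do.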

Egress monitoring looks at traffic as it goes out, in contrast to the inbound monitoring we have historically focused on. Historically, we have been much more concerned with monitoring things on ingress: hostile elements that are seeking to enter our intranet and then cause some sort of damaging effect. But it has come to our attention in recent years that egress monitoring is nearly as important. It should seem obvious that once a hostile party has entered our intranet and found the informational elements they are looking for, they then have to get them out in some way. By monitoring for the pattern that the desired data may have, we are able to detect not only the penetration but the attempt to remove the data from our system, and therefore put together countermeasures to stop it. So what we are going to do is look for ways to filter and restrict the flow of outbound information from our network through our portal, typically our firewall, out onto the internet and on to whatever destination the attacking party wants to send it to. This is making sure that unauthorized or malicious traffic never leaves the internal network, and that wanted and protected data never leaves the network either.

We have, of course, our DLP, our data leak/loss type of protection. These things typically come as a suite of technologies to reduce the loss of sensitive information through a variety of means, provide both the prevention and the detective and recovery types of activities that we need. The DLP solutions that we're going to apply have to address the data in all the different forms that it takes. DLP needs to address data at rest. Typically one form of technology would be to encrypt the data at rest as long as that's not the only copy. Encrypting it would at least prevent it from being in a human-readable form and falling into the wrong hands.
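The egress-filtering idea from the previous paragraph and the DLP detection function described here, combined into one added example. This is not code from the course or from any DLP product; the outbound messages, the internal domain `corp.example`, the "CONFIDENTIAL" marker and the policy (block sensitive content bound for external recipients, only alert when it stays internal) are constructed assumptions. It looks for card-number-like strings and validates them with the Luhn check so that an arbitrary 16-digit order reference is not reported as a payment card number.

```python
import re

# Constructed outbound messages, as a mail gateway or egress proxy might see them.
OUTBOUND = [
    {"id": 1, "to": "partner@example.net",
     "body": "Invoice attached, card on file 4532015112830366, due Friday."},
    {"id": 2, "to": "friend@example.org",
     "body": "Order ref 1234567812345678 shipped."},
    {"id": 3, "to": "me@example.com",
     "body": "CONFIDENTIAL - Q3 roadmap draft, do not forward."},
    {"id": 4, "to": "team@corp.example",
     "body": "Lunch at noon?"},
    {"id": 5, "to": "finance@corp.example",
     "body": "CONFIDENTIAL - updated budget figures attached."},
]

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain
CONFIDENTIAL_MARKER = "CONFIDENTIAL"  # assumed classification label

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: True for strings that are structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return card-number-like strings in text that also pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def inspect(message):
    """Classify one outbound message: 'allow', 'alert' (internal, log only) or 'block'."""
    findings = []
    if find_pans(message["body"]):
        findings.append("payment-card-number")
    if CONFIDENTIAL_MARKER in message["body"]:
        findings.append("confidential-marker")
    if not findings:
        verdict = "allow"
    elif is_external(message["to"]):
        verdict = "block"
    else:
        verdict = "alert"
    return {"id": message["id"], "verdict": verdict, "findings": findings}


def inspect_all(messages=OUTBOUND):
    return {r["id"]: r["verdict"] for r in (inspect(m) for m in messages)}


if __name__ == "__main__":
    for m in OUTBOUND:
        print(inspect(m))
```

Message 2 contains sixteen consecutive digits but fails the Luhn check, so it is allowed; without that check a pattern-only filter would block ordinary order and tracking numbers, which is how DLP deployments generate the false positives that get them switched off. Message 5 carries the same marker as message 3 but stays inside the organization, so it is logged rather than blocked.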

Likewise, we have to treat the data in motion through our network or out through our portals onto the internet to a destination and again, encryption plays a key role in protecting the data from being exposed, trapped, or taken by unauthorized parties in any sort of a useful form. Then we have, of course, the data in use. This is where the data, as a file on a computer, is open and being manipulated by a data analyst or if it's physical, it's in paper form. In either case, data in use at the endpoint must be under the direct and continuous control of the authorized person in whose possession it rests.

Now, the benefits that can be derived from having a DLP solution include these. It allows us to protect critical business data and intellectual property of a variety of kinds. It can, of course, improve our ability to comply with any form of regulations. It reduces the data breach risk by keeping the data encrypted in transmission and encrypted at rest, so that it never ends up in unauthorized hands in a human-readable state.

To bolster the effectiveness of a DLP program, it needs to be used as part of an enhanced training program, making sure that, first, people are aware; second, that they know we have these tools; and third, in many cases, how they are used and what benefit we derive from them.

We also need to improve our business processes so that, in an institutional sense, we reduce the opportunities for these losses or exposures to occur. By optimizing disk space and network bandwidth, we make preparations at the system and network level to help with the protection of this information. And then, of course, we have to have as part of this the tools that will detect rogue or malicious software that can result in a data loss.

Other techniques in this area, which can serve as a protection for us or as a means of loss inflicted against us, are steganography and watermarking. Now, steganography is the science of formulating a technique through which information can be hidden, often in plain sight. Methods that can be used include covert channels. It can hide text within web pages. It can hide files in plain sight using a technique as simple as renaming a file. And there can be null ciphers. Watermarking is the protective use of the same idea. For example, if we embed a signature within sample images posted on a website, the signature can later be used to prove ownership. But it will not be noticed by anyone viewing the site, even though it is there in plain sight, because they will not recognize what it is, since it is integrated with the images on the website.
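The ownership-proving watermark just described, as an added example rather than course material. The image is a constructed list of 8-bit grayscale pixel values, and the signature is a keyed HMAC tag over an assumed image identifier, written into the least significant bit of the first 64 pixels. Anyone viewing the picture sees at most a change of one in 256 per pixel, but only the holder of `owner_key` can produce or verify the tag, which is what makes it usable as proof of ownership rather than just a hidden note.

```python
import hashlib
import hmac

TAG_BITS = 64  # number of HMAC bits embedded; 64 LSBs of the image carry the tag

# Constructed 128-pixel grayscale "image" standing in for real image data.
SAMPLE_IMAGE = [(x * 37 + 11) % 256 for x in range(128)]


def _tag_bits(owner_key, image_id, nbits=TAG_BITS):
    """Keyed signature for this image, as a list of bits (HMAC-SHA256, truncated)."""
    digest = hmac.new(owner_key, image_id, hashlib.sha256).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(7, -1, -1)]
    return bits[:nbits]


def _bits_to_bytes(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def embed_watermark(pixels, owner_key, image_id):
    """Return a copy of pixels with the tag written into the LSB of the first TAG_BITS pixels."""
    if len(pixels) < TAG_BITS:
        raise ValueError("image too small to carry the watermark")
    marked = list(pixels)
    for i, bit in enumerate(_tag_bits(owner_key, image_id)):
        marked[i] = (marked[i] & ~1) | bit   # overwrite only the least significant bit
    return marked


def verify_watermark(pixels, owner_key, image_id):
    """True if the LSBs carry the tag that owner_key produces for image_id."""
    if len(pixels) < TAG_BITS:
        return False
    extracted = [p & 1 for p in pixels[:TAG_BITS]]
    expected = _tag_bits(owner_key, image_id)
    # Constant-time comparison, as for any MAC check.
    return hmac.compare_digest(_bits_to_bytes(extracted), _bits_to_bytes(expected))


def max_pixel_change(original, marked):
    """Largest per-pixel difference the watermark introduced (0 or 1)."""
    return max(abs(a - b) for a, b in zip(original, marked))


if __name__ == "__main__":
    key = b"assumed-owner-key"
    marked = embed_watermark(SAMPLE_IMAGE, key, b"photo-001")
    print("max change:", max_pixel_change(SAMPLE_IMAGE, marked))
    print("verifies with owner key:", verify_watermark(marked, key, b"photo-001"))
    print("verifies with other key:", verify_watermark(marked, b"other", b"photo-001"))
```

Binding the tag to an identifier and a secret key is what turns a hidden bit pattern into evidence: a copy found elsewhere still verifies under the owner's key, while a party without the key cannot forge a tag for their own identifier. A real deployment would spread the bits across the image rather than using the first pixels and would have to survive re-encoding, which plain LSB embedding does not.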

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.