3.1 How Do I Use SIEM Tools?

00:00

welcome to module to How do you seem? Tools?

00:06

In the last video we discussed seemed tools what they are and why they should be used

00:12

in this video. We'll expand on this and discuss further end up. How do you seem tools for logging and other activities

00:21

for your next pre assessment question.

00:23

True or false, you need an understanding of the incident response process and order to effectively use seem tools.

00:32

If you enter. True, you're correct

00:35

on understanding of the incident response processes Pair Mountain Using seem tools. It's important to be able to discern which logging data matters and when something doesn't look quite right.

00:45

Learning to apply the cyber killed shade and encouraging organization to establish triage stops are some critical steps in utilizing Seems effectively.

00:55

So how do I you seem? Tools.

00:57

It's important to know which data matters. If all operational data is collected, we'd have an information overload consisting of hundreds of thousands of events per second.

01:07

This would be exhausting and nearly impossible to sift through.

01:11

Therefore, wanting to determine what assets are critical that we need to pull Information from.

01:15

This can include different servers, routers and switches, firewalls, anti virus intrusion detection systems. Active directory logs, et cetera,

01:25

seems typically offer customized dashboards per analyst. Ah, good habit is to create a view that suits your needs.

01:32

Avoid the common pitfall of becoming a log report depository for your organization.

01:38

Another important part of knowing how do you seem tools is to know when certain data is generated. This is understanding patterns and the impact that there might have on your organization. It's important to be able to discern whether a piece of log data is benign, a threat or an incident.

01:53

When you encounter a piece of log data, it will often be tagged with an event coat and have other information included, such as time frequency, user information, etcetera.

02:04

Based on this information, you should be able to look back through log activity and determine whether this is normal activity for the network or user or process, or if it's unusual.

02:14

If it's unusual activity he needs surrounding logs and data to gather clues and evidence to further investigate

02:20

logging events in temporal proximity of events of interest is extraordinarily helpful when needing to escalate events, Most seems support base lines, which can be helpful in identifying event that do not occur frequently but do occur consistently

02:34

seems often include alarms and alerts that can also be configured to alert on key events. For example, if a administrator log in and a production machine happens at an unusual time outside of what normally happens, get old set off an alarm or you can configure it to set an alarm off so that you're notified.

02:52

More complex events and related events can be condensed into correlated events, which will discuss leader on in some of the labs.

03:00

Another important part of knowing how to use seem tools is understanding the incident response process.

03:06

This is a process that begins with preparation and has six steps that lead the lessons learned.

03:12

Preparation is where most of the legwork needs to be done when responding to an incident,

03:15

a lot of incident responses and making sure that employees and staff are trained to handle when an incident arises. For example, if a person on a surgical table in a hospital setting where the code, then you would want the doctors and nurses to be trained in resuscitation, right

03:30

information security response is very much the same. Ah, well documented plan and trained team will make a huge impact.

03:39

Identification will be how you determine whether or not you have been breached. The stage relies largely largely on asking questions and gathering relevant information in order to determine the scope and kind of white systems might have been affected by the breach.

03:57

The third step containment is to keep the scope of the breacher attack as small as possible.

04:02

This could include removing connected devices, updating and patching systems, reviewing remote access protocols, changing user and admin credentials and just general system hardening as well. Anything that could be dying in order to mitigate what is going on with the breach of the attack, etcetera

04:21

is going to be helpful in the stage.

04:27

Number four Eradication is where the action kind of happens. This is once the issue is contained. The root cause of the breach needs to be explored, and it needs to be removed in all pieces of this need to be removed. Think of it as cancer in your system minutes.

04:43

It just every piece needs to be gone, or else it's gonna continue to grow and spread and just disease your system. So, um,

04:51

entire removal of anything that is lending itself to the breach or the attack, etcetera is going to be necessary of the stage.

05:02

Number five recovery is the practice of returning systems to production and receiving businesses usual once the threat is eliminated.

05:12

And finally, number six is lessons learned. This is so important. It's so important to analyze and document what was learned during the breach as well. A CZ to review plans and revise them is needed to make sure that future responses air just as, if not more efficient.

05:27

I am a firm believer that something can be learned from every incident response. Rarely is anything foolproof.

05:35

And now, for a brief summary in today's lecture, we discussed, How do you seem tools and the importance of which dated a target and one certain types of data are generated.