Time
57 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:00
welcome to module for a day in the life of a stock analyst.
00:06
In the last video, we discussed different seem vendors and tools and how they're utilized.
00:11
Then we went over a lab that showed you how to create steam reports with one of the vendor tools. ***
00:16
in this video will go into a day in the life of a stock analyst.
00:22
So first it's important to understand threat assessment.
00:26
They're certain thresholds and rules you can set on your seems software and even inter native system. Kind of like we filtered events out in the Manual Vulnerability Assessment Lab
00:35
in order to avoid looking at extraneous events or system noise that might not matter.
00:40
For example, you may not care about three Miss password attempts because, honestly, how many times have you entered an incorrect password multiple times?
00:48
Getting an alert every time a user enters their password incorrectly a few times would create a lot of unnecessary noise, especially on larger networks.
00:55
However, we may care about 10 incorrectly under passwords because that might indicate a larger issue. Our signal on attempted brute force attack,
01:03
knowing what rules to set in what thresholds to uphold is an important part of this rule.
01:11
Another important day to day activity is investigating.
01:14
Everything a system does creates a log each of these logs with the number, code account, name, timestamp, et cetera.
01:21
You can quit for certain logs if you want to know more about an event or check for logs within a certain time frame. If you need to view other events logged surrounding a target event, et cetera,
01:30
knowing which codes and events are related to others or being able to assess temporal relation. This super helpful when it comes to successfully investigating alert.
01:42
All right, so we have an event code. Now what
01:46
from there. Once you've begun your investigation, you'll have to begin to examine
01:49
what the event code is in what it signals.
01:53
Let's go with the previous example entering incorrect passwords. For example,
01:57
Windows event cold for a failed log on is 46 to 5.
02:02
If you see one or two of those codes, you'll recognize them and be able to say, OK, maybe someone enter the incorrect password or is having a bad day and can't remember There's etcetera.
02:14
However, if you see that cold repeatedly in a short time, frame, say 10 to 15 times you may want to investigate further,
02:21
the frequency of a seemingly benign code can make a situation suddenly less innocuous.
02:25
This is where interpretation comes in. You need to look at these items and say, Is this a real threat?
02:32
Then we can begin to correlate events.
02:36
You already have alarm bells ringing in your head saying Okay,
02:38
I know this code means failed log on, but as a legitimate user failing to log on that many times.
02:45
Sure, this coat has sprung up before, and obviously people have failed to log on before.
02:49
But at what point does it go from being a legitimate activity to something with malicious intent?
02:53
Be able to look at events, and the frequency in time in which they occur can provide huge clues in your investigation.
03:01
At this point, you may wanna potentially escalate the activity for further investigation
03:07
in a sock. As a beginner, you'll most likely start as a tier one analyst coming. Do triage was we just discussed and determine when an item needs further, more advanced review.
03:17
Tier two will be an incident responder. Generally,
03:21
this team will usually try to determine the root cause of the event and initiate re mediation and recovery of efforts if needed.
03:29
Two or three. The threat hunters will generally provide support for incident response as well as proactively conduct pen tests and other vulnerability assessments.
03:38
Your four will be your stock manager
03:39
who will direct and monitor activity and communicate as needed to executive leadership.
03:46
Now for a learning check.
03:49
Question.
03:50
What are the main activities of a stock analyst
03:53
One. Threat hunting digital forensics incident response
03:58
to threat assessment investigation, event. Correlation in escalation
04:02
or three. Contesting ethical hacking system hardening and evaluation.
04:13
The correct answer is to threat assessment, investigation, event correlation, an escalation
04:19
While the other activities are important for
04:21
normal operation in a suck, they're not necessarily the correct activities for a stock analyst, especially in the entry level position.
04:32
In today's brief lecture, we discussed with the normal day to day activities of a stock analyst might look like
04:39
thanks for joining me for introducing tools, and I hope to see you next time

Introduction to SIEM Tools

In this SIEM training course, you will learn the basics of a Security Information Event Manager (SIEM) and how and why these are used in a SOC.

Instructed By

Instructor Profile Image
Gabrielle Hempel
Instructor