Continuous Monitoring


Time: 5 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Welcome back to the Cybrary insta course. I'm your instructor, Brad Rhodes. Let's talk about continuous monitoring. In this lesson, we're going to talk about continuous monitoring, or what I like to call the Conmon process. We're going to talk about what Conmon is. Then we're going to talk about the Common Vulnerability Scoring System calculator, which is something you should know as an SE.

Continuous monitoring is shown here. It is where we take risk tolerance, we map it to our needs, and then we manage it actively. Conmon is one of those things that we do that looks holistically at all the things we do from a security perspective. It's not just a security system like a SIEM or an IDS or a firewall. It's the other controls that we do. It's the people, process, and technology that we talked about in secure operations.

When we do continuous monitoring, we define a process, we then establish what that is, we implement, we analyze and report, and most important, we review and update over time. Continuous monitoring, once we've put that in place for the entirety of our security systems and security controls as SEs, is a cyclical process that goes on and on, because we know that sometimes we put new controls in, we take old controls out, we update things, all of those things. This is one of the things we do to make sure that our systems and our organizations are secure.

Conmon is monitoring all of the controls. Those could be technical controls like a SIEM, a security information and event monitoring capability; a SOAR system for automation; it could be an IDS, it could be an IPS, it could be a network security monitoring system like a security engine; it could be, you name it, and any of those technical controls we monitor. It can then be the non-technical controls. For example, the onboarding and offboarding process is incredibly important to do that work and actually monitor that, because let's say somebody walks out the door, and from a non-technical perspective, we don't get an e-mail from HR that says to take these people off the system; they still have access and potentially are leaking out data, so think about that.

We tie all of this to enterprise risks. We want to know, as we've talked about in risk management, attitude, appetite, context, the industry vertical; all of those things are tied here. We have to understand what we're going to do as an organization, what type of tolerance of risk we have. Then of course, we need to look at threats, vulnerabilities, and technologies. Threats are constantly changing and evolving. Vulnerabilities come, go, and show up at a much more frequent clip than we ever thought possible, to the tune of thousands and thousands a year, if not more, depending on the technology. Then obviously technology changes. Who would have thought five years ago that we'd put a crock-pot on the Internet so that we can monitor our roast from work? Technology is going to change. In Conmon, we look at all of those things holistically and track that over time.

When we think about Conmon, especially tied to the vulnerability side of the house, we need to have a good way to communicate what our vulnerabilities are. That is done via the Common Vulnerability Scoring System calculator, which was developed by NIST. There are a couple of iterations of that that you can use online. I encourage you to take a look at that. But really we look at three sections here: base, temporal, environmental. Specifically, in the base metrics, which I'm going to talk about real briefly, there are areas we're concerned about. The ones that I want you to remember here are the attack vector and then the privileges or user interaction required. Those are important in base metrics. Why? Because if I can execute an attack via the network and I don't have to be in the network, say, on the WiFi network or somewhere closer, something like that, that's extremely dangerous. If I don't have to have privileged access to a system, and there's a lot of zero days out there that have come along in this year alone that don't require any privileges to execute them and get access to a system, that's concerning. Then if I don't ever have to talk to a user, I'll say a Trojan horse or something like that, I now have a very dangerous attack, a piece of malware, a network incursion, something like that. Then I look at that across the CIA triad as you see there.

Well, guess what? Here's what happens with these vulnerability scores. Organizations look at those 10 scores as the highest level of score for a vulnerability and they go, "We should fix all of those, gosh darn it." Well, guess what? Maybe we need to think of it differently when we think about vulnerabilities as an SE. We maybe need to look at those mediums and lows and see where there are attacks that don't require user interaction, don't require privilege escalation, are low complexity, and can be done via a network connection. Maybe those are the ones we should fix first before we worry about the exotic, "I'm going to throw eight zero days at you" attack that we've seen in the wild. Rare to see that happen, but it does happen. But we're probably less concerned about that happening, depending on our organization and industry vertical and our risk tolerance level, than we are about something that's maybe a medium or low level vulnerability and risk. Think about that when you're looking at vulnerabilities as an SE.

What did we cover in this lesson? We talked about the continuous monitoring or the Conmon process. We explained that Conmon is holistic, looking at technical and non-technical controls across people, processes, and technologies. Then we talked about the CVSS calculator, which is something you should be familiar with as an SE. We'll see you next time.