Monitoring

Video Activity

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Let's look at our next section, which is monitoring for risks. Of course, we've put our internal controls or external controls in place. Now what we're looking for is to determine if our controls are meeting their objectives and if we're properly mitigating risk. We know that no matter how good our preventive and deterrent controls are, risks still materialize. We look at event logs or we monitor for events on the network. We're trying to examine these activities. Are they within baseline performance? Are there abnormalities? Are they justifiable, or are they an indication that there's some malicious activity?

We look to our logs. We'll look at honeypot systems, intrusion detection and prevention systems, and what we call SEIM systems, which are computer event and information monitoring systems. Or you may see them as SIEM, system information and event monitoring systems. Sometimes folks will move the E or I around; it doesn't matter. These are aggregation systems we'll look at in just a second.

If we do go ahead and talk about log reviews, unfortunately, we sometimes think to look at logs only after the fact. But if we have a proactive strategy where we're monitoring, we're reviewing our logs on a regular basis. Many times you can see the malicious activity at the beginning and ideally terminate any actions before they become serious. You can start to see certain access or attempted access. I might see an increase in attempted logins to the network or failed logins to the network. Or I may see attempted access to a folder or share that is protected. There are lots of things that I can see if I review my logs proactively.

Now, one of the things about logs is that an attacker knows you can look at logs sometimes and be able to see that there was an attack. One of the things that attackers like to do before they carry out their payload is go in and sweep up the audit logs. They like to go in and modify the records, erase any indication of their presence. We want to make sure that our logs can't be tampered with. We want to log to an offsite location. We want to use one-way communication, replicate those logs, send them to write-once media so that we know they're not being rewritten, they're not being modified.

Hashing. Now, we don't get technical in this class, so we don't go into a lot of aspects of cryptography. But hashing creates a fingerprint of a file. If the file is modified, then the fingerprint doesn't match. We can use software in order to create, generate a hash, and show that we can detect if any modification has been made.

Now, I'd also referenced honeypots. Honeypots are decoy systems. This is a system you would set up. Usually, you're going to put this in your DMZ. It's a system you put out that looks desirable to an attacker. It looks like an unpatched system with services that are known to be vulnerable. If an attacker is on your DMZ and he's looking around for some trouble to cause, here's this honeypot that looks enticing. As a matter of fact, sometimes network admins will set up a collection of honeypots called a honeynet. Its job is to be a decoy. Its job is to distract an attacker and pull attention away to itself.

The honeypot actually additionally has recording software that basically tracks the activities of the attacker. I don't want to say recording software, but monitoring software, detective software that a network admin or security admin can look at after the fact and see what tools the attacker was using and what their actions were. A lot of times you can tell motivation and skill from analyzing the honeypot logs.

Now, our honeypots should be enticing. They should look desirable without entrapping. Entrapping means we're going to trick somebody into committing a breach of trust or into breaking the law. I don't want a website that says "Click here for free downloads" and then try to prosecute somebody for clicking. Honeypots appear welcoming; not even welcoming, they appear vulnerable. If an attacker is looking to attack a system, that's going to be the first one they try for.

Some other network detective devices: intrusion detection systems, and then we also have intrusion prevention systems. Today, most systems you would buy would be the same. They are IDS and IPS systems. But there are ones that are just detective and there are ones that are preventive. Like I said, most of the systems you buy today have both functions.

Now, your systems can be network-based or host-based. You can have software you install on a single host, and the IDS will monitor that one system for suspicious activity. Or you can have an IDS, that's a network-based IDS, that monitors traffic on a network connection and acts a lot like a sniffer, except it has an analysis engine that can evaluate whether the traffic is good or bad.

IDS and IPS, these are very useful tools. With an IDS, it would send an alert to a security admin or log an entry that an attack has happened. It's a passive device. Whereas your intrusion prevention systems can actually terminate the connection. They can send a reset to the host that's initiating the connection or even reconfigure the firewall. In addition to detection, you can actually have some protection and some prevention of further attack.

Then last, these SIEM systems that we want to talk about, system information and event viewer, or like I said, you may see it as event and information viewer; it doesn't matter. But these are systems that provide aggregation. I've just talked about how we want log reviews. Well, all systems create and generate logs that would be helpful to us. Servers, but also those honeypots, those intrusion detection systems, firewalls, all sorts of devices. What a SIEM system is going to do is retrieve that information from all of these different sources and allow you to analyze it on a single machine. That's what I mean when I say aggregation. You'll configure it to pull information from certain types of systems, and then you'll have a central location on which you can analyze the information.

There are all sorts of analysis tools that come with most SIEM systems. Being able to see the big picture is really the point of using one of these. You can analyze your data; something that would appear meaningless on a single system, when you see it repeated multiple times on your network, has a totally different meaning. Also, we can use these for forecasting, trend analysis. Very useful tools, especially on our larger networks.