Hi. Welcome to Module 2, Lesson 7. In this lesson, we're gonna discuss monitoring. We've talked about a lot of things to this point in this course. So how do we monitor all of it?
I mean, we've talked about agents on the endpoints that can look at processes and changes in files. We've talked about web application firewalls that protect against application attacks, DLP that helps us look at access to our data itself, proxies that can show how our end users interact with the Internet, any of our solutions, firewalls that block certain network traffic, IDS and IPS that can look for command and control activity. How do we possibly just make sense of all of this? It's just a lot. Sometimes it's overwhelming.
Well, when it comes to security, and especially when it comes to monitoring, more is better, specifically with visibility. We want to get as much visibility as you possibly can in the environment, because partial visibility is only gonna tell you part of the story.
Let's take an example. Let's say we've got some malware on a system in our environment. We've got some malicious process that kicks off, and that malware tries to connect to another system in our environment and tries to access a file. And then the malware also tries to go and call out to the Internet to get further instructions, and goes out through our proxy. You can see that along the way, we have different tools. The more tools we have in place, and the more monitoring and visibility we have in place, the more pieces of the puzzle we're going to get.
So in this case, maybe we got a log from the infected system about the malicious process. We got another log from the victim system about, you know, suspicious file access. We had a network tap in there; maybe we had some IDS/IPS that were telling us that there's some C2 communication, or command and control communication. And then we've got logs from our proxy server that showed that there was suspicious website access.
If we only had one of these pieces, let's say we only had the malicious process log that popped up on that system, we wouldn't see the rest of this picture. We wouldn't know that there's another system that got accessed; we wouldn't know that this thing tried to call out to command and control. You know, we wouldn't be able to block things to prevent other systems from going and calling out, or maybe remediate other systems that this one interacted with. So more is always better.
In the security monitoring world, there's a technology called SIEM. It's pronounced either "seem" or "sim," depending on who you ask, and it stands for Security Information and Event Management.
This system is a behemoth. It's a major system. It takes a lot of tuning. Essentially what it does: it's designed to take in logs and packet data, so you can have logs from all your different systems. Some of these SIEM devices can actually tap into packet data, so you can see network traffic and look for anomalies within it, like an IDS.
It can also take alerts from all of your different systems. All of the other systems that you have that are generating alerts, those alerts can be sent into your SIEM environment for further processing, and it can take in threat feeds. So think about a SIEM environment as a big IPS/IDS, right? When we talked specifically about an IDS: it's not an IPS, it can't block, but when we talked about an IDS, an IDS takes in threat feeds. It's looking at all the stuff going on, and it's taking in the threat feeds, and it's doing some sort of a, you know, a match against network data, looking for suspicious network traffic. A SIEM does the same thing, but it does it for your entire enterprise.
It's taking in data from all of your endpoints, all of your network devices, you know, all of your security devices, all of the alerts. It's looking at threat feeds, and it's correlating all of that information, and it can output alerts based on what your security team needs to react to. Many, many times the SIEM is the single pane of glass, if you will, that your analysts are looking at to determine what's going on in the environment, and then they pivot from here into other tools. If they get an alert from, say, an IDS that gets fed into the SIEM, and that alert matches up with some log from a system that says something's going on, correlation can happen and other alerts can be sent from the SIEM, and your analyst can start investigating there and dig all the way back down into that IDS or that individual workstation.
The SIEM can also take actions. You can create scripts that execute from the SIEM environment to go out and block things. If you've got some malicious things you see in the environment, you can have automation that goes out and blocks things in your firewall or in your proxy to prevent further spreading. You can also do things like host isolation. If there's a host in the environment that's very clearly compromised and is trying to infect other hosts, like in our previous example, your SIEM can actually kick off a script that goes out and isolates that host on the network so it can't communicate with anybody else.
So the SIEM environment is that comprehensive tool that analysts look at. It's where most investigations start. That takes us to the end of our monitoring section. Next up, we're gonna be talking about policy.
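The multi-source correlation the lesson describes (an EDR process log, a file server access log, an IDS command-and-control alert and a proxy log, all pointing at the same host) can be illustrated with a small correlation engine. This is an added example, not code from the course or from any SIEM product; the sample events, the threat feed indicator, the host names and the function names (`parse_events`, `enrich`, `correlate`, `run`) are all constructed for the illustration. It also shows the single-source case from the lesson: with only the EDR log, the rule never fires, because one tool alone does not reach the correlation threshold.

```python
"""Tiny SIEM-style correlation over logs from several tools (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one per tool in the lesson's walkthrough.
# Columns: timestamp, source tool, host the event concerns, event kind, detail.
# IPs are from the documentation ranges (TEST-NET), not real infrastructure.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "edr", "ws-101", "malicious_process", "unsigned binary launched from temp dir"),
    ("2024-05-01T10:01:10", "fileserver", "ws-101", "suspicious_file_access", "share: finance, off-hours bulk read"),
    ("2024-05-01T10:02:30", "ids", "ws-101", "c2_beacon", "signature: periodic beacon pattern"),
    ("2024-05-01T10:02:45", "proxy", "ws-101", "url_visit", "198.51.100.23"),
    ("2024-05-01T11:30:00", "proxy", "ws-202", "url_visit", "203.0.113.9"),
    ("2024-05-01T13:00:00", "edr", "ws-303", "malicious_process", "script host spawned by office app"),
]

# Constructed threat feed: destinations the SIEM should treat as suspicious.
THREAT_FEED = {"198.51.100.23"}

# Event kinds that count toward the "compromised host" correlation rule.
SUSPICIOUS_KINDS = {"malicious_process", "suspicious_file_access", "c2_beacon", "suspicious_url"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    host: str
    kind: str
    detail: str


@dataclass
class Alert:
    host: str
    first_seen: datetime
    last_seen: datetime
    sources: tuple
    severity: str


def parse_events(rows):
    """Normalise raw tuples from different tools into one common schema."""
    return [Event(datetime.fromisoformat(t), s, h, k, d) for t, s, h, k, d in rows]


def enrich(events, feed=THREAT_FEED):
    """Threat-feed match: a plain proxy visit to a listed destination becomes suspicious."""
    out = []
    for e in events:
        if e.source == "proxy" and e.kind == "url_visit" and e.detail in feed:
            e = Event(e.ts, e.source, e.host, "suspicious_url", e.detail)
        out.append(e)
    return out


def correlate(events, window=timedelta(minutes=15), min_sources=2):
    """Emit one alert per host when at least `min_sources` distinct tools
    report suspicious activity for that host inside a sliding time window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in SUSPICIOUS_KINDS:
            by_host[e.host].append(e)

    alerts = []
    for host, evs in by_host.items():
        start, best = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            srcs = tuple(sorted({e.source for e in evs[start:end + 1]}))
            if len(srcs) >= min_sources and (best is None or len(srcs) > len(best[2])):
                best = (evs[start].ts, evs[end].ts, srcs)
        if best:
            n = len(best[2])
            severity = "critical" if n >= 4 else "high" if n == 3 else "medium"
            alerts.append(Alert(host, best[0], best[1], best[2], severity))
    return alerts


def run(rows=SAMPLE_EVENTS):
    """Full pipeline: normalise, apply the threat feed, correlate."""
    return correlate(enrich(parse_events(rows)))


if __name__ == "__main__":
    for a in run():
        print(f"{a.severity.upper()} {a.host}: {len(a.sources)} tools agree "
              f"({', '.join(a.sources)}) between {a.first_seen} and {a.last_seen}")
    # Partial visibility: the EDR log alone produces no correlated alert.
    print("EDR only:", run([r for r in SAMPLE_EVENTS if r[1] == "edr"]))
```

The severity scales with how many independent tools agree on the same host, which is the "more pieces of the puzzle" point from the lesson; the `ws-202` proxy visit is not on the feed and the `ws-303` process alert stands alone, so neither reaches the threshold and an analyst would see them, if at all, as single-tool events rather than a correlated incident.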