Time: 7 hours 33 minutes
Difficulty: Advanced
CEU/CPE: 8

Video Transcription

00:00
Hello and welcome back to the CompTIA Certified Advanced Security Practitioner Certification Preparation course.
00:09
This is module number nine, and its title is Scanning and Monitoring.
00:13
Here again are the objectives which encompass this particular module.
00:18
What we can do now is turn our attention to our discussion of operating and maintaining monitoring systems.
00:25
Now let's take a look at the learning objectives and the order in which they will be covered. During this particular presentation we will begin by first discussing events of interest, then logging, and lastly source systems.
00:36
Perhaps the best place to begin this presentation is by taking a look at a pre-assessment question, and the question is as follows.
00:43
What is a predefined criterion, or threshold, that sets off an event entry called? A. Clipping levels
00:50
B. Source system
00:52
C. Trends, or D. Log management.
00:56
If you selected A, which stands for clipping levels, you're absolutely correct, because clipping levels are predefined criteria, or thresholds, that set off an entry. For example, a security operations center does not want to be notified on every failed logon attempt, because everyone mistypes their password occasionally.
01:15
The first topic on our agenda is events of interest, and you may ask why they're important. First we're taking a look at authentication and authorization.
01:23
Authentication is the main barrier and means of controlling access to today's systems, from simple passwords to tokens and cryptographically enabled mechanisms.
01:33
Reviewing authentication activities across your organization is one of the key security activities.
01:38
The next item is systems and data change reports.
01:42
Changes to information systems can lead to crashes and the loss of data, and may also indicate security incidents. On top of this, attackers often modify your systems in order to enable their access in the future. Being diligent with tracking changes will also improve your overall IT operations.
02:00
Then we look at network activity reports.
02:04
The network is the main vector for threats to arrive at an information asset. Obviously, the network is also the main way to steal information assets from today's organizations.
02:15
Then we come to resource access reports. Tracking resource access can be used to reveal insider abuse and even fraud. They are valuable during incident response for determining which resources an attacker has accessed and possibly corrupted or modified.
02:32
Then we have the malware activity report.
02:35
Malicious software in various forms remains one of the key
02:39
threat vectors for today's organizations. Anti-virus and anti-malware tools have been losing efficiency for detecting and stopping threats over the last few years. Then we have failure and critical error reports.
02:53
Error and failure log
02:55
messages often present valuable early indications of security threats, including advanced threats not captured by security-specific devices such as your IDS, intrusion detection systems, and intrusion prevention systems.
03:13
So that begs the question: when we look at log management, why is it important? Because when we think about logs, the very purpose of IT security is being proactive,
03:23
and the right measures make it much more difficult for someone to attempt to compromise the network. This might not be enough, and you need to be able to detect the actual breaches as they are attempted. This is where log data really matters. In other words, we have our log generation, storage, log protection, as well as analysis.
03:42
To expose an attacker and identify the damage caused, you need to analyze the log events on your network in real time. By collecting and analyzing the logs, you can understand what transpired within your network. Each log file contains
03:54
very many pieces of information that could be invaluable, especially if you know how to read them. And with proper analysis of this actual data, you could identify intrusion attempts, misconfigured equipment, and many more
04:08
items as well.
04:11
This brings us to the topic of log generation. When you look at log generation, some things that we have to consider are, for example, the log configuration,
04:18
and what that essentially means is we need to determine what we need to log.
04:24
We have these host-based activities. We look at changes to the system,
04:28
in terms of access requests, performance, startup as well as shutdown. Network activities encompass access, traffic types, traffic patterns, malware, and performance as well.
04:41
Clipping levels, on the other hand, are predefined criteria, or thresholds, that set off an event entry. For example, a security operations center does not want to be notified on every failed logon attempt, because everyone mistypes their password occasionally.
04:58
Thus, set the clipping level to only create a log entry
05:01
after two failed password attempts. Clipping levels usually have a time period associated with them, so that the logging process does not have to keep track of every single failed password attempt on the off chance that the next time that account is logged into the password is mistyped; set the limit to a reasonable amount of time.
05:20
For example,
05:24
30 minutes. Now the system only has to keep track of an invalid logon attempt on a particular account for, for example, 30 minutes. If another invalid attempt does not try to come in on that account, the system can disregard the first one.
05:39
Clipping levels are great for reducing the amount of data accumulated in log files, but care must be taken to ensure important data is not skipped.
05:47
And like everything else, the clipping levels need to be documented and protected, because an attacker would gain an advantage by knowing them.
05:56
We also take a look at what we call time synchronization, which is another important aspect. When we talk about the importance of having all the logs time-synchronized, we want to utilize Network Time Protocol, which should derive its time from a trusted time source. In other words, there are trusted time sources out there on the Internet.
06:15
But the best trusted source is a GPS, global positioning satellite,
06:20
should you have yourself connected to that time server as well.
06:29
Next, we want to take a look at what's called log storage.
06:31
We might want to consider having centralized storage. When we have excessive logs, we want to make sure we look at whether to stop logging, or whether to overwrite the oldest log entries. Those are things we must consider, characteristically speaking, and also whether we must stop the log generator. Also, look at retention.
06:49
You see, it's important for you to have a policy for your logs that works for your particular organization
06:55
and also takes into consideration the risk that your organization faces. Not everyone has the same risk associated with security. There are some legal requirements for retention of logs based on the industry that you work in, and there are some other reasons as well. You might also see a scenario where, for example, you have an incident
07:15
that comes to light six months later.
07:16
You might want to also make sure you have that, because it may be required that you meet a public records request, so you want to make sure you have that information available.
07:29
Log protection: here are some things that we need to look at. We want to limit access to the log files, avoid recording unneeded sensitive data, protect our archived log files, and secure the processes that generate the log entries. Critical systems should log to another system.
07:46
You need to also configure each log source to behave appropriately when logging errors occur.
07:55
Then we come to log analysis.
07:58
Some of the things we look at, in terms of log analysis, are event correlation.
08:01
Again, we need to consider status, automation, and context. We might also want to engage in what we call prioritization in terms of entry type. We look at the newness of the entry type, the log source, the source or destination IP address, the time of day or the day of the week, and the frequency of the entry.
08:24
This brings us to our security information and event management system, which is defined as a complex set of technologies brought together to provide a holistic view into the technical infrastructure.
08:33
What this device does is it looks at advanced log collection. It looks at a layer-centric view,
08:39
and also looks at normalization and correlation. It has adaptability, reporting, alerting, as well as log management.
08:50
Monitoring information system state is one of the most important activities that a security practitioner can engage in to ensure that the infrastructure under their particular care is optimized and secure in a proactive manner.
09:03
This brings us to our post-assessment question,
09:05
and the question is as follows: what is an art and science that seeks to make sense out of computer-generated records called? Is it A. log analysis,
09:16
B. trends, C. log protection, or D. clipping levels?
09:20
The correct response would have been log analysis. During this particular presentation, we briefly highlighted events of interest, discussing logging as well as source systems.
09:31
In the upcoming presentation, we'll be moving on in terms of discussing analyzing monitoring results. I look forward to seeing you in the very next video.


Instructed By

Jim Hollis
Independent Contractor
Instructor