Hey, guys, welcome to another episode of the SSCP exam prep.
I'm your host, Peter Simple.
This is the sixth and last lesson of domain three.
So far in domain three, we've looked at the risk management process, which is simply how to assess the amount of risk an organization faces. We've looked at four acceptable ways of handling that.
We looked at auditing, which is the evaluation of a security framework for an organization. And we've looked at vulnerability scanning and analysis, which is monitoring the system, searching for weaknesses. We've also taken a look at penetration testing, which is the active exploitation of those weaknesses we found during vulnerability scanning.
And finally, in today's lesson, we're gonna look at operating and maintaining monitoring systems. Monitoring systems are great because they are designed to give us live data in real time through the use of logs, network sensors and other things like that.
Every Systems Security Certified Practitioner should assume, as a rule, that all systems are susceptible to attack and at some point will be attacked.
The sooner you accept that fact, the better you can prepare for it to happen, right? This mindset helps you prepare for any inevitable system compromises. In order to prepare for that, you've got to have your procedures and policies in place to deal with these system incidents.
Security monitoring techniques are excellent mitigation strategies for stemming the effectiveness of attacks. Now, in order to talk about security monitoring, we've got to talk a little bit about the terminology.
So these are a bunch of words that you will see when talking about security monitoring. The first is the safeguard, which is a built-in proactive security control implemented to provide protection against threats.
So this is any kind of thing that might prevent an attack from even happening. An example of this would be a type of control, either one of the managerial, technical or operational controls.
Countermeasures are added-on reactive security controls. These are things that will help fight an attack, things like security in depth or defense in depth, or least privilege.
Vulnerability: we looked at this in the last lesson. This is simply a system weakness, and an exploit is a particular attack.
A signature is a string of characters found within processes or data communications that describes a known system attack. This is how vulnerability scanners even pick up on the fact that there is a type of malware or a virus on your system, through the use of the signature.
Tuning is an actual word for just customizing a monitoring system to your environment. Normally, when you buy an intrusion detection system, out of the box it's very noisy. There are a lot of false positives; it thinks everything's a problem when in reality it's not nearly as bad. So you just want to kind of tweak it to your organization so there aren't as many false positives.
Promiscuous interface: a network interface that collects and processes all of the packets sent to it regardless of the destination MAC address.
Now there's false positive, false negative, true positive and true negative. These can be tricky to think about; it's very easy to get tripped up or confused on them. So I like to put them in a little bit of a table, which is very easy for me to remember. I have "tested positive" and "tested negative", and then whether or not the event actually occurred, and then based on that I can figure out which is the true positive, the false positive, the false negative.
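The table the lecture describes, worked through in code as an added example (this is not code from the lecture or from the SSCP material). It maps each monitoring verdict onto one of the four cells and then computes the false positive rate and detection rate, which are the numbers that tuning an IDS is meant to improve. The ten verdicts in SAMPLE_VERDICTS are constructed; in practice the "event actually occurred" column comes from a later investigation, not from the IDS itself.

```python
# Added example (not from the lecture): classifying monitoring outcomes into the
# four cells of the lecture's table, then computing the rates tuning works on.
from collections import Counter

# Each record: (did the monitoring system test positive?, did the attack actually occur?)
# Constructed sample of ten IDS verdicts with ground truth from a later investigation.
SAMPLE_VERDICTS = [
    (True, True), (True, False), (False, False), (True, True), (False, True),
    (False, False), (True, False), (False, False), (True, True), (False, False),
]


def classify(tested_positive: bool, event_occurred: bool) -> str:
    """Map one (verdict, ground truth) pair onto the lecture's table.

    Rows: tested positive / tested negative.
    Columns: event occurred / event did not occur.
    """
    if tested_positive and event_occurred:
        return "true positive"       # alarm raised, attack was real
    if tested_positive and not event_occurred:
        return "false positive"      # alarm raised, nothing happened (noise to tune out)
    if not tested_positive and event_occurred:
        return "false negative"      # no alarm, attack slipped through
    return "true negative"           # no alarm, nothing happened


def tally(verdicts):
    """Count how many verdicts fall into each of the four cells."""
    return Counter(classify(tp, occurred) for tp, occurred in verdicts)


def rates(counts):
    """False positive rate and detection rate, the two numbers tuning trades off."""
    tp = counts["true positive"]
    fp = counts["false positive"]
    fn = counts["false negative"]
    tn = counts["true negative"]
    fpr = fp / (fp + tn) if (fp + tn) else 0.0            # alarms on benign traffic
    detection_rate = tp / (tp + fn) if (tp + fn) else 0.0  # real attacks that were caught
    return fpr, detection_rate


def render_table(counts):
    """Render the counts in the row/column layout the lecture uses."""
    return (
        "                 event occurred   no event\n"
        f"tested positive  TP={counts['true positive']:<14} FP={counts['false positive']}\n"
        f"tested negative  FN={counts['false negative']:<14} TN={counts['true negative']}"
    )


if __name__ == "__main__":
    counts = tally(SAMPLE_VERDICTS)
    print(render_table(counts))
    fpr, det = rates(counts)
    print(f"false positive rate={fpr:.2f}  detection rate={det:.2f}")
```

Note how the two rates pull against each other: loosening a signature to catch the missed attack (the false negative) usually raises the false positive count as well, which is why tuning is done against your own environment rather than once by the vendor.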
IDS is a passive system. It stands for intrusion detection system, right? It only signals an alarm. So it just says, "Hey, there's a problem," and then does nothing.
IDPS, on the other hand, stands for intrusion detection and prevention system, and this is active.
So this system not only signals the alarm, but it tries to stop the incident from actually happening.
There are two main types of IDS and IDPS devices, and they're located in different areas. The first one is NIDS, network-based IDS. This one focuses on monitoring network traffic, so it focuses on activity; your firewall focuses on packets going back and forth through the routers in between hosts. And this really should be placed at all network entrances. So it should be placed on edge routers, it should be placed on maybe some border gateways; anywhere that information flows in, it should be there. The other one is known as HIDS, host-based IDS. This monitors system calls and normally stays local to servers and computers.
Its protection is more limited: it really doesn't deal with the network as a whole, it really only concerns itself with the computer.
Implementation issues: collecting data for incident response. Intrusion detection systems generate a lot of data, right? Organizations need to have a policy and a plan for dealing with all this data and the events as they occur, and the corresponding forensics of any incidents.
Security practitioners should think about, you know, how does the organization plan to collect all of this data that's being generated by these network devices? How would the organization respond to events in general? And then how will they respond to an incident, if an event turns out to be a security incident? What is the organization's plan for moving forward?
Two monitor response techniques. The first is passive response. It's pretty self-explanatory: a passive response notes the event but does not take evasive action. Basically, it just says, "There's a problem, I'm gonna write this down," and then that's it, right? An active response notes the event and performs a reaction. So it says, "Hey, there's a problem, look at this, let's try to stop it."
Just a couple of examples of passive and active response. Passive responses: logging the event to a file, displaying a warning, or maybe sending an alert text message or an email to the administrator.
Active responses do things such as blocking transactions from happening, or disallowing access to anything via system calls. So if the operating system is randomly trying to access data, an active response can block that request, and it can drop and reset any type of network connection.
There are a couple of types of monitoring. The first is real-time monitoring. This is live, you know, up-to-the-second monitoring for immediately identifying and sometimes even stopping covert and overt events.
The next type is non-real-time monitoring. This is where important information is saved, but it doesn't get alerted on right away. Every once in a while it'll check to see if anything happened, and then it'll keep track of all of the important system events. Basically this is monitoring more for the integrity of system configuration.
The last type is continuous or compliance monitoring. This arose from the desire to have real-time risk information available at any given time to make organizational decisions. So this is constantly monitoring, keeping track of the risk. So if an organization wants to say, "You know, hey, we're about to do this thing, we want to make this decision, what's our risk looking like right now?" they look, and it's there for them.
Log files are basically these massive amounts of files that keep track of all the system activity that goes on, right? Log files are very cumbersome, and they just contain massive amounts of information. They contain critical information and non-critical information.
And these things are usually generated by intrusion detection and prevention devices. Every good security framework needs to have policies and procedures set in place to cover log files specifically, since they can be unwieldy and really, really big, but at the same time they can be holding a whole lot of important information.
A couple of things security practitioners need to think about. Reviewing incident logs: any time an incident happens, you always want to check the log file to see exactly how the incident occurred, based on one event after the other. These logs also need to be kept for a lot longer than normal logs, which may get erased after, you know, a week or two.
Log anomalies: these are very important because they show anything that's out of the ordinary. So if something weird takes place, a weird event happens and it gets logged, this could be the signal or the start of an attack or something bigger.
Log management: don't let your logs get out of control. It's very easy for them to just completely get out of control. You want to clip your logs after a certain point.
Clipping levels are just predefined criteria or a threshold that sets off an event entry. You don't want to log every single thing down to the mouse click. So below a certain point it won't be a concern, and once it gets to that point it will be considered one.
Filtering: you want to reduce the amount of data reviewed, because there's just too much data logged and most of it's not important. So you really want to condense the logs so you can look at the things that actually matter.
Log consolidation happens on SIEM systems, and it's good for tracking devices across systems.
Logs don't lie. So no matter what happens to information, or what a system does, or what a user on the system does, it most likely will be logged.
Log protection: how long should the logs be kept? Standard logs? Probably not that long, if it's not important. If it's an incident log, you want to keep that for a much longer period of time.
Centralized logs: you want to ensure all the logs are in one place, right? If you have these huge, massive logs spread out, you know, in multiple spots, without good tools it could be very difficult to find incidents and track incidents across these massive logs.
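The log management points above (centralizing, filtering, and clipping levels) as one small pipeline, added here as an example; it is not code from the lecture, and the log lines, host names, addresses and the clipping level of four are all constructed for the example. The pipeline merges lines from two hosts into one stream, keeps only the authentication lines a reviewer cares about, and raises a single event entry once failed logins from one source reach the clipping level.

```python
# Added example (not from the lecture): a small log pipeline that centralizes
# lines from two hosts, filters out noise, and applies a clipping level
# so that an event entry is only raised once a threshold is crossed.
# All log lines, hosts and addresses below are constructed for the example.
import re
from collections import defaultdict

# Constructed auth-style log lines as they might arrive from two different hosts.
RAW_LOGS = {
    "web01": [
        "2024-01-10T09:00:01 sshd: Failed password for alice from 203.0.113.5",
        "2024-01-10T09:00:03 sshd: Failed password for alice from 203.0.113.5",
        "2024-01-10T09:00:05 cron: job backup finished",
        "2024-01-10T09:00:07 sshd: Failed password for alice from 203.0.113.5",
    ],
    "db01": [
        "2024-01-10T09:00:02 sshd: Failed password for alice from 203.0.113.5",
        "2024-01-10T09:00:04 sshd: Accepted password for bob from 198.51.100.7",
        "2024-01-10T09:00:06 sshd: Failed password for alice from 203.0.113.5",
        "2024-01-10T09:00:08 kernel: eth0 link up",
    ],
}

# Clipping level (assumed value): failed logins from one source before an event entry is made.
CLIPPING_LEVEL = 4

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


def consolidate(logs_by_host):
    """Centralize: merge every host's lines into one stream, tagged with host, sorted by time."""
    merged = []
    for host, lines in logs_by_host.items():
        for line in lines:
            m = LINE_RE.match(line)
            if m:
                merged.append({"host": host, **m.groupdict()})
    return sorted(merged, key=lambda r: r["ts"])


def filter_security(records):
    """Filtering: keep only the lines a security reviewer cares about (auth events here)."""
    return [r for r in records if r["source"] == "sshd"]


def apply_clipping(records, level=CLIPPING_LEVEL):
    """Clipping level: count failed logins per (user, ip) across hosts and
    raise one event entry only when the count reaches the threshold."""
    failures = defaultdict(int)
    events = []
    for r in records:
        m = FAILED_RE.search(r["msg"])
        if not m:
            continue
        key = (m["user"], m["ip"])
        failures[key] += 1
        if failures[key] == level:   # fire exactly once, when the threshold is crossed
            events.append({"user": m["user"], "ip": m["ip"], "count": level, "at": r["ts"]})
    return events


def run_pipeline(logs_by_host=RAW_LOGS):
    """Centralize, then filter, then clip: the order the lecture's points suggest."""
    return apply_clipping(filter_security(consolidate(logs_by_host)))


if __name__ == "__main__":
    for event in run_pipeline():
        print(event)
```

Run on its own, web01 sees three failures and db01 sees two, so neither host alone reaches the clipping level; only the consolidated stream does, at 09:00:06. That is the practical reason the lecture pairs consolidation with clipping: a threshold applied per host misses activity spread across hosts.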
Event configuration and correlation.
So we have NetFlow. This collects network traffic, which can be analyzed to create a picture of the traffic flow.
We have sFlow, which is a technology that monitors traffic in data networks containing routers and switches. It provides the means for exporting truncated packets together with interface counters.
Then you have security event management, SEM. What this does is analyze the events in real time to provide monitoring, event correlation and incident response.
That's pretty cool. And then you also have security information management, SIM, which collects and analyzes log data to support compliance and threat management.
So you have two different managements here. You have the event management and the information management.
It'd be really cool if someone decided to combine them.
And what do you know, someone did. Here we go. We have SIEM, security information and event management.
What this is, is a comprehensive management system for compliance that mixes event management and monitoring together with logs. So basically, it's enhanced network security. It's very good at correlating many different events, and all the events are in one spot.
It also supports full packet capture, so it can capture every single packet that it finds and piece things together for a full picture. It also offers analytics, metrics and trends to help you understand and comprehend all of the information that you are looking at.
In today's lecture, we discussed operating and maintaining monitoring systems.
Quiz: the system has not recognized benign traffic as cause for concern. Would this be A, a true positive, B, a true negative, or D, a false negative?
If you said B, true negative, then you are correct.
Remember, true negative means that the system did not test positive for something that didn't happen. So it said, "Hey, there's nothing to be worried about here," and there was nothing to actually be worried about.
Thanks for watching, guys. I hope you learned a lot in this domain, and I'll see you next time.