Scanning, Monitoring, and Patching

Time: 9 hours 49 minutes
Difficulty: Beginner
CEU/CPE: 10
Video Transcription
>> We can't talk about network operations in the day to day without talking about the importance of scanning and monitoring your network, as well as patching. We'll talk a bit about log reviews and scanning reports and other vulnerabilities; we'll talk about managing patches, distributing them, and being able to roll back patches as necessary. We'll look at the significance of baselines, then talk about packet and traffic analysis.

One of the processes that we're always considering is the possibility of events and incidents materializing on the network. When we talk about an event, it's really just a measurable change in state. DNS service started, DNS service stopped; it's neither here nor there. When we have events that are negative or have a negative effect on our network, we consider that to be an incident. A lot of times, we can associate that and say that a threat has materialized.

We want to make sure that we use our due diligence and stay knowledgeable on the various types of attacks that are current and on the horizon. We also want to make sure that we have the tools in place, so that we can detect those events. When we talk about being knowledgeable and doing our research, we usually consider that to be threat intelligence. Making sure we have the tools and expertise in place so that we can make good decisions based on threats is important. There are obviously going to be other sources of information, like lots of databases that indicate common threats and vulnerabilities. We can sign up for notifications from these third-party resources and can also configure notifications and alerts for our own network to indicate that something has happened, like the percentage of network utilization increasing or certain types of traffic detected on the network. It's all about detecting any sort of event that might have a negative impact.

We often think of SIEM systems in this case, and that's security incident and event manager or security information and event manager. These are the systems that put it all together. We have agents running on various firewalls, routers, and honeypots, all these different systems. Ultimately, those agents report to a central management console where we can look at the big picture of what's happening on the network and try to correlate the details. Activity on one server may seem very benign. But when you see that same activity on multiple servers, that might be an indication that there's a greater threat.

Simple Network Management Protocol, SNMP, is a protocol and a service that dictates how information is tracked within an organization, specifically configuration and security-related issues. Now, there's an SNMP manager tool that has something called a MIB, Management Information Base. That's just a formatted text file that is designed to collect information on certain types of threats or activities that I can scan for. The SNMP manager takes in information and is able to translate it to more helpful information that will be useful to a network manager. You can see over on the right that it might not be particularly meaningful, but ultimately, with good reporting software, I can pull out issues: dropped packets, different types of traffic on the network, and different devices on the network. SNMP provides a lot of information for managing the network. SNMP version 3 is the latest and is also the only type that transmits this information across the network in an encrypted fashion. Everything else sends this information that's been captured across the network unencrypted, and SNMP could be compromised and help an attacker figure out what's on your network and what vulnerabilities exist.

In addition to monitoring, we have to know what we're looking for. You can't just look; you have to look with a purpose. What we've got to look at is the various controls and systems that we have in place and determine what our expectations are. What amount of error rate is acceptable? How much utilization is too much? What about packets being dropped? At what point in time does that become an issue? None of those questions are ones that I can answer. It really varies on your network and the type of traffic that you transmit. The bottom line is, these are some things that we need to consider. These metrics are frequently things that we monitor along with a slew of other metrics. The purpose here is knowing what we're looking for and what our network performance expectations are.

Log review. Many times we think we go to our logs after the fact. We've had some sort of negative event happen, so let's go check the logs. If we're proactive in monitoring our logs, many times we can see an event as it begins to materialize and we don't have to wait until after the fact. Most devices have some sort of logging feature. Again, these help us look at the big picture and spot any anomaly or anything that is indicative that something out of the normal is happening. We want to make sure that our logs are stored in such a way that they can't be tampered with or modified. That would involve using hashes to make sure that there's no modification. We really want to be able to review those logs and see if we can preemptively determine an attack is happening, or at least identify some sort of suspicious activity. We want to be able to correlate those facts across multiple systems, and we do that with SIEMs.

Port scanning goes hand in hand with vulnerability scanning. What we're looking for is known weaknesses. When we're scanning for open ports, or ports that have services installed, we have to remember that a port is really just access into our system. If my system is listening on port 80, it's allowing web-based traffic to come in. If we have too many ports or unexpected ports, then we have unexpected pathways into our system. The way you close the ports is to remove the software that opens the port. Port scans are usually the first step in an attempted compromise.
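The tamper-evident log storage the lecture refers to (hashes so that logs can't be modified after the fact), as an added example that is not part of the course material: each record is chained to the previous one with a keyed HMAC, so a rewritten or deleted line fails verification. The key, host name and syslog-style lines are constructed placeholders.

```python
"""Tamper-evident log storage: each record carries an HMAC over its own text and
the previous record's tag, so editing, removing or re-signing a line is detectable."""
import hashlib
import hmac

# Constructed placeholder key: in practice it is held by the verifier (for example
# the SIEM), not on the host writing the log, so an intruder cannot re-sign records.
LOG_KEY = b"example-verifier-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous tag" of the very first record

def tag_for(prev_tag: str, message: str) -> str:
    """HMAC-SHA256 linking this record's text to the previous record's tag."""
    data = (prev_tag + "\n" + message).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()

def append_record(chain: list, message: str) -> list:
    """Return a new chain with `message` appended as a (message, tag) pair."""
    prev_tag = chain[-1][1] if chain else GENESIS
    return chain + [(message, tag_for(prev_tag, message))]

def verify_chain(chain: list) -> int:
    """Return -1 if every record links correctly, otherwise the index of the first
    record whose tag does not verify. A deleted record surfaces as a failure at
    the record that used to follow it, because its prev_tag no longer matches."""
    prev_tag = GENESIS
    for i, (message, tag) in enumerate(chain):
        if not hmac.compare_digest(tag, tag_for(prev_tag, message)):
            return i
        prev_tag = tag
    return -1

def demo() -> tuple:
    """Chain three constructed syslog-style lines, then check two tampering cases."""
    lines = [
        "Jan 10 09:12:01 dns01 named[812]: starting BIND",
        "Jan 10 09:12:05 dns01 sshd[901]: Accepted publickey for ops from 10.0.0.5",
        "Jan 10 09:13:40 dns01 named[812]: shutting down",
    ]
    chain = []
    for line in lines:
        chain = append_record(chain, line)
    untouched = verify_chain(chain)
    # Case 1: the login line is rewritten in place but keeps its original tag.
    edited = list(chain)
    edited[1] = ("Jan 10 09:12:05 dns01 sshd[901]: Connection closed", edited[1][1])
    # Case 2: the login line is removed altogether.
    deleted = chain[:1] + chain[2:]
    return untouched, verify_chain(edited), verify_chain(deleted)
```

Calling `demo()` returns `(-1, 1, 1)`: the untouched chain verifies, and both the edited and the deleted-record chains fail at index 1. Forwarding each record's tag to the SIEM as it is written is what lets the verifier notice a chain that was truncated at the end rather than in the middle.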