Scanning, Monitoring and Patching

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
We can't talk about network operations in the day-to-day without talking about the importance of scanning and monitoring your network, as well as patching. We'll talk a bit about log reviews and scanning for ports and other vulnerabilities. We'll talk about managing patches, distributing them, and being able to roll back patches as necessary. We'll look at the significance of baselines, then talk about packet and traffic analysis.

One of the processes that we're always considering is the possibility of events and incidents materializing on the network. When we talk about an event, it's really just a measurable change in state. DNS service started, DNS service stopped. It's neither here nor there. When we have events that are negative or have a negative effect on our network, we consider that to be an incident. A lot of times we can associate that and say that a threat has materialized. We want to make sure that we use our due diligence and stay knowledgeable on the various types of attacks that are current and on the horizon. We also want to make sure that we have tools and policies so that we can detect those events.

When we talk about being knowledgeable and doing our research, we usually consider that to be threat intelligence. Making sure we have the tools and expertise in place so that we can make good decisions based on threats is important. There are obviously going to be other sources of information, like lots of databases that indicate common threats and vulnerabilities. We can sign up for notifications from these third-party resources and can also configure notifications and alerts for our network to indicate that something has happened, like the percentage of network utilization increasing or certain types of traffic detected on the network. It's all about detecting any sort of event that might have a negative impact.

We often think of SIEM systems in this case: the security incident and event manager, or security information and event manager. These are the systems that put it all together. We have agents running on various firewalls, routers and honeypots, all these different systems. Ultimately, those agents report to a central management console where we can look at the big picture of what's happening on the network and try to correlate the details. Activity on one server may seem very benign. But when you see that same activity on multiple servers, that might be an indication that there's a greater threat.

Simple Network Management Protocol. SNMP is a protocol and a service by which device information is tracked within our organization, specifically configuration and security-related issues. Now, there's an SNMP manager tool that uses something called a MIB, management information base. That's just a formatted text file that is designed to collect information on certain types of faults or activities that I can scan for. The SNMP manager takes in that information and is able to translate it to more helpful information that will be useful to a network manager. You can see over on the right that it might not be particularly meaningful, but ultimately, with good reporting software, it could pull out issues: dropped packets, different types of traffic on the network, and different devices on the network. SNMP provides a lot of information for managing the network. SNMP version 3 is the latest and is also the only version that transmits this information across the network in encrypted fashion. Everything else sends this information that's been captured across the network unencrypted, and SNMP could be compromised and help an attacker figure out what's on your network and what vulnerabilities exist.

In addition to monitoring, we have to know what we're looking for. You can't just look, you have to look with a purpose. What we've got to look at is the various controls and systems that we have in place and determine what our expectations are. What amount of error rate is acceptable? How much utilization is too much? What about packets being dropped? At what point in time does that become an issue? None of those questions are ones that I can answer. It really varies with your network and the type of traffic that you transmit. The bottom line is, these are some things that we need to consider, and these metrics are frequently things that we monitor along with a slew of other metrics. The purpose here is knowing what we're looking for and what our network performance expectations are.

Log review. Many times we think we go to our logs after the fact. We've had some negative event happen, so let's go check the logs. If we're proactive in monitoring our logs, many times we can see an event as it begins to materialize and we don't have to wait until after the fact. Most devices have some logging feature. Again, these help us look at the big picture and spot any anomaly or thing that is indicative that something out of the normal is happening. We want to make sure that our logs are stored in such a way that they can't be tampered with or modified. That would involve using hashes to make sure that there's no modification. We really want to be able to review those logs and see if we can preemptively determine that a hack is happening, or at least identify suspicious activity. We want to be able to correlate these logs across multiple systems, and we do that with SIEMs.

Port scanning goes hand in hand with vulnerability scanning. What we're looking for is known weaknesses. When we're scanning for open ports, those are ports that have services installed. We have to remember that a port is really just access into our system. If my system is listening on port 80, it's allowing web-based traffic to come in. If we have too many ports or unexpected ports, then we have unexpected pathways into our system. The way you close the ports is to remove the software that opens the port. Port scans are usually the first step in an attempted compromise.
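The log-integrity point in the transcript (hashing stored logs so any modification is detectable), worked through as an added example that is not part of the course material: each record's SHA-256 commits to its sequence number, its text and the previous record's hash, and verification reports the first record that was edited, removed or reordered. The log lines are constructed samples, not output of any real device.

```python
import hashlib
import json

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z named[412]: DNS service started",
    "2024-01-01T10:05:13Z sshd[901]: Failed password for admin from 10.0.0.7",
    "2024-01-01T10:05:15Z sshd[901]: Failed password for admin from 10.0.0.7",
    "2024-01-01T10:06:02Z named[412]: DNS service stopped",
]

GENESIS = "0" * 64  # the hash value the first record links back to

def entry_hash(prev_hash: str, seq: int, message: str) -> str:
    """Hash of one record, covering its position, its text and the previous hash."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "msg": message}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(lines):
    """Turn raw log lines into records, each linked to the record before it."""
    chain, prev = [], GENESIS
    for seq, msg in enumerate(lines):
        h = entry_hash(prev, seq, msg)
        chain.append({"seq": seq, "msg": msg, "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad record).
    An edited message, a deleted record or a reordered record all break the link,
    because every hash commits to the sequence number and the previous hash."""
    prev = GENESIS
    for idx, rec in enumerate(chain):
        if rec["seq"] != idx or rec["prev"] != prev:
            return False, idx
        if entry_hash(prev, idx, rec["msg"]) != rec["hash"]:
            return False, idx
        prev = rec["hash"]
    return True, None

def tamper_demo():
    """Alter one record in a copy and return the verdicts for the original and the copy."""
    chain = build_chain(SAMPLE_LOGS)
    tampered = [dict(r) for r in chain]
    tampered[1]["msg"] = tampered[1]["msg"].replace("Failed", "Accepted")
    return verify_chain(chain), verify_chain(tampered)

if __name__ == "__main__":
    print(tamper_demo())  # ((True, None), (False, 1))
```

The chain alone does not detect truncation of the most recent records, so the latest hash should be copied somewhere the logging host cannot write (a SIEM or a separate collector) and compared on each review.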