Security Monitoring Tools and Techniques

Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:00
>> Hi there and welcome to our next lesson, security monitoring tools and techniques. In this lesson, we'll be covering intrusion detection systems, intrusion prevention systems, honeypots and honeynets, full network assessment reviews, and security information and event management, or SIEMs.

Let's begin. Now, intrusion detection systems, as the name would obviously suggest, detect intrusions into your system. They can be of two types, either network-based IDSs or host-based IDSs. One is basically usually a network appliance, and the other is actually just contained on a workstation or laptop.

A couple of components of IDSs. There could be sensors, which will actually detect any of the intrusions; analyzers, which will look at analyzing and detecting the information; and administration control, or end-user interfaces.

There are different IDS types just like there are different antivirus types. We have signature-based, which will rely upon known information fed to the device by the company, the vendor that produced it; statistical-based, which will look at analyzing the traffic and look at anomalies based upon what it knows should be regular or normal network traffic; and neural networks, which are relatively new and start to integrate some artificial intelligence into the detection mechanisms within IDSs.

Some of the features: they will detect intrusions, but they will also collect evidence. In many cases you'll find IDSs will also contain some network capture and protocol analysis. There can be automated responses. We can send out alerts to various security administrators if something is detected. It will also enable security policy implementation and management. As you define the security policy and procedures, the IDS will enable you to put that policy and procedure into a technical control. It will often interface with other system tools that are used to manage your networks, such as network capture devices.

IDS limitations. It could come down to a weakness in the policy definition. If the policy is not sufficient to protect the organization, then the IDS won't do its job properly. There could be application-level vulnerabilities within the IDS software itself. It won't necessarily detect backdoors into applications, which could be identified as legitimate traffic. There could be weaknesses in the identification and authentication schemes within the IDS itself.

Now, there are generally two policy options. The IDS can either terminate the access or you can trace the access. In many cases that may be desirable if it's part of a larger incident, or larger investigation to determine tactics, techniques, and procedures, and exactly what the target of the attack necessarily is.

Now, intrusion prevention systems. Similar to IDSs, except as the name would very much suggest, these have the capability to prevent intrusions. They focus on prevention rather than just detection, although they can ultimately be configured to do both. They can actively integrate into other devices such as your firewall. They can modify security policy in response to an attack. If a denial of service attack is coming through a specific port, the intrusion prevention system could potentially disable that port to prevent the attack. Now, as with IDSs, it needs strong policy definition. An IPS, or an IDS for that matter, configured on your system will be ineffective unless, of course, the policy is set well.

Honeypots and honeynets. This is basically a software application that pretends to be a vulnerable server on the Internet. What it's designed to do is act as a decoy to lure in hackers. If the hacker is attacking your honeypot or honeynet, then they're not seeing, or they're not attacking, your legitimate production systems. It also enables you to collect information and set tactics, techniques, and procedures that you can then deploy in your real system to make those attacks unavailable, or prevent those attacks from the actual production systems.

Full network assessment review. This is basically a full review of all security policy and procedures. It looks in-depth at network and firewall configuration, all the logical access controls, and the network segmentation by trust levels. This is essentially a full audit, both technical and procedural, of the network assessment.

Now, security information and event management. Security tools will generate a lot of data. On large networks there are a lot of events happening, and security tools which collect those events will be very busy and, in use, produce a lot of information that needs to be disseminated. A SIEM will aggregate those data sources into a single view and will also assist in correlating events across an entire network. For example, if logging information were to come in from a firewall and a server, the SIEM could basically aggregate that information so that you can basically correlate events that are happening across multiple devices on the network.

That's our lesson. We've looked at intrusion detection systems and intrusion prevention systems, and the differences and similarities between the two; honeypots and honeynets and how they can be configured on your system; full network assessment reviews; and security information and event management systems (SIEMs), and how they assist in correlating different events within the security logging of your system. That's the end of our lesson. I hope you enjoyed it and I will see you at the next one.