Time: 28 minutes
Difficulty: Intermediate
CEU/CPE: 1

Video Transcription

00:00
Hello. My name is Dustin, and welcome to Monitoring Network Traffic. We're going to be learning what a SIEM is, how it works, and why you need one. We'll also learn about IOCs, or indicators of compromise, and how you can use a SIEM to help hunt for these IOCs and see if you've been breached. Let's get started.
00:20
You've probably heard the term SIEM before, but what is it and how are they used? In this section, we're going to discuss exactly that.
00:30
So what is a SIEM?
00:31
SIEM stands for security information and event management and combines the functions of both SIM, or security information management, and SEM, or security event management.
00:43
Depending on the size of your organization, these can be rather expensive and pretty resource intensive, which often makes them difficult to manage unless you've got a dedicated team member or members.
00:59
So why use a SIEM?
01:00
Like I said, SIEMs can be very expensive and difficult to manage. Why would anyone want that?
01:07
SIEMs are a very important part of the security ecosystem. They're able to take data from a ton of different sources, including network devices like firewalls or routers, Active Directory servers, endpoint protection software and vulnerability information, and collect and aggregate all of that information.
01:26
So sure, you could log in to 20 different devices to get that information.
01:30
But wouldn't it be easier to have one central place that allows you to view and analyze all that data?
01:38
Think of the amount of time that could save, which is extremely valuable in the event of a breach or a malware breakout.
01:46
SIEMs can take all that information, analyze the data and create alerts based on IOCs, or indicators of compromise, or other behavioral analytics. They also allow you to generate reports with various bits of information that may be necessary for a certain team or division within the organization.
02:05
With all of this aggregated data, you'll be able to perform advanced threat detection.
02:14
So the SIEM process is a relatively simple process.
02:19
Step one: collect data from various sources. This can include network devices, servers, domain controllers, vulnerability scanners, anything you can think of that has valuable information.
02:34
Step two: normalize and aggregate all of the collected information.
02:38
And what this means is a good SIEM has the ability to take all the data from many different sources and put it into something useful. If you've ever tried to go over server logs and compare them to firewall logs at the same time, it can be pretty confusing. They're not in the same format, and
02:57
maybe one's in UTC, one's in your actual time zone.
03:00
A SIEM will actually kind of normalize that and get it all into one human-readable format.
03:07
Step three: analyze the data to detect threats.
03:12
So a good SIEM product will have the ability to analyze data and look for certain information, automating basic threat hunting and alerting based on analytics that match certain rule sets. For example, you may be able to use behavior analysis to detect when the user has logged in from a different computer or during a strange time.
03:31
So if you've got a Bob from accounting, he always works 8 to 5,
03:35
logs in at eight, logs out at five. Then, all of a sudden, he's logging in on a Saturday at 10 o'clock at night.
03:44
That might not be normal, so you'd actually get that alert.
03:47
And step four: pinpoint breaches and enable organizations to investigate alerts. So, taking the previous example, you may see an admin user log in after hours, but with your SIEM, you also see that several network devices went down just before that.
04:04
This could explain why that admin was logging in at an unusual time. But you can't just dismiss it. Of course you want to do a full investigation to verify. But this way you've got all that information in one place.
04:19
So how does a SIEM work?
04:23
At its core, a SIEM is a data aggregator, search and reporting system. It can take massive amounts of data from your network and consolidate it into one source, making the data human-readable. With this data now accessible by you and your team, you can research security issues with as much
04:42
detailed information as possible,
04:44
allowing you to make quick and smart decisions about any incident.
04:48
Most SIEMs have a pretty robust rule set built in, and they should allow you to customize or tailor these rule sets to fit your environment. Tuning out false positives, you can focus on the important events, and tuning is really important in the SIEM. You don't want to get overloaded with a bunch of
05:08
kind of useless information, so it's something.
05:10
Um, we like to say it takes care and feeding every day. That's why you need that dedicated member, depending on the environment size, of course.
05:20
So any modern SIEM will have many different capabilities, and here's some of the most common and useful.
05:30
Real-time monitoring. So you want to be able to modern... I'm sorry. Modern threats move extremely fast, and your security team needs to be able to monitor those threats and correlate events in real time so they can respond quickly.
05:45
Incident response. In order to respond to incidents effectively, there needs to be an organized way to address potential incidents as well as the aftermath of an attack. You want to be able to limit that damage and reduce the amount of time to recover, which ultimately reduces the cost of a breach. If you're able to get the information,
06:04
um, and respond within an hour,
06:08
that's a lot. You won't lose much money. It takes you 24 hours to respond, or you have to take the whole network down to try and respond to that breach.
06:16
User monitoring. So what's the first thing an attacker will attempt to do once they're in your network?
06:23
Usually gain access to user accounts, so monitoring user activity is critical in order to pinpoint breaches and is often a compliance requirement as well, depending on the organization.
06:34
A good SIEM will have good threat intelligence. Good threat intel can help your IT security team recognize abnormal activity and assess the risk to your organization.
06:46
What affects one company might not affect you at all,
06:50
so this will help you prioritize your response capabilities. You're not spending a bunch of time trying to respond to something that may not even affect you.
07:00
Advanced analytics. Analytics are the key to get any value out of the really insane amount of data your SIEM will be handling. Machine learning can help automate the analysis to identify threats you may have missed before.
07:15
Advanced threat detection. In order to identify or detect the newest threats, it's important to have specialized tools and monitoring.
07:24
And then last but not least, a use case library. In order to reduce your risk, it's important to understand and respond to threats in real time.
07:34
So there's a ton of popular SIEMs out there, but some of the most popular products include Splunk, LogRhythm, AlienVault and IBM QRadar.
07:46
Choosing a SIEM really depends on your organization's needs and really budget, so it's important to know exactly what you're looking for.

Up Next

Monitoring Network Traffic with SIEM

Monitoring Network Traffic with SIEM provides an in-depth practical application of a Security Information and Event Management (SIEM) system to provide robust network defense/monitoring capabilities. The module further elaborates on how SIEMs work, their capabilities, and explores some of the most popular SIEM options currently used today.

Instructed By

Dustin Parry
Network Security Engineer
Instructor