WEBVTT

1
00:00:00.090 --> 00:00:01.470
In this lesson,

2
00:00:01.470 --> 00:00:04.650
we will learn about monitoring and detection.

3
00:00:04.650 --> 00:00:08.940
Monitoring and detection involves continuously observing

4
00:00:08.940 --> 00:00:11.610
network activities to identify

5
00:00:11.610 --> 00:00:15.270
and respond to security incidents, anomalies,

6
00:00:15.270 --> 00:00:17.040
and vulnerabilities.

7
00:00:17.040 --> 00:00:21.780
Monitoring and detection devices include test-access points

8
00:00:21.780 --> 00:00:26.040
or TAPs, collectors, and vulnerability scanners.

9
00:00:26.040 --> 00:00:29.520
Let's explore each of these tools in more detail.

10
00:00:29.520 --> 00:00:33.570
Then we'll have a demonstration of an advanced configuration

11
00:00:33.570 --> 00:00:36.210
of a network scanner, OpenVAS.

12
00:00:36.210 --> 00:00:40.110
First, we have test-access points, or TAPs.

13
00:00:40.110 --> 00:00:44.130
A TAP is a valuable tool for network administrators

14
00:00:44.130 --> 00:00:48.180
because it provides full visibility into network traffic,

15
00:00:48.180 --> 00:00:51.000
allowing them to monitor, analyze,

16
00:00:51.000 --> 00:00:55.320
and troubleshoot without interfering with the flow of data.

17
00:00:55.320 --> 00:00:59.190
TAPs work by making a copy of the data traveling

18
00:00:59.190 --> 00:01:01.860
between two points in the network,

19
00:01:01.860 --> 00:01:05.640
such as between an Internet service provider's modem

20
00:01:05.640 --> 00:01:07.080
and a border router.

21
00:01:07.080 --> 00:01:11.070
The data copy that is captured by the TAP is then sent

22
00:01:11.070 --> 00:01:14.310
to a monitoring device in real time.

23
00:01:14.310 --> 00:01:18.570
This setup is ideal for continuous traffic analysis,

24
00:01:18.570 --> 00:01:22.080
security monitoring, or implementing tools

25
00:01:22.080 --> 00:01:25.620
like a network-based intrusion-detection system

26
00:01:25.620 --> 00:01:28.410
to detect suspicious activity.

27
00:01:28.410 --> 00:01:32.040
A TAP is traditionally a hardware device.

28
00:01:32.040 --> 00:01:35.040
Physically, a TAP has three ports,

29
00:01:35.040 --> 00:01:38.250
two for connecting different parts of the network,

30
00:01:38.250 --> 00:01:40.350
such as a modem and a router,

31
00:01:40.350 --> 00:01:43.350
and one port for connecting to the monitoring

32
00:01:43.350 --> 00:01:45.090
or capture device.

33
00:01:45.090 --> 00:01:49.140
As data passes through the TAP, a copy is created

34
00:01:49.140 --> 00:01:51.510
and sent to the monitoring device,

35
00:01:51.510 --> 00:01:53.700
allowing network administrators

36
00:01:53.700 --> 00:01:56.670
to monitor all traffic in real time

37
00:01:56.670 --> 00:01:59.820
without disrupting network operations.

38
00:01:59.820 --> 00:02:03.600
There are two types of TAPs, passive and active.

39
00:02:03.600 --> 00:02:06.060
Passive TAPs are simple and reliable

40
00:02:06.060 --> 00:02:07.800
and don't require power.

41
00:02:07.800 --> 00:02:10.890
They simply split the signal they are monitoring

42
00:02:10.890 --> 00:02:13.950
and send a copy to the monitoring device.

43
00:02:13.950 --> 00:02:17.220
They don't add latency or alter the traffic,

44
00:02:17.220 --> 00:02:19.230
but if the connection fails,

45
00:02:19.230 --> 00:02:22.470
passive TAPs can't capture any data.

46
00:02:22.470 --> 00:02:26.490
Additionally, since passive TAPs aren't processing any data,

47
00:02:26.490 --> 00:02:30.480
malformed or damaged packets will also be sent

48
00:02:30.480 --> 00:02:32.430
to the monitoring device.

49
00:02:32.430 --> 00:02:36.060
Next, active TAPs physically interrupt the signal

50
00:02:36.060 --> 00:02:38.580
they are monitoring, regenerate it,

51
00:02:38.580 --> 00:02:42.180
and then send it to both the next communication node

52
00:02:42.180 --> 00:02:44.370
and the monitoring device.

53
00:02:44.370 --> 00:02:47.550
Active TAPs use their own power supply

54
00:02:47.550 --> 00:02:50.520
to ensure signal strength remains stable

55
00:02:50.520 --> 00:02:53.910
even during link issues or power failures,

56
00:02:53.910 --> 00:02:57.240
provided they have a backup power supply.

57
00:02:57.240 --> 00:03:02.130
Active TAPs can continue passing data during network failures,

58
00:03:02.130 --> 00:03:04.950
though they add a slight bit of latency

59
00:03:04.950 --> 00:03:07.200
and rely on electrical power.

60
00:03:07.200 --> 00:03:11.400
So if an active TAP doesn't have a backup power supply,

61
00:03:11.400 --> 00:03:15.480
it can become a single point of failure in the network.

62
00:03:15.480 --> 00:03:17.250
For permanent installation,

63
00:03:17.250 --> 00:03:21.510
such as deploying network-based intrusion detection systems,

64
00:03:21.510 --> 00:03:24.810
many administrators prefer using a TAP

65
00:03:24.810 --> 00:03:28.500
because it allows real-time traffic monitoring

66
00:03:28.500 --> 00:03:30.480
across all devices.

67
00:03:30.480 --> 00:03:33.360
However, for temporary troubleshooting,

68
00:03:33.360 --> 00:03:37.290
a mirrored or SPAN port might be more convenient.

69
00:03:37.290 --> 00:03:41.040
In cloud environments, monitoring usually requires

70
00:03:41.040 --> 00:03:43.650
a virtual private cloud solution,

71
00:03:43.650 --> 00:03:47.430
as physical TAPs won't work in virtualized settings.

72
00:03:47.430 --> 00:03:49.620
Second, we have collectors.

73
00:03:49.620 --> 00:03:52.440
Collectors are devices or software

74
00:03:52.440 --> 00:03:57.000
that gather network traffic or log data for analysis.

75
00:03:57.000 --> 00:04:01.260
Collectors work by pulling in data from various sources

76
00:04:01.260 --> 00:04:04.740
such as servers, endpoints, and firewalls,

77
00:04:04.740 --> 00:04:08.550
and then forwarding it to monitoring tools for detection

78
00:04:08.550 --> 00:04:10.950
of any suspicious activity.

79
00:04:10.950 --> 00:04:13.320
For example, Wireshark is

80
00:04:13.320 --> 00:04:16.290
a popular network protocol analyzer

81
00:04:16.290 --> 00:04:18.930
that acts as a collector by capturing

82
00:04:18.930 --> 00:04:22.140
and analyzing packets in real time.

83
00:04:22.140 --> 00:04:25.440
Another example of a collector is Splunk.

84
00:04:25.440 --> 00:04:28.770
Splunk collects log data from various systems

85
00:04:28.770 --> 00:04:32.610
and devices, providing real-time insights

86
00:04:32.610 --> 00:04:37.290
and allowing security teams to detect anomalies or threats.

87
00:04:37.290 --> 00:04:41.430
Tools like SolarWinds Network Performance Monitor

88
00:04:41.430 --> 00:04:45.060
also use collectors to monitor network traffic,

89
00:04:45.060 --> 00:04:49.290
alerting administrators if anything unusual occurs,

90
00:04:49.290 --> 00:04:52.050
like spikes in bandwidth usage.

91
00:04:52.050 --> 00:04:55.950
Collectors form the backbone of an effective monitoring

92
00:04:55.950 --> 00:04:59.730
and detection strategy, ensuring data is captured

93
00:04:59.730 --> 00:05:02.970
and analyzed for possible risks.

94
00:05:02.970 --> 00:05:06.480
Third, we have vulnerability scanners.

95
00:05:06.480 --> 00:05:10.560
Vulnerability scanners identify potential weaknesses

96
00:05:10.560 --> 00:05:13.710
in systems before they can be exploited.

97
00:05:13.710 --> 00:05:17.226
One popular network vulnerability scanner is

98
00:05:17.226 --> 00:05:19.260
Greenbone's OpenVAS,

99
00:05:19.260 --> 00:05:22.260
an open-source scanner that scans networks

100
00:05:22.260 --> 00:05:26.640
and systems for security flaws and provides detailed reports

101
00:05:26.640 --> 00:05:30.360
to help administrators prioritize what needs fixing.

102
00:05:30.360 --> 00:05:33.960
Interestingly, OpenVAS was originally a fork

103
00:05:33.960 --> 00:05:37.260
of Tenable Nessus before Nessus transitioned

104
00:05:37.260 --> 00:05:40.740
from an open-source to a commercial model.

105
00:05:40.740 --> 00:05:43.200
Nessus, known for its ease of use

106
00:05:43.200 --> 00:05:46.320
and extensive plugin library, is now one

107
00:05:46.320 --> 00:05:50.160
of the most popular commercial vulnerability scanners.

108
00:05:50.160 --> 00:05:52.770
Nessus identifies vulnerabilities

109
00:05:52.770 --> 00:05:56.310
across various systems and applications,

110
00:05:56.310 --> 00:05:59.970
from outdated software to misconfigurations,

111
00:05:59.970 --> 00:06:04.500
and offers actionable recommendations to mitigate risks.

112
00:06:04.500 --> 00:06:08.700
Next, Qualys is a cloud-based vulnerability scanner

113
00:06:08.700 --> 00:06:11.730
that integrates with many security tools,

114
00:06:11.730 --> 00:06:14.910
offering not only vulnerability scanning

115
00:06:14.910 --> 00:06:19.260
but also compliance checking and continuous monitoring.

116
00:06:19.260 --> 00:06:22.170
Qualys is known for its scalability,

117
00:06:22.170 --> 00:06:26.160
making it a popular choice for larger organizations

118
00:06:26.160 --> 00:06:31.110
that need to secure extensive, complex cloud-based networks.

119
00:06:31.110 --> 00:06:33.870
Now let's have a look at OpenVAS

120
00:06:33.870 --> 00:06:38.550
and explore some of its advanced configuration capabilities.

121
00:06:38.550 --> 00:06:42.510
I am using a Kali Linux virtual machine,

122
00:06:42.510 --> 00:06:47.040
and I have started the Greenbone OpenVAS network scanner.

123
00:06:47.040 --> 00:06:49.980
The process of scanning machines with OpenVAS

124
00:06:49.980 --> 00:06:53.130
is fairly intuitive, with a built-in wizard

125
00:06:53.130 --> 00:06:55.110
to guide you through the steps.

126
00:06:55.110 --> 00:06:58.620
However, creating custom scan configurations

127
00:06:58.620 --> 00:07:02.640
can be highly valuable, as it allows you to tailor scans

128
00:07:02.640 --> 00:07:04.410
for greater efficiency

129
00:07:04.410 --> 00:07:08.130
and minimize disruption on your production network.

130
00:07:08.130 --> 00:07:12.660
Here on OpenVAS in the configuration menu,

131
00:07:12.660 --> 00:07:16.110
I am going to select scan configs.

132
00:07:16.110 --> 00:07:20.970
Here we see a list of pre-installed scan configurations,

133
00:07:20.970 --> 00:07:24.900
including a full and fast scan and others.

134
00:07:24.900 --> 00:07:28.590
Let's modify a full and fast configuration.

135
00:07:28.590 --> 00:07:31.470
To do this, we'll click the clone button

136
00:07:31.470 --> 00:07:34.290
over here on the right-hand side.

137
00:07:34.290 --> 00:07:39.240
As you can see, we have now created a full and fast clone.

138
00:07:39.240 --> 00:07:42.780
Next, we can click the pencil icon

139
00:07:42.780 --> 00:07:46.080
to configure our new clone.

140
00:07:46.080 --> 00:07:49.980
Inside the cloned full and fast configuration,

141
00:07:49.980 --> 00:07:54.030
we see a list of network vulnerability test families.

142
00:07:54.030 --> 00:07:57.810
Specifically, there are 58 families.

143
00:07:57.810 --> 00:08:01.470
Network Vulnerability Tests, or NVT families,

144
00:08:01.470 --> 00:08:04.140
in OpenVAS are organized groups

145
00:08:04.140 --> 00:08:08.190
of vulnerability tests that focus on specific types

146
00:08:08.190 --> 00:08:11.400
of security risks or system areas.

147
00:08:11.400 --> 00:08:15.030
Each family contains multiple individual tests

148
00:08:15.030 --> 00:08:17.700
designed to detect vulnerabilities

149
00:08:17.700 --> 00:08:19.830
within a particular category,

150
00:08:19.830 --> 00:08:22.920
such as web servers, denial of service,

151
00:08:22.920 --> 00:08:26.310
general vulnerabilities, or databases.

152
00:08:26.310 --> 00:08:28.920
These families allow administrators

153
00:08:28.920 --> 00:08:32.430
to target specific aspects of their network

154
00:08:32.430 --> 00:08:36.600
or infrastructure based on their security needs.

155
00:08:36.600 --> 00:08:39.900
For example, if we are an organization

156
00:08:39.900 --> 00:08:42.870
that primarily operates web services,

157
00:08:42.870 --> 00:08:46.080
modifying our custom scan configuration

158
00:08:46.080 --> 00:08:49.260
to focus on the Web Servers family

159
00:08:49.260 --> 00:08:51.840
would make our scan more efficient

160
00:08:51.840 --> 00:08:54.450
while retaining searches for vulnerabilities,

161
00:08:54.450 --> 00:08:57.780
like SQL injection and Cross-site Scripting.

162
00:08:57.780 --> 00:09:02.760
By categorizing network vulnerability tests into families,

163
00:09:02.760 --> 00:09:06.270
OpenVAS makes it easier to customize scans

164
00:09:06.270 --> 00:09:09.840
and address specific security concerns efficiently,

165
00:09:09.840 --> 00:09:13.800
enabling tailored and relevant vulnerability assessments

166
00:09:13.800 --> 00:09:16.590
across various network assets.

167
00:09:16.590 --> 00:09:20.760
We can even look into each family of NVTs

168
00:09:20.760 --> 00:09:25.170
and view specific tests that are run by OpenVAS.

169
00:09:25.170 --> 00:09:28.500
Let's take a look at the Web Servers family,

170
00:09:28.500 --> 00:09:33.423
which runs 964 individual NVTs.

171
00:09:36.648 --> 00:09:41.220
An NVT is an individual test designed to check

172
00:09:41.220 --> 00:09:46.080
for a specific vulnerability on a system or network.

173
00:09:46.080 --> 00:09:50.250
Each NVT focuses on a particular risk,

174
00:09:50.250 --> 00:09:54.870
such as information-disclosure vulnerabilities

175
00:09:54.870 --> 00:09:58.200
or command-injection vulnerabilities.

176
00:09:58.200 --> 00:10:00.900
Other vulnerability examples include

177
00:10:00.900 --> 00:10:04.740
outdated software versions, misconfigurations,

178
00:10:04.740 --> 00:10:07.440
or a known security flaw.

179
00:10:07.440 --> 00:10:11.310
We can even open up a specific NVT

180
00:10:11.310 --> 00:10:13.443
and look at it in more detail.

181
00:10:18.000 --> 00:10:19.110
Let's take a look here

182
00:10:19.110 --> 00:10:23.010
at the command-injection network vulnerability test.

183
00:10:23.010 --> 00:10:27.300
Here we can see details like the vulnerability's name,

184
00:10:27.300 --> 00:10:31.170
a summary, and the CVSS score,

185
00:10:31.170 --> 00:10:33.540
which is a risk level, letting us know

186
00:10:33.540 --> 00:10:36.840
how critical this vulnerability is.

187
00:10:36.840 --> 00:10:39.750
By reviewing individual NVTs,

188
00:10:39.750 --> 00:10:42.390
administrators can understand the nature

189
00:10:42.390 --> 00:10:45.660
of the vulnerabilities present in their network

190
00:10:45.660 --> 00:10:48.270
and how to prioritize them.

191
00:10:48.270 --> 00:10:52.830
Within a family, we can even unselect specific NVTs

192
00:10:52.830 --> 00:10:55.650
to customize our search.

193
00:10:55.650 --> 00:10:59.553
Let's unselect this command-injection vulnerability.

194
00:11:04.050 --> 00:11:08.670
Now we can see that it will run 963

195
00:11:08.670 --> 00:11:13.530
of the 964 possible Web Servers family's

196
00:11:13.530 --> 00:11:16.320
network vulnerability tests.

197
00:11:16.320 --> 00:11:19.710
So with a custom scan configuration,

198
00:11:19.710 --> 00:11:24.710
we can select specific families of NVTs to scan for,

199
00:11:24.780 --> 00:11:27.390
and we can even select specific tests

200
00:11:27.390 --> 00:11:30.870
to run within an NVT family.

201
00:11:30.870 --> 00:11:35.130
Tailoring our scans to focus on specific vulnerabilities

202
00:11:35.130 --> 00:11:38.250
that are most relevant to our environment

203
00:11:38.250 --> 00:11:43.250
reduces unnecessary checks and optimizes scan time.

204
00:11:43.290 --> 00:11:46.440
By selecting certain families of NVTs

205
00:11:46.440 --> 00:11:50.010
or even specific tests within those families,

206
00:11:50.010 --> 00:11:53.280
we can prioritize the search for vulnerabilities

207
00:11:53.280 --> 00:11:56.880
that pose the greatest risk to our network.

208
00:11:56.880 --> 00:12:00.210
This is the end of our demonstration,

209
00:12:00.210 --> 00:12:02.190
so remember,

210
00:12:02.190 --> 00:12:06.180
monitoring and detection are essential for identifying

211
00:12:06.180 --> 00:12:10.170
and responding to security incidents, anomalies,

212
00:12:10.170 --> 00:12:13.050
and vulnerabilities within a network.

213
00:12:13.050 --> 00:12:15.510
This process involves the use

214
00:12:15.510 --> 00:12:18.930
of tools like test-access points, or TAPs,

215
00:12:18.930 --> 00:12:22.170
collectors, and vulnerability scanners.

216
00:12:22.170 --> 00:12:26.190
TAPs provide visibility into network traffic,

217
00:12:26.190 --> 00:12:28.590
allowing administrators to monitor

218
00:12:28.590 --> 00:12:31.560
and analyze data in real time.

219
00:12:31.560 --> 00:12:35.010
Next, collectors gather and forward traffic

220
00:12:35.010 --> 00:12:37.560
and log data to monitoring tools,

221
00:12:37.560 --> 00:12:40.380
which helps detect suspicious activity.

222
00:12:40.380 --> 00:12:43.830
Finally, vulnerability scanners identify

223
00:12:43.830 --> 00:12:48.060
potential security weaknesses before they can be exploited,

224
00:12:48.060 --> 00:12:49.950
providing detailed reports

225
00:12:49.950 --> 00:12:53.103
and recommendations for remediation.

