WEBVTT

1
00:00:00.180 --> 00:00:02.040
In this lesson, we will learn

2
00:00:02.040 --> 00:00:04.740
about monitoring and response.

3
00:00:04.740 --> 00:00:08.100
Monitoring and response is continuously observing

4
00:00:08.100 --> 00:00:10.919
system activities to detect, analyze,

5
00:00:10.919 --> 00:00:13.140
and respond to threats.

6
00:00:13.140 --> 00:00:16.639
Monitoring and response concepts include event logging

7
00:00:16.639 --> 00:00:21.600
and monitoring, as well as endpoint detection and response.

8
00:00:21.600 --> 00:00:24.857
Event logging and monitoring is the process of recording

9
00:00:24.857 --> 00:00:28.063
and tracking system and application activities

10
00:00:28.063 --> 00:00:31.080
to identify abnormal behavior.

11
00:00:31.080 --> 00:00:34.440
Endpoint detection and response, or EDR,

12
00:00:34.440 --> 00:00:38.460
offers individual endpoints real-time visibility,

13
00:00:38.460 --> 00:00:42.270
automated threat detection, and remediation to isolate

14
00:00:42.270 --> 00:00:46.530
and quarantine malicious activity as quickly as possible.

15
00:00:46.530 --> 00:00:49.950
Let's learn more about event logging and monitoring,

16
00:00:49.950 --> 00:00:53.550
as well as endpoint detection and response.

17
00:00:53.550 --> 00:00:56.640
First, we have logging and monitoring.

18
00:00:56.640 --> 00:00:57.810
Logging and monitoring

19
00:00:57.810 --> 00:01:00.870
are essential components of cybersecurity.

20
00:01:00.870 --> 00:01:04.463
In enterprise networks, computers and network devices

21
00:01:04.463 --> 00:01:07.740
constantly perform actions that are invisible

22
00:01:07.740 --> 00:01:09.270
to the human eye.

23
00:01:09.270 --> 00:01:11.820
To understand what is happening on a system,

24
00:01:11.820 --> 00:01:13.868
network device, or firewall,

25
00:01:13.868 --> 00:01:18.868
information system professionals like us rely on log files.

26
00:01:19.380 --> 00:01:23.610
These logs capture system events, application events,

27
00:01:23.610 --> 00:01:26.820
user actions, and network activities.

28
00:01:26.820 --> 00:01:30.540
Network defenders monitor and analyze these logs

29
00:01:30.540 --> 00:01:34.650
to identify indicators of attack, indicators of compromise,

30
00:01:34.650 --> 00:01:37.397
and to reconstruct attack timelines

31
00:01:37.397 --> 00:01:39.840
during incident response.

32
00:01:39.840 --> 00:01:42.510
But despite its importance,

33
00:01:42.510 --> 00:01:45.240
logging presents a major challenge.

34
00:01:45.240 --> 00:01:47.221
We cannot log everything.

35
00:01:47.221 --> 00:01:51.780
Each log requirement consumes valuable processing power,

36
00:01:51.780 --> 00:01:54.390
memory, and hard drive space.

37
00:01:54.390 --> 00:01:58.752
So if we log too much, we risk degrading the performance

38
00:01:58.752 --> 00:02:02.130
of the devices we are trying to protect.

39
00:02:02.130 --> 00:02:04.607
On the flip side, logging too little

40
00:02:04.607 --> 00:02:08.640
can leave us without critical information that we might need

41
00:02:08.640 --> 00:02:12.330
to fully understand and audit a malicious event.

42
00:02:12.330 --> 00:02:15.990
The need for balance is why we must carefully design

43
00:02:15.990 --> 00:02:18.522
our logging and auditing mechanisms,

44
00:02:18.522 --> 00:02:21.150
making deliberate decisions

45
00:02:21.150 --> 00:02:24.930
about what to log and what not to log.

46
00:02:24.930 --> 00:02:28.181
So to maintain an effective logging system,

47
00:02:28.181 --> 00:02:32.160
we need a solid audit log management plan.

48
00:02:32.160 --> 00:02:35.520
This plan needs to define what is logged,

49
00:02:35.520 --> 00:02:39.900
how long logs are kept, and how logs are backed up.

50
00:02:39.900 --> 00:02:41.670
Additionally, we need to plan

51
00:02:41.670 --> 00:02:44.167
for how often logs will be reviewed.

52
00:02:44.167 --> 00:02:48.031
Protecting log files against unauthorized deletion

53
00:02:48.031 --> 00:02:50.160
is equally important.

54
00:02:50.160 --> 00:02:54.420
We may even require controls such as two-person approval

55
00:02:54.420 --> 00:02:57.270
for any log modification or deletion

56
00:02:57.270 --> 00:03:02.100
to help ensure the integrity and availability of our logs.

57
00:03:02.100 --> 00:03:05.346
These controls become particularly important

58
00:03:05.346 --> 00:03:08.807
when logs are needed in incident response.

59
00:03:08.807 --> 00:03:11.160
Building on log management,

60
00:03:11.160 --> 00:03:13.470
Audit trails play a vital role

61
00:03:13.470 --> 00:03:17.610
in capturing detailed records of system transactions.

62
00:03:17.610 --> 00:03:21.677
An audit trail is a detailed record of all transactions

63
00:03:21.677 --> 00:03:26.130
and system activities, documenting the sequence of events,

64
00:03:26.130 --> 00:03:29.400
actions taken, and any changes made.

65
00:03:29.400 --> 00:03:33.780
Audit trails help in tracking and analyzing user behavior

66
00:03:33.780 --> 00:03:38.160
and system performance for security and compliance purposes.

67
00:03:38.160 --> 00:03:42.450
Audit trails may also specify whether attempted events

68
00:03:42.450 --> 00:03:45.330
were successful or if they failed.

69
00:03:45.330 --> 00:03:49.740
This can be directly used to detect misuse or attack,

70
00:03:49.740 --> 00:03:53.790
including attacks on the logging systems themselves.

71
00:03:53.790 --> 00:03:57.990
By monitoring and analyzing logs for unusual behavior,

72
00:03:57.990 --> 00:04:01.617
professionals can quickly spot indicators of attack.

73
00:04:01.617 --> 00:04:04.725
So when setting up a logging strategy,

74
00:04:04.725 --> 00:04:07.500
deciding what to log is critical.

75
00:04:07.500 --> 00:04:11.160
Establishing thresholds for logging specific actions

76
00:04:11.160 --> 00:04:12.990
is also important.

77
00:04:12.990 --> 00:04:17.250
For example, should every failed login attempt be logged,

78
00:04:17.250 --> 00:04:21.360
or should we only log it after the third failed attempt?

79
00:04:21.360 --> 00:04:24.960
Logging every attempt might flood the system with data,

80
00:04:24.960 --> 00:04:27.480
especially if the event is simply a user

81
00:04:27.480 --> 00:04:29.760
mistyping their password a few times.

82
00:04:29.760 --> 00:04:33.316
However, logging too little could mean missing signs

83
00:04:33.316 --> 00:04:35.430
of a brute force attack.

84
00:04:35.430 --> 00:04:39.240
Similarly, logging actions like user additions,

85
00:04:39.240 --> 00:04:43.490
modifications, or deletions can help us maintain visibility

86
00:04:43.490 --> 00:04:47.704
because these types of changes are often made by attackers

87
00:04:47.704 --> 00:04:50.220
after they breach a system.

88
00:04:50.220 --> 00:04:53.160
It's also important to consider that attackers

89
00:04:53.160 --> 00:04:57.030
might try to cover their tracks by manipulating logs,

90
00:04:57.030 --> 00:05:01.530
a tactic known as scrubbing the logs or covering tracks.

91
00:05:01.530 --> 00:05:05.070
Missing time entries or unexplained gaps in logs

92
00:05:05.070 --> 00:05:07.350
are often signs of tampering.

93
00:05:07.350 --> 00:05:11.550
So to enhance our logging systems, we can use automation

94
00:05:11.550 --> 00:05:13.830
to trigger alerts or notifications

95
00:05:13.830 --> 00:05:16.170
when specific events occur.

96
00:05:16.170 --> 00:05:19.000
For instance, if a user account is elevated

97
00:05:19.000 --> 00:05:22.465
to an administrative level, the system can send an alert

98
00:05:22.465 --> 00:05:26.010
to a system administrator for verification.

99
00:05:26.010 --> 00:05:28.767
With such a volume of logs to manage,

100
00:05:28.767 --> 00:05:31.413
organizations often turn to tools

101
00:05:31.413 --> 00:05:34.833
like a security information and event management system,

102
00:05:34.833 --> 00:05:37.170
also known as a SIEM.

103
00:05:37.170 --> 00:05:39.270
At work, you might hear this pronounced

104
00:05:39.270 --> 00:05:41.520
as either SIEM or SEIM.

105
00:05:41.520 --> 00:05:44.550
In this lesson, I will be pronouncing it SIEM.

106
00:05:44.550 --> 00:05:47.010
SIEMs combine security event management

107
00:05:47.010 --> 00:05:51.150
and security information management into one platform,

108
00:05:51.150 --> 00:05:52.651
and they are typically used

109
00:05:52.651 --> 00:05:56.220
by security operation centers, or SOCs.

110
00:05:56.220 --> 00:06:00.180
SIEMs provide real-time monitoring, automated alerts,

111
00:06:00.180 --> 00:06:04.590
and notifications when activities deviate from the norm.

112
00:06:04.590 --> 00:06:08.367
Well-known SIEM tools like ArcSight, AlienVault,

113
00:06:08.367 --> 00:06:12.480
and QRadar are widely used across the industry.

114
00:06:12.480 --> 00:06:15.150
One of the key strengths of SIEMs

115
00:06:15.150 --> 00:06:18.180
is their ability to perform data aggregation

116
00:06:18.180 --> 00:06:20.040
and data correlation.

117
00:06:20.040 --> 00:06:22.766
Data aggregation involves collecting logs

118
00:06:22.766 --> 00:06:25.468
from various devices, servers,

119
00:06:25.468 --> 00:06:29.820
and applications into a centralized database,

120
00:06:29.820 --> 00:06:32.307
making it easier for security professionals

121
00:06:32.307 --> 00:06:36.570
to access and analyze logs in one place.

122
00:06:36.570 --> 00:06:39.150
For instance, instead of an operator

123
00:06:39.150 --> 00:06:42.840
manually retrieving logs from individual devices

124
00:06:42.840 --> 00:06:46.410
like DHCP servers, DNS servers,

125
00:06:46.410 --> 00:06:51.180
routers, firewalls, and intrusion detection systems,

126
00:06:51.180 --> 00:06:53.040
SIEMs gather all this data

127
00:06:53.040 --> 00:06:56.520
into one accessible platform for analysis.

128
00:06:56.520 --> 00:06:58.358
Following data aggregation,

129
00:06:58.358 --> 00:07:00.970
data correlation helps connect the dots

130
00:07:00.970 --> 00:07:03.090
between the different logs,

131
00:07:03.090 --> 00:07:06.030
revealing the bigger picture of an attack.

132
00:07:06.030 --> 00:07:10.113
For example, if an attack occurs at 3:01 AM,

133
00:07:10.113 --> 00:07:13.950
a SIEM can automatically align all relevant logs

134
00:07:13.950 --> 00:07:17.670
to a standard time, such as coordinated universal time,

135
00:07:17.670 --> 00:07:21.000
making it much easier to compare apples to apples

136
00:07:21.000 --> 00:07:23.760
and oranges to oranges in the logs.

137
00:07:23.760 --> 00:07:27.180
This makes it possible to analyze all related events

138
00:07:27.180 --> 00:07:29.130
across multiple devices,

139
00:07:29.130 --> 00:07:32.100
and it eliminates the time-consuming process

140
00:07:32.100 --> 00:07:35.070
of manually downloading logs from each device,

141
00:07:35.070 --> 00:07:39.300
normalizing time zones, and piecing together a timeline.

142
00:07:39.300 --> 00:07:41.040
Beyond daily monitoring,

143
00:07:41.040 --> 00:07:44.250
SIEMs are invaluable for regulatory audits

144
00:07:44.250 --> 00:07:46.050
and forensic analysis.

145
00:07:46.050 --> 00:07:48.189
They act as a central repository

146
00:07:48.189 --> 00:07:50.734
that demonstrates compliance during audits

147
00:07:50.734 --> 00:07:55.200
and facilitates forensic investigations after an incident.

148
00:07:55.200 --> 00:07:57.625
Second, we have endpoint detection

149
00:07:57.625 --> 00:08:00.360
and response, or EDR.

150
00:08:00.360 --> 00:08:03.570
EDR solutions are designed to give professionals

151
00:08:03.570 --> 00:08:07.260
better visibility over endpoints such as computers,

152
00:08:07.260 --> 00:08:10.380
laptops, and servers, and to help detect

153
00:08:10.380 --> 00:08:13.350
and respond to cyber threats and exploits.

154
00:08:13.350 --> 00:08:16.080
Unlike simple anti-malware solutions,

155
00:08:16.080 --> 00:08:19.560
which mainly focus on identifying and blocking known threats,

156
00:08:19.560 --> 00:08:24.360
EDR tools can identify previously unknown attack patterns

157
00:08:24.360 --> 00:08:27.480
and ongoing attacks on a device.

158
00:08:27.480 --> 00:08:30.769
To achieve this, EDR continuously monitors

159
00:08:30.769 --> 00:08:35.130
the processes running on a computer, keeps track of files

160
00:08:35.130 --> 00:08:39.510
being accessed, and detects any suspicious network activity.

161
00:08:39.510 --> 00:08:42.870
It also notices changes to the device's baseline,

162
00:08:42.870 --> 00:08:45.930
such as unexpected software installations

163
00:08:45.930 --> 00:08:49.230
or unauthorized setting modifications.

164
00:08:49.230 --> 00:08:53.826
This monitoring capability gives EDR a distinct advantage

165
00:08:53.826 --> 00:08:56.350
in spotting unusual activities

166
00:08:56.350 --> 00:08:59.550
that could be early signs of an attack.

167
00:08:59.550 --> 00:09:02.818
A critical aspect of EDR is its ability

168
00:09:02.818 --> 00:09:05.940
to act quickly when a threat is detected.

169
00:09:05.940 --> 00:09:08.384
And one of its most powerful features

170
00:09:08.384 --> 00:09:10.984
is isolating compromised endpoints

171
00:09:10.984 --> 00:09:14.091
to prevent the spread of malicious activity.

172
00:09:14.091 --> 00:09:17.256
When an EDR identifies suspicious behavior,

173
00:09:17.256 --> 00:09:20.700
it can immediately disconnect the affected device

174
00:09:20.700 --> 00:09:24.060
from the network while still allowing remote access

175
00:09:24.060 --> 00:09:26.400
to it for investigation,

176
00:09:26.400 --> 00:09:29.167
stopping threats like malware, ransomware,

177
00:09:29.167 --> 00:09:31.860
or unauthorized data transfers

178
00:09:31.860 --> 00:09:35.580
from spreading to other devices and IT systems.

179
00:09:35.580 --> 00:09:36.978
Beyond isolation,

180
00:09:36.978 --> 00:09:41.723
EDR enhances overall security by cross-correlating data

181
00:09:41.723 --> 00:09:45.461
across the organization and integrating techniques

182
00:09:45.461 --> 00:09:50.361
like allowlisting and denylisting with behavioral analysis.

183
00:09:50.361 --> 00:09:54.536
This allows EDR to observe endpoint activities

184
00:09:54.536 --> 00:09:58.824
without telegraphing that it knows about ongoing attacks.

185
00:09:58.824 --> 00:10:02.310
An important element that sets EDR apart

186
00:10:02.310 --> 00:10:04.080
from other security tools

187
00:10:04.080 --> 00:10:07.762
is its use of machine learning to identify threats.

188
00:10:07.762 --> 00:10:11.659
Machine learning, which is a type of artificial intelligence

189
00:10:11.659 --> 00:10:14.557
that enables the systems to learn from data patterns

190
00:10:14.557 --> 00:10:18.660
on their own and improve on their own over time,

191
00:10:18.660 --> 00:10:21.469
significantly enhances EDR's ability

192
00:10:21.469 --> 00:10:24.210
to detect advanced threats.

193
00:10:24.210 --> 00:10:27.503
By analyzing large volumes of past behavior,

194
00:10:27.503 --> 00:10:31.430
machine learning models can identify subtle anomalies

195
00:10:31.430 --> 00:10:35.349
and patterns that traditional security tools might miss.

196
00:10:35.349 --> 00:10:39.570
For example, if a user's computer starts performing

197
00:10:39.570 --> 00:10:42.793
out of the ordinary tasks, such as connecting

198
00:10:42.793 --> 00:10:47.280
to unfamiliar networks or running unauthorized scripts,

199
00:10:47.280 --> 00:10:49.620
EDR's machine learning algorithms

200
00:10:49.620 --> 00:10:52.770
can flag these activities as potential threats

201
00:10:52.770 --> 00:10:55.890
even if they've never been observed before.

202
00:10:55.890 --> 00:11:00.600
Next, the data collected by EDR is important not only

203
00:11:00.600 --> 00:11:04.170
during an active attack, but also afterward.

204
00:11:04.170 --> 00:11:07.170
Historical data provides critical insights

205
00:11:07.170 --> 00:11:10.740
for incident responders and forensic investigators

206
00:11:10.740 --> 00:11:13.890
by offering clues on how an attack started,

207
00:11:13.890 --> 00:11:15.600
which files were affected,

208
00:11:15.600 --> 00:11:19.140
and the steps the attacker took within the network.

209
00:11:19.140 --> 00:11:23.117
For example, if ransomware has infected a device,

210
00:11:23.117 --> 00:11:26.192
EDR can provide a detailed timeline

211
00:11:26.192 --> 00:11:28.950
showing when the malware was downloaded,

212
00:11:28.950 --> 00:11:32.940
which files were encrypted, and how the attack spread.

213
00:11:32.940 --> 00:11:36.048
Finally, once an endpoint is isolated,

214
00:11:36.048 --> 00:11:38.880
EDR tools allow security teams

215
00:11:38.880 --> 00:11:43.050
to conduct a thorough analysis of the affected device.

216
00:11:43.050 --> 00:11:46.650
Responders can identify the attack's entry point,

217
00:11:46.650 --> 00:11:49.320
determine if other systems were impacted,

218
00:11:49.320 --> 00:11:53.460
and ensure the threat is fully contained and removed.

219
00:11:53.460 --> 00:11:56.447
Then once the threat has been eradicated,

220
00:11:56.447 --> 00:11:59.707
the isolated device can be safely reconnected

221
00:11:59.707 --> 00:12:01.202
to the network.

222
00:12:01.202 --> 00:12:04.173
In the end, the proactive nature of EDR

223
00:12:04.173 --> 00:12:05.713
is what sets it apart

224
00:12:05.713 --> 00:12:09.000
from traditional anti-malware solutions.

225
00:12:09.000 --> 00:12:12.990
EDR tools not only detect and block known threats,

226
00:12:12.990 --> 00:12:15.918
but also offer real-time capabilities

227
00:12:15.918 --> 00:12:18.780
to isolate compromised devices,

228
00:12:18.780 --> 00:12:22.140
leverage machine learning for advanced threat detection,

229
00:12:22.140 --> 00:12:24.570
and swiftly contain threats.

230
00:12:24.570 --> 00:12:28.560
These features enable security teams to act quickly,

231
00:12:28.560 --> 00:12:31.366
minimizing damage, and preventing the spread

232
00:12:31.366 --> 00:12:34.800
of malicious activity across the network.

233
00:12:34.800 --> 00:12:36.840
Beyond detection and response,

234
00:12:36.840 --> 00:12:41.550
EDR also plays a critical role in remediation

235
00:12:41.550 --> 00:12:44.340
and capturing detailed attack information

236
00:12:44.340 --> 00:12:47.062
to provide a clear roadmap for cleanup.

237
00:12:47.062 --> 00:12:50.580
This makes it easier to remove malicious files,

238
00:12:50.580 --> 00:12:53.958
restore affected systems, and address vulnerabilities,

239
00:12:53.958 --> 00:12:56.760
also ensuring that the recovery process

240
00:12:56.760 --> 00:12:59.490
is both thorough and efficient.

241
00:12:59.490 --> 00:13:03.360
So remember, monitoring and response

242
00:13:03.360 --> 00:13:07.110
involves continuously observing system activities

243
00:13:07.110 --> 00:13:11.220
to detect, analyze, and respond to threats.

244
00:13:11.220 --> 00:13:14.700
Key concepts include event logging and monitoring,

245
00:13:14.700 --> 00:13:19.080
as well as endpoint detection and response, or EDR.

246
00:13:19.080 --> 00:13:21.690
Event logging and monitoring track system

247
00:13:21.690 --> 00:13:26.460
and application activities to identify abnormal behavior,

248
00:13:26.460 --> 00:13:30.030
while EDR provides real-time visibility

249
00:13:30.030 --> 00:13:33.960
and automated threat detection at the endpoint level.

250
00:13:33.960 --> 00:13:37.800
Furthermore, EDR stands out by quickly isolating

251
00:13:37.800 --> 00:13:40.380
and quarantining malicious activity,

252
00:13:40.380 --> 00:13:43.020
enhancing an organization's ability

253
00:13:43.020 --> 00:13:45.573
to prevent the spread of threats.

