WEBVTT

1
00:00:00.050 --> 00:00:02.310
In this section of the course, we are going

2
00:00:02.310 --> 00:00:04.612
to discuss monitoring and response.

3
00:00:04.612 --> 00:00:07.215
The monitoring and response section

4
00:00:07.215 --> 00:00:10.207
of the course focuses on domain four, security operations,

5
00:00:10.207 --> 00:00:13.170
specifically objective 4.1.

6
00:00:13.170 --> 00:00:17.220
Objective 4.1 states that given a scenario, you must be able

7
00:00:17.220 --> 00:00:19.530
to analyze data to enable monitoring

8
00:00:19.530 --> 00:00:21.120
and response activities.

9
00:00:21.120 --> 00:00:23.010
Effective monitoring and response

10
00:00:23.010 --> 00:00:25.050
are critical to maintaining a secure

11
00:00:25.050 --> 00:00:26.350
and resilient system.

12
00:00:26.350 --> 00:00:28.650
By continuously analyzing data

13
00:00:28.650 --> 00:00:31.380
and comparing it against normal behavior patterns,

14
00:00:31.380 --> 00:00:33.780
organizations can quickly detect anomalies

15
00:00:33.780 --> 00:00:35.340
and potential threats.

16
00:00:35.340 --> 00:00:37.317
Additionally, threat intelligence

17
00:00:37.317 --> 00:00:40.640
and system logs provide valuable insights

18
00:00:40.640 --> 00:00:43.140
into emerging risks and alerting systems

19
00:00:43.140 --> 00:00:46.142
ensures that critical issues are flagged

20
00:00:46.142 --> 00:00:47.693
in real time for investigation.

21
00:00:47.693 --> 00:00:50.340
Finally, organizations may prioritize

22
00:00:50.340 --> 00:00:54.240
and act on alerts based on their own assessed risk factors

23
00:00:54.240 --> 00:00:57.630
to keep security efforts focused and proactive.

24
00:00:57.630 --> 00:00:59.280
As we go through this section,

25
00:00:59.280 --> 00:01:01.710
we will cover many topics related to monitoring

26
00:01:01.710 --> 00:01:05.250
and response, including aggregate data analysis,

27
00:01:05.250 --> 00:01:08.550
threat intelligence sources, system log sources,

28
00:01:08.550 --> 00:01:12.030
vulnerabilities and data security, behavior baselines

29
00:01:12.030 --> 00:01:15.291
and analytics, security information

30
00:01:15.291 --> 00:01:17.391
and event management or SIEM event management,

31
00:01:17.391 --> 00:01:20.280
SIEM data management, alerting,

32
00:01:20.280 --> 00:01:22.440
alert prioritization factors,

33
00:01:22.440 --> 00:01:24.933
as well as reporting and metrics.

34
00:01:24.933 --> 00:01:28.470
First, we will look at aggregate data analysis.

35
00:01:28.470 --> 00:01:31.020
Aggregate data analysis is the process

36
00:01:31.020 --> 00:01:32.490
of efficiently combining

37
00:01:32.490 --> 00:01:36.900
and examining large volumes of data from multiple sources

38
00:01:36.900 --> 00:01:39.330
to identify patterns, trends

39
00:01:39.330 --> 00:01:41.370
and potential security threats.

40
00:01:41.370 --> 00:01:44.316
Aggregate data analysis concepts

41
00:01:44.316 --> 00:01:45.930
include audit log reduction,

42
00:01:45.930 --> 00:01:49.350
correlation, prioritization and trends.

43
00:01:49.350 --> 00:01:52.911
Audit log reduction involves filtering out irrelevant

44
00:01:52.911 --> 00:01:55.920
or low priority logs to focus on critical events.

45
00:01:55.920 --> 00:01:57.660
Audit log reduction makes it easier

46
00:01:57.660 --> 00:02:00.600
to detect anomalies across a significant number

47
00:02:00.600 --> 00:02:02.490
of logs and devices.

48
00:02:02.490 --> 00:02:04.260
Correlation is the process

49
00:02:04.260 --> 00:02:07.560
of linking related events across different data sources.

50
00:02:07.560 --> 00:02:10.680
Correlation helps identify the root cause of incidents

51
00:02:10.680 --> 00:02:12.930
and detect coordinated attacks.

52
00:02:12.930 --> 00:02:14.850
Prioritization assigns importance

53
00:02:14.850 --> 00:02:18.330
to detected issues based on their potential impact.

54
00:02:18.330 --> 00:02:20.520
Prioritization enables security teams

55
00:02:20.520 --> 00:02:23.580
to address the most significant threats first.

56
00:02:23.580 --> 00:02:26.460
Finally, identifying trends over time

57
00:02:26.460 --> 00:02:29.601
helps teams spot recurring vulnerabilities

58
00:02:29.601 --> 00:02:32.490
or attack vectors that require long-term mitigation.

59
00:02:32.490 --> 00:02:35.430
For example, through aggregate data analysis,

60
00:02:35.430 --> 00:02:37.890
a security team might filter audit logs

61
00:02:37.890 --> 00:02:42.060
to isolate critical events such as repeated failed log-ons

62
00:02:42.060 --> 00:02:44.550
or unauthorized access attempts.

63
00:02:44.550 --> 00:02:46.710
They could then correlate these anomalies

64
00:02:46.710 --> 00:02:50.400
with other indicators such as unusual network traffic

65
00:02:50.400 --> 00:02:53.580
to identify a potential breach. Based on the severity

66
00:02:53.580 --> 00:02:56.790
of the attack and the impact of affected systems,

67
00:02:56.790 --> 00:02:59.220
the team could prioritize their response,

68
00:02:59.220 --> 00:03:01.546
addressing the most critical threats first.

69
00:03:01.546 --> 00:03:05.130
This process helps the security team respond quickly

70
00:03:05.130 --> 00:03:07.080
and recognize attack patterns

71
00:03:07.080 --> 00:03:09.990
for preventive defense improvement.

72
00:03:09.990 --> 00:03:13.050
Next, we will explore threat intelligence sources.

73
00:03:13.050 --> 00:03:16.009
Threat intelligence sources are external

74
00:03:16.009 --> 00:03:17.190
or internal information streams

75
00:03:17.190 --> 00:03:19.920
that provide insights into emerging threats,

76
00:03:19.920 --> 00:03:22.530
vulnerabilities and attacker tactics.

77
00:03:22.530 --> 00:03:25.109
Threat intelligence source concepts

78
00:03:25.109 --> 00:03:26.490
include threat intelligence feed,

79
00:03:26.490 --> 00:03:28.560
common vulnerabilities and exposures

80
00:03:28.560 --> 00:03:31.620
or CVE details, bounty programs,

81
00:03:31.620 --> 00:03:34.170
as well as third party reports and logs.

82
00:03:34.170 --> 00:03:36.750
Threat intelligence feeds deliver real-time data

83
00:03:36.750 --> 00:03:38.380
on potential security risks.

84
00:03:38.380 --> 00:03:41.550
Potential security risks include indicators of compromise

85
00:03:41.550 --> 00:03:43.817
and demonstrated attacker behaviors.

86
00:03:43.817 --> 00:03:47.940
Next, CVEs are considered threat intelligence.

87
00:03:47.940 --> 00:03:50.460
A CVE is a standardized identifier

88
00:03:50.460 --> 00:03:53.220
for a publicly known cybersecurity vulnerability

89
00:03:53.220 --> 00:03:54.657
in software or hardware.

90
00:03:54.657 --> 00:03:58.620
CVE details provide information on known vulnerabilities,

91
00:03:58.620 --> 00:04:00.048
including their severity

92
00:04:00.048 --> 00:04:03.607
and exploitability, enabling security teams

93
00:04:03.607 --> 00:04:05.574
to prioritize patching efforts.

94
00:04:05.574 --> 00:04:06.630
Next, bug bounty programs

95
00:04:06.630 --> 00:04:09.750
encourage external security researchers to identify

96
00:04:09.750 --> 00:04:13.170
and report vulnerabilities to application owners.

97
00:04:13.170 --> 00:04:14.997
Finally, third party reports

98
00:04:14.997 --> 00:04:17.250
and logs offer additional context

99
00:04:17.250 --> 00:04:20.057
and data on specific threats or incidents.

100
00:04:20.057 --> 00:04:23.310
This proactive approach helps organizations discover

101
00:04:23.310 --> 00:04:24.930
and resolve security flaws

102
00:04:24.930 --> 00:04:28.050
before they can be exploited by malicious actors.

103
00:04:28.050 --> 00:04:29.880
In application, a security team

104
00:04:29.880 --> 00:04:31.634
might use threat intelligence feeds

105
00:04:31.634 --> 00:04:34.132
to detect a new exploit,

106
00:04:34.132 --> 00:04:35.610
targeting a specific CVE,

107
00:04:35.610 --> 00:04:38.137
cross-reference third party reports

108
00:04:38.137 --> 00:04:39.540
for further details and analysis

109
00:04:39.540 --> 00:04:42.900
and then prioritize mitigation based on the criticality

110
00:04:42.900 --> 00:04:45.406
of the vulnerability and affected asset.

111
00:04:45.406 --> 00:04:48.660
After that, we will look at system log sources.

112
00:04:48.660 --> 00:04:51.120
System log sources are the logs generated

113
00:04:51.120 --> 00:04:54.275
by network infrastructure and enterprise devices.

114
00:04:54.275 --> 00:04:58.396
System log sources provide detailed records of activities

115
00:04:58.396 --> 00:05:00.840
and events and include infrastructure device logs,

116
00:05:00.840 --> 00:05:03.300
endpoint logs, application logs

117
00:05:03.300 --> 00:05:06.630
and Cloud Security Posture Management tools.

118
00:05:06.630 --> 00:05:09.810
Infrastructure device logs capture data from routers,

119
00:05:09.810 --> 00:05:13.680
firewalls and switches, helping identify network anomalies

120
00:05:13.680 --> 00:05:15.300
and malicious traffic.

121
00:05:15.300 --> 00:05:18.450
Endpoint logs track activities on individual devices

122
00:05:18.450 --> 00:05:20.490
like computers or mobile devices.

123
00:05:20.490 --> 00:05:23.550
Endpoint logs offer insights into user actions

124
00:05:23.550 --> 00:05:26.790
or potential compromises. Application logs

125
00:05:26.790 --> 00:05:29.400
document events within software applications,

126
00:05:29.400 --> 00:05:31.440
aiding in the detection of software issues

127
00:05:31.440 --> 00:05:33.510
or unauthorized access.

128
00:05:33.510 --> 00:05:37.275
Finally, Cloud Security Posture Management

129
00:05:37.275 --> 00:05:40.170
or CSPM tools monitor cloud environments

130
00:05:40.170 --> 00:05:43.860
to identify misconfigurations or security risks.

131
00:05:43.860 --> 00:05:48.030
For example, a security team might analyze firewall logs

132
00:05:48.030 --> 00:05:49.980
to detect abnormal traffic,

133
00:05:49.980 --> 00:05:52.710
such as unexpected inbound connections

134
00:05:52.710 --> 00:05:54.720
from untrusted IP addresses.

135
00:05:54.720 --> 00:05:57.690
Then they might correlate this with logs

136
00:05:57.690 --> 00:06:00.180
to identify suspicious user behavior

137
00:06:00.180 --> 00:06:02.700
or unauthorized access attempts.

138
00:06:02.700 --> 00:06:06.117
Next, we will explore vulnerabilities and data security.

139
00:06:06.117 --> 00:06:07.980
Vulnerabilities and data security

140
00:06:07.980 --> 00:06:10.320
involve identifying system weaknesses

141
00:06:10.320 --> 00:06:13.095
and ensuring sensitive data is protected

142
00:06:13.095 --> 00:06:15.317
from unauthorized access or loss.

143
00:06:15.317 --> 00:06:16.710
Vulnerability and data security concepts

144
00:06:16.710 --> 00:06:21.270
include vulnerability scans and data loss prevention tools.

145
00:06:21.270 --> 00:06:23.880
Vulnerability scans are automated applications

146
00:06:23.880 --> 00:06:26.610
used to scan for and detect security flaws,

147
00:06:26.610 --> 00:06:29.520
misconfigurations or unpatched software

148
00:06:29.520 --> 00:06:31.290
on the enterprise network.

149
00:06:31.290 --> 00:06:33.930
Data loss prevention is a security strategy

150
00:06:33.930 --> 00:06:35.550
that monitors, detects

151
00:06:35.550 --> 00:06:38.370
and prevents unauthorized transmission

152
00:06:38.370 --> 00:06:40.590
or exposure of sensitive data.

153
00:06:40.590 --> 00:06:43.620
Data loss prevention systems monitor data flows

154
00:06:43.620 --> 00:06:45.990
to prevent the unauthorized transmission

155
00:06:45.990 --> 00:06:48.780
of sensitive information, ensuring compliance

156
00:06:48.780 --> 00:06:50.290
with security policies.

157
00:06:50.290 --> 00:06:55.288
For example, a security team might run vulnerability scans

158
00:06:55.288 --> 00:06:57.090
to detect outdated software on a server,

159
00:06:57.090 --> 00:06:59.550
then use data loss prevention tools

160
00:06:59.550 --> 00:07:02.010
to monitor for any suspicious attempts

161
00:07:02.010 --> 00:07:04.140
to export sensitive data.

162
00:07:04.140 --> 00:07:05.760
Following that, we will look

163
00:07:05.760 --> 00:07:08.130
at behavior baselines and analytics.

164
00:07:08.130 --> 00:07:09.900
Behavior baselines and analytics

165
00:07:09.900 --> 00:07:12.180
are used to establish normal patterns

166
00:07:12.180 --> 00:07:16.810
of activity for networks, systems, users and applications.

167
00:07:16.810 --> 00:07:18.930
Only after understanding normal patterns

168
00:07:18.930 --> 00:07:22.260
can anomalies that indicate security threats be recognized.

169
00:07:22.260 --> 00:07:24.510
Behavior baselines and analytic concepts

170
00:07:24.510 --> 00:07:27.270
include network, systems, users

171
00:07:27.270 --> 00:07:31.050
as well as applications and services behavior baselines.

172
00:07:31.050 --> 00:07:34.350
Network behavior baselines track typical traffic patterns

173
00:07:34.350 --> 00:07:37.170
to identify unusual data flows or connections.

174
00:07:37.170 --> 00:07:40.920
System baselines monitor regular system resource usage

175
00:07:40.920 --> 00:07:45.390
such as CPU or memory to detect unexpected anomalies.

176
00:07:45.390 --> 00:07:48.570
User behavior analytics identify deviations

177
00:07:48.570 --> 00:07:52.560
from normal user actions, such as unusual login times

178
00:07:52.560 --> 00:07:54.480
or access to sensitive data.

179
00:07:54.480 --> 00:07:56.328
Application and service baselines

180
00:07:56.328 --> 00:07:58.890
help detect anomalies in service usage

181
00:07:58.890 --> 00:08:00.540
or response times.

182
00:08:00.540 --> 00:08:02.010
By monitoring baselines,

183
00:08:02.010 --> 00:08:04.500
security teams can detect anomalies

184
00:08:04.500 --> 00:08:07.110
like a sudden spike in resource usage,

185
00:08:07.110 --> 00:08:10.230
indicating potential issues such as a denial

186
00:08:10.230 --> 00:08:13.781
of service attack or malware causing excessive CPU load.

187
00:08:13.781 --> 00:08:17.580
In practice, a security team might detect an abnormal spike

188
00:08:17.580 --> 00:08:18.780
in network traffic

189
00:08:18.780 --> 00:08:21.750
combined with an unexpected system resource load,

190
00:08:21.750 --> 00:08:25.260
prompting them to investigate and identify a user account

191
00:08:25.260 --> 00:08:28.110
that has suddenly started accessing restricted areas

192
00:08:28.110 --> 00:08:32.007
of an application, potentially indicating a security breach.

193
00:08:32.007 --> 00:08:36.083
Then we will explore security information

194
00:08:36.083 --> 00:08:39.030
and event management or SIEM event management.

195
00:08:39.030 --> 00:08:42.720
A SIEM system is a platform that collects, analyzes

196
00:08:42.720 --> 00:08:46.260
and correlates security event data from various sources

197
00:08:46.260 --> 00:08:49.770
to detect and respond to potential threats in real time.

198
00:08:49.770 --> 00:08:52.920
SIEM event management is collecting, analyzing

199
00:08:52.920 --> 00:08:56.160
and responding to security events in real time

200
00:08:56.160 --> 00:08:58.560
to identify and mitigate threats.

201
00:08:58.560 --> 00:09:02.280
SIEM event management concepts include event parsing,

202
00:09:02.280 --> 00:09:05.700
event deduplication, as well as the identification

203
00:09:05.700 --> 00:09:08.880
of event false positives and false negatives.

204
00:09:08.880 --> 00:09:11.280
Event parsing refers to the process

205
00:09:11.280 --> 00:09:15.090
of breaking down raw event data into structured formats

206
00:09:15.090 --> 00:09:16.770
for easier analysis.

207
00:09:16.770 --> 00:09:19.440
Event deduplication filters out repeated alerts

208
00:09:19.440 --> 00:09:23.806
to reduce noise and enable focus on unique incidents.

209
00:09:23.806 --> 00:09:28.085
Event false positives occur when benign activity

210
00:09:28.085 --> 00:09:29.430
is mistakenly flagged as a threat

211
00:09:29.430 --> 00:09:33.482
and false negatives occur when actual threats go undetected.

212
00:09:33.482 --> 00:09:37.657
For example, a SIEM system might parse logs

213
00:09:37.657 --> 00:09:39.300
to detect a potential security event,

214
00:09:39.300 --> 00:09:42.330
remove duplicate entries for efficiency,

215
00:09:42.330 --> 00:09:45.300
enable the security team to investigate further

216
00:09:45.300 --> 00:09:47.700
and determine if the potential security event

217
00:09:47.700 --> 00:09:50.399
is a false positive or an actual incident

218
00:09:50.399 --> 00:09:52.167
that requires a response.

219
00:09:52.167 --> 00:09:55.260
Next, we will look at security information

220
00:09:55.260 --> 00:09:58.980
and event management or SIEM data management.

221
00:09:58.980 --> 00:10:02.880
Again, a SIEM is a system that collects, analyzes

222
00:10:02.880 --> 00:10:06.240
and correlates security event data from various sources

223
00:10:06.240 --> 00:10:09.834
to detect and respond to potential threats in real time.

224
00:10:09.834 --> 00:10:12.690
SIEM data management includes organizing

225
00:10:12.690 --> 00:10:14.820
and maintaining security event data

226
00:10:14.820 --> 00:10:18.422
for effective analysis, detection and long-term storage.

227
00:10:18.422 --> 00:10:21.388
SIEM data management concepts include data

228
00:10:21.388 --> 00:10:24.480
from non-reporting devices and data retention.

229
00:10:24.480 --> 00:10:26.903
Non-reporting devices refer to systems

230
00:10:26.903 --> 00:10:31.200
or endpoints that fail to send logs or data to the SIEM.

231
00:10:31.200 --> 00:10:33.750
Non-reporting devices create blind spots

232
00:10:33.750 --> 00:10:35.340
in security monitoring.

233
00:10:35.340 --> 00:10:37.599
Data retention policies

234
00:10:37.599 --> 00:10:39.810
determine how long security event data is stored,

235
00:10:39.810 --> 00:10:42.180
ensuring compliance with regulations

236
00:10:42.180 --> 00:10:44.430
and assisting in forensic analysis.

237
00:10:44.430 --> 00:10:48.780
For example, if a critical firewall stops sending logs

238
00:10:48.780 --> 00:10:50.850
to the SIEM due to a misconfiguration,

239
00:10:50.850 --> 00:10:52.590
this could go unnoticed,

240
00:10:52.590 --> 00:10:54.840
leaving a gap in security monitoring.

241
00:10:54.840 --> 00:10:58.230
However, with proper data retention policies in place,

242
00:10:58.230 --> 00:11:00.240
logs retained from before

243
00:11:00.240 --> 00:11:03.630
and including the misconfiguration could be reviewed

244
00:11:03.630 --> 00:11:07.530
to help identify and address the cause of the issue.

245
00:11:07.530 --> 00:11:10.186
After that, we will explore alerting.

246
00:11:10.186 --> 00:11:12.173
Alerting is the process

247
00:11:12.173 --> 00:11:14.250
of notifying security teams about potential threats

248
00:11:14.250 --> 00:11:18.318
or suspicious activities based on predefined rules

249
00:11:18.318 --> 00:11:19.151
and event triggers.

250
00:11:19.151 --> 00:11:22.230
Alerting concepts include alerts associated

251
00:11:22.230 --> 00:11:24.750
with vulnerabilities, false positives,

252
00:11:24.750 --> 00:11:28.680
false negatives, malware and alert failures.

253
00:11:28.680 --> 00:11:31.560
Vulnerabilities in this system can only generate alerts

254
00:11:31.560 --> 00:11:32.910
if they are detected.

255
00:11:32.910 --> 00:11:34.140
Actual vulnerabilities

256
00:11:34.140 --> 00:11:36.720
that are detected are considered true positives.

257
00:11:36.720 --> 00:11:38.230
False positives are alerts

258
00:11:38.230 --> 00:11:41.482
for non-malicious activities wrongly flagged as threats.

259
00:11:41.482 --> 00:11:45.240
False negatives occur when legitimate threats go undetected.

260
00:11:45.240 --> 00:11:48.960
Malware alerts notify the team of potential infection

261
00:11:48.960 --> 00:11:50.940
and alert failures such as missed

262
00:11:50.940 --> 00:11:52.560
or delayed notifications

263
00:11:52.560 --> 00:11:55.410
can lead to critical threats being overlooked.

264
00:11:55.410 --> 00:11:58.650
For example, a SIEM might generate an alert

265
00:11:58.650 --> 00:12:01.320
for detected malware on a critical server,

266
00:12:01.320 --> 00:12:03.725
prompting the security team to investigate.

267
00:12:03.725 --> 00:12:07.710
However, if the alert is identified as a false positive

268
00:12:07.710 --> 00:12:09.750
or an alert failure occurs,

269
00:12:09.750 --> 00:12:12.660
the security team could waste valuable time

270
00:12:12.660 --> 00:12:14.880
chasing a non-existent threat

271
00:12:14.880 --> 00:12:17.850
or miss the actual threat altogether.

272
00:12:17.850 --> 00:12:20.010
Therefore, ensuring the accuracy

273
00:12:20.010 --> 00:12:22.360
and reliability of alerts is crucial

274
00:12:22.360 --> 00:12:24.191
to prevent missed threats

275
00:12:24.191 --> 00:12:26.670
and mitigate security risks effectively.

276
00:12:26.670 --> 00:12:30.390
Then we will look at alert prioritization factors.

277
00:12:30.390 --> 00:12:33.468
Alert prioritization factors enable determining the urgency

278
00:12:33.468 --> 00:12:36.420
of security alerts based on criteria

279
00:12:36.420 --> 00:12:39.466
to ensure the most critical threats are addressed first.

280
00:12:39.466 --> 00:12:43.410
Alert prioritization concepts include alert criticality,

281
00:12:43.410 --> 00:12:47.220
alert impact, asset type, residual risk

282
00:12:47.220 --> 00:12:49.320
and data classification.

283
00:12:49.320 --> 00:12:52.620
Criticality refers to how essential the affected system

284
00:12:52.620 --> 00:12:55.200
or process is to the organization.

285
00:12:55.200 --> 00:12:57.412
Impact assesses the potential damage

286
00:12:57.412 --> 00:12:59.850
that a threat could cause if not mitigated.

287
00:12:59.850 --> 00:13:03.656
Asset type considers whether the compromised asset

288
00:13:03.656 --> 00:13:06.226
is of high value, such as a production server

289
00:13:06.226 --> 00:13:07.434
or a critical database.

290
00:13:07.434 --> 00:13:09.390
Residual risk is the remaining risk

291
00:13:09.390 --> 00:13:12.330
after mitigating controls have been applied.

292
00:13:12.330 --> 00:13:15.150
Data classification refers to the sensitivity

293
00:13:15.150 --> 00:13:18.390
of the data involved with higher priority alerts

294
00:13:18.390 --> 00:13:21.090
being raised for systems handling confidential

295
00:13:21.090 --> 00:13:23.340
or highly classified information.

296
00:13:23.340 --> 00:13:27.150
For example, an alert affecting a critical financial server

297
00:13:27.150 --> 00:13:31.020
storing classified data would be prioritized over an alert

298
00:13:31.020 --> 00:13:33.960
on a low impact system due to the combination

299
00:13:33.960 --> 00:13:37.535
of high criticality, impact and data sensitivity.

300
00:13:37.535 --> 00:13:41.367
Finally, we will look at reporting and metrics.

301
00:13:41.367 --> 00:13:43.503
Reporting and metrics are the collecting

302
00:13:43.503 --> 00:13:44.790
and presenting of security data

303
00:13:44.790 --> 00:13:47.640
to measure performance, identify trends

304
00:13:47.640 --> 00:13:49.156
and guide decision making.

305
00:13:49.156 --> 00:13:51.875
Reporting and metrics concepts

306
00:13:51.875 --> 00:13:53.970
include visualization and dashboards.

307
00:13:53.970 --> 00:13:57.240
Visualization products include the use of charts, graphs

308
00:13:57.240 --> 00:13:59.070
and other visualization tools

309
00:13:59.070 --> 00:14:01.710
to display complex security information

310
00:14:01.710 --> 00:14:03.890
in an easily understandable format.

311
00:14:03.890 --> 00:14:07.191
Dashboards aggregate key metrics

312
00:14:07.191 --> 00:14:08.850
in a real-time, centralized view,

313
00:14:08.850 --> 00:14:11.370
allowing security teams to track incidents

314
00:14:11.370 --> 00:14:13.410
and responses efficiently.

315
00:14:13.410 --> 00:14:15.007
Both visualization products

316
00:14:15.007 --> 00:14:18.270
and dashboards help teams quickly assess the status

317
00:14:18.270 --> 00:14:21.570
of security operations, identify potential threats

318
00:14:21.570 --> 00:14:24.420
and evaluate the effectiveness of defenses.

319
00:14:24.420 --> 00:14:28.200
For example, a security team might use a dashboard

320
00:14:28.200 --> 00:14:30.125
to monitor the number

321
00:14:30.125 --> 00:14:32.737
of detected malware instances over time,

322
00:14:32.737 --> 00:14:33.951
using visualizations

323
00:14:33.951 --> 00:14:35.940
to spot a unique spike in observed incidents

324
00:14:35.940 --> 00:14:39.480
and prompting further investigation and action.

325
00:14:39.480 --> 00:14:41.880
To finish things off, we'll take a short quiz

326
00:14:41.880 --> 00:14:44.970
to see what you learned during this section of the course

327
00:14:44.970 --> 00:14:48.540
and we will review each of those quiz questions fully

328
00:14:48.540 --> 00:14:51.540
to ensure you can explain why the right answers were right

329
00:14:51.540 --> 00:14:53.340
and the wrong answers were wrong.

330
00:14:53.340 --> 00:14:55.950
So let's get ready to dive into monitoring

331
00:14:55.950 --> 00:14:58.563
and response in this section of the course.

