WEBVTT

1
00:00:00.120 --> 00:00:02.550
<v Lecturer>In this lesson, we will learn about</v>

2
00:00:02.550 --> 00:00:06.030
behavior baselines and analytics.

3
00:00:06.030 --> 00:00:09.900
Behavior baselines and analytics are used to establish

4
00:00:09.900 --> 00:00:14.900
normal patterns of activity for networks, systems, users,

5
00:00:15.090 --> 00:00:17.040
and applications.

6
00:00:17.040 --> 00:00:21.270
Only after understanding normal patterns can anomalies

7
00:00:21.270 --> 00:00:25.110
that indicate security threats be recognized.

8
00:00:25.110 --> 00:00:28.200
Behavior baselines and analytic concepts

9
00:00:28.200 --> 00:00:33.200
include network, systems, users, as well as applications

10
00:00:33.660 --> 00:00:36.630
and services' behavior baselines.

11
00:00:36.630 --> 00:00:40.950
Network behavior baselines track typical traffic patterns

12
00:00:40.950 --> 00:00:45.420
to identify unusual data flows or connections.

13
00:00:45.420 --> 00:00:49.920
System baselines monitor regular system resource usage

14
00:00:49.920 --> 00:00:54.920
such as CPU or memory to detect unexpected anomalies.

15
00:00:55.590 --> 00:01:00.570
User behavior analytics identify deviations from normal user

16
00:01:00.570 --> 00:01:04.170
actions, such as unusual login times

17
00:01:04.170 --> 00:01:06.720
or access to sensitive data.

18
00:01:06.720 --> 00:01:10.860
Finally, application and service baselines help detect

19
00:01:10.860 --> 00:01:14.940
anomalies in service usage or response times.

20
00:01:14.940 --> 00:01:18.600
Let's learn more about network, systems, users,

21
00:01:18.600 --> 00:01:23.460
as well as applications and services' behavior baselines.

22
00:01:23.460 --> 00:01:26.730
First, we have network baselines.

23
00:01:26.730 --> 00:01:31.050
A network behavior baseline refers to the typical patterns

24
00:01:31.050 --> 00:01:34.980
of data traffic on a network, including the amount

25
00:01:34.980 --> 00:01:38.730
and types of data flowing, common connections,

26
00:01:38.730 --> 00:01:43.410
and the usual times for high or low network activity.

27
00:01:43.410 --> 00:01:47.400
Establishing a network baseline involves monitoring network

28
00:01:47.400 --> 00:01:51.780
traffic over time to understand what is normal.

29
00:01:51.780 --> 00:01:55.530
This might include looking at data transfer rates,

30
00:01:55.530 --> 00:01:59.010
common protocols used, and frequent sources

31
00:01:59.010 --> 00:02:01.530
and destinations of traffic.

32
00:02:01.530 --> 00:02:06.240
On a day-to-day basis, security tools such as Snort

33
00:02:06.240 --> 00:02:10.740
and Suricata may continuously monitor the network,

34
00:02:10.740 --> 00:02:14.460
comparing real-time traffic against this baseline

35
00:02:14.460 --> 00:02:16.920
to detect any deviations.

36
00:02:16.920 --> 00:02:19.830
In this example, Snort is an example

37
00:02:19.830 --> 00:02:24.090
of an intrusion detection system while Suricata can operate

38
00:02:24.090 --> 00:02:26.880
both as an intrusion detection system

39
00:02:26.880 --> 00:02:29.550
and intrusion prevention system,

40
00:02:29.550 --> 00:02:31.980
actively monitoring network traffic

41
00:02:31.980 --> 00:02:35.040
and identifying unusual patterns.

42
00:02:35.040 --> 00:02:38.700
At any rate, by analyzing network baselines,

43
00:02:38.700 --> 00:02:42.930
unusual behaviors such as a sudden surge in traffic

44
00:02:42.930 --> 00:02:47.340
or unexpected external connections can be detected.

45
00:02:47.340 --> 00:02:51.630
For instance, if a sudden spike in data is being sent

46
00:02:51.630 --> 00:02:54.660
to an unknown external IP address,

47
00:02:54.660 --> 00:02:58.830
this could indicate a potential data exfiltration attempt

48
00:02:58.830 --> 00:03:02.310
or malware trying to communicate with a command

49
00:03:02.310 --> 00:03:03.870
and control server.

50
00:03:03.870 --> 00:03:07.560
A significant increase in network traffic may also

51
00:03:07.560 --> 00:03:11.010
point to a distributed denial of service attack

52
00:03:11.010 --> 00:03:13.380
requiring immediate action.

53
00:03:13.380 --> 00:03:16.410
Second, we have system baselines.

54
00:03:16.410 --> 00:03:19.410
A system baseline tracks the normal usage

55
00:03:19.410 --> 00:03:23.910
of system resources such as CPU and memory

56
00:03:23.910 --> 00:03:26.400
and disk input and output.

57
00:03:26.400 --> 00:03:30.240
A system baseline reflects what regular system performance

58
00:03:30.240 --> 00:03:33.090
looks like under typical workloads.

59
00:03:33.090 --> 00:03:36.300
Establishing this baseline requires monitoring

60
00:03:36.300 --> 00:03:38.790
resource metrics over time

61
00:03:38.790 --> 00:03:40.920
and gathering data to determine

62
00:03:40.920 --> 00:03:45.630
what resource usage looks like during routine operations.

63
00:03:45.630 --> 00:03:49.170
Tools such as Windows PerfMon can be used

64
00:03:49.170 --> 00:03:51.300
to create system baselines

65
00:03:51.300 --> 00:03:54.840
by collecting performance metrics over time.

66
00:03:54.840 --> 00:03:58.650
Then, daily monitoring tools such as Datadog

67
00:03:58.650 --> 00:04:01.020
and Prometheus can be used

68
00:04:01.020 --> 00:04:04.830
to continuously compare real-time resource usage

69
00:04:04.830 --> 00:04:09.270
against the baseline, flagging any unexpected changes

70
00:04:09.270 --> 00:04:14.270
that could indicate a problem, such as a sudden spike in CPU

71
00:04:14.280 --> 00:04:16.800
usage or memory consumption.

72
00:04:16.800 --> 00:04:20.430
Now, once a system baseline is established,

73
00:04:20.430 --> 00:04:23.550
deviations can signal potential issues.

74
00:04:23.550 --> 00:04:28.230
For example, if a server's CPU usage suddenly spikes

75
00:04:28.230 --> 00:04:32.370
to 100% without reason, this could indicate malware

76
00:04:32.370 --> 00:04:35.520
running on the system or something consuming

77
00:04:35.520 --> 00:04:40.440
excessive resources, or a sustained high memory usage

78
00:04:40.440 --> 00:04:44.160
might suggest a memory leak in an application,

79
00:04:44.160 --> 00:04:46.890
which could eventually lead to a system crash

80
00:04:46.890 --> 00:04:48.420
if not addressed.

81
00:04:48.420 --> 00:04:53.100
So detecting anomalies early helps administrators respond

82
00:04:53.100 --> 00:04:56.520
before they escalate into bigger problems.

83
00:04:56.520 --> 00:04:59.730
Third, we have user baselines.

84
00:04:59.730 --> 00:05:04.230
User behavior baselines capture normal user activities,

85
00:05:04.230 --> 00:05:08.850
such as typical login times, access to specific files

86
00:05:08.850 --> 00:05:13.230
or systems, and the devices users log in from.

87
00:05:13.230 --> 00:05:15.210
Establishing a baseline

88
00:05:15.210 --> 00:05:18.270
for user behavior involves observing

89
00:05:18.270 --> 00:05:22.290
and recording these daily habits for each user.

90
00:05:22.290 --> 00:05:24.600
By doing so, the system learns

91
00:05:24.600 --> 00:05:27.390
what constitutes regular behavior.

92
00:05:27.390 --> 00:05:32.310
Tools like Splunk User Behavior Analytics can help establish

93
00:05:32.310 --> 00:05:36.420
these baselines by tracking and analyzing user activities

94
00:05:36.420 --> 00:05:37.770
over time.

95
00:05:37.770 --> 00:05:40.050
Monitoring can then be conducted

96
00:05:40.050 --> 00:05:44.880
to analyze real-time user activities against pre-established

97
00:05:44.880 --> 00:05:47.910
patterns, detecting any deviations

98
00:05:47.910 --> 00:05:52.680
that may indicate suspicious behavior or security threats.

99
00:05:52.680 --> 00:05:55.980
So once a user baseline is set,

100
00:05:55.980 --> 00:05:59.550
it becomes much easier to detect anomalies

101
00:05:59.550 --> 00:06:02.400
that could indicate a security threat.

102
00:06:02.400 --> 00:06:05.940
For example, if a user who normally logs in

103
00:06:05.940 --> 00:06:10.320
during business hours from a desktop suddenly logs in late

104
00:06:10.320 --> 00:06:14.100
at night from a foreign IP address, it could be a sign

105
00:06:14.100 --> 00:06:17.190
that the user's credentials have been compromised.

106
00:06:17.190 --> 00:06:21.180
Similarly, if a user starts accessing sensitive files

107
00:06:21.180 --> 00:06:24.510
or systems they don't typically interact with,

108
00:06:24.510 --> 00:06:28.920
it may suggest an insider threat or a compromised account.

109
00:06:28.920 --> 00:06:33.920
Fourth and last, we have application and service baselines.

110
00:06:33.990 --> 00:06:36.810
Application and service baselines establish

111
00:06:36.810 --> 00:06:40.590
what typical usage patterns and performance metrics

112
00:06:40.590 --> 00:06:44.130
look like for the applications and services

113
00:06:44.130 --> 00:06:46.440
running in an environment.

114
00:06:46.440 --> 00:06:50.130
These baselines might include normal response times,

115
00:06:50.130 --> 00:06:53.790
the number of active users, typical error rates,

116
00:06:53.790 --> 00:06:57.060
and the resources consumed by the application

117
00:06:57.060 --> 00:06:59.430
under normal operations.

118
00:06:59.430 --> 00:07:02.550
These patterns are gathered over time

119
00:07:02.550 --> 00:07:05.100
to create a reliable baseline.

120
00:07:05.100 --> 00:07:09.150
Then monitoring tools continuously compare current

121
00:07:09.150 --> 00:07:12.030
performance against these standards.

122
00:07:12.030 --> 00:07:15.630
Tools like AppDynamics can be used to establish

123
00:07:15.630 --> 00:07:17.700
and monitor these baselines

124
00:07:17.700 --> 00:07:22.170
by tracking application performance metrics over time,

125
00:07:22.170 --> 00:07:26.430
helping to identify anomalies and potential issues

126
00:07:26.430 --> 00:07:29.040
before they impact users.

127
00:07:29.040 --> 00:07:31.080
So when an application

128
00:07:31.080 --> 00:07:34.830
or a service deviates from its established baseline,

129
00:07:34.830 --> 00:07:37.500
it could signal an underlying issue.

130
00:07:37.500 --> 00:07:39.780
For instance, if an application

131
00:07:39.780 --> 00:07:43.380
that normally processes a certain number of transactions

132
00:07:43.380 --> 00:07:47.610
per hour suddenly experiences a significant slowdown

133
00:07:47.610 --> 00:07:51.240
or increased error rate, it might indicate

134
00:07:51.240 --> 00:07:54.240
performance issues or even a security breach,

135
00:07:54.240 --> 00:07:56.550
like a denial of service attack.

136
00:07:56.550 --> 00:08:00.810
Similarly, a service consuming significantly more resources

137
00:08:00.810 --> 00:08:05.190
than usual may suggest malware is exploiting vulnerabilities

138
00:08:05.190 --> 00:08:09.660
within that service, requiring immediate investigation.

139
00:08:09.660 --> 00:08:14.660
So remember, behavior baselines and analytics are essential

140
00:08:15.000 --> 00:08:18.030
for establishing normal patterns of activity

141
00:08:18.030 --> 00:08:22.920
across networks, systems, users, and applications.

142
00:08:22.920 --> 00:08:25.710
Once normal patterns are understood,

143
00:08:25.710 --> 00:08:29.250
anomalies indicating potential security threats

144
00:08:29.250 --> 00:08:30.720
can be detected.

145
00:08:30.720 --> 00:08:35.190
Next, network baselines help track typical traffic patterns

146
00:08:35.190 --> 00:08:38.910
and connections while system baselines monitor regular

147
00:08:38.910 --> 00:08:42.630
resource usage like CPU and memory.

148
00:08:42.630 --> 00:08:47.220
Then user behavior baselines focus on capturing normal

149
00:08:47.220 --> 00:08:51.600
activities such as login times and file access,

150
00:08:51.600 --> 00:08:55.680
allowing unusual behavior to be identified.

151
00:08:55.680 --> 00:08:59.820
Finally, application and service baselines track usage

152
00:08:59.820 --> 00:09:03.630
and performance metrics, helping detect deviations

153
00:09:03.630 --> 00:09:07.020
in response times or resource consumption.

154
00:09:07.020 --> 00:09:11.670
In the end, monitoring baselines consistently helps security

155
00:09:11.670 --> 00:09:14.520
teams quickly spot potential threats

156
00:09:14.520 --> 00:09:18.933
or performance issues across the enterprise environment.

