WEBVTT

1
00:00:00.180 --> 00:00:03.750
<v Instructor>In this lesson, we will learn about alerting.</v>

2
00:00:03.750 --> 00:00:07.710
Alerting is the process of notifying security teams

3
00:00:07.710 --> 00:00:11.580
about potential threats or suspicious activities

4
00:00:11.580 --> 00:00:15.600
based on predefined rules and event triggers.

5
00:00:15.600 --> 00:00:17.790
Alerting concepts include

6
00:00:17.790 --> 00:00:20.850
alerts associated with vulnerabilities,

7
00:00:20.850 --> 00:00:25.230
false positives, false negatives, malware,

8
00:00:25.230 --> 00:00:27.270
and alert failures.

9
00:00:27.270 --> 00:00:31.350
Vulnerabilities in the system can only generate alerts

10
00:00:31.350 --> 00:00:33.210
if they are detected.

11
00:00:33.210 --> 00:00:35.760
Actual vulnerabilities that are detected

12
00:00:35.760 --> 00:00:38.280
are considered true positives.

13
00:00:38.280 --> 00:00:42.480
False positives are alerts for non-malicious activities

14
00:00:42.480 --> 00:00:44.940
wrongly flagged as threats.

15
00:00:44.940 --> 00:00:47.340
Next, false negatives occur

16
00:00:47.340 --> 00:00:50.370
when legitimate threats go undetected.

17
00:00:50.370 --> 00:00:54.510
Malware alerts notify the team of potential infections.

18
00:00:54.510 --> 00:00:58.770
And alert failures, such as missed or delayed notifications,

19
00:00:58.770 --> 00:01:02.400
can lead to critical threats being overlooked.

20
00:01:02.400 --> 00:01:03.750
Let's learn more about

21
00:01:03.750 --> 00:01:06.660
alerts associated with vulnerabilities,

22
00:01:06.660 --> 00:01:10.620
false positives, false negatives, malware,

23
00:01:10.620 --> 00:01:12.690
and alert failures.

24
00:01:12.690 --> 00:01:17.610
First, we have alerts associated with vulnerabilities.

25
00:01:17.610 --> 00:01:20.580
Alerts related to vulnerabilities occur

26
00:01:20.580 --> 00:01:25.020
when potential security weaknesses in a system are detected,

27
00:01:25.020 --> 00:01:29.640
triggering a notification for security teams to take action.

28
00:01:29.640 --> 00:01:32.310
These alerts help prevent cyberattacks

29
00:01:32.310 --> 00:01:35.970
by allowing the security team to address weaknesses

30
00:01:35.970 --> 00:01:38.430
before they can be exploited.

31
00:01:38.430 --> 00:01:39.660
For instance,

32
00:01:39.660 --> 00:01:43.320
if a web server has an unpatched vulnerability,

33
00:01:43.320 --> 00:01:48.120
a SIEM or a security information and event management system

34
00:01:48.120 --> 00:01:51.270
may generate an alert when suspicious behavior

35
00:01:51.270 --> 00:01:55.140
that could exploit this vulnerability is detected.

36
00:01:55.140 --> 00:01:59.280
This gives the security teams an opportunity to act,

37
00:01:59.280 --> 00:02:01.080
patch the vulnerability,

38
00:02:01.080 --> 00:02:03.270
and safeguard the network.

39
00:02:03.270 --> 00:02:06.150
Tools like file integrity monitoring

40
00:02:06.150 --> 00:02:08.970
can also help by generating alerts

41
00:02:08.970 --> 00:02:13.020
when critical system files change unexpectedly,

42
00:02:13.020 --> 00:02:16.500
helping to identify potential vulnerabilities

43
00:02:16.500 --> 00:02:19.080
and exploits early on.

44
00:02:19.080 --> 00:02:21.030
In an enterprise environment,

45
00:02:21.030 --> 00:02:25.560
attackers are constantly looking to exploit any weaknesses.

46
00:02:25.560 --> 00:02:27.450
So vulnerabilities

47
00:02:27.450 --> 00:02:31.590
such as unpatched software or misconfigured systems

48
00:02:31.590 --> 00:02:33.810
can be entry points for attackers

49
00:02:33.810 --> 00:02:36.660
aiming to compromise sensitive data

50
00:02:36.660 --> 00:02:39.270
or disrupt critical services.

51
00:02:39.270 --> 00:02:41.640
Without proper alerting systems,

52
00:02:41.640 --> 00:02:44.670
these vulnerabilities can go unnoticed,

53
00:02:44.670 --> 00:02:47.130
increasing the risk of breach.

54
00:02:47.130 --> 00:02:51.990
So by having a well-configured alert system in place,

55
00:02:51.990 --> 00:02:53.700
enterprises can receive

56
00:02:53.700 --> 00:02:57.330
timely notifications of potential issues,

57
00:02:57.330 --> 00:03:00.090
allowing the security team to address them

58
00:03:00.090 --> 00:03:02.220
before they are exploited.

59
00:03:02.220 --> 00:03:05.190
These alerts ensure that vulnerabilities

60
00:03:05.190 --> 00:03:07.860
are prioritized and remediated

61
00:03:07.860 --> 00:03:11.400
as part of the overall security strategy.

62
00:03:11.400 --> 00:03:16.080
Vulnerability scanners focus on identifying weaknesses

63
00:03:16.080 --> 00:03:20.580
such as unpatched software or misconfigurations,

64
00:03:20.580 --> 00:03:25.580
while SIEM tools like Splunk or QRadar continuously monitor

65
00:03:25.650 --> 00:03:30.510
network traffic, system logs, and application activity

66
00:03:30.510 --> 00:03:34.650
for abnormal behavior or potential threats.

67
00:03:34.650 --> 00:03:39.210
SIEM tools can also integrate with other security systems

68
00:03:39.210 --> 00:03:42.300
such as file integrity monitoring

69
00:03:42.300 --> 00:03:44.400
and endpoint protection

70
00:03:44.400 --> 00:03:46.680
to provide a comprehensive view

71
00:03:46.680 --> 00:03:50.070
of the organization's security posture.

72
00:03:50.070 --> 00:03:50.970
Together,

73
00:03:50.970 --> 00:03:55.290
these systems can detect deviations from expected baselines,

74
00:03:55.290 --> 00:03:57.600
identify vulnerabilities,

75
00:03:57.600 --> 00:04:00.930
and trigger alerts when action is required,

76
00:04:00.930 --> 00:04:04.800
helping organizations stay ahead of potential threats

77
00:04:04.800 --> 00:04:08.610
and maintain compliance with regulatory standards

78
00:04:08.610 --> 00:04:12.330
like the Payment Card Industry Data Security Standard

79
00:04:12.330 --> 00:04:14.550
or PCI DSS

80
00:04:14.550 --> 00:04:18.630
and the Health Insurance Portability and Accountability Act

81
00:04:18.630 --> 00:04:19.860
or HIPAA.

82
00:04:19.860 --> 00:04:24.750
Second, we have false positives and false negatives.

83
00:04:24.750 --> 00:04:27.240
A false positive is when a system

84
00:04:27.240 --> 00:04:32.240
incorrectly identifies normal behavior as malicious activity

85
00:04:32.580 --> 00:04:36.000
resulting in unnecessary alerts.

86
00:04:36.000 --> 00:04:37.890
In large enterprises,

87
00:04:37.890 --> 00:04:41.490
false positives can overwhelm security teams

88
00:04:41.490 --> 00:04:43.440
causing alert fatigue

89
00:04:43.440 --> 00:04:46.920
and potentially distracting from real threats.

90
00:04:46.920 --> 00:04:50.430
Regular updates and the fine-tuning of tools

91
00:04:50.430 --> 00:04:53.520
like file integrity management databases

92
00:04:53.520 --> 00:04:56.220
or data loss prevention filters

93
00:04:56.220 --> 00:05:00.570
are necessary to reduce false positive occurrences,

94
00:05:00.570 --> 00:05:04.440
ensuring only legitimate risks are flagged.

95
00:05:04.440 --> 00:05:07.830
False negatives, on the other hand, are more dangerous

96
00:05:07.830 --> 00:05:12.750
because they occur when a legitimate threat goes undetected.

97
00:05:12.750 --> 00:05:15.630
This can leave a system vulnerable to an attack

98
00:05:15.630 --> 00:05:18.900
without any warning to the security team.

99
00:05:18.900 --> 00:05:20.250
For example,

100
00:05:20.250 --> 00:05:22.050
an intrusion detection system

101
00:05:22.050 --> 00:05:25.470
might fail to detect a sophisticated attack

102
00:05:25.470 --> 00:05:28.530
that does not match any known signatures,

103
00:05:28.530 --> 00:05:31.470
thus producing a false negative.

104
00:05:31.470 --> 00:05:35.370
So enterprises rely on continuous updates

105
00:05:35.370 --> 00:05:37.680
to intrusion detection systems

106
00:05:37.680 --> 00:05:40.170
and intrusion prevention systems

107
00:05:40.170 --> 00:05:44.670
and anomaly detection to minimize false negatives.

108
00:05:44.670 --> 00:05:47.550
Third, we have malware.

109
00:05:47.550 --> 00:05:51.000
Malware alerts notify security teams

110
00:05:51.000 --> 00:05:53.880
when a system detects malicious software

111
00:05:53.880 --> 00:05:57.630
like viruses, worms, or ransomware.

112
00:05:57.630 --> 00:06:00.750
These alerts protect enterprise systems

113
00:06:00.750 --> 00:06:05.250
as malware can cause data breaches, disrupt services,

114
00:06:05.250 --> 00:06:07.710
or result in data loss.

115
00:06:07.710 --> 00:06:11.010
Antivirus and anti-malware solutions

116
00:06:11.010 --> 00:06:13.290
such as Windows Defender

117
00:06:13.290 --> 00:06:16.110
play a key role in detecting malware

118
00:06:16.110 --> 00:06:20.190
by using a combination of signature-based detection,

119
00:06:20.190 --> 00:06:24.330
heuristic analysis, and behavioral monitoring.

120
00:06:24.330 --> 00:06:26.640
Signature-based detection involves

121
00:06:26.640 --> 00:06:29.340
comparing files and processes

122
00:06:29.340 --> 00:06:33.210
against a known database of malware signatures.

123
00:06:33.210 --> 00:06:35.100
While heuristic analysis

124
00:06:35.100 --> 00:06:37.980
looks for suspicious patterns in code

125
00:06:37.980 --> 00:06:40.620
that resemble malicious behavior.

126
00:06:40.620 --> 00:06:43.410
Behavioral monitoring, on the other hand,

127
00:06:43.410 --> 00:06:46.410
detects unusual system activities

128
00:06:46.410 --> 00:06:49.980
such as unauthorized file modifications

129
00:06:49.980 --> 00:06:51.900
or network connections,

130
00:06:51.900 --> 00:06:55.410
which could indicate an active malware infection.

131
00:06:55.410 --> 00:06:58.290
So in an enterprise network,

132
00:06:58.290 --> 00:07:01.500
anti-malware systems continuously scan

133
00:07:01.500 --> 00:07:05.250
files, processes, and network traffic

134
00:07:05.250 --> 00:07:08.280
to identify malicious activity.

135
00:07:08.280 --> 00:07:10.380
When malware is detected,

136
00:07:10.380 --> 00:07:15.380
anti-malware tools generate alerts and log the incident,

137
00:07:15.420 --> 00:07:17.640
allowing the security team

138
00:07:17.640 --> 00:07:20.610
to investigate and contain the threat.

139
00:07:20.610 --> 00:07:25.610
Advanced anti-malware systems often use real-time scanning

140
00:07:25.950 --> 00:07:30.360
where files are checked as they are accessed or modified,

141
00:07:30.360 --> 00:07:31.830
and sandboxing

142
00:07:31.830 --> 00:07:34.230
where suspicious files are executed

143
00:07:34.230 --> 00:07:38.250
in a controlled environment to observe their behavior.

144
00:07:38.250 --> 00:07:43.020
For example, if ransomware is detected encrypting files,

145
00:07:43.020 --> 00:07:46.620
anti-malware solutions can immediately quarantine

146
00:07:46.620 --> 00:07:48.270
the affected system,

147
00:07:48.270 --> 00:07:52.110
stopping the spread of the infection across the network.

148
00:07:52.110 --> 00:07:55.590
This layered approach helps enterprises defend

149
00:07:55.590 --> 00:07:59.850
against both known malware and emerging threats,

150
00:07:59.850 --> 00:08:03.720
ensuring timely detection and remediation.

151
00:08:03.720 --> 00:08:07.920
Fourth and last, we have alert failures.

152
00:08:07.920 --> 00:08:12.030
Alert failures happen when an alert is either delayed,

153
00:08:12.030 --> 00:08:13.980
not generated at all,

154
00:08:13.980 --> 00:08:16.590
or missed by the security team,

155
00:08:16.590 --> 00:08:21.240
potentially allowing a threat to escalate unchecked.

156
00:08:21.240 --> 00:08:23.400
In an enterprise environment,

157
00:08:23.400 --> 00:08:25.680
missed alerts can be catastrophic

158
00:08:25.680 --> 00:08:29.790
if they involve critical systems or sensitive data.

159
00:08:29.790 --> 00:08:33.330
These failures can arise from several factors,

160
00:08:33.330 --> 00:08:38.220
including misconfiguration, poor prioritization of alerts,

161
00:08:38.220 --> 00:08:40.350
or overloaded security tools

162
00:08:40.350 --> 00:08:43.890
that struggle to handle large volumes of data.

163
00:08:43.890 --> 00:08:47.100
Misconfiguration of security tools results

164
00:08:47.100 --> 00:08:51.240
in a failure to trigger alerts for malicious activity.

165
00:08:51.240 --> 00:08:54.990
For example, a firewall might be misconfigured

166
00:08:54.990 --> 00:08:58.020
and allow traffic that should be blocked,

167
00:08:58.020 --> 00:09:02.790
or a SIEM could have incomplete or outdated rules,

168
00:09:02.790 --> 00:09:06.510
leading to missing key indicators of compromise.

169
00:09:06.510 --> 00:09:07.860
In these cases,

170
00:09:07.860 --> 00:09:10.710
the system may not generate an alert

171
00:09:10.710 --> 00:09:13.350
when malicious activity occurs,

172
00:09:13.350 --> 00:09:16.590
allowing threats to bypass detection.

173
00:09:16.590 --> 00:09:19.830
So ensuring proper configuration,

174
00:09:19.830 --> 00:09:21.540
updating rule sets,

175
00:09:21.540 --> 00:09:24.690
and testing alerting mechanisms regularly

176
00:09:24.690 --> 00:09:27.690
are necessary to avoid this issue.

177
00:09:27.690 --> 00:09:32.100
Next, poor prioritization of alerts is another factor

178
00:09:32.100 --> 00:09:35.610
that can lead to missed or ignored threats.

179
00:09:35.610 --> 00:09:40.080
Security teams often receive thousands of alerts daily.

180
00:09:40.080 --> 00:09:41.430
And if these alerts

181
00:09:41.430 --> 00:09:44.550
are not properly categorized by severity,

182
00:09:44.550 --> 00:09:47.460
important alerts may be overlooked.

183
00:09:47.460 --> 00:09:48.780
For example,

184
00:09:48.780 --> 00:09:51.600
if alerts for suspicious network activity

185
00:09:51.600 --> 00:09:53.670
are given the same priority

186
00:09:53.670 --> 00:09:56.700
as routine administrative actions,

187
00:09:56.700 --> 00:10:00.510
a critical threat like a data exfiltration attempt

188
00:10:00.510 --> 00:10:04.950
might get buried among lower priority notifications.

189
00:10:04.950 --> 00:10:09.450
So implementing a robust prioritization system

190
00:10:09.450 --> 00:10:12.270
where alerts are ranked based on factors

191
00:10:12.270 --> 00:10:16.020
like threat severity, impact, and likelihood

192
00:10:16.020 --> 00:10:17.970
helps security teams focus

193
00:10:17.970 --> 00:10:21.210
on the most pressing issues first.

194
00:10:21.210 --> 00:10:24.330
Last, overloaded security tools

195
00:10:24.330 --> 00:10:28.140
are another major cause of alert failures.

196
00:10:28.140 --> 00:10:29.970
In large enterprises,

197
00:10:29.970 --> 00:10:34.350
the sheer volume of data generated by network traffic,

198
00:10:34.350 --> 00:10:37.680
system logs, and endpoint activity

199
00:10:37.680 --> 00:10:40.590
can overwhelm security systems,

200
00:10:40.590 --> 00:10:43.980
causing them to miss or delay alerts.

201
00:10:43.980 --> 00:10:45.360
For instance,

202
00:10:45.360 --> 00:10:49.290
a SIEM processing millions of events per second

203
00:10:49.290 --> 00:10:54.290
may struggle to analyze all incoming data in real time,

204
00:10:54.690 --> 00:10:59.370
leading to delays in alert generation or system crashes.

205
00:10:59.370 --> 00:11:01.650
So to address this,

206
00:11:01.650 --> 00:11:05.400
enterprises can deploy scalable architectures,

207
00:11:05.400 --> 00:11:09.780
use cloud-based SIEM solutions to handle large data volumes,

208
00:11:09.780 --> 00:11:11.400
and implement strategies

209
00:11:11.400 --> 00:11:14.850
like event filtering or data aggregation

210
00:11:14.850 --> 00:11:18.750
to reduce the load on their security tools.

211
00:11:18.750 --> 00:11:21.870
Overall, preventing alert failures

212
00:11:21.870 --> 00:11:25.740
helps ensure a secure enterprise environment.

213
00:11:25.740 --> 00:11:28.290
Regular maintenance of SIEM systems,

214
00:11:28.290 --> 00:11:31.320
proper configuration of alert rules,

215
00:11:31.320 --> 00:11:35.160
and ensuring that alerts are correctly prioritized

216
00:11:35.160 --> 00:11:36.960
are the first steps.

217
00:11:36.960 --> 00:11:40.650
Next, enterprises can use automated tools

218
00:11:40.650 --> 00:11:42.900
like intrusion prevention systems

219
00:11:42.900 --> 00:11:45.450
to not only generate alerts,

220
00:11:45.450 --> 00:11:47.880
but also take immediate action,

221
00:11:47.880 --> 00:11:50.370
such as blocking malicious traffic

222
00:11:50.370 --> 00:11:54.000
in case an alert is delayed or missed.

223
00:11:54.000 --> 00:11:57.390
By ensuring redundancy in monitoring systems

224
00:11:57.390 --> 00:12:00.990
along with the continuous tuning of alert tools,

225
00:12:00.990 --> 00:12:02.760
organizations can reduce

226
00:12:02.760 --> 00:12:06.390
the likelihood of critical alert failures.

227
00:12:06.390 --> 00:12:08.670
So remember,

228
00:12:08.670 --> 00:12:12.930
alerting is the process of notifying security teams

229
00:12:12.930 --> 00:12:14.850
about potential threats

230
00:12:14.850 --> 00:12:18.510
based on predefined rules and triggers.

231
00:12:18.510 --> 00:12:22.020
Alerts can be associated with the vulnerabilities,

232
00:12:22.020 --> 00:12:25.740
false positives, false negatives, malware,

233
00:12:25.740 --> 00:12:27.750
and alert failures.

234
00:12:27.750 --> 00:12:30.630
Vulnerability alerts notify teams

235
00:12:30.630 --> 00:12:33.780
when weaknesses are detected in a system,

236
00:12:33.780 --> 00:12:38.100
allowing action to be taken before exploitation.

237
00:12:38.100 --> 00:12:40.530
Next, false positives occur

238
00:12:40.530 --> 00:12:43.800
when benign activity is flagged as malicious.

239
00:12:43.800 --> 00:12:46.260
While false negatives involve

240
00:12:46.260 --> 00:12:49.410
legitimate threats going undetected.

241
00:12:49.410 --> 00:12:53.070
Then malware alerts inform security teams

242
00:12:53.070 --> 00:12:55.050
of potential infections,

243
00:12:55.050 --> 00:12:58.770
enabling swift action to contain the threat.

244
00:12:58.770 --> 00:13:01.710
And finally, alert failures happen

245
00:13:01.710 --> 00:13:05.100
when notifications are delayed or missed,

246
00:13:05.100 --> 00:13:09.600
often due to misconfigurations, poor prioritization,

247
00:13:09.600 --> 00:13:12.540
or overwhelmed security tools,

248
00:13:12.540 --> 00:13:15.363
leading to unchecked threats.

