WEBVTT

1
00:00:00.000 --> 00:00:01.290
<v Instructor>In this lesson,</v>

2
00:00:01.290 --> 00:00:05.520
we will learn about detection and threat-hunting enablers.

3
00:00:05.520 --> 00:00:08.408
Detection and threat-hunting enablers are the tools

4
00:00:08.408 --> 00:00:11.931
and infrastructure that facilitate the discovery

5
00:00:11.931 --> 00:00:15.900
and investigation of threats within a network.

6
00:00:15.900 --> 00:00:18.824
Detection and threat-hunting enabler concepts

7
00:00:18.824 --> 00:00:23.070
include sensor placement, continuous monitoring,

8
00:00:23.070 --> 00:00:26.010
alerting, and centralized logging.

9
00:00:26.010 --> 00:00:28.785
Sensor placement involves strategically positioning

10
00:00:28.785 --> 00:00:32.130
monitoring devices across the network

11
00:00:32.130 --> 00:00:34.050
to capture critical data.

12
00:00:34.050 --> 00:00:35.637
Continuous monitoring ensures

13
00:00:35.637 --> 00:00:39.221
that all network activities are consistently tracked

14
00:00:39.221 --> 00:00:42.270
for any signs of malicious behavior.

15
00:00:42.270 --> 00:00:45.639
Next, alerting is used to trigger notifications

16
00:00:45.639 --> 00:00:48.300
based on predefined criteria.

17
00:00:48.300 --> 00:00:51.556
And finally, centralized logging aggregates logs

18
00:00:51.556 --> 00:00:54.974
from various sources into a single platform

19
00:00:54.974 --> 00:00:58.440
for easier and more efficient analysis.

20
00:00:58.440 --> 00:01:00.990
Let's learn more about sensor placement,

21
00:01:00.990 --> 00:01:05.280
continuous monitoring, alerting, and centralized logging.

22
00:01:05.280 --> 00:01:07.530
First, we have sensor placement.

23
00:01:07.530 --> 00:01:10.392
Sensor placement refers to the strategic deployment

24
00:01:10.392 --> 00:01:15.392
of monitoring devices, such as intrusion detection systems

25
00:01:15.540 --> 00:01:18.060
or intrusion prevention systems.

26
00:01:18.060 --> 00:01:20.940
These sensors act as digital eyes,

27
00:01:20.940 --> 00:01:22.813
continuously collecting data

28
00:01:22.813 --> 00:01:25.575
from various segments of the network,

29
00:01:25.575 --> 00:01:29.910
such as endpoints, firewalls, and data centers,

30
00:01:29.910 --> 00:01:33.270
and analyzing them for malicious activity.

31
00:01:33.270 --> 00:01:36.600
By positioning these sensors at key locations,

32
00:01:36.600 --> 00:01:38.790
such as on the network perimeter

33
00:01:38.790 --> 00:01:43.119
or within internal segments, security teams can ensure

34
00:01:43.119 --> 00:01:48.119
that no suspicious traffic or activity goes unnoticed.

35
00:01:48.540 --> 00:01:52.161
The importance of sensor placement lies in its ability

36
00:01:52.161 --> 00:01:56.447
to provide visibility into different network layers,

37
00:01:56.447 --> 00:02:00.660
allowing for faster detection of potential threats.

38
00:02:00.660 --> 00:02:03.030
Without properly placed sensors,

39
00:02:03.030 --> 00:02:05.538
attackers can slip through undetected,

40
00:02:05.538 --> 00:02:08.040
leading to security breaches.

41
00:02:08.040 --> 00:02:09.990
In an enterprise environment,

42
00:02:09.990 --> 00:02:13.320
tools like Zeek, which was formerly named Bro,

43
00:02:13.320 --> 00:02:16.320
can be placed at critical network junctions

44
00:02:16.320 --> 00:02:17.940
to monitor traffic.

45
00:02:17.940 --> 00:02:20.409
For instance, a sensor might be installed

46
00:02:20.409 --> 00:02:23.932
between the corporate network and the internet

47
00:02:23.932 --> 00:02:27.510
to monitor inbound and outbound traffic.

48
00:02:27.510 --> 00:02:31.489
Similarly, internal network segments, like server zones,

49
00:02:31.489 --> 00:02:35.024
may have sensors that capture east-west traffic,

50
00:02:35.024 --> 00:02:39.420
which is communication between devices inside the network.

51
00:02:39.420 --> 00:02:40.417
You might think about this

52
00:02:40.417 --> 00:02:42.608
like setting up surveillance cameras

53
00:02:42.608 --> 00:02:46.020
at entry points along hallways in a building,

54
00:02:46.020 --> 00:02:47.979
where each camera, which is a sensor,

55
00:02:47.979 --> 00:02:52.350
is capturing valuable data from different perspectives.

56
00:02:52.350 --> 00:02:55.085
In all cases, the effectiveness of monitoring

57
00:02:55.085 --> 00:02:58.013
relies on strategically placing sensors

58
00:02:58.013 --> 00:03:01.009
to capture critical traffic flows,

59
00:03:01.009 --> 00:03:03.470
giving security teams the ability

60
00:03:03.470 --> 00:03:06.900
to detect suspicious patterns early.

61
00:03:06.900 --> 00:03:09.359
Second, we have continuous monitoring.

62
00:03:09.359 --> 00:03:11.746
Continuous monitoring is the practice

63
00:03:11.746 --> 00:03:15.692
of maintaining a constant watch over the network,

64
00:03:15.692 --> 00:03:17.674
systems, and endpoints

65
00:03:17.674 --> 00:03:21.660
to detect abnormal activities in real time.

66
00:03:21.660 --> 00:03:24.761
Instead of relying on periodic reviews,

67
00:03:24.761 --> 00:03:29.487
continuous monitoring ensures that any unauthorized access

68
00:03:29.487 --> 00:03:34.140
or changes to the environment are flagged instantly.

69
00:03:34.140 --> 00:03:36.420
This is important for threat-hunting

70
00:03:36.420 --> 00:03:39.300
because cyber threats evolve quickly,

71
00:03:39.300 --> 00:03:43.500
and real-time insight allows for immediate investigation

72
00:03:43.500 --> 00:03:46.860
and response, limiting potential damage.

73
00:03:46.860 --> 00:03:50.055
Continuous monitoring also provides the capability

74
00:03:50.055 --> 00:03:53.580
to spot deviations from normal behavior,

75
00:03:53.580 --> 00:03:57.169
which could indicate the early stages of an attack.

76
00:03:57.169 --> 00:03:59.370
In an enterprise environment,

77
00:03:59.370 --> 00:04:02.400
continuous monitoring may be implemented

78
00:04:02.400 --> 00:04:04.560
using tools like Splunk

79
00:04:04.560 --> 00:04:07.740
or security information and event management

80
00:04:07.740 --> 00:04:09.360
or SIEM systems.

81
00:04:09.360 --> 00:04:12.920
These platforms gather data from various sources

82
00:04:12.920 --> 00:04:16.740
such as firewalls, antivirus software,

83
00:04:16.740 --> 00:04:18.659
and network traffic logs,

84
00:04:18.659 --> 00:04:23.190
and they apply rules to detect suspicious behavior.

85
00:04:23.190 --> 00:04:27.580
For example, continuous monitoring may detect a sudden surge

86
00:04:27.580 --> 00:04:32.160
in outbound traffic from an internal database server,

87
00:04:32.160 --> 00:04:35.580
potentially indicating data exfiltration.

88
00:04:35.580 --> 00:04:39.480
In a physical security example, in a security control room

89
00:04:39.480 --> 00:04:42.476
where guards are constantly watching surveillance feeds,

90
00:04:42.476 --> 00:04:46.671
continuous monitoring allows the security team to spot

91
00:04:46.671 --> 00:04:50.550
and react to threats immediately as they happen.

92
00:04:50.550 --> 00:04:52.591
Third, we have alerting.

93
00:04:52.591 --> 00:04:57.041
Alerting involves setting up predefined rules or thresholds

94
00:04:57.041 --> 00:04:59.100
that trigger notifications

95
00:04:59.100 --> 00:05:02.250
when suspicious events are detected.

96
00:05:02.250 --> 00:05:06.000
For instance, when something out of the ordinary happens,

97
00:05:06.000 --> 00:05:08.550
like multiple failed login attempts,

98
00:05:08.550 --> 00:05:10.740
unusual outbound traffic,

99
00:05:10.740 --> 00:05:15.030
or access to sensitive files from an unusual location,

100
00:05:15.030 --> 00:05:18.720
the system sends an alert to the security team.

101
00:05:18.720 --> 00:05:22.050
Alerting allows the team to prioritize incidents

102
00:05:22.050 --> 00:05:26.160
and investigate them before a threat escalates.

103
00:05:26.160 --> 00:05:28.650
So, without timely alerts,

104
00:05:28.650 --> 00:05:31.770
suspicious activities might go unnoticed

105
00:05:31.770 --> 00:05:34.590
until significant damage has been done.

106
00:05:34.590 --> 00:05:37.110
In the real world, tools like Splunk

107
00:05:37.110 --> 00:05:41.730
or Palo Alto Networks can be configured to generate alerts

108
00:05:41.730 --> 00:05:43.920
when certain conditions are met.

109
00:05:43.920 --> 00:05:46.761
For example, an alert might be set to trigger

110
00:05:46.761 --> 00:05:49.649
if there are multiple failed login attempts

111
00:05:49.649 --> 00:05:51.810
within a short timeframe,

112
00:05:51.810 --> 00:05:54.930
indicating a potential brute force attack.

113
00:05:54.930 --> 00:05:56.731
In a physical implementation,

114
00:05:56.731 --> 00:06:00.060
this is similar to a fire alarm in a building.

115
00:06:00.060 --> 00:06:01.441
It won't put out the fire,

116
00:06:01.441 --> 00:06:04.920
but it will sound the alarm when smoke is detected,

117
00:06:04.920 --> 00:06:08.910
giving people time to react before the fire spreads.

118
00:06:08.910 --> 00:06:10.080
In the same way,

119
00:06:10.080 --> 00:06:13.160
alerting gives security teams the heads-up they need

120
00:06:13.160 --> 00:06:16.487
to investigate and respond to potential threats

121
00:06:16.487 --> 00:06:19.457
before they cause significant harm.

122
00:06:19.457 --> 00:06:22.980
Fourth and last, we have centralized logging.

123
00:06:22.980 --> 00:06:27.540
Centralized logging refers to the aggregation of log data

124
00:06:27.540 --> 00:06:30.412
from various network devices, servers,

125
00:06:30.412 --> 00:06:35.340
applications, and security tools in one location.

126
00:06:35.340 --> 00:06:39.412
This consolidated log data then allows for easier

127
00:06:39.412 --> 00:06:41.511
and more efficient analysis

128
00:06:41.511 --> 00:06:45.996
as it provides a complete view of the network's activity.

129
00:06:45.996 --> 00:06:50.160
Centralized logging enables threat detection and hunting

130
00:06:50.160 --> 00:06:53.609
because it helps identify patterns and correlations

131
00:06:53.609 --> 00:06:56.640
across different parts of the network.

132
00:06:56.640 --> 00:06:59.423
So, by having all logs in one place,

133
00:06:59.423 --> 00:07:03.089
security teams can more easily spot anomalies

134
00:07:03.089 --> 00:07:06.690
that might indicate an attack in progress

135
00:07:06.690 --> 00:07:09.000
or an ongoing compromise.

136
00:07:09.000 --> 00:07:12.893
An example of centralized logging in an enterprise

137
00:07:12.893 --> 00:07:16.430
could involve a SIEM tool like ELK Stack,

138
00:07:16.430 --> 00:07:19.200
which stands for Elasticsearch,

139
00:07:19.200 --> 00:07:22.811
Logstash, and Kibana, where logs from firewalls,

140
00:07:22.811 --> 00:07:24.783
intrusion detection systems,

141
00:07:24.783 --> 00:07:28.350
intrusion prevention systems, web servers,

142
00:07:28.350 --> 00:07:31.623
and endpoint protection systems are all funneled

143
00:07:31.623 --> 00:07:35.370
into a central location and platform.

144
00:07:35.370 --> 00:07:39.330
In a physical example, this is like having a central hub

145
00:07:39.330 --> 00:07:41.490
for security camera footage

146
00:07:41.490 --> 00:07:44.970
across an entire building or campus.

147
00:07:44.970 --> 00:07:46.935
So, rather than having to check

148
00:07:46.935 --> 00:07:49.615
each camera's individual feed,

149
00:07:49.615 --> 00:07:52.936
the footage can be pulled to one location.

150
00:07:52.936 --> 00:07:56.745
In the same way, the enterprise network security team

151
00:07:56.745 --> 00:08:01.200
has a unified place to perform threat-hunting activities,

152
00:08:01.200 --> 00:08:05.070
searching through logs for evidence of suspicious patterns,

153
00:08:05.070 --> 00:08:08.490
like repeated access attempts to restricted files

154
00:08:08.490 --> 00:08:10.119
across different systems.

155
00:08:10.119 --> 00:08:14.080
So, centralized logging makes threat detection faster

156
00:08:14.080 --> 00:08:17.720
and more effective by simplifying the process

157
00:08:17.720 --> 00:08:21.939
of analyzing diverse logs in a unified way.

158
00:08:21.939 --> 00:08:26.400
So, remember, detection and threat-hunting enablers

159
00:08:26.400 --> 00:08:31.205
provide the necessary tools and infrastructure to identify

160
00:08:31.205 --> 00:08:35.490
and investigate potential threats within a network.

161
00:08:35.490 --> 00:08:39.480
These include sensor placement, continuous monitoring,

162
00:08:39.480 --> 00:08:42.180
alerting, and centralized logging.

163
00:08:42.180 --> 00:08:46.440
Sensor placement involves strategically positioning devices

164
00:08:46.440 --> 00:08:50.280
to capture critical network data for analysis.

165
00:08:50.280 --> 00:08:53.610
Next, continuous monitoring keeps a constant watch

166
00:08:53.610 --> 00:08:55.950
over network activities,

167
00:08:55.950 --> 00:08:59.520
detecting suspicious behavior in real time.

168
00:08:59.520 --> 00:09:03.180
Then, alerting uses predefined criteria

169
00:09:03.180 --> 00:09:07.980
to notify security teams when unusual activities occur,

170
00:09:07.980 --> 00:09:10.350
allowing for quick responses.

171
00:09:10.350 --> 00:09:13.759
And finally, centralized logging consolidates data

172
00:09:13.759 --> 00:09:17.129
from various sources into one location,

173
00:09:17.129 --> 00:09:20.869
making it easier for security teams to analyze

174
00:09:20.869 --> 00:09:23.793
and detect potential threats.

