
June 9, 2025 44 mins


Dive deep into the critical world of security logging and monitoring as we explore Domain 7.2 of the CISSP certification. This episode unpacks the strategic considerations behind effective logging practices that balance comprehensive visibility with practical resource management.

We begin with a thought-provoking look at Anthropic's new AI chatbot designed specifically for classified government environments. Could this be the beginning of something like Skynet? While AI offers tremendous capabilities for processing classified data, these developments raise important questions about reliability, oversight, and unintended consequences.

The heart of this episode focuses on building a robust logging and monitoring strategy. We examine the various types of logs you should consider—security logs, system logs, application logs, network logs, and database logs—while emphasizing the importance of starting small and focusing on critical systems. You'll learn why centralized logging through SIEM platforms has become the industry standard, and how to approach log retention policies that balance regulatory requirements with storage costs.

Active monitoring, passive monitoring, and the correlation of events each serve distinct security purposes. We explore how techniques like log sampling and clipping levels can help manage the overwhelming volume of data modern networks generate, while highlighting the risks of missing critical security events if these techniques aren't properly implemented.

Special attention is given to egress monitoring—watching what leaves your network—as a crucial but often overlooked security practice. Since attackers ultimately need to extract data from compromised systems, monitoring outbound traffic can catch breaches even when the initial compromise was missed.

The episode rounds out with discussions on emerging technologies transforming the security monitoring landscape: SOAR tools that automate security operations, the integration of AI and machine learning for threat detection, and the strategic use of threat intelligence to understand attacker methodologies through frameworks like the cyber kill chain.

Whether you're preparing for the CISSP exam or working to strengthen your organization's security monitoring capabilities, this episode provides both the conceptual understanding and practical considerations you need. Connect with us at CISSP Cyber Training for more resources to support your certification journey.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started. Let's go cybersecurity knowledge.

Speaker 2 (00:28):
All right, let's get started. Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today we are going to begin domain 7. Yeah, domain 7.2 of conducting logging and monitoring activities. So this is an ongoing saga that we have with CISSP Cyber Training and we are pretty excited about the fact that we get to provide you some great content.

(00:50):
Again, 7.2 is what we're going to be chatting about today, but before we do, had an article I wanted to bring up and get it in front of your attention. So this is an article out of Ars Technica, and they talk about Anthropic. So Anthropic is releasing an AI chatbot specifically for classified use.

(01:10):
Now it's called Claude Gov is what it's designed for, and it's designed specifically for around national security and intelligence agencies. So the goal of it is to take all this information in a classified setting and use a chatbot that is creating for defense-related documents. It's going to be handling all kinds of things that are critical to national security.

(01:31):
Well, is there any downside to this? I don't know. This really does start to sound like Skynet. Yeah, Skynet's coming. We just don't realize it yet, or it's probably already here and we just don't even know it, but this point of using ChatGPT Gov was introduced in 2025. And this is a wider push by a lot of AI firms to get their fingers into the government and military complex and the ability

(01:55):
to use their chat capabilities to search gobs of data. Now, coming from a classified environment, living that for many, many, many years, yes, I can definitely see the value in this. There's some huge value in having AI inside the government apparatus to be able to look through classified and unclassified data.

(02:16):
Obviously, as you're studying for the CISSP, you understand the permissions around this can be substantial and you're going to want to make sure that those are pretty tight. But, that being said, there's so much information in the classified networks that you never actually have a good understanding of what's out there. It doesn't matter if it's the Chinese get classified. Russian, French, Israeli, US, everybody creates gobs and gobs

(02:39):
of data that has not been searchable for the most part. I mean, you can kind of poke around and I'm sure it's better than when I was in there, but the bottom line is is that it's been really hard to do. So does this make sense? Yes, it does make total sense. However, there are some questions I have, and one of the things around is the reliability, and even the article

(03:00):
brings this up, is the reliability of the intelligence that this thing is able to garner from that. Now I go back, you know, reverse the course back to Saddam Hussein in the Desert Storm, and some of you might be listening this going Desert, what? Yeah, this is a while ago, right, so I'm showing my age. But Saddam Hussein, we basically invaded Iraq to because of the

(03:23):
fact that that we felt that Saddam Hussein had chemical weapons, and that was the US government thought that. Now, being said, whether it's a conspiracy theory, whether it was all Bush trying to push it, who knows, don't care. At this point, doesn't really matter. The point of it is they got it wrong, right, they got it wrong based on the intelligence they had. So now you add AI into this, and then you add Skynet, and then

(03:47):
now, all of a sudden, AI is smart and AI starts thinking on its own and it starts feeding you information to make you do things that it wants you to go do. Yeah, Mission Impossible, Fallout, whatever the most recent Mission Impossible thing all over again. So again, that's obviously fast forwarding a bit and that's kind of creepy scary, but the point of it is is that this is

(04:09):
something that Anthropic is releasing their AI chatbot to work on specific classified work. It's moving in this direction. So I say all this if you're listening to this, you probably are dealing with AI in your organization. Hey, come visit me with Nextpeak.net and we can help you with that as well. We've developed an actual AI cybersecurity framework, risk

(04:31):
framework for you. So, yeah, it doesn't really matter where you go and get this risk analysis done. You need to get it done somewhere, because if you think that you don't have AI in your environment, maybe you don't, but you will soon. So it's imperative that you start thinking ahead of this now. I'm working with some really strong contracts right now and these folks are now starting to go oh yeah, AI is coming. You better look at it.

(04:51):
I truly believe it, and this is just another example of that. Okay so, let's go ahead and get into what we're going to talk about today. Okay so this is domain 7.2, conducting logging and monitoring activities. So this is a big part of the CISSP. Logging and monitoring is a huge factor and it's something you really need to be understanding and you need to be

(05:12):
prepared for as it relates to taking the test. So what is logging and monitoring? Well, we've talked about this in numerous cases around CISSP Cyber Training, but one of the importance of it is a foundational security control. Now logging and monitoring, it does provide you extreme visibility into your system. Now, the part of it is that's going to be a factor we'll talk

(05:33):
about this is the amount of logging that you do. Now, logging and monitoring as a whole, air quotes whole, can be very limited and one of the things that affects that is cost, which we'll get into in just a minute. So you really need to consider what is your logging strategy. But this will help detect malicious or anomalous behavior that's occurring within your organization. Now there might be some compliance requirements around

(05:56):
this, such as GDPR, HIPAA, PCI DSS, anything out there, GLBA. They may require some level of logging within your company. Now, they won't come out to the specifics, but they'll tell you you need to be logging critical type systems. So it's important that you consider what is your logging strategy. I just said that twice now in the same slide.

(06:17):
You need to have a strategy. What is your overall plan? It does deal with incident detection as well. Real-time monitoring and logging can identify security instances way before they escalate into something else. So you need to have a good idea of those and then they actually help a lot with forensics investigations. Now, they can't help with forensics investigations if, and

(06:38):
if only, only if you have them put in strategic and tactical places within your company so that you can catch the right amount of data. Again, you're going to deal with forensics and dealing with PCAPs, and that's right, your packet captures. Those need to be stationed in certain spots within your network to ensure that you're getting the right amount of data

(06:58):
coming into the overall system. Now, some key concepts. Centralized logging, this comes into this. It goes into a central repository, what we would typically call a SIEM. Now you have Splunk, you've got Azure, you've got ArcSight. You've got various types of SIEMs that are out there that they basically aggregate the data. Now, some are better than others, depending upon the need

(07:19):
for your organization, and we're not going to get into SIEMs today, but it really kind of depends. If you're dealing with a cloud environment, maybe you want something that's more Azure. If you want something that deals with all types of network logs, from basically security logs to overall network architecture logs, maybe Splunk is the thing. Do you have a limited budget? Maybe that may impact it as well.

(07:40):
So something just to kind of walk through and just determine. Log retention policies, how long do you want to keep the stuff that you're storing? A lot of things can take that into account. One is the regulatory requirements around the amount of data that you store. Two, how fast do you need to recover? And if those logs are important for you to recover, if they're

(08:01):
imperative, for that. Is legal or business or any sort of operational needs around that require you to keep them for a period of time. So it's important for you to understand these policies and it's important for you to have a good plan before you get moving forward too far down the path implementing them. Having a limited log recovery or storage is fine, but you need

(08:23):
to really consider what is your long-term strategy around it. Log integrity, you need to ensure the logs are tamper-proof. Somebody can't go in and start deleting them or modifying them to hide what they're doing. Do you have hashing or encryption or something like that set up specifically for your logs? It's imperative that you really do. You have a good idea, and this comes back to what I said just a

(08:45):
minute ago, your strategic goal around logging and monitoring, and then alerting and notifications. What kind of alerts are set when thresholds are exceeded? Right, if you have a certain level of logins from an external location, is that alert kicked off? Will it then send you a notification? How is that notification done?

(09:05):
As a friend of mine says, with Nextpeak, he goes, you know what. What is the thing? Where it goes from the life cycle, from the time you start it to the time it dies. What is the overall process and how will that work? So there's different types of logs. You have a security log. These security logs contain authentication events, access attempts and security events, successful and failed logins,

(09:28):
changes to user roles and privileges. All of those are examples of what could be a security log. If somebody's going in and changing their roles, their role or their privileges, you need to have a record of that. Is it somebody that's supposed to be doing that? Is it not? It could be a bad guy or girl going in and actually modifying their credentials so that they can do something nefarious or

(09:50):
inappropriate. System logs, you need to track the events related to the operating system or a hardware. This comes under boot processes, any kernel events. All of these are system logs that are stored. Now, if you're looking at having to rack and stack these, you may make a choice where you know what, I'm not going to take.

(10:10):
Maybe application logs, I'm not going to take system logs. Or maybe you will take application logs, which I'm going to get into in just a second. You decide which logs you want to keep and there's different kinds of reasons behind that. So application logs, these record events generated by specific applications. So if you have an application such as Salesforce, that's a big

(10:32):
one, I know, but let's just say Salesforce and you have certain application, part of that Salesforce thing is going on, it's doing, it's recording something, whatever that might be, that would then have a specific log for that. You have databases. They have a specific log. The point of it is that you have security logs, system logs and application logs. You have to decide which ones do you want to keep.

(10:54):
All, some, maybe modify it a bit, it's up to you, but a lot of it will come down to what is your overall quote-unquote strategy. Now, network logs, these are some other ones to kind of consider. This goes into your router, your switch activities, traffic flow logs, NetFlow, sFlow, different types of flow logs that are going in, and again, you can see all these types of

(11:15):
logs are going to continue to grow. Well, when you store all this, what does it cost? It costs money and it costs storage space. So you're going to have a lot of data you're going to have to keep and it's going to potentially cost you a lot of money. So then you have to come back to your thought process around that. Database logs. These are important one to really start considering keeping. Now, again, there's a lot of databases within most

(11:38):
enterprises, a gob of databases. So you're going to want to make sure that you pick the most critical databases and start from there. I recommend start small with your strategic plan. What are you going to keep? My critical apps, my critical databases, my critical log app, different types of logs that are going to security logs, those should all be kept. And then from there, are there any network logs that connect

(12:01):
the two together that I feel I should keep? That's how I would rack and stack this. Then, from there, once you have a good plan and an idea of how you want to do it, then you can expand that out, keeping in mind the cost that's going to go with this, both from an opportunity cost and from a capital expense. How much is this going to cost your organization and how much

(12:21):
time is it going to cost by your people going out and configuring all this? Then the last one is an audit log. These are basically capture of changes to systems, applications, user privileges. It's a secondary log that might be kept because it has an audit function. Now, your organization or application or whatever may not

(12:42):
have an audit piece of this, but it might be something your audit team wants to set up specific snapshots to help them in their overall plan. It just kind of comes down to you and what you're going to do and how your organization is going to handle it. Now the role of monitoring is again. It's around early threat detection. You identify potential threats or intrusions in near real time. That's the goal, right, the moment that you see it, you can

(13:04):
then quickly make a decision and flip to it and take care of it. It also deals with operational efficiency or efficiency. I don't know, it's a big word, don't know what that means really, truly. But bottom line is it's your operational aspects, right. It ensures the system availability and performance can be used to identify these issues early.

(13:24):
If something breaks early, you now can identify it quickly. Compliance validation. Compliance is a big deal. A lot I do with organizations that are like, yeah, yeah, compliance, oh, yeah, we're going to do our thing, we're going to be there protecting our hacking stuff going on. Compliance, eh, no, don't really care too much about them. That's a wrong approach, right? So, depending on your organization, your regulatory

(13:45):
aspects of it, you may need to have a very close relationship with your compliance folks and in other cases maybe you don't. But I would highly recommend, if you don't have a good relationship with them, you go and build one. One, that's going to help your organization. Two, it's going to help you professionally. And three, there's probably a three in there, but I can't think of what that is, but at least those two, right, it'll

(14:05):
help your organization, it'll help you professionally. Just stick with those. The last thing around role of monitoring is behavior analysis. Establish baselines for normal activity to detect deviations and or anomalies. People will make choices, right, and if you have behavior analytics that are baked into this, it can go a long way in helping you detect any sort of issues, anomalies that may be

(14:28):
occurring within your environment, within your network, because of those behavior activities. Now, some key components. We have active monitoring, passive monitoring and correlation of events. Your active monitoring, this involves real-time tracking events and generating alerts of the specific anomalies that are going on. Passive monitoring, this is where you're looking at your

(14:48):
logs and your data. After the collection, it's often used for forensics activities. Now, forensic piece of this again, the important part, like we mentioned earlier, is the amount of logs that you store. It's really hard to do forensics on logs that don't exist, right? So if you want to have some level of forensics capability, you need to strategically plan where you're going to pull these

(15:10):
logs from and then you have them in a protected, centralized location where only select people can or applications can gain access to them. So that's an important part. Correlation of events, this is identifying patterns and relationship across multiple data sources to provide actionable intelligence. Right, you're looking at their events, you're correlating

(15:30):
between them. Kind of what we've talked about in numerous places within the CISSP Cyber Training is, if you have multiple data sources coming in, how can you use that information to give you a product that you can then go oh, A plus B equals C, not A plus G plus D equals F. That doesn't work, right. You want the correlation of events and all these different signals coming in. The protection of log data.

(15:52):
Attacker will want to manipulate this data. So what do you need to do? You need to protect it, like we mentioned before, having a central repository that your SIEM can gain access to. Now, what is a SIEM? You hear me say this. It's called a security information event manager, otherwise known as a SIEM. Now you also have what we call forwarders and they take the log

(16:14):
data and they forward it on to the SIEM. You may have central locations where this is stored. Now, as an example, Splunk has what they call a heavy forwarder. I don't, you know, it's can move lots of data. I guess that's why they call it heavy. But bottom line is it works really well to take aggregate data, log data, and ship it to a central location. This works really well.

(16:34):
It also can work well to parse the data before it's shipped, so it doesn't just ship everything. You can have it select certain levels of log data that is sent and then other data is shunted or it's basically dumped. Now you have 30, 60, 90 days is what I got on the slide and if you're looking at that, it's one thing to kind of consider is it's 30, 60, 90 days. What does that mean? It means the amount of log data you want to store for your

(16:57):
organization. Now I will tell you that pretty much everybody will. Everybody's not the right word. Many people will store seven days of data. That's great. It's after seven days. It's always regenerating it, right, it goes in first in, first out kind of activity. Well, so what ends up happening is you only have seven days. If you can detect something that's occurred within your

(17:18):
organization, odds are high. Your log data is gone, right, it ain't there. So you really truly want to have a 30, 60, 90-day policy on how much you're going to store of your logs. Again, this comes back to strategic planning of critical apps. You know what? I maybe only need seven days for everything else, but for this one server and this one database I want 90 days because

(17:41):
if anything bad happens to it, I want to know it. I want to have the ability to go back and look at it. The other part around is a legal hold. If your legal team comes in and says I need you to hold onto this data until I tell you you can't. So then you can have to keep this log data for indefinite periods, and so it's imperative that you have a good plan around that. When the legal comes to you and says keep all the log data, you

(18:03):
say, okay, I'll keep it, no problem, by the way. Here's the bill. The bill is going to cost you X. Legal may go well, you don't need to keep all that, just keep that. So it's important that you have that relationship with legal, because they're just going to come in and say hey, you're the IT guy, you just take all this stuff. You do what I ask you to do. I'm making 400 bucks an hour, you're not. You just do what I ask.

(18:24):
And yeah, an imperative though, that you to go and say to them, you know what, that's fine, I'm happy to do it, but it's going to cost you X. They need to understand the bill and they also need to pay for it, because they may make a decision that you know what, it's not worth it, or they may say you know what, it's fine, we'll pay it. The thing is is that you really need to make sure that the logs

(18:45):
are destroyed if they're not being used, and I can't stress that enough. Log data, in of itself, just having the data, is a bad idea, so you need to make sure that you delete it when it's not specifically being used. Security information event management, SIEM. Okay, we talked about the SIEM. It's an automated, configurable product. Rule sets established for alert and flag suspicious activity.

(19:05):
They will range in price depending upon the, air quotes, bells and whistles you want to add to them. So the bigger the product, more it's going to cost. Splunk is a great example. I remember when Splunk was brought in. Splunk was a great idea. The logs were not that expensive and then, over time, now the storage of the log data is getting to be more and more

(19:26):
and more expensive because, guess what? It's not really a Splunk problem, it's more of a just a data storage problem. But you realize, to get the true value out of Splunk you have to have lots of data for it to use. Well, so what do you do? You store more. And as you store more, what happens to your costs? Costs go up. So it's really important that you have a good plan on that. Now these rule sets and these SIEMs are established to alert

(19:48):
or flag on suspicious activity. The range and price. Again we'll talk about the bells and whistles, but realistically, that's the ultimate goal. Something triggers, they trigger. They let you know something's going on. Now they typically are deployed in either an agent or an agentless deployment. The agentless basically takes logs directly from the system

(20:08):
and ingests them into the SIEM. The agent utilizes software to collate, to basically parse it down to a much smaller amount and, depending upon where you have your data, so if you like, say you have lots of remote locations, you may want an agent at each of those locations, or maybe a forwarder that's passing on the information.

(20:29):
Why? Bandwidth. Bandwidth's a big deal. If you're shipping data over the wire, it costs a lot of money, it takes up a lot of bandwidth. So therefore, do you need to send all these logs back or can you send a smaller subset of logs back? Important thing to consider when you're dealing with your overall strategy. Now, typical deployment agents are talked about are systems

(20:51):
that are being monitored. You can deploy this with additional functionality. These SIEMs are usually very configurable. They can do a lot of different things and if you're looking at the slide, sometimes they can do too much. It's a typical thing where you know what. Ooh, my watch now has bells and whistles. I'm gonna enable them all. Turn them all on because I want to be excited and I want to see

(21:12):
lots of stuff. That's usually a bad idea, because what happens when it lights up like a Christmas tree? You just kind of basically go into shock because all the flickering lights cause you to basically have a stroke or shock or whatever it is that you just pass out. So you don't want to do that. You want to basically start small and work your way out. Correlation engines and machine learning are also being

(21:33):
embedded within these SIEMs now, which is awesome. Back to the initial point we had in the notes is the fact that AI is a huge factor in all of these capabilities and it needs to be leveraged. However, that being said, understand the foundational pieces before you flip on AI. I'll learn an example of this. I have QuickBooks, right, so I have business books for my

(21:55):
wife's Kona business and for our Traveling Tom's coffee business. QuickBooks decided in their infinite wisdom, I'm going to kick on AI. Oh, I hate it, I despise it. Why? Because it's giving me all kinds of stuff that I don't even know what it means, and so what is it causing me to do? I just don't want to touch it anymore, which is bad for business, right, you don't want to do that, but the point of it

(22:16):
is is that AI is great, but you got to have your foundational pieces before you flip the switch on. I would have preferred with QuickBooks that I turn it on, not them. So again, there's an important part. You need to integrate in other device management systems, such as Microsoft's SCCM, which is System Center Configuration Manager. A lot of organizations have SCCM within their company.

(22:38):
You need to incorporate your SIEM into that. It can animate, add a lot of automated processes to help your organization be much more secure. Continuous monitoring, what is this? This provides an audit trail and basically investigation fodder. What is investigation fodder? Lots of stuff that can help you with an investigation.

(22:58):
Without the logs, again, you have virtually nothing other than the specific incident, that's if you even catch it. The logs help you maybe find what actually occurred. So Network Time Protocol is an important part of all your logs. This is where it's actually doing a timestamp on the logs itself. Synchronizes the ability for timestamps and allows for breadcrumbs for you to be able

(23:19):
to go back and trace back what actually occurred when you're dealing with some sort of audit trail for continuous monitoring. It deals with promotes accountability. It's an imperative piece of all of this. Now, continuous monitoring provides data for adequate investigations. It also log amounts that they provide will be huge. Right, the investigative automated tools to help you search the logs, because you really truly need some level of

(23:42):
automation to go through the vast amounts of logs that will be coming into your SIEM, so it's important that you have that. But again, I start small. Do the mapping, have a plan. If you do that rather than just turn it on, you'll be much more successful and you'll actually have the ability to potentially protect your organization in a much better capacity than if you

(24:04):
just flip the switch and turn it on. The role of monitoring, as we've mentioned before, it's early detection, operational efficiency, compliance, behavior analysis. All those are aspects of it. But we're going to get into active monitoring, passive monitoring and correlation of events, so we've got passive monitoring. This is where you're looking for indicators of compromise or

(24:25):
IOCs such as unusual login patterns, unexpected system behavior. You need to correlate the network traffic with potentially malicious IP addresses or domains from threat intelligence that you may be receiving. So these IOCs you're looking for, proactive monitoring of what's occurring within your network. Now, forensic analysis, this is where you utilize logs for

(24:47):
reconstructing the sequence of events. This is usually after the fact. You also need to keep all of this for what they call chain of custody. We talked about chain of custody a lot in CISSP Cyber Training. The part of it is that it's a plan on how you're going to keep this data from a legal perspective, to ensure that if something ever had to go to court, you can prove without a

(25:08):
doubt that you had this data. I got it at this time from this system and I have all the logs to back it all up. They have been saved. You can go and look at them. Everything is tight. That is what you deal with chain of custody right now, when you're integrating with incident response. This will also help trigger response playbooks, or what they

(25:29):
call a procedure, either one of those, and they're based on the alerts that they have, and then they will go and go oh, something bad happened. Pull out the XYZ playbook, let's run through it, and then they will run through the playbook. The point of it is is it allows them to have the ability to respond quickly to these events. Now I've dealt with organizations that go well. I don't need a playbook. I got it down pat.

(25:50):
I know what I'm supposed to do. I've done this so many times I can do it in my sleep. Yeah, you're rock, you're amazing, that's awesome. However, when you hire somebody who comes in, that person doesn't have the same level of knowledge. So in a playbook, it's important that you put all this information down and you keep it updated, because, guess what, we all know within security, we got people coming and we got

(26:11):
people going, and so it's imperative that you have a plan to deal with that specifically as well. It also helps escalate incidents to appropriate teams when some severity thresholds are met or exceeded. So again, monitoring and investigation is an important part. Now syslog, we're going to get into what is a syslog? Syslog protocol, this is a standardized protocol for

(26:31):
logging messages from network devices and systems. This operates on, in this case, UDP, port 514. Now, that's the default port for syslog. That doesn't always mean it's going to be on 514. That's just the default port for it. You can set whatever one you want. But bottom line is that it's set up to go through there. It's set up with,

(26:51):
you can have UDP or you can have TCP. If you're going TCP, obviously it's much more reliable. But now you're dealing with the SYN-ACK aspects of it versus UDP, just blasting the log data to that location. Now the syslog structure. You've got a header and you have a message body. Now the header includes priorities, timestamps and host names, and then the message body will contain the actual log

(27:13):
message itself. Now there are authentication failures, firewall events, system boot messages and so forth. All of that stuff is available through syslog. Now log sampling. This is reviewing a subset of the logs rather than analyzing all the collected data. This reduces the workload from large volumes. It focuses on high priority events. Now the challenges around this is that there can be a risk of

(27:35):
missing critical events. When you're just sampling the log data, you could actually miss something. You also get sampling bias if it's not randomized. So you could be sampling certain areas that are always coming in and other areas that are not. That's the sampling piece of this. Now the best practice is using a stratified sampling for specific types of events or timeframes, and you supplement

(27:56):
the sampling with targeted searches for IOCs, or indicators of compromise. So that is when you're dealing with specifically around log sampling. Clipping levels. Now, this is a... Thresholds are set to filter out our minor or irrelevant events. So you have lots of little things that are going on in your network and you'll see this in logs. A lot, all kinds of stuff that's happening.

(28:18):
The clipping levels would basically say that I'm going to ignore login failures below three attempts, right, because people screw up, I do too. So this helps avoid excessive alerts because people make typos. That would be a clipping error. You log only errors of certain severity levels, right, so if you have a certain issue that happens and it's all low

(28:39):
severity, don't even mess with it. Right now, the benefits is obviously it reduces noise, improves analyst focus, right, so that's positive. And it optimizes your storage for unnecessary logs adding cost and time. Right now, the downside of this is you potentially overlook low frequency events that could indicate a slow attack or more of a methodical attack, and then misconfigured clipping levels

(29:02):
obviously can really relate to or result in incomplete monitoring. You set your clipping level to 10 instead of two. Well, now you're missing all kinds of stuff because you made that fat finger mistake. So, or two and 20, that kind of thing. So it's important that you kind of have a really good plan with what your organization needs. Now, when you're implementing this, you align your clipping

(29:25):
levels with your risk tolerance. It's important that you have a good plan around that, and then you review this on a routine basis to adjust your thresholds based on the threat that may be evolving to you. What does that mean? That means basically in your business, if all of a sudden, you've known, I know APTs want me, nobody wants to deal with me, and then you just get a government contract and now all

(29:46):
of a sudden you are a high risk from an APT attack, that would change your potential risk profile and your thresholds because the threat may have already changed. So that's what that whole point is trying to get to. Egress monitoring, this is where you're monitoring and controlling outbound traffic to detect, prevent data exfiltration, malicious communications or unauthorized access attempts.

(30:08):
The importance of this is around data loss prevention. You help identify, stop sensitive data from leaving your company. It can also help you detect malware or any command and control communications that are going out, and many regulations will mandate some level of safeguards against unauthorized data transfer. So you need to be monitoring any outbound communications.

(30:28):
One of the main things you really need to do is look for outbound or egress monitoring. Now you're gonna be looking at tools such as firewalls, your IDS, IPSs. You'll look at other types of proxy information that might be going outbound. You're gonna wanna look at all of that. You also wanna understand your content filtering and inspecting it for sensitive information such as credit cards.

(30:51):
A lot of these systems will have the ability to look for social security numbers, credit card numbers and the like. So you want to make sure that you're filtering this kind of data going out. Behavior monitoring, looking for unusual outbound traffic. It's going to Australia at two in the morning. That would be not normal, especially if you're operating

(31:12):
out of the Midwest, understanding that sort of behavioral aspects. Now the challenges that come with it is you have outbound traffic that is usually, in many cases, HTTPS and the inspection of it can be very difficult. I was working with a large company and helping them deploy their encryption class decryption software to look at this specifically.

(31:32):
So you may want to consider that if you're going to be the security person for your organization, depending upon the outbound traffic, that might be something you want to go do. Now there's lots of false positives. This could be legitimate activities that may trigger alerts, requiring fine-tuned rules and thresholds. So it's important that you have a good plan, what is that about? And then also understand your false positives to ensure that

(31:55):
what's going out there is truly something that's bad, or getting alerted that's bad, and what is not a big deal. So again, we kind of talked about egress and monitoring traffic as it's leaving. Assume internal networks have been compromised, so what do they have to do if they've been compromised? The data has to go out somewhere. It's really hard to monitor the stuff coming in, but you always

(32:17):
want to look for any of the data leaving your company. The attacker wants the data to leave. They want to get the data out, and in many ways they will ship it out in plain sight, right out the front door, just so that you're not, and it's in with all the other data, so you will miss it. Now there's tools to help you do, to obviously stop data loss: web proxies, steganography and then file-based DLP.

(32:37):
So your web proxy, obviously looking for any rules, anything going to destinations that it shouldn't go to, stop it right there. Most environments just really don't even address this. They just let all the data that goes out. I say most, not all, but many, many do. Steganography, you embed messages within a message. It's very hard to detect. Now the good thing is, it can be, you can kind of go to,

(33:00):
if a JPEG is 37 meg in size, well, you might be going, yeah, that ain't right, that's not normally what it is. That would be an alert or a trigger on it. But putting data inside steganography or inside a picture and shipping it out the door, that's really hard to detect. You also have a bigger problem. You've got an insider that's doing that, potentially, as well.

(33:21):
Now, could the bad guys do it? Yes, but it's much more complicated if you're remoting in trying to put this data into a picture. That's really challenging versus being the person in the business, in the company. Actually manually doing that on a day-to-day basis is much, much easier. And then file-based DLP software that, you know, looks for affected file types, your JPEGs, your PDFs, your docs.

(33:43):
Are they going to places they shouldn't go? Are they systems, does it look like the file type or the file name has changed? All of those aspects you want to be looking for with egress monitoring. SOAR tools. Now these are platforms that automate and orchestrate your security operations processes: threat detection, analysis,

(34:03):
response. SOAR tools are very cool, especially for some level of automation that goes into it. Now you can combine multiple security tools, a SIEM and threat intelligence platforms, all of this to be in a unified or processed workflow. The automation from having manual tasks, reducing manual tasks to more of an automated task, from incident triage to

(34:25):
threat containment, to reporting, all of that can be automated and set up. Threat comes in, threat is remediated, report is generated, everybody's happy and very few people touch it. It all just kind of automatically does it. That's amazing. Now, playbook execution, this is implementing predefined workflows based on the playbook that you set, and then this will handle specific types of incidents.

(34:46):
So having a good SOAR tool and its process in place is an amazing part to your organization. Now some of the other benefits, this includes efficiency, consistency and scalability, and they allow for your analysts to have time to be able to go and actually focus on the real things that are there. The SOAR tools can help kind of triage some of the lower level

(35:07):
things. So it's great, great products. Now some examples of SOAR tools. You got Splunk, IBM QRadar, Palo Alto's Cortex. All of those are different types of SOAR tools that can be used within your organization. Runbooks and playbooks. So what are these? Now? A runbook is a detailed, step-by-step instruction for

(35:28):
executing specific operational tasks, such as configuring firewalls, resetting passwords and so forth. A playbook is a high-level workflow that outlines the steps and the decision points for responding to a security incident. Phishing attack response, that is what would fall under a playbook. Now, the key differences around this are this: a runbook is

(35:50):
task-oriented and focused on the technical implementation. The playbook, on the other hand, is strategic, decision-driven and has multiple playbooks in them. I've created playbooks that have multiple tabs and they have multiple playbooks that you would refer to to make it happen. Good example, financial disconnect or financial reconnect to third parties has lots of playbooks in it, and so

(36:14):
it's an important piece of any company.
Any financial organization really needs to have a good disconnect and reconnect playbook, especially for third parties. If you're listening to this, if you don't have one, I can help you. Just reach out. I can help you with that. So, again, disconnect and reconnect playbooks, important part. Playbooks and runbooks, importance of them.

(36:36):
Standardization ensures consistent response to security incidents. Documentation provides clear instruction for less experienced team members and, like we mentioned before, having this in place is important, very important for having your team. Efficiency reduces response times, eliminating guesswork,

(36:57):
very important part of having all this documented. Again, the downside of all of this is it takes work to do it. It takes time to do it. You've got to dedicate people and resources to make that happen. Machine learning and AI tools. Okay so, threat detection, it can happen with looking for zero-day attacks. All of this stuff can be incorporated and embedded.

(37:19):
I've said it time and again, I truly believe AI, embedded within your security tools, is going to be a big factor in the protecting of your organization. If you can incorporate it, understand it, deploy it, it's going to help your company mitigate a lot of risk. Again, though, you have to understand it before you deploy it. Automation is another big factor. Automate repetitive tasks such as log analysis or threat

(37:40):
hunting. You want to have that done. You don't need somebody's eyeballs looking at it. Predictive analytics, you forecast potential attack vectors based on historical data. What does that look like? How are they attacking you? How could they potentially attack you in the future? Now, when you're dealing with different types of analysis, malware analysis would be one example of how AI would help

(38:03):
look for this. It would look for malicious code by recognizing patterns in the binaries. It also could look at the behaviors of these different types of malware and then look at how it's operating, even though the code that came in may be completely different, but it's operating in a very similar manner. This is where AI can look and determine, hmm, maybe this is

(38:23):
something that's more malicious, whereas a person like me would not be able to see that because it's just so much data. Now the challenges around this again is poor quality training can lead to inaccurate models. If you don't have, you know, junk in, junk out. You also have adversarial AI, where the attackers may develop techniques to evade AI detection, and I guarantee you they're

(38:44):
doing that now. They're coming up with solutions because they know organizations are deploying AI within their companies, so they're trying to figure out how to avoid AI seeing them. And then resource intensity.
This is where ML/AI tools require significant computational and storage resources, specifically for your

(39:05):
organization. Threat intelligence, what is this? This is where you have information about existing and emerging threats, including their tactics, techniques and their procedures, or TTPs. So there's types of threat intelligence: you have strategic, operational and tactical. High level is strategic.
Strategic, this is where you have insights. Decision makers, geopolitical risks are all part of the strategic intelligence piece of this.

(39:27):
Operational is where you have information on active campaigns or attack groups potentially coming after you. And then tactical is details such as incidents of compromise, IP addresses and malware hashes. That would be your tactical piece. So that's where threat intelligence is important: strategic, operational and tactical.

(39:47):
Now the benefits of this, you have proactive defense, enhanced detection and incident response. Your proactive defense is where you're preparing for the threats and understanding the attacker's TTPs. Enhanced detection is where you're correlating this intelligence and internal logs, so you're basically putting the nexus together. You're combining them, figuring out where is this all coming from, and then your incident response uses these IOCs to

(40:10):
identify affected systems, specifically during an investigation. Now there's different sources. You have open threat intelligence from, like, AlienVault. You have commercial feeds from FireEye, Recorded Future, and then you have industry sharing groups, such as the ISACs. So you have FS-ISAC, you have manufacturing ISAC, you have all these different ISACs that are industry sharing groups. So the point of it comes down to, though, is that this

(40:32):
intelligence is imperative, and you want to incorporate all this intelligence within your organization and within your SIEM. Now, the kill chain. This is a framework with which you describe the stages of a cyber attack, from reconnaissance to execution. Now, this is the Lockheed Martin cyber kill chain. It's kind of how they broke this out and you have seven

(40:53):
steps. You have reconnaissance, where you're gathering information. Weaponization, where they're creating the malicious payload
to basically exploit. Delivery is where you're transmitting the payload to the target, right, you're launching it. Exploitation is you're actually doing something to gain access, whether it's using pass the hash, whether it's using credentials. You're using something, and then your installation is

(41:15):
installing the malware or the back door to allow access. Then setting up the command and control system to, net, establish communications with the attacking device, so it allows you to basically remote control your robot on the moon. That's the command and control piece, and then your actions on objectives. This is where you're executing the final goal, such as data

(41:35):
theft or potentially even destruction. Those are your cyber kill chain, right, one through seven: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Now the uses around this. Obviously, if you understand this, you can identify and disrupt attacks that are specific within the kill chain

(41:56):
stages, and then you understand the analysis that goes along with it. You can understand what the attacker's progress is. Now, this all sounds hunky-dory and wonderful. That's assuming you catch them. A lot of times, these guys get in your environment and they may be in the delivery and exploitation, and they're getting to the installation phase and they might even already be

(42:17):
installed. And then they have command and control, where they're talking back and forth. And all six steps have already occurred, and they occurred months ago. And now what are you going to do? Right, that's an important part. Okay, that's all I have for you today. Head on over to CISSP Cyber Training. You can get all this content. All of it's available to you, just you got to purchase it. You can have access to it and then all the training can help

(42:39):
you pass the CISSP exam. There's a lot of free stuff out there. You get my 360 free questions as well as some of the other content that's on the blog that's out there and it's free, some of the videos and some snippets of the videos and so forth. You can go to YouTube and get some of this content as well, or go to Nextpeak. If you're interested in cybersecurity consulting, head

(43:00):
over to reducecyberrisk.com or head over to nextpeak.net. If you're in the financial industry and you need some consultation around financial aspects and cybersecurity, head on over to nextpeak.net. Or just send me a note. I'm happy to sit down and chat with you about that. We do a lot of great stuff with a lot of large financial organizations, so we definitely can help you with what you need.

(43:21):
Okay, have a wonderful, wonderful day and we will catch you all on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time.

(43:43):
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.