WEBVTT

00:00:00.960 --> 00:00:05.280
An important part of security operations is to monitor for

00:00:05.280 --> 00:00:07.640
how well our security program is working.

00:00:08.070 --> 00:00:10.280
Is it achieving its goals?

00:00:10.680 --> 00:00:14.970
We know that this can be done through things like continuous monitoring,

00:00:14.970 --> 00:00:18.440
and we have a number of very good tools that will do this for us.

00:00:18.440 --> 00:00:21.970
They will be watching our systems all the time and don't

00:00:21.970 --> 00:00:24.390
require a person to be standing there observing.

00:00:24.390 --> 00:00:27.470
A good example of this would be a security

00:00:27.750 --> 00:00:29.990
information and event management system,

00:00:29.990 --> 00:00:33.750
a SIEM, that can actually gather data from firewalls,

00:00:33.750 --> 00:00:39.930
IDSs, IPSs, application servers, and bring all of this log data

00:00:39.930 --> 00:00:43.730
together, do some aggregation and correlation.

00:00:44.040 --> 00:00:48.680
So we're able to see if there's anything that isn't quite right or bring in

00:00:48.680 --> 00:00:51.620
an alert of something that's happening that is strange.

00:00:52.420 --> 00:00:57.480
Traditional monitoring was done using logs. A person could look through the log

00:00:57.480 --> 00:01:00.400
and see if there's anything wrong or suspicious in there.

00:01:00.980 --> 00:01:04.840
Now the problem with log analysis is that it is difficult.

00:01:05.110 --> 00:01:06.520
It takes a lot of time.

00:01:07.090 --> 00:01:12.470
It takes the proper tools to be able to filter through very often tens

00:01:12.470 --> 00:01:16.060
of thousands of entries in a log to find something which was in any

00:01:16.060 --> 00:01:21.030
way significant. It requires the training to be able to detect and

00:01:21.030 --> 00:01:22.770
notice if there's something wrong.

00:01:23.050 --> 00:01:28.300
And of course, the sheer volume of logs can be overwhelming to the

00:01:28.300 --> 00:01:32.670
point that it really is unrealistic to expect someone to be able to

00:01:32.670 --> 00:01:34.500
go through them and find something.

00:01:34.840 --> 00:01:36.530
Use of tools is,

00:01:36.710 --> 00:01:41.070
shall we say here, almost required. One of the things we

00:01:41.070 --> 00:01:42.960
should always do is know what's going on.

00:01:43.620 --> 00:01:48.010
It's important to know what's happening outside in the real world

00:01:48.120 --> 00:01:52.250
because these are things that could affect us. And this is where we

00:01:52.250 --> 00:01:55.850
can have commercial feeds that come in, antivirus,

00:01:55.850 --> 00:02:00.360
antispam, as well as a number of very good threat intelligence feeds that

00:02:00.360 --> 00:02:04.840
come and say these are the types of attacks we're seeing. This is how these

00:02:04.840 --> 00:02:07.570
attacks have been launched and been successful.

00:02:08.000 --> 00:02:12.250
And from that, we can learn and see are there vulnerabilities we have

00:02:12.420 --> 00:02:18.600
that then could be exploited as well? There's also a number of open

00:02:18.600 --> 00:02:22.900
source intelligence feeds available, ones that will actually show to

00:02:22.900 --> 00:02:24.930
us things we should watch for.

00:02:24.930 --> 00:02:28.040
And the problem with these, of course, is that, again,

00:02:28.040 --> 00:02:30.980
we can have so much intelligence that we don't know what to do with it.

00:02:31.380 --> 00:02:36.200
So, we do sometimes see that managed security service providers will

00:02:36.200 --> 00:02:40.400
actually do a lot of this work for us. They will tell us if there are

00:02:40.400 --> 00:02:42.940
things that we should especially be watching for.

00:02:43.400 --> 00:02:50.480
But the challenge, of course, is that the attackers can be very advanced,

00:02:50.850 --> 00:02:54.550
advanced persistent threats, the very determined,

00:02:54.550 --> 00:02:58.430
very skilled, good resources and support behind them.

00:02:58.950 --> 00:03:03.480
And they go after organizations for things like ransomware,

00:03:03.480 --> 00:03:07.530
distributed denial of service, theft of intellectual property.

00:03:07.920 --> 00:03:11.850
And it's really important that we know whether or not we are

00:03:11.850 --> 00:03:14.360
an industry sector that's being attacked,

00:03:14.370 --> 00:03:17.390
whether we're using a certain type of technology

00:03:17.390 --> 00:03:19.560
that's being attacked right now.

00:03:19.740 --> 00:03:21.530
Those are important things for us to know.

00:03:21.530 --> 00:03:26.700
And it's also good sometimes to just look at blogs. What are people talking

00:03:26.700 --> 00:03:33.210
about? Because very often things go kind of in waves and fads, and all of

00:03:33.210 --> 00:03:35.730
the attacks are against one certain type of,

00:03:35.730 --> 00:03:36.270
should we say,

00:03:36.270 --> 00:03:43.050
language or software and so on, and it's good to know what's going on around us.

00:03:44.620 --> 00:03:45.940
The key points review.

00:03:47.140 --> 00:03:50.180
The reason we need to monitor is that controls can fail.

00:03:50.610 --> 00:03:53.040
In fact, they can just fail to be effective.

00:03:53.450 --> 00:03:55.460
It used to work, but not anymore.

00:03:55.930 --> 00:04:00.860
And it could be that that control we had was great for the attacks of yesterday,

00:04:00.870 --> 00:04:03.410
but it's not suitable for new threats.

00:04:04.070 --> 00:04:06.690
So therefore, monitoring is essential.

00:04:07.500 --> 00:04:11.650
We need to do this to ensure that we are always aware of the

00:04:11.650 --> 00:04:15.260
risk, and we manage that risk adequately.

00:04:15.660 --> 00:04:20.579
Now the problem is we use these, I like to call them waffle words,

00:04:20.579 --> 00:04:23.680
words that almost mean nothing a lot.

00:04:23.920 --> 00:04:28.890
We use terms like adequate security. And what is adequate?

00:04:29.570 --> 00:04:32.430
Adequate means that if we've had a breach,

00:04:32.430 --> 00:04:34.530
obviously, our security was not adequate.

00:04:35.250 --> 00:04:36.880
If we haven't had a breach,

00:04:36.880 --> 00:04:39.480
then we're going to be accused of having spent too much money.

00:04:40.420 --> 00:04:46.910
So, adequate is very much open to interpretation, and we need to know

00:04:46.910 --> 00:04:53.080
what management's sense is of what is adequate. Now it could be we

00:04:53.080 --> 00:04:59.560
need to educate management. Do we have enough security or not? And it

00:04:59.560 --> 00:05:03.310
could be that management doesn't realize how serious certain things

00:05:03.310 --> 00:05:07.320
are and that the security they thought was adequate really isn't in

00:05:07.320 --> 00:05:08.190
today's world.

00:05:08.590 --> 00:05:09.300
But then again,

00:05:09.300 --> 00:05:12.540
we have to be able to present a business case for security

00:05:12.730 --> 00:05:16.660
so that hopefully management is convinced maybe to take

00:05:16.660 --> 00:05:19.210
certain steps and changes as well.

00:05:20.190 --> 00:05:25.940
Our job in security will never end because the people that are trying

00:05:25.940 --> 00:05:31.880
to break in are desperate, and it's their job, in some cases. And so

00:05:31.880 --> 00:05:37.120
therefore, we have to be just as desperate to keep them out as they

00:05:37.120 --> 00:05:39.070
are desperate to try to get in.
