WEBVTT

00:00.000 --> 00:02.700
>> Hi everybody. Let's go

00:02.700 --> 00:05.550
ahead and pick up
with risk monitoring.

00:05.550 --> 00:07.920
Risk monitoring is all about the

00:07.920 --> 00:09.120
>> fact that no matter how

00:09.120 --> 00:12.780
>> much you put into planning,
risks still materialize.

00:12.780 --> 00:15.150
We're going to need to
continue to evaluate

00:15.150 --> 00:18.195
and watch for risk
in a number of ways.

00:18.195 --> 00:21.525
The first way is to
look for KRIs.

00:21.525 --> 00:23.340
Key risk indicators.

00:23.340 --> 00:25.425
These are also
known as triggers.

00:25.425 --> 00:27.450
Triggers indicate
that a risk event

00:27.450 --> 00:29.760
is likely to materialize.

00:29.760 --> 00:33.290
For example, if I am
concerned about a denial of

00:33.290 --> 00:34.790
service attack and I put

00:34.790 --> 00:36.785
my mitigation
strategies in place,

00:36.785 --> 00:38.740
I'll also monitor the network.

00:38.740 --> 00:41.870
If I see network
traffic escalating and

00:41.870 --> 00:44.890
network utilization is at
70 percent and going up,

00:44.890 --> 00:47.495
then I'll see that as
a key risk indicator.

00:47.495 --> 00:49.310
It tells me that regardless

00:49.310 --> 00:51.050
of what I've done
for mitigation,

00:51.050 --> 00:53.050
there's still
something going on.

00:53.050 --> 00:54.780
For this type of scenario,

00:54.780 --> 00:56.780
I would plan to
monitor the network

00:56.780 --> 00:58.040
>> and establish that if

00:58.040 --> 01:00.680
>> network utilization
exceeds 50 percent

01:00.680 --> 01:03.005
for more than five
minutes consecutively,

01:03.005 --> 01:05.780
then that is something I
want to be alerted to.

01:05.780 --> 01:08.135
That's what a key
risk indicator is.

01:08.135 --> 01:11.080
It's an alarm or an
early warning system.

01:11.080 --> 01:13.790
KRIs need to be
determined early.

01:13.790 --> 01:16.790
These are things you would
add in your risk register.

01:16.790 --> 01:18.770
You would add what you
are looking for as

01:18.770 --> 01:21.115
an indicator of the risk
you are documenting.

01:21.115 --> 01:23.030
You want to be as
proactive as you

01:23.030 --> 01:24.875
can and be preventative.

01:24.875 --> 01:27.200
But you also want an alarm
that will tell you when

01:27.200 --> 01:30.260
your risk is going to
materialize anyway.

01:30.260 --> 01:32.690
Other things you can
do to monitor for

01:32.690 --> 01:34.595
risk are to review your logs.

01:34.595 --> 01:36.395
You want to do it proactively.

01:36.395 --> 01:39.760
Often you only look at
your logs after an event.

01:39.760 --> 01:41.480
But we find that if we've been

01:41.480 --> 01:43.415
looking at our logs
ahead of time,

01:43.415 --> 01:45.170
we could have seen signs
that something was

01:45.170 --> 01:47.300
happening before
the actual event.

01:47.300 --> 01:49.780
So log review is important.

01:49.780 --> 01:52.640
Also, we can use
intrusion detection and

01:52.640 --> 01:55.435
protection systems, IDPS.

01:55.435 --> 01:58.655
You should monitor them and
be wary of false positives,

01:58.655 --> 02:00.395
but also false negatives.

02:00.395 --> 02:02.030
We want to make
sure our intrusion

02:02.030 --> 02:04.100
detection systems
are tuned properly.

02:04.100 --> 02:06.385
We'll talk more
about those later.

02:06.385 --> 02:08.810
Another way to
monitor for risk is

02:08.810 --> 02:10.820
to use honeypots and honeynets.

02:10.820 --> 02:13.100
These are devices
that are decoys.

02:13.100 --> 02:15.860
They're set aside to look
like a vulnerable system,

02:15.860 --> 02:17.440
but instead they contain

02:17.440 --> 02:20.580
detective software that
monitors what an attacker does.

02:20.580 --> 02:22.445
Their purpose is distraction,

02:22.445 --> 02:25.195
but also detection of an attack.

02:25.195 --> 02:27.530
Finally, you want to keep in

02:27.530 --> 02:30.275
good communication with your
incident response team.

02:30.275 --> 02:32.540
Monitor what they
are seeing and use

02:32.540 --> 02:35.940
that as an indicator of
a risk that might occur.

