WEBVTT

00:07.220 --> 00:11.570
So we just learned about what the daily life of a SOC analyst is like.

00:11.600 --> 00:16.100
Today we're going to actually go into the specific tools in ACM and some of the different tools that

00:16.100 --> 00:18.830
you might see in a security operations center.

00:18.830 --> 00:19.430
Richard.

00:19.460 --> 00:20.240
Take it away.

00:20.240 --> 00:21.380
What are we going to see?

00:21.740 --> 00:27.920
We're going to see a few different tools that you will definitely see in a security operation center.

00:28.010 --> 00:32.960
Um, again, as I mentioned when we talked before, every SOC is going to be slightly different, but

00:32.960 --> 00:38.780
there are some staples that you generally will see across most SOC environments.

00:38.780 --> 00:41.480
So we're going to take a look at some of those today.

00:42.530 --> 00:43.250
All right.

00:43.250 --> 00:47.270
So you should now see on your screen our SOC landing page.

00:47.420 --> 00:53.120
Um, the SOC landing page is really kind of a directory of the different tools that we have in our environment.

00:53.120 --> 00:55.820
And I'm not going to go through every single tool that we have.

00:55.820 --> 00:57.200
We don't have that kind of time.

00:57.230 --> 01:01.730
I don't want to bore you to death completely, but I do want to highlight some of the tools that we

01:01.730 --> 01:02.990
use in our environment.

01:02.990 --> 01:08.340
And some of the first tools that I think are very important are what are known as SIEM tools,

01:08.340 --> 01:10.020
or security event managers.

01:10.020 --> 01:14.640
Basically, what they're doing is they're creating alerts or detections for us to look at.

01:14.640 --> 01:21.750
And what they do is they actually give us one single location where an analyst can view and monitor the

01:21.750 --> 01:25.950
alerts that are happening in the environment, and you're going to see many different types of alerts

01:25.950 --> 01:26.100
here.

01:26.100 --> 01:28.590
You're going to see alerts from your email security tool.

01:28.620 --> 01:32.070
You're going to see alerts from your endpoint detection and response tools.

01:32.070 --> 01:38.820
You're going to see network, uh, alerts that are demonstrating different attacks that are being carried

01:38.820 --> 01:40.050
out on your environment.

01:40.050 --> 01:45.210
At the end of the day, this is kind of a single pane of glass that an analyst can investigate on and

01:45.210 --> 01:47.160
basically just work through one at a time.

01:47.160 --> 01:52.020
And we teach two different SIEM tools, IBM QRadar and Splunk Enterprise Security.

01:52.020 --> 01:57.780
Both of these are top tier enterprise grade security event managers.

01:57.780 --> 02:01.680
And you will absolutely see these on job descriptions out there in the world.

02:01.680 --> 02:07.080
So these are, as a matter of fact, two of the top three tools in the industry right now.

02:08.430 --> 02:16.690
Email security. I would say 75% of most successful attacks are successful because of a phishing email

02:16.690 --> 02:21.400
that comes into an environment and somebody's clicking on a link or downloading a file from an email

02:21.430 --> 02:24.790
that they should not necessarily be clicking on or downloading.

02:24.790 --> 02:31.030
So being able to understand what happens with an email and knowing how to investigate it is a very important

02:31.030 --> 02:33.760
component of being a security operations center analyst.

02:33.760 --> 02:37.990
And Proofpoint is by far one of the number one email security tools.

02:37.990 --> 02:40.720
So we teach our analysts how to investigate that.

02:40.720 --> 02:41.560
They go through.

02:41.590 --> 02:47.410
They understand who the email came from or who it's pretending to come from, what the email was attempting

02:47.440 --> 02:52.450
to do, what the threat is, and then if there's any steps that need to be taken, then they can make

02:52.450 --> 02:59.260
those recommendations to our security teams, whether it's blocking URLs or blocking email senders or

02:59.260 --> 03:06.160
maybe even removing an email from an inbox because it did get successfully delivered to a user, and

03:06.160 --> 03:08.950
we want to avoid them clicking on that link.

03:08.950 --> 03:09.970
If we can.

03:09.970 --> 03:15.700
So, a very important component of being a security operations center analyst. Now, endpoints: every single

03:15.700 --> 03:18.800
computer that we have in our environment is pretty much known as an endpoint.

03:18.830 --> 03:25.580
Our laptops or desktops, the servers: those devices have what's known as an agent on them.

03:25.580 --> 03:29.930
And the agent, in essence, is watching what that computer is doing: websites

03:29.930 --> 03:35.090
it's going to, files that it's downloading, processes that are running on that computer.

03:35.090 --> 03:37.730
And like the SIEM tool, there's a rule set.

03:37.730 --> 03:41.750
And those rule sets are looking for different activities that break those rules.

03:41.750 --> 03:45.440
And when those happen, what it will do is generate a detection.

03:45.440 --> 03:51.710
It says, hey, this user on this machine downloaded this file and we've identified this file as malicious.

03:51.710 --> 03:54.470
We have killed and quarantined that file.

03:54.500 --> 03:58.880
However, you probably need to investigate it and find out why they were getting that file.

03:58.880 --> 04:00.050
Where did it come from?

04:00.050 --> 04:03.590
How did that file come to land on that device?

04:03.590 --> 04:08.600
And depending on what kind of device it's on, that's really going to determine what needs to be done

04:08.600 --> 04:09.200
at that point.

04:09.200 --> 04:15.470
Is it a critical device like a server, or is it just an endpoint of maybe a laptop from somebody in

04:15.470 --> 04:16.310
the HR department?

04:16.340 --> 04:16.790
Right.

04:16.790 --> 04:22.400
But all of that comes together and as you're investigating these, you get to better understand exactly

04:22.400 --> 04:26.240
how and why those different activities occurred.

04:26.270 --> 04:30.590
Now we teach CrowdStrike as well as SentinelOne, both of them top tier tools.

04:30.620 --> 04:35.270
As a matter of fact, both of these are in the top three in the Gartner Magic Quadrant as well too,

04:35.300 --> 04:36.320
for EDR tools.

04:36.320 --> 04:37.580
So they're very high end.

04:37.580 --> 04:42.620
And again, you'll see these in SOCs, uh, all over the globe.

04:42.740 --> 04:48.860
Now we talked earlier in the previous episode about documenting and ticketing.

04:48.890 --> 04:49.310
Right.

04:49.310 --> 04:52.820
So we teach two different ticketing tools in our environment.

04:52.820 --> 04:59.360
The first one is being able to actually write a ticket explaining the incident, explaining the security

04:59.360 --> 05:02.450
event with the who, the what, the when, the where, the why.

05:02.690 --> 05:06.110
Um, that's very important to paint the picture as to what happened.

05:06.140 --> 05:11.990
And this kind of goes along with being able to provide the most amount of details so that

05:11.990 --> 05:17.810
your higher levels up, your SOC manager, your CISO, can make appropriate decisions on

05:17.810 --> 05:23.480
improving the security of the environment. Um, being able to write that ticket is a skill and it takes

05:23.480 --> 05:24.140
practice.

05:24.140 --> 05:29.130
So our analysts are writing those tickets when they're doing investigations, so that gives them that

05:29.130 --> 05:35.880
skill as well. Another ticketing aspect is being able to communicate with other departments: interdepartmental

05:35.880 --> 05:43.230
communications, specifically action items like resetting passwords, blocking URLs, adding an IP to

05:43.260 --> 05:49.830
the watch list so that we can make sure that if any activity comes from that external IP address, we

05:49.830 --> 05:56.220
can monitor that activity and make sure that nothing is allowed to enter our environment from that IP

05:56.220 --> 05:56.970
address.

05:57.180 --> 06:01.500
Um, even corrections or fixes to rules.

06:01.500 --> 06:03.300
We can communicate with the engineering team.

06:03.330 --> 06:03.660
Right.

06:03.660 --> 06:09.000
So there's a lot of different things that we can do in Jira ticketing, which allows us to communicate

06:09.000 --> 06:14.370
with those other departments, the help desk, networking team, the vulnerability team, um, engineering,

06:14.370 --> 06:19.710
so that they can take those items and fix them, adjust them, modify them, do whatever we need to

06:19.740 --> 06:23.520
do to ensure our environment is as secure as possible.

06:24.420 --> 06:28.830
Another component is being able to understand exactly what is in your environment.

06:28.830 --> 06:31.780
So, um, attack surface management.

06:31.780 --> 06:34.240
What devices are connected to our network?

06:34.270 --> 06:36.310
Is it a laptop?

06:36.310 --> 06:37.360
Is it a desktop?

06:37.360 --> 06:38.440
Is it a switch?

06:38.470 --> 06:39.820
Is it a car?

06:39.850 --> 06:44.350
If you see on this screen, there's actually a car that's been connected to our network.

06:44.590 --> 06:48.460
That car was actually connected to our guest network.

06:48.460 --> 06:52.300
And I've actually investigated it. If you investigate it, it's a Tesla Model 3.

06:52.330 --> 06:58.720
If you've done investigations and you know about vulnerabilities, you know that Tesla Model 3s

06:58.750 --> 07:01.810
actually have a vulnerability that can be exploited.

07:01.810 --> 07:07.330
Now it's pretty rare, but this would be a decision that maybe somebody in your higher ups might want

07:07.360 --> 07:07.720
to make.

07:07.750 --> 07:11.260
Do we want to allow this device to connect to our network?

07:11.290 --> 07:16.330
Should that be something that we take some sort of action against to eliminate a possible exploit

07:16.360 --> 07:18.700
being able to be utilized in our environment?

07:18.700 --> 07:27.040
And most corporations have some sort of public-facing web presence: websites and so forth.

07:27.040 --> 07:33.370
So being able to do web scans to ensure that there are no exploits that can be carried out on those websites,

07:33.400 --> 07:37.600
databases, um, cross-site scripting,

07:37.780 --> 07:39.010
SQL injections.

07:39.040 --> 07:39.970
Things of that nature.

07:40.000 --> 07:41.560
Different types of attacks like that.

07:41.560 --> 07:47.590
So our analysts get the opportunity to not only carry out those activities on test sites, but also

07:47.620 --> 07:54.160
our own websites as well, to be able to help learn how to do that and also monitor our environment

07:54.160 --> 08:00.820
and make sure that they understand exactly what can happen and what to do in those circumstances.

08:00.850 --> 08:04.900
Well, thank you, Richard, for taking the time to spend with us today and to go over some of the tools

08:04.900 --> 08:07.780
that we can expect to see in a security operations center.

08:07.900 --> 08:10.300
Any last thoughts before we let you go for the day?

08:11.740 --> 08:18.310
I would say that getting into cyber security or working in cyber security is an amazing opportunity.

08:18.310 --> 08:19.660
I absolutely love it.

08:19.840 --> 08:20.980
Um, it's a lot of fun.

08:20.980 --> 08:22.630
It's kind of like being a cyber cop.

08:22.660 --> 08:24.370
I guess that's kind of an easy way to say it.

08:24.370 --> 08:29.710
So if you're studying for CySA+, I'm assuming you're building your knowledge and experience

08:29.710 --> 08:34.000
in cyber and, uh, keep focusing, keep working hard.

08:34.000 --> 08:38.260
Get as much practice as you possibly can and continue to push forward.

08:38.980 --> 08:39.160
All right.

08:39.160 --> 08:40.570
Well, thank you very much for your time.

08:40.570 --> 08:42.070
And we will see you next time.
