1
00:00:06,890 --> 00:00:11,020
- Whenever you were preparing for the SecOps exam,

2
00:00:11,020 --> 00:00:13,200
you know, you learned that there are

3
00:00:13,200 --> 00:00:15,590
many different security technologies and products

4
00:00:15,590 --> 00:00:18,500
that can be used in the security operations center

5
00:00:18,500 --> 00:00:19,990
or the SOC, right?

6
00:00:19,990 --> 00:00:22,370
And many organizations actually use these types of products,

7
00:00:22,370 --> 00:00:25,610
of course, to not only protect the organization

8
00:00:25,610 --> 00:00:28,800
but also to monitor their network traffic.

9
00:00:28,800 --> 00:00:31,680
And it is really important to understand

10
00:00:31,680 --> 00:00:33,910
what products and technologies are actually used

11
00:00:33,910 --> 00:00:36,090
for what types of security events, right?

12
00:00:36,090 --> 00:00:38,550
And how to analyze these events.

13
00:00:38,550 --> 00:00:40,070
So let's start with intrusion detection

14
00:00:40,070 --> 00:00:40,903
and prevention, right?

15
00:00:40,903 --> 00:00:43,130
So here I'm actually showing

16
00:00:43,130 --> 00:00:45,450
the different types of analysis

17
00:00:45,450 --> 00:00:47,917
and features provided by intrusion detection

18
00:00:47,917 --> 00:00:51,310
and prevention systems and example products, right?

19
00:00:51,310 --> 00:00:55,740
So here, I'm actually showing the different types of analysis

20
00:00:55,740 --> 00:01:00,740
and features provided by anomaly detection systems

21
00:01:00,980 --> 00:01:03,660
and example products as well, right?

22
00:01:03,660 --> 00:01:08,660
So again, you know, there are different types of devices

23
00:01:08,840 --> 00:01:11,510
for intrusion prevention and different types of devices

24
00:01:11,510 --> 00:01:14,690
and solutions for anomaly detection as well

25
00:01:14,690 --> 00:01:18,860
that are very useful in the SOC, right?
26
00:01:18,860 --> 00:01:20,120
Now, here, I'm actually showing

27
00:01:20,120 --> 00:01:21,970
the different types of analysis and features

28
00:01:21,970 --> 00:01:25,400
provided by malware analysis technologies

29
00:01:25,400 --> 00:01:26,990
and example products like, you know,

30
00:01:26,990 --> 00:01:31,870
the Cisco AMP and, you know, others as well, right?

31
00:01:31,870 --> 00:01:36,870
Now, in the SOC you may also have to do full packet capture.

32
00:01:38,940 --> 00:01:41,300
And, you know, of course, for the purpose of

33
00:01:41,300 --> 00:01:43,080
forensics and further analysis,

34
00:01:43,080 --> 00:01:47,320
I'm able to actually do that type of, you know, collection

35
00:01:47,320 --> 00:01:48,530
of the full packet captures,

36
00:01:48,530 --> 00:01:51,150
just like we actually covered in the previous lessons, right?

37
00:01:51,150 --> 00:01:54,473
So here I'm actually showing the different types of analysis

38
00:01:54,473 --> 00:01:58,550
and features provided by full packet capture solutions

39
00:01:58,550 --> 00:02:01,740
and also example products as well, right?

40
00:02:01,740 --> 00:02:04,680
Here, I'm actually showing the different types of analysis

41
00:02:04,680 --> 00:02:07,150
and features provided by protocol

42
00:02:07,150 --> 00:02:09,170
and packet metadata solutions, right?

43
00:02:09,170 --> 00:02:12,900
So one of the drawbacks of full packet captures

44
00:02:12,900 --> 00:02:16,740
is, of course, the need for a lot of storage and, you know,

45
00:02:16,740 --> 00:02:19,080
processing power to actually, you know,

46
00:02:19,080 --> 00:02:21,390
not only store but also analyze,

47
00:02:21,390 --> 00:02:23,070
you know, the full packet captures.

48
00:02:23,070 --> 00:02:26,490
So one of the things that actually many organizations

49
00:02:26,490 --> 00:02:29,070
actually take advantage of is to do

50
00:02:29,070 --> 00:02:32,010
protocol and packet metadata analysis, right?
51
00:02:32,010 --> 00:02:34,770
So here I'm actually showing the different types of analysis

52
00:02:34,770 --> 00:02:38,490
and features provided by protocol and packet metadata

53
00:02:38,490 --> 00:02:41,540
solutions and also example products.

54
00:02:41,540 --> 00:02:44,190
Now, depending on the technology and products used,

55
00:02:44,190 --> 00:02:45,510
you may need to analyze

56
00:02:45,510 --> 00:02:48,300
thousands upon thousands of logs and events, right?

57
00:02:48,300 --> 00:02:51,570
So, tools that provide capabilities

58
00:02:51,570 --> 00:02:54,790
to see the overall health of your network

59
00:02:54,790 --> 00:02:57,340
but also allow you to actually do a deep dive

60
00:02:58,490 --> 00:03:00,510
on the details about each of the security events

61
00:03:00,510 --> 00:03:03,230
and potential intrusions, you know, assist.

62
00:03:03,230 --> 00:03:05,150
And one of the tools actually is

63
00:03:05,150 --> 00:03:07,060
the Cisco Firepower Management Center, right?

64
00:03:07,060 --> 00:03:10,330
So the FMC, it actually has drill-down views

65
00:03:10,330 --> 00:03:12,390
and table views of events

66
00:03:12,390 --> 00:03:15,520
that share some common characteristics

67
00:03:15,520 --> 00:03:19,180
that you can actually use to narrow a list of events

68
00:03:19,180 --> 00:03:21,960
and then concentrate your analysis

69
00:03:21,960 --> 00:03:24,060
on a group of related events

70
00:03:24,060 --> 00:03:26,870
as I'm actually showing here, right?

71
00:03:26,870 --> 00:03:30,380
You can see two different types of messages

72
00:03:30,380 --> 00:03:32,870
related to SNMP in this case, right?

73
00:03:32,870 --> 00:03:35,800
And the count of times such an event

74
00:03:35,800 --> 00:03:37,390
was actually encountered in the network, right?
75
00:03:37,390 --> 00:03:41,460
You know, to access the type of intrusion event

76
00:03:41,460 --> 00:03:42,900
workflow in the FMC,

77
00:03:42,900 --> 00:03:46,150
you can actually navigate to Analysis, Intrusion,

78
00:03:46,150 --> 00:03:47,920
and then Events, right?

79
00:03:47,920 --> 00:03:50,920
Now you can optionally limit the number of intrusion events

80
00:03:50,920 --> 00:03:53,930
that actually appear on the event views

81
00:03:53,930 --> 00:03:58,930
as described in the intrusion events drill-down page

82
00:03:59,030 --> 00:04:02,920
or the intrusion events table view constraints, right?

83
00:04:02,920 --> 00:04:04,780
You know, of course here you can actually see

84
00:04:04,780 --> 00:04:09,260
all the different events that match the first message type

85
00:04:09,260 --> 00:04:11,860
or the threat shown before.

86
00:04:11,860 --> 00:04:14,430
You know, that we actually showed before.

87
00:04:14,430 --> 00:04:16,360
Here, you can actually see detailed information

88
00:04:16,360 --> 00:04:19,190
about the source and destination IP addresses,

89
00:04:19,190 --> 00:04:23,020
geolocation information, source and destination ports,

90
00:04:23,020 --> 00:04:25,160
and many other types of information, right?

91
00:04:25,160 --> 00:04:27,600
So, another, you know, good thing is

92
00:04:27,600 --> 00:04:31,130
that you can actually click on each of the items in the FMC

93
00:04:31,130 --> 00:04:34,650
and either download the packets to your local system

94
00:04:34,650 --> 00:04:37,340
or actually view the packet details

95
00:04:37,340 --> 00:04:39,510
as I'm actually showing in here, right?

96
00:04:39,510 --> 00:04:42,280
So again, you know, there are many tools out there

97
00:04:42,280 --> 00:04:44,690
for this type of analysis

98
00:04:44,690 --> 00:04:47,760
and different tools that can be used in the SOC.
99
00:04:47,760 --> 00:04:50,260
We summarized, you know, some of these tools in here

100
00:04:50,260 --> 00:04:54,530
and also we reviewed some of the examples of those tools

101
00:04:54,530 --> 00:04:57,860
including the Cisco Firepower Management Console.

102
00:04:57,860 --> 00:05:01,327
And there are many, many different options in the Cisco FMC

103
00:05:01,327 --> 00:05:03,550
and, you know, these tools that will actually

104
00:05:03,550 --> 00:05:08,160
help you prioritize, classify, and analyze,

105
00:05:08,160 --> 00:05:10,940
you know, event information and packet details

106
00:05:10,940 --> 00:05:13,113
within your organization to, of course,

107
00:05:13,113 --> 00:05:16,200
identify an attack, identify a threat actor,

108
00:05:16,200 --> 00:05:21,163
and remediate that intrusion within your organization.
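The lecture above describes two FMC views without showing the mechanics: a table view that collapses thousands of intrusion events into one row per message with a hit count, and a drill-down view that expands one row back into the individual events with their source and destination addresses, ports and geolocation. The following is an added example, not code from the lecture and not Cisco's own software: a small Python model of those two views, plus table-view constraints, run over constructed sample SNMP intrusion events. The CSV column layout, the rule message strings and the addresses are assumptions made for this example, not an FMC export format.

```python
"""
Added example, not code from the lecture or from Cisco: a small model of the
FMC-style "table view" (one row per message with a hit count) and "drill-down
view" (the individual events behind one row), run over constructed sample
intrusion events. Column names and sample values are assumptions for this
example, not an FMC export format.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample intrusion events (documentation-range IPs, not real telemetry).
SAMPLE_CSV = """\
message,src_ip,src_port,dst_ip,dst_port,protocol,src_country
PROTOCOL-SNMP request udp,192.0.2.10,51001,198.51.100.5,161,udp,US
PROTOCOL-SNMP request udp,192.0.2.10,51002,198.51.100.6,161,udp,US
PROTOCOL-SNMP request udp,192.0.2.10,51003,198.51.100.7,161,udp,US
PROTOCOL-SNMP public access udp,203.0.113.77,40000,198.51.100.5,161,udp,DE
PROTOCOL-SNMP public access udp,192.0.2.10,51004,198.51.100.5,161,udp,US
PROTOCOL-SNMP request udp,203.0.113.77,40001,198.51.100.9,161,udp,DE
"""


@dataclass(frozen=True)
class IntrusionEvent:
    message: str      # rule message, e.g. "PROTOCOL-SNMP request udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_country: str  # geolocation of the source, as the FMC displays it


def parse_events(text):
    """Parse CSV rows (assumed layout, see SAMPLE_CSV) into IntrusionEvent records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(IntrusionEvent(
            message=row["message"],
            src_ip=row["src_ip"],
            src_port=int(row["src_port"]),
            dst_ip=row["dst_ip"],
            dst_port=int(row["dst_port"]),
            protocol=row["protocol"],
            src_country=row["src_country"],
        ))
    return events


def summarize_by_message(events):
    """Table view: one row per message with how many times it was seen, busiest first."""
    counts = Counter(e.message for e in events)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def constrain(events, **criteria):
    """Table-view constraint: keep only events matching every given field value."""
    return [e for e in events
            if all(getattr(e, field) == value for field, value in criteria.items())]


def drill_down(events, message):
    """Drill-down view: the individual events behind one table-view row."""
    return [
        {"src": f"{e.src_ip}:{e.src_port}", "dst": f"{e.dst_ip}:{e.dst_port}",
         "proto": e.protocol, "src_country": e.src_country}
        for e in constrain(events, message=message)
    ]


def top_sources(events, message):
    """Sources behind one message, busiest first: a single address with many hits
    usually means one scanner rather than many independent clients."""
    counts = Counter(e.src_ip for e in constrain(events, message=message))
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_CSV)
    for message, count in summarize_by_message(evts):
        print(f"{count:4d}  {message}")
    print("drill-down:", drill_down(evts, "PROTOCOL-SNMP public access udp"))
    print("top sources:", top_sources(evts, "PROTOCOL-SNMP request udp"))
```

Running the script prints the two SNMP rows with their counts (4 and 2), then the drill-down for the "public access" row and the per-source breakdown for the "request" row. The `constrain` helper is the programmatic form of the table-view constraints the lecture mentions: chaining it with `drill_down` and `top_sources` is how an analyst narrows a long event list to one source, one destination port or one message before pulling the packets for that group.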