Within the security operations center you have to process a lot of different alerts, right. And doing that manually is close to impossible with the amount of data and the amount of traffic that most organizations, you know, have to handle on a daily basis, right? You have to also search through suspicious indicators of compromise, like emails, log messages, domains, URLs, IP addresses, et cetera, and then extract observables for enrichment to then determine whether these observables can indeed be a breach or a specific attack, right? What you're seeing on the screen is basically Cisco Threat Response, and we're actually using it through SecureX. It has the ability to do an investigation, right? And now in the Investigate panel, at the top, I do see that there's one incident from my host being investigated, right? And there are eight related things, right? And those things can be indicators of compromise, like suspicious, you know, URLs, also other IP addresses that are communicating to that specific host, as well as a specific file, right?
So each of them, you can, of course, deep dive and investigate, click on it, you know, and go to the investigation and also different observables. But specifically in this one, it is obvious that this device is actually communicating, potentially actually exfiltrating traffic from the organization, right? So you see here, you know, that exfiltration being selected twice. And in that case, you know, it can be that probably the attacker has compromised the device and is now trying to evade some of the security technology that you have in place and potentially actually exfiltrate data by also moving laterally, basically doing lateral movement by compromising all the devices in the network. Now in short, what it is, and this is just an example, right? But what is really important for you to understand is that not every single event, of course, is a security incident, right? And then one security incident can have one or, you know, dozens of different events, right?
You have to actually look at the context of what's actually happening, and these utilities like Cisco Threat Response, also Stealthwatch, and many others, you know, allow you to actually do that type of correlation. Now, in this screen, if I actually deep dive into the actual IP address that we're investigating, right? So the 108.62.141.250, it actually has several sightings, right? So basically different observables that we have seen in different events and from many different types of security devices, like Gigamon ThreatINSIGHT, it's a third-party application that is being integrated through SecureX in here. You see Cisco's Stealthwatch and AMP for Endpoints. And you also see a next-generation firewall event service, right? From Firepower Threat Defense and many others. And you see that the actual confidence is high for each of those different events. Now they are all related, you know, in this case it's actually potentially a malicious IP address. Again, trying to communicate from an internal host to transfer a file.
And specifically in the Stealthwatch Enterprise, you actually see that, you know, that was actually the case, right? It was actually trying to exfiltrate some file using FTP, right? File Transfer Protocol, or at least, you know, some connection, you know, out there. So this is the type of correlation and the type of activities that you need to increase your confidence, or the fidelity of, you know, your observables and events, to determine whether it's actually a security incident or potential breach in this case, and so on.