1
00:00:06,360 --> 00:00:08,110
- [Instructor] One of the common tasks

2
00:00:08,110 --> 00:00:09,900
in the Security Operations Center

3
00:00:09,900 --> 00:00:13,680
is for you to identify potential data loss

4
00:00:13,680 --> 00:00:16,500
from specific traffic profiles

5
00:00:16,500 --> 00:00:19,320
and specific things and observables

6
00:00:19,320 --> 00:00:22,220
that you may obtain from the network.

7
00:00:22,220 --> 00:00:26,580
In my case, I'm actually sharing the StealthWatch dashboard,

8
00:00:26,580 --> 00:00:29,760
and you see that there is a specific source,

9
00:00:29,760 --> 00:00:32,810
the 10.201.3.149,

10
00:00:32,810 --> 00:00:34,910
which basically is being highlighted

11
00:00:34,910 --> 00:00:38,530
a few times as a potential data loss,

12
00:00:38,530 --> 00:00:40,360
for a potential data loss incident.

13
00:00:40,360 --> 00:00:43,340
So you see that there's some data that is being sent,

14
00:00:43,340 --> 00:00:46,410
but the maximum amount of bytes is 10 megs.

15
00:00:46,410 --> 00:00:49,360
And you see a few other entries.

16
00:00:49,360 --> 00:00:53,983
One specifically highlights the user Ken, as you see.

17
00:00:54,950 --> 00:00:57,460
And if you click on the details,

18
00:00:57,460 --> 00:00:59,090
it will actually take you to this page

19
00:00:59,090 --> 00:01:01,290
where you see the security event

20
00:01:01,290 --> 00:01:04,520
for that specific transaction.

21
00:01:04,520 --> 00:01:06,270
So again, you'll see the source,

22
00:01:06,270 --> 00:01:09,230
the 10.201.3.149.

23
00:01:09,230 --> 00:01:11,930
And it says that the security event is suspected data loss.

24
00:01:11,930 --> 00:01:15,140
And it's because it's an indication

25
00:01:15,140 --> 00:01:19,070
that that host has uploaded an abnormal amount of data

26
00:01:19,070 --> 00:01:20,490
outside of the host.

27
00:01:20,490 --> 00:01:22,840
Now again, this is just one example

28
00:01:22,840 --> 00:01:25,840
out of many that you can detect,

29
00:01:25,840 --> 00:01:27,900
potential exfiltration of traffic

30
00:01:27,900 --> 00:01:29,580
and sensitive information.

31
00:01:29,580 --> 00:01:31,110
There are other capabilities

32
00:01:31,110 --> 00:01:33,770
that help you inspect the payloads of packets

33
00:01:33,770 --> 00:01:37,330
to see if there's potentially credit card information,

34
00:01:37,330 --> 00:01:40,750
personally identifiable information, and so on.

35
00:01:40,750 --> 00:01:41,990
This is just one example,

36
00:01:41,990 --> 00:01:44,980
but one of the biggest tasks that you have

37
00:01:44,980 --> 00:01:46,260
in the Security Operations Center

38
00:01:46,260 --> 00:01:49,170
is to identify potential data loss

39
00:01:49,170 --> 00:01:51,650
from different traffic profiles

40
00:01:51,650 --> 00:01:53,200
and different traffic patterns.