[00:00:06] - [Instructor] It is important that you have a way to interpret common data values into a universal format, and that you actually have a good data model within your organization. So you may ask, so what is actually a data model, right? So what are you talking about? A data model is actually a hierarchical structure mapping of semantic knowledge about one or more datasets. By having a good data model for all your security event data, it will actually allow you to build an assortment of specialized and also very fast queries of those datasets, right? That's why it's actually important for you to have a good data model.

[00:00:48] Now, in order for you to be able to create an effective data model, you have to first understand the sources of the security event data in your infrastructure. Here, I'm actually showing a security information and event management system, or SIEM, that is actually retrieving data from different sources, including IPS devices, firewalls, NetFlow generation devices, servers, endpoints, and syslog from infrastructure devices as well.

[00:01:20] Depending on how the event data is actually structured from those sources and how different fields within that data are actually extracted, related, and organized, that's how it can actually affect your data model architecture, right? And now, the good news is also that there are actually tools, such as Splunk and many others, that already accept data from well-known security devices and other sources. And this tool allows you to actually arrange that data to have and also get additional fields that allow you to actually do complex and simple searches and field extractions and lookups within your organization.

[00:02:11] Now there's also a problem within the industry on the different ways security tools and humans refer to security events, incidents, and related information. This is why specifications like the Vocabulary for Event Recording and Incident Sharing, otherwise known as VERIS, actually have been created, right? So, here I'm actually showing the VERIS website. VERIS was actually originally created by folks from Verizon and other organizations. And actually it is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner, right? The overall goal of VERIS is actually to lay a foundation on which we can constructively and cooperatively learn from our experiences to actually better manage risk.