[Instructor] There are many, many security monitoring tools, right? So this includes traditional and next-generation intrusion detection and prevention systems, anomaly detection to look for frequent, large or lengthy network sessions, and many more, right? In the security operations center you actually have to combine these types of tools and also use threat intelligence recorder. So combine the telemetry information gathered from IPS, firewall, server logs and everything, but correlate them with threat intelligence, right? And threat intelligence is used for event research and analysis, right? So this threat intelligence can be imported into alerting tools to add detection and fidelity, right? Also deploy malware analysis tools to detect and block malware and zero-day exploits, right? As you learned in lesson 10, you can deploy full packet capture to see everything that is happening in your network. However, this requires large amounts of storage space but can be very useful for forensics, right?
You can deploy things like NetFlow, Bro, Tshark and other tools to actually obtain packet metadata instead of full packet capture. And this is actually done since it doesn't require as much storage space as full packet captures, of course. Cisco offers a managed security service where customers outsource their security operations center activities to Cisco. The service is actually called Active Threat Analytics, or ATA. I'm including the high-level overview of the architecture of that service so you can actually get an idea of the tools involved in the security operations center, right? And what are the tools that actually, at least some of the tools that Cisco uses for that service and in the security operations centers that they have around the world, right? Cisco created an open source big data security and analytics framework called OpenSOC, or the Open Security Operations Center. It was actually designed to consume and monitor network traffic from their customers, right? And specifically in large environments, right? Because it's very scalable. Now OpenSOC then evolved into Apache Metron.
And Apache Metron is a framework that allows you to consume, process and analyze telemetry for many, many different vendors and different products, right? I'm including a link to Metron's website and their GitHub repository here for your reference.
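Added example, not from the course and not Cisco's or Metron's code: a first-cut detector for the "frequent, large or lengthy network sessions" the instructor mentions, run over constructed NetFlow-style flow records. It assumes a simple mean plus k standard deviations baseline for bytes and duration, and a repeat count per (source, destination, port) for beacon-like frequent sessions; `k` and `min_count` are assumed tunables.

```python
"""Flag frequent, large or lengthy sessions in NetFlow-style flow metadata.

Added example (not course material): a mean + k*stdev baseline over per-flow
bytes and duration, plus a repeat-count check per (src, dst, port) tuple.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flow records: (src, dst, dst_port, bytes, duration_s).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 12_000, 3.0),
    ("10.0.0.5", "203.0.113.10", 443, 9_500, 2.5),
    ("10.0.0.7", "198.51.100.20", 443, 15_000, 4.0),
    ("10.0.0.8", "203.0.113.10", 443, 11_000, 3.2),
    ("10.0.0.9", "198.51.100.22", 22, 2_000, 1.0),
    ("10.0.0.9", "198.51.100.22", 22, 2_300, 1.2),
    # one two-hour, 900 MB session: both large and lengthy
    ("10.0.0.7", "192.0.2.44", 443, 900_000_000, 7200.0),
] + [("10.0.0.12", "192.0.2.99", 8443, 500, 0.5)] * 8  # beacon-like repeats


def zscore_cut(values, k=3.0):
    """Upper cut-off for a mean + k*stdev baseline (k is an assumed tunable)."""
    sd = pstdev(values)
    return mean(values) + k * sd if sd > 0 else float("inf")


def find_anomalous_sessions(flows, k=3.0, min_count=5):
    """Return {(src, dst, port): set(reasons)} for sessions worth an analyst's look."""
    byte_cut = zscore_cut([f[3] for f in flows], k)
    dur_cut = zscore_cut([f[4] for f in flows], k)
    repeats = Counter((src, dst, port) for src, dst, port, _, _ in flows)
    findings = {}
    for src, dst, port, nbytes, dur in flows:
        key = (src, dst, port)
        if nbytes > byte_cut:
            findings.setdefault(key, set()).add("large")
        if dur > dur_cut:
            findings.setdefault(key, set()).add("lengthy")
        if repeats[key] >= min_count:
            findings.setdefault(key, set()).add("frequent")
    return findings


if __name__ == "__main__":
    for key, reasons in find_anomalous_sessions(FLOWS).items():
        print(key, sorted(reasons))
```

A flat baseline like this masks well once several big sessions sit in the window, so in practice the cut-offs are computed per destination port or per host role over a longer history.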