WEBVTT 1 00:00:00.040 --> 00:00:03.520 Hey everyone, and welcome back for another deep dive. Today. 2 00:00:04.080 --> 00:00:06.080 We're going to be tackling a topic that you all 3 00:00:06.120 --> 00:00:12.000 flagged as super important, network security monitoring, and to guide us, 4 00:00:12.039 --> 00:00:14.320 we are going to be taking a deep dive into 5 00:00:14.599 --> 00:00:18.960 the book Network Security Monitoring by Chris Fry and Martin Eistrom. 6 00:00:19.039 --> 00:00:22.079 Oh A classic choice. Yeah, that book provides a great 7 00:00:22.079 --> 00:00:26.120 foundation for anyone who wants to understand this complex and 8 00:00:26.239 --> 00:00:27.399 always evolving field. 9 00:00:27.640 --> 00:00:30.800 Exactly. So, think of this deep dive as like us 10 00:00:31.000 --> 00:00:33.640 building a security monitoring fortress together. 11 00:00:33.799 --> 00:00:34.320 I like it. 12 00:00:34.600 --> 00:00:37.960 Brick by brick. We're going to explore why monitoring is 13 00:00:38.000 --> 00:00:40.640 so vital these days, how to pinpoint the critical areas 14 00:00:40.679 --> 00:00:42.920 you absolutely need to watch, and the best place is 15 00:00:42.920 --> 00:00:43.880 to gather that intel. 16 00:00:44.119 --> 00:00:45.960 Sounds good to me. Let's lay down that foundation. 17 00:00:46.079 --> 00:00:48.640 Okay, So, you know, we used to think anti virus 18 00:00:48.679 --> 00:00:51.759 software was like this impenetrable shield, right, but the book 19 00:00:51.799 --> 00:00:54.600 starts with this really chilling story and it just bursts 20 00:00:54.600 --> 00:00:58.240 that whole bubble. Remember that trojan horse disguised as a 21 00:00:58.320 --> 00:01:02.000 UPS tracking email over ninety percent Oh yeah, of anti 22 00:01:02.079 --> 00:01:04.560 virus programs just missed it completely. 23 00:01:04.760 --> 00:01:08.400 That's a good point. Yes, it's a stark reminder that 24 00:01:08.439 --> 00:01:11.840 the threat landscape has become something much more sophisticated. We 25 00:01:11.879 --> 00:01:16.359 are now up against organized cybercrime, and these attackers are 26 00:01:16.400 --> 00:01:17.400 constantly evolving. 27 00:01:17.560 --> 00:01:21.400 It's like they're always testing our defenses, you know, probing 28 00:01:21.439 --> 00:01:22.280 for weaknesses. 29 00:01:22.359 --> 00:01:23.680 Absolutely, and it's. 30 00:01:23.480 --> 00:01:25.599 Not even just the external threats that we have to 31 00:01:25.640 --> 00:01:26.920 worry about, right, No, oh, of course not. 32 00:01:27.959 --> 00:01:31.120 Insider threats can be just as devastating, whether they're intentional 33 00:01:31.239 --> 00:01:35.200 or accidental. Even small oversights by trusted employees can have 34 00:01:35.400 --> 00:01:37.000 huge security implications. 35 00:01:37.079 --> 00:01:41.599 Huge. So if our old methods are just crumbling around us, 36 00:01:42.000 --> 00:01:44.239 how do we build a more resilient defense? 37 00:01:44.439 --> 00:01:46.840 That's the question, isn't it. Yeah, Well, the book highlights 38 00:01:46.879 --> 00:01:49.719 a really powerful approach called policy based monitoring. 39 00:01:50.319 --> 00:01:51.840 Okay, can you break that down for us? 40 00:01:52.000 --> 00:01:54.519 Yeah? Have you ever noticed how after you spot one 41 00:01:54.560 --> 00:01:58.560 cockroach in your kitchen, don't remind me, you suddenly see 42 00:01:58.560 --> 00:02:01.200 them everywhere. You start to think that every little scurrying 43 00:02:01.239 --> 00:02:05.159 shadow is a threat. Policy based monitoring is all about 44 00:02:05.519 --> 00:02:10.000 setting clear security policies like blueprints for our fortress, and 45 00:02:10.039 --> 00:02:13.759 then focusing our attention on the activity that violates those policies. 46 00:02:14.000 --> 00:02:16.800 So instead of trying to swat at every fly. We're 47 00:02:16.840 --> 00:02:20.400 setting traps exactly for the specific pests that pose the 48 00:02:20.439 --> 00:02:21.199 greatest danger. 49 00:02:21.599 --> 00:02:23.639 That's a great way to put it. This approach is 50 00:02:23.680 --> 00:02:27.680 often contrasted with blacklist monitoring, where you try to block 51 00:02:28.039 --> 00:02:31.879 all known bad traffic. Okay, blacklisting can be effective for 52 00:02:31.960 --> 00:02:34.800 certain threats, but it's kind of like trying to stop 53 00:02:34.800 --> 00:02:37.280 a flood with a single sandbag. 54 00:02:36.960 --> 00:02:39.560 Right, because the bad guys are always finding new ways 55 00:02:39.639 --> 00:02:41.479 to seep through the cracks exactly. 56 00:02:41.560 --> 00:02:44.680 And that's where anomaly monitoring comes in, Okay, looking for 57 00:02:44.759 --> 00:02:48.080 deviations from the norm. Gotcha, you know, those unusual ripples 58 00:02:48.080 --> 00:02:50.759 in the network pond. But as you can imagine, this 59 00:02:50.800 --> 00:02:52.960 can sometimes lead to a lot of false alarms. 60 00:02:53.439 --> 00:02:54.319 I can see that. 61 00:02:54.319 --> 00:02:56.919 Like mistaking a harmless fish for a shark. 62 00:02:57.319 --> 00:02:57.599 Right. 63 00:02:57.680 --> 00:03:00.240 So finding the right balance between those different approach is 64 00:03:00.719 --> 00:03:03.319 key to building a robust monitoring system. 65 00:03:03.520 --> 00:03:06.360 So it seems like we need a strong understanding. 66 00:03:05.840 --> 00:03:07.639 Of our network, absolutely like a. 67 00:03:07.680 --> 00:03:09.759 Detailed map of our digital terrain. 68 00:03:10.240 --> 00:03:12.400 We call this creating a network taxonomy. 69 00:03:12.560 --> 00:03:15.560 Okay, network taxonomy. It sounds kind of intimidating. 70 00:03:15.560 --> 00:03:17.840 Oh it's not that bad. Think of it more like 71 00:03:17.879 --> 00:03:22.639 a blueprint classifying and documenting different areas of your network. Gotcha, 72 00:03:22.759 --> 00:03:25.000 So you might have a heavily codified data center, Yeah, 73 00:03:25.240 --> 00:03:28.560 a more exposed DMZ, a network for your partners and 74 00:03:28.639 --> 00:03:31.680 vendors and so on. Makes sense. Each area has its 75 00:03:31.719 --> 00:03:36.280 own level of risk and will require a tailored approach 76 00:03:36.319 --> 00:03:36.960 to monitoring. 77 00:03:37.159 --> 00:03:40.080 So we're not just building a single wall. We're constructing 78 00:03:40.199 --> 00:03:43.599 multiple layers of defense based on the sensitivity of the 79 00:03:43.599 --> 00:03:44.919 information and systems. 80 00:03:45.039 --> 00:03:48.639 Now you're getting it, and this map, this network taxonomy 81 00:03:48.919 --> 00:03:51.960 is going to help you prioritize your monitoring efforts. It's 82 00:03:51.960 --> 00:03:54.960 about focusing on the crown jewels of your network. Okay, 83 00:03:55.039 --> 00:03:57.039 the areas that would cause the most damage if they 84 00:03:57.039 --> 00:03:57.719 were compromised. 85 00:03:57.800 --> 00:03:59.719 That makes sense. So we've got the blueprints, we've got 86 00:03:59.759 --> 00:04:02.520 the app. How do we actually choose which systems and 87 00:04:02.639 --> 00:04:05.759 data are those crown jewels that need that extra vigilance. 88 00:04:06.080 --> 00:04:08.680 There are two key analyses that can really help us here, 89 00:04:09.400 --> 00:04:12.960 business impact analysis and revenue impact analysis. They help us 90 00:04:13.000 --> 00:04:16.399 identify the systems that are absolutely essential for keeping the 91 00:04:16.439 --> 00:04:17.879 lights on and the cash flowing. 92 00:04:18.319 --> 00:04:21.000 So if these systems go down, it's not just a 93 00:04:21.079 --> 00:04:24.759 minor inconvenience. Yeah, it's a potential disaster exactly. 94 00:04:25.399 --> 00:04:29.360 And we also need to consider any regulatory requirements. So 95 00:04:29.480 --> 00:04:33.519 systems that handle financial data might fall under SOX, and 96 00:04:33.560 --> 00:04:37.439 those with personal information may need to comply with GLBA. 97 00:04:37.560 --> 00:04:40.439 Failing to protect these systems could lead to some pretty 98 00:04:40.519 --> 00:04:43.040 hefty fines and reputational damage. 99 00:04:43.199 --> 00:04:45.879 It's like having extra layers of security for the vault 100 00:04:46.360 --> 00:04:48.720 where we keep the most valuable asset exactly. 101 00:04:48.759 --> 00:04:51.800 Remember the example of Blanco Wireless in the book. They 102 00:04:51.800 --> 00:04:56.120 prioritize monitoring the systems that store sensitive customer data because 103 00:04:56.120 --> 00:05:00.839 that information is both valuable to attackers and heavily regulated. 104 00:05:00.959 --> 00:05:04.199 So we've laid the groundwork, we've defined our policies, mapped 105 00:05:04.240 --> 00:05:07.560 our network, and identified our crown jewels. How do we 106 00:05:07.600 --> 00:05:10.399 actually go about monitoring these areas? Where do we get 107 00:05:10.399 --> 00:05:11.000 that intel? 108 00:05:11.240 --> 00:05:13.600 That's where event sources come in. Okay, think of them 109 00:05:13.600 --> 00:05:16.800 like our surveillance cameras, the systems and devices that generate 110 00:05:16.839 --> 00:05:20.720 logs and alerts, providing those crucial breadcrumbs of activity. 111 00:05:20.839 --> 00:05:22.879 Like the story in the book about that hacker who 112 00:05:22.879 --> 00:05:25.480 tried to cover his tracks by disabling the audit trail. 113 00:05:25.600 --> 00:05:28.600 Oh yeah, classic tactic. Yeah, But thankfully we have ways 114 00:05:28.600 --> 00:05:32.720 to outsmart them. These event sources provide the footprints, the 115 00:05:32.800 --> 00:05:36.319 digital fingerprints, okay, that help us reconstruct events and track 116 00:05:36.399 --> 00:05:37.959 down suspicious activity. 117 00:05:38.759 --> 00:05:41.560 So what are some of the most valuable event sources 118 00:05:41.600 --> 00:05:42.879 that we should be tapping into. 119 00:05:43.399 --> 00:05:48.199 Network intrusion detection systems or nids are essential, okay. They 120 00:05:48.199 --> 00:05:51.120 act is our first line of defense, analyzing network traffic 121 00:05:51.240 --> 00:05:52.560 for any suspicious patterns. 122 00:05:52.680 --> 00:05:55.519 So they're constantly scanning the perimeter looking for signs of. 123 00:05:55.519 --> 00:05:59.759 A breach exactly. But they're not perfect, okay. An IDs 124 00:05:59.800 --> 00:06:03.639 can be tricky to tune, and they often generate false positives, 125 00:06:04.079 --> 00:06:04.360 like a. 126 00:06:04.319 --> 00:06:06.279 Motion detector that's triggered by a gust. 127 00:06:06.120 --> 00:06:09.040 Of wind exactly. So it's not just about deploying the tools, 128 00:06:09.079 --> 00:06:12.759 it's about knowing how to calibrate them and interpret the signals. 129 00:06:12.800 --> 00:06:14.639 And beyond the NIDS, what else is there? 130 00:06:14.879 --> 00:06:19.040 We have system logs, especially from servers running Unix or Linux. 131 00:06:19.879 --> 00:06:24.279 These logs provide a detailed record of user activity, log 132 00:06:24.319 --> 00:06:27.040 in attempts, file changes, and more. 133 00:06:27.279 --> 00:06:29.800 So we can see who's entering which rooms in our 134 00:06:29.800 --> 00:06:32.240 digital fortress and what they're doing there exactly. 135 00:06:32.560 --> 00:06:36.319 Windows servers can also be configured to provide valuable security 136 00:06:36.360 --> 00:06:40.759 logs and database logs can be incredibly revealing as well. 137 00:06:40.839 --> 00:06:44.079 How So, they can show us who access specific data, 138 00:06:44.560 --> 00:06:47.279 which is essential for detecting any potential breaches. 139 00:06:47.399 --> 00:06:49.319 So it's like having a separate set of logs for 140 00:06:49.360 --> 00:06:52.680 the vault, precise tracking who's handling the crown jewels. 141 00:06:53.240 --> 00:06:56.759 And then we have network devices like riders and firewalls. 142 00:06:56.920 --> 00:06:59.839 They give us a broader view of traffic patterns, showing 143 00:07:00.120 --> 00:07:02.920 the paths attackers might take to reach our most sensitive areas. 144 00:07:03.000 --> 00:07:06.160 So we're not just watching the doors, we're also monitoring 145 00:07:06.160 --> 00:07:08.480 the roads leading to our fortress exactly. 146 00:07:09.079 --> 00:07:12.680 But it's important to choose our event sources strategically. Trying 147 00:07:12.680 --> 00:07:14.879 to monitor everything is like trying to drink from a 148 00:07:14.920 --> 00:07:15.480 fire hose. 149 00:07:15.639 --> 00:07:16.360 You'll just drown. 150 00:07:16.480 --> 00:07:19.560 You'll drown in data and you'll miss those crucial signals. 151 00:07:19.800 --> 00:07:22.879 So we need to prioritize focusing on the sources that 152 00:07:22.920 --> 00:07:26.920 provide the most relevant information for our specific needs. 153 00:07:27.040 --> 00:07:31.000 Absolutely, it's all about finding the right balance between coverage 154 00:07:31.000 --> 00:07:34.279 and clarity. Now that we know what to monitor, let's 155 00:07:34.399 --> 00:07:36.720 talk about how to make sure that the data we 156 00:07:36.800 --> 00:07:38.319 receive is reliable. 157 00:07:38.639 --> 00:07:42.439 Right, we wouldn't want our surveillance cameras to be malfunctioning. 158 00:07:42.600 --> 00:07:44.240 Exactly. We'll delve into that next. 159 00:07:44.560 --> 00:07:47.759 It's like having this state of the art security system. Yeah, 160 00:07:47.800 --> 00:07:50.920 but the cameras are glitching and the motion detectors are faulty, 161 00:07:50.959 --> 00:07:52.600 we're not really getting the full picture. 162 00:07:52.920 --> 00:07:55.240 That's a great point. So how do we make sure 163 00:07:55.240 --> 00:07:59.079 our event feeds are reliable and our monitoring systems are 164 00:07:59.120 --> 00:08:03.160 running smoothly. What's all about maintenance and vigilance, okay, you know, 165 00:08:03.240 --> 00:08:06.600 ensuring that our fortress walls are always strong. One crucial 166 00:08:06.600 --> 00:08:10.959 step is establishing those clear service level agreements or slas, 167 00:08:11.240 --> 00:08:14.319 right with the teams that are responsible for maintaining those 168 00:08:14.360 --> 00:08:16.279 systems that feed us our data. 169 00:08:16.360 --> 00:08:20.800 So it's about having clear lines of communication and accountability, absolutely, 170 00:08:20.879 --> 00:08:23.160 making sure everyone's on the same page when it comes 171 00:08:23.199 --> 00:08:25.360 to keeping that data flowing exactly. 172 00:08:25.600 --> 00:08:28.319 Yeah, and we can't forget about monitoring the monitors. 173 00:08:28.480 --> 00:08:29.160 Oh right. 174 00:08:29.360 --> 00:08:32.720 It's like having a backup generator for our security system, okay, 175 00:08:32.840 --> 00:08:35.919 you know, making sure everything stays operational even if there's 176 00:08:35.960 --> 00:08:36.759 a power adage. 177 00:08:36.799 --> 00:08:39.960 The book mentions tools like naggios for this. It's like 178 00:08:39.960 --> 00:08:42.639 giving our security system its own health checkup. 179 00:08:42.759 --> 00:08:48.240 Christly, we can monitor CPU usage, memory, consumption, disc space, 180 00:08:49.080 --> 00:08:51.639 all those vital signs that tell us if our monitoring 181 00:08:51.639 --> 00:08:53.279 systems are working at peak performance. 182 00:08:53.480 --> 00:08:56.039 And there are other tools out there as well, of course. 183 00:08:56.360 --> 00:08:58.519 Each with its own strengths and weaknesses. 184 00:08:58.799 --> 00:09:02.960 So it's about finding the fit exact for your specific environment. 185 00:09:03.279 --> 00:09:06.039 That's a great way to put it. And speaking of 186 00:09:06.279 --> 00:09:11.080 real world applications, the book provides some fascinating case studies 187 00:09:11.600 --> 00:09:14.000 that really illustrate how all of this comes together. 188 00:09:14.159 --> 00:09:17.519 Yeah, those stories really bring the concepts to life, I agree, 189 00:09:17.600 --> 00:09:21.720 showing us those potential pitfalls in the triumphs of security 190 00:09:21.720 --> 00:09:22.559 monitoring and action. 191 00:09:22.879 --> 00:09:25.320 Absolutely. One that really sticks out to me is the 192 00:09:25.360 --> 00:09:28.360 story of Ryan and and Sullia Networks. They were piloting 193 00:09:28.559 --> 00:09:32.720 a new technology with a kind of risky setup, a 194 00:09:32.759 --> 00:09:38.960 proxy server connecting to their VoIP infrastructure over the public Internet, 195 00:09:39.799 --> 00:09:44.200 and Ryan was tasked with monitoring this, but they hadn't 196 00:09:44.279 --> 00:09:47.039 established those clear security policies beforehand. 197 00:09:47.159 --> 00:09:51.720 So even though his team was diligently monitoring event sources, 198 00:09:51.879 --> 00:09:54.360 yes they were essentially flying blind. 199 00:09:54.600 --> 00:09:57.519 They had all this data pouring in, but they didn't 200 00:09:57.559 --> 00:09:58.159 know what to look for. 201 00:09:58.159 --> 00:10:01.240 It's like having a security camera point at the wrong area. 202 00:10:01.519 --> 00:10:02.080 Exactly. 203 00:10:02.159 --> 00:10:04.759 You might capture a crime happening in the background, but 204 00:10:04.799 --> 00:10:06.200 you're going to miss the main event. 205 00:10:06.200 --> 00:10:10.080 And as a result, they weren't able to effectively mitigate 206 00:10:10.200 --> 00:10:11.320 those potential. 207 00:10:10.960 --> 00:10:14.279 Risks during the pilot. That highlights just how crucial it 208 00:10:14.360 --> 00:10:17.240 is to define those policies up front. Absolutely like creating 209 00:10:17.279 --> 00:10:19.480 a security checklist for our monitoring team. 210 00:10:19.559 --> 00:10:21.799 We need to know what normal looks like right before 211 00:10:21.840 --> 00:10:23.240 we can identify abnormal. 212 00:10:23.360 --> 00:10:26.759 Okay. Another case study that I found really insightful was 213 00:10:26.879 --> 00:10:30.960 Pam's experience at Special Electric. They had granted direct Internet 214 00:10:31.039 --> 00:10:35.080 access to an extra net partner, which, as you can imagine, 215 00:10:35.200 --> 00:10:37.159 is a little bit like leaving a side door to 216 00:10:37.200 --> 00:10:38.440 your fortress wide open. 217 00:10:38.600 --> 00:10:40.919 It is a little risky, and as Pam was. 218 00:10:40.879 --> 00:10:45.159 Monitoring that extrat environment, she started noticing some red flags 219 00:10:45.840 --> 00:10:49.200 like what things like peer to peer file sharing and 220 00:10:49.960 --> 00:10:52.679 traffic obfuscation using tor. 221 00:10:53.879 --> 00:10:56.440 Those are definitely signs that something's amiss, right. 222 00:10:56.519 --> 00:10:59.559 It's like seeing footprints leading into your fortress, but no 223 00:10:59.639 --> 00:11:02.399 record of anyone entering through the main gate. That does 224 00:11:02.480 --> 00:11:04.559 make you wonder, suggests that the partner might be up 225 00:11:04.600 --> 00:11:07.159 to no good, putting Special Electrics network at risk. 226 00:11:07.399 --> 00:11:11.320 This underscores the importance of not just monitoring your own network, right, 227 00:11:11.639 --> 00:11:14.159 but also the activities of your partners and vendors. 228 00:11:14.279 --> 00:11:16.080 Yeah, it's all interconnected these days. 229 00:11:16.159 --> 00:11:19.559 It is. It's like having security patrols not just inside 230 00:11:19.559 --> 00:11:23.559 your fortress, but also monitoring the surrounding areas for potential threats. 231 00:11:23.600 --> 00:11:26.679 Okay. Then there's Michael's work at Donata Okay, where he 232 00:11:26.720 --> 00:11:27.919 faced a different challenge. 233 00:11:27.960 --> 00:11:28.559 Oh what was that? 234 00:11:28.759 --> 00:11:31.440 A lack of network documentation. So it's like trying to 235 00:11:31.480 --> 00:11:34.720 defend a fortress without a map. Yeah, not knowing where 236 00:11:34.759 --> 00:11:37.519 the weak points are or how to navigate the defenses. 237 00:11:37.679 --> 00:11:39.080 You're just shooting in the dark. 238 00:11:39.000 --> 00:11:43.000 Exactly when it came to prioritizing and responding to those 239 00:11:43.039 --> 00:11:47.799 security events. But Michael, he took the initiative to actually 240 00:11:47.879 --> 00:11:52.320 document Danada's network. Good for him, creating a detailed map 241 00:11:52.360 --> 00:11:54.600 of all their subnets and systems. 242 00:11:54.320 --> 00:11:57.600 So he finally gave them the blueprints they needed. 243 00:11:57.360 --> 00:11:59.200 To effectively defend their fortress. 244 00:11:59.320 --> 00:12:02.240 And once they had that network context, they were able 245 00:12:02.279 --> 00:12:06.960 to fine tune their monitoring and improve their incident response significantly. 246 00:12:07.320 --> 00:12:09.759 It's a testament to the importance of knowing your terrain. 247 00:12:09.960 --> 00:12:13.519 It really is Another interesting example is Helen's work at 248 00:12:13.519 --> 00:12:17.200 Cisco Okay. She was bombarded with false positives from their 249 00:12:17.279 --> 00:12:20.960 NIDS because the alerts lacked network context. 250 00:12:21.159 --> 00:12:23.679 Imagine a motion detector going off every time a leaf 251 00:12:23.720 --> 00:12:26.559 blows by. Oh yeah, you'd quickly start ignoring it. 252 00:12:26.679 --> 00:12:29.799 You'd become desensitized to the alarms and miss the real threats. 253 00:12:29.799 --> 00:12:31.039 So what does she do? Well? 254 00:12:31.039 --> 00:12:33.919 Helen spearheaded a project to add that network context to 255 00:12:33.960 --> 00:12:38.159 those alerts. She integrated their NIDS with their IP address 256 00:12:38.200 --> 00:12:42.320 management system, which gave them a much clearer picture of 257 00:12:42.360 --> 00:12:43.159 what was happening. 258 00:12:43.360 --> 00:12:45.879 So now they could see not just that there was movement, 259 00:12:46.320 --> 00:12:48.720 but who or what was moving and where they were 260 00:12:48.720 --> 00:12:50.279 coming from precisely. 261 00:12:51.000 --> 00:12:54.720 And that dramatically reduced the number of false positives, which 262 00:12:54.759 --> 00:12:57.440 allowed them to focus on the alerts that truly mattered. 263 00:12:57.720 --> 00:12:59.600 It's like filtering out the noise so you can hear 264 00:12:59.600 --> 00:13:01.559 the whisper of an intruder exactly. 265 00:13:02.200 --> 00:13:05.879 These case studies really drive home the point that security 266 00:13:06.000 --> 00:13:10.879 monitoring is a dynamic process, one that requires constant adaptation 267 00:13:10.919 --> 00:13:11.519 and refinement. 268 00:13:11.519 --> 00:13:13.000 That's a set it and forget it solution. 269 00:13:13.200 --> 00:13:18.039 It's an ongoing cycle of planning, implementation, monitoring, analysis. 270 00:13:17.679 --> 00:13:21.000 And improvement and speaking of real world examples, the book 271 00:13:21.000 --> 00:13:24.840 also highlights some organizations that are doing security monitoring exceptionally well. 272 00:13:24.960 --> 00:13:29.120 They are, and one is kpnsert okay, the Computer Emergency 273 00:13:29.120 --> 00:13:33.320 Response Team for KPN, a Dutch telecommunications company. They face 274 00:13:33.399 --> 00:13:37.159 unique challenges because they need to comply with both Dutch 275 00:13:37.279 --> 00:13:42.200 and European Union laws which can limit certain types of monitoring. 276 00:13:41.759 --> 00:13:43.879 So they have to be extra creative and strategic in 277 00:13:43.879 --> 00:13:45.159 their approach exactly. 278 00:13:45.879 --> 00:13:49.480 But they've managed to build a robust security monitoring program 279 00:13:49.879 --> 00:13:53.399 that leverages a variety of event sources like what including 280 00:13:53.480 --> 00:13:57.519 an IDs, NetFlow and system logs. And they also place 281 00:13:57.600 --> 00:14:00.919 a strong emphasis on proactive red hunting. 282 00:14:01.440 --> 00:14:04.080 So it's not just about manning the walls, it's about 283 00:14:04.120 --> 00:14:08.799 sending out reconnaissance patrols to identify potential threats before they 284 00:14:08.840 --> 00:14:10.080 even reach the fortress. 285 00:14:10.200 --> 00:14:14.039 Another great example is Northrop Grummin Global Aerospace and Defense 286 00:14:14.080 --> 00:14:15.039 Technology Company. 287 00:14:15.240 --> 00:14:17.519 Given the sensitive nature of their work, they have a 288 00:14:17.559 --> 00:14:19.480 single dashboard that shows them the big. 289 00:14:19.320 --> 00:14:24.000 Picture exactly, and they go beyond simply reacting to events. 290 00:14:24.639 --> 00:14:29.559 They actually use the data to drive those proactive security improvements. 291 00:14:29.639 --> 00:14:31.039 Can you give you an example. 292 00:14:30.840 --> 00:14:34.399 Yeah, So they analyze trends in those security events to 293 00:14:34.559 --> 00:14:40.080 identify potential weaknesses in their systems and then prioritize patch deployments. 294 00:14:40.799 --> 00:14:44.279 So they're not just patching holes, they're reinforcing the weakest 295 00:14:44.320 --> 00:14:46.360 points in their fortress walls. 296 00:14:46.200 --> 00:14:49.679 Based on real time intelligence. And they don't stop there. 297 00:14:50.440 --> 00:14:53.840 They use the data to inform their risk assessments and 298 00:14:53.879 --> 00:14:57.120 develop that targeted security awareness training for their employees. 299 00:14:57.639 --> 00:15:00.559 So it's about building a culture of security, yes, from 300 00:15:00.600 --> 00:15:01.360 the ground up. 301 00:15:01.600 --> 00:15:04.639 These examples really show how security monitoring can be much 302 00:15:04.639 --> 00:15:07.080 more than just a defensive measure. It can be a 303 00:15:07.120 --> 00:15:10.919 powerful tool for driving continuous improvement and strengthening your overall 304 00:15:10.960 --> 00:15:11.919 security posture. 305 00:15:12.080 --> 00:15:16.080 It's like turning data into those actionable insights, exactly, transforming 306 00:15:16.120 --> 00:15:19.360 that raw information into a shield that protects your organization 307 00:15:19.440 --> 00:15:22.799 from harm. It's like having a crystal ball that shows 308 00:15:22.879 --> 00:15:25.720 us not just what's happening, but also what might happen 309 00:15:25.759 --> 00:15:29.440 in the future, Yeah, allowing us to anticipate and mitigate 310 00:15:29.480 --> 00:15:31.679 those threats before they even strike. 311 00:15:32.440 --> 00:15:34.559 And the best part is you don't need a massive 312 00:15:34.600 --> 00:15:38.720 budget or a huge team of security experts to get started. 313 00:15:39.320 --> 00:15:43.000 The book emphasizes that even small steps can make a 314 00:15:43.200 --> 00:15:44.000 big difference. 315 00:15:44.120 --> 00:15:48.120 So it's about building that security monitoring fortress, one brick 316 00:15:48.240 --> 00:15:48.879 at a time. 317 00:15:49.360 --> 00:15:53.559 Absolutely, start by defining some basic security policies, even if 318 00:15:53.559 --> 00:15:57.240 they're just a few pages long. Identify your most critical assets, 319 00:15:57.360 --> 00:16:00.759 those crown jewels you absolutely can't afford to lose, and 320 00:16:00.759 --> 00:16:04.399 then select a few key event sources to monitor, focusing 321 00:16:04.440 --> 00:16:06.159 on the areas where you're most vulnerable. 322 00:16:06.480 --> 00:16:10.519 So prioritize, focus on the most impactful actions rather than 323 00:16:10.559 --> 00:16:11.799 trying to do everything at once. 324 00:16:11.919 --> 00:16:13.879 And don't be afraid to seek out help and guidance 325 00:16:13.879 --> 00:16:17.080 from experts. Yeah, there are tons of resources available, like 326 00:16:17.120 --> 00:16:19.600 what you Know, books like the one we've been discussing, 327 00:16:20.200 --> 00:16:22.320 online forums, security conferences. 328 00:16:22.559 --> 00:16:26.200 It's like having a security consultant on call exactly ready 329 00:16:26.200 --> 00:16:28.519 to answer your questions and guide you through the process. 330 00:16:28.840 --> 00:16:30.840 And don't underestimate the power of community. 331 00:16:30.919 --> 00:16:32.120 Oh right, you know. 332 00:16:32.200 --> 00:16:36.039 Connect with other security professionals. Yeah, share your experiences and 333 00:16:36.200 --> 00:16:38.879 learn from their mistakes and their successes. 334 00:16:38.960 --> 00:16:42.080 It's like having this network of allies all working together 335 00:16:42.399 --> 00:16:44.919 to strengthen their defenses against a common enemy. 336 00:16:45.399 --> 00:16:47.759 So as we wrap up this deep dive, okay, I'd 337 00:16:47.799 --> 00:16:49.840 like to leave our listener with this thought, hit me 338 00:16:49.879 --> 00:16:52.360 with it. You've now had a glimpse into the world 339 00:16:52.440 --> 00:16:56.519 of network security monitoring. You've learned about the essential elements, 340 00:16:57.000 --> 00:17:00.559 the strategies, the tools. Now the question is how will 341 00:17:00.600 --> 00:17:04.880 you apply this knowledge to your own organization. What are 342 00:17:04.920 --> 00:17:08.039 some of the unique challenges you might face, and how 343 00:17:08.039 --> 00:17:09.240 will you overcome them? 344 00:17:09.680 --> 00:17:13.359 That is a fantastic question for listeners to ponder. It 345 00:17:13.400 --> 00:17:16.559 is it's like we've given them the building blocks for 346 00:17:16.640 --> 00:17:19.839 their security monitoring fortress, and now it's up to them 347 00:17:20.000 --> 00:17:23.160 to assemble those blocks into a structure that meets their 348 00:17:23.200 --> 00:17:24.119 specific needs. 349 00:17:24.200 --> 00:17:27.039 Security is not a destination, it's a journey. It's an 350 00:17:27.079 --> 00:17:31.519 ongoing process, yes, of learning, adapting, and evolving to stay 351 00:17:31.559 --> 00:17:33.000 one step ahead of the attackers. 352 00:17:33.160 --> 00:17:35.559 Well said, thanks for joining me on this deep dive. 353 00:17:35.720 --> 00:17:38.960 Of course, it's been a fascinating exploration of a really 354 00:17:38.960 --> 00:17:42.240 critical topic has and to our listener, we hope this 355 00:17:42.319 --> 00:17:45.640 deep dive has given you a solid foundation in network 356 00:17:45.680 --> 00:17:51.000 security monitoring. Keep learning, keep experimenting, and keep building those defenses.