WEBVTT 1 00:00:00.040 --> 00:00:03.439 Welcome back. Everyone, ready to dive into some serious network security. 2 00:00:03.600 --> 00:00:04.879 Absolutely, let's get practical. 3 00:00:05.440 --> 00:00:09.080 Today's deep dive is all about intrusion analysis, and we're 4 00:00:09.160 --> 00:00:13.599 using practical intrusion analysis by doctor Stevenol as our guide. 5 00:00:13.679 --> 00:00:17.280 Great choice. Doctor Nol really gets into the nitty gritty before. 6 00:00:17.000 --> 00:00:19.239 We get to the fund stuff, the intrusions. We need 7 00:00:19.280 --> 00:00:21.199 to make sure everyone's on the same page about how 8 00:00:21.239 --> 00:00:22.800 networks work. The fundamentals. 9 00:00:22.879 --> 00:00:25.879 Yeah, the foundation. I think the most crucial network fundamental 10 00:00:26.000 --> 00:00:30.239 is understanding how data actually travels across networks. Think about 11 00:00:30.239 --> 00:00:33.200 it like this, Okay, I'm listening. Imagine each little piece 12 00:00:33.240 --> 00:00:36.920 of data is like a digital envelope, right, Each packet 13 00:00:37.280 --> 00:00:39.679 needs a clear address to get where it needs to go, like. 14 00:00:39.679 --> 00:00:42.840 A digital postal service. So that's where IP addressing comes in. 15 00:00:43.000 --> 00:00:47.000 Exactly. Each device has its own unique address, either IPv 16 00:00:47.159 --> 00:00:48.640 four or that newer. 17 00:00:48.399 --> 00:00:50.359 IPv six ray I've heard of those. 18 00:00:50.560 --> 00:00:53.679 And then these IP addresses are all structured and organized 19 00:00:53.960 --> 00:00:57.320 through subnetting. Subnetting, Yeah, think of it like dividing a 20 00:00:57.399 --> 00:01:01.119 city into neighborhoods makes things easier to manage in more secure. 21 00:01:01.399 --> 00:01:04.560 Makes sense, But how do we actually see this data 22 00:01:04.560 --> 00:01:05.359 moving around. 23 00:01:05.599 --> 00:01:08.719 We use tools called packet sniffers. They're like little windows 24 00:01:08.760 --> 00:01:10.480 into the network traffic, so. 25 00:01:10.400 --> 00:01:13.519 We can peek inside those digital envelopes exactly. 26 00:01:13.719 --> 00:01:16.319 But we can't just plug in anywhere. We need to 27 00:01:16.400 --> 00:01:18.840 use special techniques to access those packets. 28 00:01:18.879 --> 00:01:20.239 What kind of techniques, Well. 29 00:01:20.120 --> 00:01:23.239 There's SPAN and tappeece. Span is kind of like making 30 00:01:23.280 --> 00:01:26.519 a copy of the data stream, and tapps are like 31 00:01:26.560 --> 00:01:28.400 a dedicated connection to that traffic. 32 00:01:28.640 --> 00:01:33.280 So SPAN copies tfps connect directly. Got it. I see 33 00:01:33.319 --> 00:01:37.760 how knowing this is crucial for intrusion analysis onto the intrusions. 34 00:01:37.959 --> 00:01:41.680 Intrusion detection systems or idss are the next step. They 35 00:01:41.680 --> 00:01:45.000 are always on the lookout for anything suspicious on your network, like. 36 00:01:44.959 --> 00:01:47.760 Two hundred and forty seven security guards, but for our 37 00:01:47.879 --> 00:01:48.840 data exactly. 38 00:01:48.920 --> 00:01:52.040 And there are two main types of idss, signature based 39 00:01:52.040 --> 00:01:52.879 and anomaly based. 40 00:01:53.000 --> 00:01:53.640 That's the difference. 41 00:01:53.640 --> 00:01:57.120 Signature based IDs are like fingerprint scanners. They compare the 42 00:01:57.159 --> 00:02:01.280 network traffic against a huge database of known attacks. 43 00:02:00.680 --> 00:02:02.120 Looking for those telltale signs. 44 00:02:02.439 --> 00:02:06.560 Yeah, and then anomaly based IDs are more like behavioral analysts. 45 00:02:06.640 --> 00:02:09.639 They look for anything that deviates from normal network activity. 46 00:02:09.759 --> 00:02:11.960 So if something is acting out of character, they notice 47 00:02:12.000 --> 00:02:12.639 it right. 48 00:02:12.840 --> 00:02:16.439 It's super useful for detecting brand new attacks, ones we've 49 00:02:16.479 --> 00:02:17.319 never seen before. 50 00:02:17.560 --> 00:02:21.000 That's amazing. But attackers are always trying to stay one 51 00:02:21.000 --> 00:02:21.960 step ahead, aren't they. 52 00:02:22.080 --> 00:02:24.719 They are, and they have all sorts of tricky techniques 53 00:02:24.759 --> 00:02:28.080 to evade detection by those idss like what Well. One 54 00:02:28.080 --> 00:02:34.319 clever tactic is TCP stream reassembly manipulation TCP bracedown data 55 00:02:34.639 --> 00:02:36.599 into smaller segments for transmission. 56 00:02:36.719 --> 00:02:36.879 OK. 57 00:02:37.080 --> 00:02:39.560 Attackers can mess with those segments, making it hard for 58 00:02:39.599 --> 00:02:42.240 the IDs to put the pieces back together and see 59 00:02:42.240 --> 00:02:43.120 what's really going on. 60 00:02:43.280 --> 00:02:45.439 Tricky, So how do we deal with that? 61 00:02:45.439 --> 00:02:48.120 That's where target based ressembly comes in. It tries to 62 00:02:48.159 --> 00:02:51.639 reconstruct the network traffic as seen by the target system itself, 63 00:02:52.159 --> 00:02:54.319 even with all the attackers' manipulation. 64 00:02:54.080 --> 00:02:56.039 Like solving a puzzle, but you can still see the 65 00:02:56.039 --> 00:02:57.800 picture on the box exactly. 66 00:02:57.960 --> 00:02:59.919 It helps us see the true nature of the attack. 67 00:03:00.199 --> 00:03:03.319 So are there any ideas that use this target based reassembly? 68 00:03:03.599 --> 00:03:06.280 Oh? Yeah, Snort and bro are two great examples. They 69 00:03:06.280 --> 00:03:07.360 are both open source too. 70 00:03:07.639 --> 00:03:10.560 I think I've heard of snort. It's signature based, right 71 00:03:10.680 --> 00:03:11.000 it is. 72 00:03:11.240 --> 00:03:13.919 Snort is super flexible and it is a huge rule 73 00:03:13.960 --> 00:03:16.719 set that can be customized to fit your specific needs. 74 00:03:16.960 --> 00:03:20.680 Wow, a customizable security card. So how do you write 75 00:03:20.719 --> 00:03:22.159 these Snort signatures? 76 00:03:22.400 --> 00:03:24.840 Well, there are a few different techniques. One is called 77 00:03:25.000 --> 00:03:28.240 unique string matching, where you look for a really specific 78 00:03:28.280 --> 00:03:30.039 pattern in the network traffic. 79 00:03:29.960 --> 00:03:31.719 So like a secret phrase exactly. 80 00:03:31.960 --> 00:03:36.080 Another technique is know the vulnerability. The signature focuses on 81 00:03:36.120 --> 00:03:39.039 the exact conditions that allow a certain exploit to work. 82 00:03:39.560 --> 00:03:41.400 You have to know how the attacker does it to 83 00:03:41.400 --> 00:03:41.800 write it. 84 00:03:41.879 --> 00:03:44.560 I see. So it's about understanding the attackers' methods and 85 00:03:44.599 --> 00:03:46.159 then targeting those weaknesses. 86 00:03:46.240 --> 00:03:48.840 You got it. And Snort even has a special feature 87 00:03:48.840 --> 00:03:51.400 called flow bits to track the state of a session, 88 00:03:51.479 --> 00:03:53.879 so you can get really granular with your detection. 89 00:03:54.199 --> 00:03:57.080 Pretty neat. So what about BRO? What's its specialty? 90 00:03:57.520 --> 00:04:01.400 Bro is anomaly based. Instead of just looking for patterns, 91 00:04:01.639 --> 00:04:04.719 it tries to understand the bigger picture of network behavior. 92 00:04:04.879 --> 00:04:07.400 So it's more like a detective piecing together clues. 93 00:04:07.680 --> 00:04:11.479 Yeah, more like Schrolock Holmes. Plus it has amazing scripting capabilities. 94 00:04:11.919 --> 00:04:14.599 You can set it up to take specific actions based 95 00:04:14.639 --> 00:04:15.479 on certain events. 96 00:04:15.639 --> 00:04:19.240 So Bro is the detective and Snore is the security guard. 97 00:04:19.480 --> 00:04:22.600 I like that, but to really fight back. We need 98 00:04:22.639 --> 00:04:25.759 to understand how these attackers find their targets. 99 00:04:25.839 --> 00:04:26.920 Let's get into their heads. 100 00:04:27.079 --> 00:04:31.040 Knowing the vulnerability life cycle is key. Every vulnerability goes 101 00:04:31.079 --> 00:04:35.199 through a whole process, you know, from discovery to disclosure 102 00:04:35.720 --> 00:04:38.480 and then will attackers start creating exploits. 103 00:04:38.639 --> 00:04:41.480 So it's a race against time to fix those vulnerabilities 104 00:04:41.519 --> 00:04:43.040 before the bad guys exploit them. 105 00:04:43.199 --> 00:04:46.040 Exactly. It's like a constant cat and mouse game. Doctor 106 00:04:46.079 --> 00:04:48.360 Noel has a really good example of the book. He 107 00:04:48.439 --> 00:04:51.839 walks us through a vulnerability in a file download application. 108 00:04:51.959 --> 00:04:55.120 What's the application, It's called flashcat. He uses tools like 109 00:04:55.199 --> 00:04:58.399 TCP dump and wire shark to break down the exploit. 110 00:04:58.759 --> 00:05:00.759 They're like digital Mega to find glasses. 111 00:05:00.839 --> 00:05:01.360 I like that. 112 00:05:01.399 --> 00:05:03.600 What happens He shows you how to create a snort 113 00:05:03.680 --> 00:05:07.360 signature that could actually catch this specific attack. And it's 114 00:05:07.360 --> 00:05:10.879 not just about detecting it, it's about understanding exactly how 115 00:05:10.920 --> 00:05:12.319 the vulnerability works. 116 00:05:12.160 --> 00:05:13.519 To create a targeted defense. 117 00:05:13.680 --> 00:05:16.040 You got it. And this brings us to a huge 118 00:05:16.079 --> 00:05:21.199 part of network security these days, Web application firewalls were WEFs. 119 00:05:21.360 --> 00:05:23.959 Oh yeah, doubles. I've been wanting to learn more about 120 00:05:23.959 --> 00:05:25.680 those Web applications are. 121 00:05:25.600 --> 00:05:29.079 Everywhere they are and weefs are like having security guards 122 00:05:29.079 --> 00:05:32.319 specifically for your web applications. They filter out all that 123 00:05:32.399 --> 00:05:33.639 malicious traffic. 124 00:05:33.360 --> 00:05:36.000 So they protect those vulnerabilities and web apps that we 125 00:05:36.079 --> 00:05:36.959 hear so much about. 126 00:05:37.120 --> 00:05:39.519 Exactly. You know about the oas top ten right. 127 00:05:39.519 --> 00:05:41.560 Yeah, the top ten web app vulnerability. 128 00:05:41.560 --> 00:05:45.079 Oh right, cross site scripting, squel injection, file injection, all 129 00:05:45.120 --> 00:05:47.879 those nasty things WEFs help protect against them. 130 00:05:48.000 --> 00:05:50.319 Makes sense, But why can't regular ideas do that. 131 00:05:50.639 --> 00:05:54.160 They are designed to understand web application protocols and traffic 132 00:05:54.199 --> 00:05:55.279 the same way WEFs are. 133 00:05:55.480 --> 00:05:58.160 Ah, they need that specialized knowledge exactly. 134 00:05:58.519 --> 00:06:01.480 WEFs can actually look at the age TTP requests and 135 00:06:01.519 --> 00:06:05.959 responses and spot suspicious patterns or known attack signatures. 136 00:06:05.480 --> 00:06:07.079 And then block them, right yep. 137 00:06:07.439 --> 00:06:10.920 They can also enforce different security policies. There's the positive 138 00:06:10.920 --> 00:06:14.160 security model, which only allows known good. 139 00:06:13.959 --> 00:06:16.680 Traffic, so only the good guys get in, exactly. 140 00:06:16.839 --> 00:06:20.759 Yeah. Then there's the negative security model, blocking known bad traffic. 141 00:06:21.360 --> 00:06:24.240 And there's even a learning mode where the wife observes 142 00:06:24.279 --> 00:06:27.800 normal behavior and learns to flag anything unusual. 143 00:06:27.439 --> 00:06:29.000 So it learns what normal looks like. 144 00:06:29.160 --> 00:06:31.560 Exactly, a lot of people use mod security. It's a 145 00:06:31.600 --> 00:06:34.199 pretty popular open source whaff waves. 146 00:06:33.920 --> 00:06:36.759 Are really interesting, so much to learn. But web aaps 147 00:06:36.759 --> 00:06:38.800 aren't the only thing we need to worry about, right, Nope. 148 00:06:38.839 --> 00:06:41.360 Wireless networks have their own set of challenges. They can 149 00:06:41.439 --> 00:06:42.519 be way more vulnerable. 150 00:06:42.680 --> 00:06:45.519 I can see that no wires to tap into exactly. 151 00:06:46.120 --> 00:06:49.759 That's where wireless intrusion detection and prevention solutions come in. 152 00:06:50.279 --> 00:06:52.120 Wireless idsps, so. 153 00:06:52.199 --> 00:06:55.040 Like a special security system just for wireless nets. 154 00:06:55.120 --> 00:06:57.800 We've got it. There are two main types, access point 155 00:06:57.839 --> 00:06:59.360 based and dedicated sensors. 156 00:06:59.399 --> 00:07:00.000 That's a difference. 157 00:07:00.199 --> 00:07:04.600 Access Point based solutions monitor traffic from the access points perspective. 158 00:07:05.399 --> 00:07:09.519 Dedicated sensors passively listen for wireless activity like little spies. 159 00:07:09.639 --> 00:07:12.560 Sounds sneaky. So what kind of wireless threats are out 160 00:07:12.560 --> 00:07:13.959 there or what should we watch out for? 161 00:07:14.199 --> 00:07:16.920 Rogue access points are a big one. Someone could set 162 00:07:17.000 --> 00:07:19.160 up a fake access point to trick people into. 163 00:07:18.959 --> 00:07:20.839 Connecting and then steal their data. 164 00:07:21.240 --> 00:07:25.759 You got it. Then there's reconnaissance and cracking tools. Attackers 165 00:07:25.839 --> 00:07:28.439 use them to gather information about your network and try 166 00:07:28.439 --> 00:07:29.319 to break your encryption. 167 00:07:29.480 --> 00:07:31.079 And then there's man in the middle attacks. 168 00:07:32.120 --> 00:07:37.319 You know it. Someone secretly positions themselves between two devices 169 00:07:37.519 --> 00:07:41.360 to intercept and potentially manipulate the communication. 170 00:07:41.000 --> 00:07:44.279 So it's like they're eavesdropping and changing the messages exactly. 171 00:07:44.800 --> 00:07:48.759 But there are ways to fight back. Hike isolation techniques 172 00:07:48.800 --> 00:07:53.480 can restrict access for unauthorized devices, and location detection methods 173 00:07:53.519 --> 00:07:56.399 can use signal strength to pinpoint where threats are coming 174 00:07:56.399 --> 00:07:56.920 from so. 175 00:07:56.839 --> 00:07:58.079 We can find them and stop them. 176 00:07:58.279 --> 00:08:00.560 You got it. It's all about being proactive. 177 00:08:00.920 --> 00:08:03.879 So I've talked about digital security, but what about physical security? 178 00:08:03.959 --> 00:08:05.120 That old school stuff. 179 00:08:05.360 --> 00:08:08.000 Ah, great point, It's easy to overlook, but it's still 180 00:08:08.040 --> 00:08:11.319 so important. And you know what, physical and cybersecurity are 181 00:08:11.399 --> 00:08:14.360 kind of blending together these days. How So, take physical 182 00:08:14.399 --> 00:08:18.600 access control systems or paycs. They use things like RFID, 183 00:08:18.879 --> 00:08:22.360 smart cards, and IP enabled video surveillance to control who 184 00:08:22.439 --> 00:08:24.319 can physically access certain areas. 185 00:08:24.560 --> 00:08:26.720 So it's not just about locks and keys anymore. 186 00:08:27.000 --> 00:08:30.639 Nope, we're using technology to manage access in both the 187 00:08:30.639 --> 00:08:32.240 physical and digital worlds. 188 00:08:32.399 --> 00:08:33.279 That's really interesting. 189 00:08:33.360 --> 00:08:36.519 Imagine someone tries to get into a secure area using 190 00:08:36.519 --> 00:08:40.519 a stolen ID card. An integrated system could instantly trigger 191 00:08:40.559 --> 00:08:42.720 an alert in the network security system. 192 00:08:42.799 --> 00:08:45.080 The security guards could stop them right away. 193 00:08:45.120 --> 00:08:48.360 Exactly. Physical and digital security working together. 194 00:08:48.440 --> 00:08:49.919 It's like a security dream team. 195 00:08:50.320 --> 00:08:51.919 Okay, I think I'm started to see how those two 196 00:08:51.960 --> 00:08:52.759 worlds are blurring. 197 00:08:53.039 --> 00:08:55.279 They are. And there's one more area I want to 198 00:08:55.279 --> 00:08:59.679 talk about. One I find really fascinating. Geographic intrusion detection 199 00:09:00.120 --> 00:09:00.799 or GID. 200 00:09:01.279 --> 00:09:03.679 Okay, GID, I don't think I've heard of that before. 201 00:09:03.799 --> 00:09:09.200 The ID takes geographic information systems or GIS and combines 202 00:09:09.240 --> 00:09:12.120 it with security data, so now we can understand and 203 00:09:12.240 --> 00:09:14.639 track attacks geographically, so like. 204 00:09:14.600 --> 00:09:16.799 We can actually see where the attacks are coming from 205 00:09:16.840 --> 00:09:17.840 on a map exactly. 206 00:09:17.879 --> 00:09:19.639 It gives you a whole new perspective. It's like having 207 00:09:19.679 --> 00:09:22.120 a bird's eye view of the digital battlefield. 208 00:09:22.120 --> 00:09:24.799 I love that analogy. Okay, tell me more about GID. 209 00:09:25.120 --> 00:09:28.799 Well, there's this key concept in GID called the cornerstone theory. 210 00:09:29.159 --> 00:09:33.799 Cornerstone theory, it's the idea that attackers leave geographic footprints. 211 00:09:34.200 --> 00:09:36.960 You can track their scanning and attack patterns, and it 212 00:09:37.000 --> 00:09:39.440 all ties back to certain locations. 213 00:09:38.879 --> 00:09:41.559 So like a trail of digital breadcrumbs, but on a 214 00:09:41.600 --> 00:09:42.679 map exactly. 215 00:09:43.039 --> 00:09:46.240 And we use the different geolocation techniques to track those attackers. 216 00:09:46.360 --> 00:09:47.200 Okay, Like what. 217 00:09:47.440 --> 00:09:51.639 There are IP based geolocation databases that try to connect 218 00:09:51.639 --> 00:09:57.240 IP addresses to physical locations. Then there are DNSLC records 219 00:09:57.440 --> 00:10:01.200 which try to add location information to the dome name system. 220 00:10:01.000 --> 00:10:02.919 So we know where those domains are based. 221 00:10:03.000 --> 00:10:05.720 Yeah. And then there's trace root analysis. We can map 222 00:10:05.759 --> 00:10:07.840 out the path of data packets as they hop across 223 00:10:07.840 --> 00:10:09.840 the network, and that can often lead us back to 224 00:10:09.919 --> 00:10:10.720 a physical. 225 00:10:10.399 --> 00:10:13.120 Location, so it's like following the data trail exactly. 226 00:10:13.480 --> 00:10:17.360 And finally there's multilateration. It uses network latency to estimate 227 00:10:17.399 --> 00:10:19.440 an attacker's geographic location. 228 00:10:19.279 --> 00:10:21.039 So we're using the speed of the Internet to track 229 00:10:21.080 --> 00:10:21.519 them down. 230 00:10:21.559 --> 00:10:24.320 Pretty much. It's all very sophisticated. 231 00:10:23.519 --> 00:10:27.279 Stuff I can imagine, but if you can master these techniques, 232 00:10:27.519 --> 00:10:29.919 they can be incredibly powerful tools. 233 00:10:30.240 --> 00:10:33.279 They can. Doctor Noel has a really interesting case study 234 00:10:33.320 --> 00:10:36.360 in the book. He shows how GID can be used 235 00:10:36.360 --> 00:10:40.440 to uncover a really complex attack, one that traditional security 236 00:10:40.480 --> 00:10:41.919 tools might have completely missed. 237 00:10:42.159 --> 00:10:44.559 That's incredible. So it's like having a secret weapon. 238 00:10:45.360 --> 00:10:47.960 It can be, yeah, but like any weapon, you need 239 00:10:48.000 --> 00:10:49.399 to know how to use it right. 240 00:10:49.600 --> 00:10:52.200 Knowledge is power. Well, I think we've covered a ton 241 00:10:52.240 --> 00:10:54.399 of ground in this first part of our deep dive. 242 00:10:54.559 --> 00:11:00.279 We have networking fundamentals, intrusion detection, web application firewalls, even 243 00:11:00.360 --> 00:11:01.960 geographic intrusion detection. 244 00:11:02.120 --> 00:11:04.039 The world of network security is. 245 00:11:04.120 --> 00:11:07.080 Vast, it is and it's always changing, but I think 246 00:11:07.120 --> 00:11:09.679 we gave our listeners a good overview of the basics. 247 00:11:10.080 --> 00:11:12.879 You know, sometimes I think we security folks get so 248 00:11:12.960 --> 00:11:15.240 focused on all the technical stuff that we forget something 249 00:11:15.279 --> 00:11:18.799 really important. That's a communicating our findings, Like we understand 250 00:11:18.840 --> 00:11:22.759 all these complex concepts. Yeah, but explaining it to someone 251 00:11:22.799 --> 00:11:24.519 who's not a security expert, well. 252 00:11:25.120 --> 00:11:28.320 Yeah, that can be tough, especially when you're dealing with 253 00:11:29.360 --> 00:11:31.759 mountains of data and technical jargon. 254 00:11:32.080 --> 00:11:34.879 Right. That's why I love data visualization. It's like taking 255 00:11:34.919 --> 00:11:37.320 all those messy logs and security events and turning them 256 00:11:37.360 --> 00:11:39.039 into something anyone can understand. 257 00:11:39.240 --> 00:11:41.879 So instead of staring at spreadsheets, we can actually see 258 00:11:41.919 --> 00:11:44.559 what's happening, spot patterns, trends, things like that. 259 00:11:44.679 --> 00:11:47.519 Exactly. It's like having a map that guides you through 260 00:11:47.639 --> 00:11:51.159 a complex landscape. You can see the big picture and 261 00:11:51.200 --> 00:11:53.200 also zoom in on specific details. 262 00:11:53.240 --> 00:11:56.720 Okay, I like that analogy. So what kinds of visualizations 263 00:11:56.759 --> 00:12:00.840 are particularly helpful in the security world, Well, it. 264 00:12:00.799 --> 00:12:03.200 Really depends on the data and what we're trying to show. 265 00:12:03.279 --> 00:12:08.159 Line charts are great for showing trends over time, like 266 00:12:08.200 --> 00:12:09.399 how many attacks you've seen. 267 00:12:09.200 --> 00:12:10.879 In the past month, right, easy to see if things 268 00:12:10.919 --> 00:12:12.600 are getting better or worse exactly. 269 00:12:12.960 --> 00:12:16.320 And bar charts are really good for comparing different things, 270 00:12:16.360 --> 00:12:17.519 like different types of attacks. 271 00:12:17.559 --> 00:12:20.279 Okay, so different charts for different purposes. What if you 272 00:12:20.279 --> 00:12:22.600 want to see the relationship between two things. 273 00:12:22.559 --> 00:12:25.840 Scatterplots are perfect for that. They can show you if 274 00:12:25.879 --> 00:12:29.200 there's a correlation, like if a certain type of attack 275 00:12:29.320 --> 00:12:31.480 is more common on certain days of the week. And 276 00:12:31.519 --> 00:12:34.799 then you have heat maps. They're amazing for visualizing things 277 00:12:34.879 --> 00:12:35.960 like density or. 278 00:12:36.039 --> 00:12:38.759 Distribution, so we could see where the attacks are concentrated, 279 00:12:38.799 --> 00:12:40.600 like a heat map of the network exactly. 280 00:12:40.679 --> 00:12:42.480 It helps you quickly identify the hotspots. 281 00:12:42.720 --> 00:12:46.639 So many cool visualizations. Are there any tools or frameworks 282 00:12:46.639 --> 00:12:49.080 that are particularly helpful for creating these? 283 00:12:49.159 --> 00:12:54.480 Yeah? Tons, there's SVIs, this Secure Visual Information system. It's 284 00:12:54.559 --> 00:12:57.440 great for visualizing security data in a way that's easy 285 00:12:57.440 --> 00:12:58.120 to understand. 286 00:12:58.200 --> 00:12:58.679 What else? 287 00:12:58.879 --> 00:13:02.279 Vizmet developed Etri is another good one. It's really good 288 00:13:02.279 --> 00:13:05.080 for visualizing network traffic in real time. 289 00:13:05.000 --> 00:13:05.519 Real time. 290 00:13:05.720 --> 00:13:08.519 Yeah, and then there's Splunk, which is probably the most popular. 291 00:13:08.559 --> 00:13:11.159 It can handle huge amounts of data from all sorts 292 00:13:11.200 --> 00:13:11.720 of sources. 293 00:13:11.840 --> 00:13:14.360 I've heard a splunk. So many great options, but I'm 294 00:13:14.360 --> 00:13:18.080 curious how would we use these visualizations in a real 295 00:13:18.120 --> 00:13:19.039 world scenario. 296 00:13:19.399 --> 00:13:22.240 Let's say you're doing a security audit for a big company. 297 00:13:22.720 --> 00:13:26.200 You've got tons of data from firewalls, intrusion detection systems, 298 00:13:26.559 --> 00:13:28.559 vulnerability scans, everything. 299 00:13:28.240 --> 00:13:29.799 Mountains of data. 300 00:13:29.399 --> 00:13:32.399 Exactly, and you have to present your findings to a 301 00:13:32.399 --> 00:13:36.039 bunch of people, some technical, some not trying to explain 302 00:13:36.080 --> 00:13:37.799 it all with words and spreadsheets. 303 00:13:38.360 --> 00:13:40.039 YEI yeah, that would be a nightmare. 304 00:13:40.480 --> 00:13:43.960 But with data visualization, it's a whole different story. You 305 00:13:44.000 --> 00:13:48.240 can create these compelling visuals that show the company's security 306 00:13:48.279 --> 00:13:50.559 posture in a way that everyone can understand. 307 00:13:50.799 --> 00:13:53.120 So you're not just giving them data, You're telling them 308 00:13:53.159 --> 00:13:54.600 a story exactly. 309 00:13:55.240 --> 00:13:56.879 You could use a heat map to show them where 310 00:13:56.879 --> 00:14:00.360 the most suspicious activity is happening on their network. You 311 00:14:00.399 --> 00:14:04.240 could use bar charts to compare their security to industry standards. 312 00:14:04.519 --> 00:14:07.159 Ah, so they can see where they need to improve. 313 00:14:07.279 --> 00:14:10.039 You got it. It's way more effective than just giving 314 00:14:10.080 --> 00:14:13.840 them a dry technical report. Plus it makes it easier 315 00:14:13.840 --> 00:14:16.159 to get buy in for security improvements, right. 316 00:14:16.000 --> 00:14:17.240 Because they can actually see. 317 00:14:17.080 --> 00:14:20.720 The risks exactly. Speaking of which, let's talk about the 318 00:14:20.720 --> 00:14:21.799 business side of security. 319 00:14:21.919 --> 00:14:24.679 Oh yeah, the money. How do we justify investing in 320 00:14:24.720 --> 00:14:25.840 all the security stuff? 321 00:14:26.000 --> 00:14:28.960 That's a great question. In today's world, you have to 322 00:14:29.000 --> 00:14:32.320 show the value of every investment. Security is no different. 323 00:14:32.480 --> 00:14:33.440 So how do we do that? 324 00:14:33.799 --> 00:14:36.440 Well, first, we need to understand the cost of a 325 00:14:36.480 --> 00:14:39.639 security breach, and there's more to a thing you might think, 326 00:14:39.879 --> 00:14:44.000 like what. There are the direct costs, of course, things 327 00:14:44.039 --> 00:14:47.879 like losing data, having to recover your systems, legal fees, 328 00:14:48.240 --> 00:14:51.639 and maybe even findes if you didn't follow regulations. 329 00:14:51.799 --> 00:14:53.320 That adds up quickly, it does. 330 00:14:53.639 --> 00:14:56.759 But then there are the indirect costs. Those are harder 331 00:14:56.759 --> 00:14:58.960 to measure but can be just as bad. Give me 332 00:14:59.000 --> 00:15:03.080 an exampletation. Think about what happens when a company has 333 00:15:03.120 --> 00:15:06.320 a big data breach. People lose trust, they might not 334 00:15:06.360 --> 00:15:07.639 want to do business with you anymore. 335 00:15:07.720 --> 00:15:10.200 Right, You lose customers and maybe even potential investors. 336 00:15:10.279 --> 00:15:13.440 Exactly so, the cost of a breach goes way beyond 337 00:15:13.559 --> 00:15:16.120 just the immediate financial hit. You have to factor in 338 00:15:16.159 --> 00:15:18.879 the long term impact on your brand and your relationship 339 00:15:18.879 --> 00:15:19.519 with customers. 340 00:15:19.600 --> 00:15:21.679 It's about the big picture, it is, and. 341 00:15:21.559 --> 00:15:23.759 That's why it's so important to make a strong business 342 00:15:23.759 --> 00:15:26.720 case for security. Investments. We need to move away from 343 00:15:26.759 --> 00:15:29.559 the fear tactics and focus on the data. Show them 344 00:15:29.559 --> 00:15:30.000 the numbers. 345 00:15:30.039 --> 00:15:32.320 Okay, so how do we present a good business case? 346 00:15:32.480 --> 00:15:34.559 Well, there are a few financial tools we can use. 347 00:15:34.840 --> 00:15:36.159 ROI is a common. 348 00:15:35.840 --> 00:15:38.399 One, Return on investment. I've heard of that one. 349 00:15:38.600 --> 00:15:42.919 It's about measuring how profitable an investment is. And then 350 00:15:42.960 --> 00:15:47.080 there's net present value or MPV, which takes into account 351 00:15:47.159 --> 00:15:48.279 the time value of money. 352 00:15:48.360 --> 00:15:50.240 Okay, I'm following. What else? 353 00:15:50.519 --> 00:15:53.320 And then there's the internal rate of return or IRR. 354 00:15:53.960 --> 00:15:56.919 It calculates how profitable an investment is over time. 355 00:15:56.919 --> 00:15:59.759 So it can show them how investing in security will 356 00:15:59.799 --> 00:16:01.840 pay off in the long run exactly. 357 00:16:02.159 --> 00:16:04.639 And as we see more and more cyber attacks, there's 358 00:16:04.639 --> 00:16:08.879 another tool that's becoming really important. Cyber liability insurance. 359 00:16:09.399 --> 00:16:11.679 Cyber liability insurance, what's that. 360 00:16:11.799 --> 00:16:14.440 It's like a safety net for businesses. Yeah, if you 361 00:16:14.440 --> 00:16:17.120 get hit with a cyber attack, this insurance can help 362 00:16:17.159 --> 00:16:21.240 cover the costs things like those legal fees we talked about, 363 00:16:21.519 --> 00:16:25.360 notification expenses, credit monitoring for your customers, maybe even some 364 00:16:25.399 --> 00:16:26.159 of those fines. 365 00:16:26.240 --> 00:16:28.440 So it helps you recover financially from an attack. 366 00:16:28.559 --> 00:16:31.559 You got it. It's becoming a must have for any 367 00:16:31.600 --> 00:16:33.240 business that's serious about security. 368 00:16:33.320 --> 00:16:35.960 This whole discussion about the business side of security has 369 00:16:36.000 --> 00:16:37.039 been really eye opening. 370 00:16:37.120 --> 00:16:39.519 I'm glad to hear that it's not just about the technology, 371 00:16:39.559 --> 00:16:40.879 it's about the business impact. 372 00:16:41.039 --> 00:16:43.919 And I see how data visualization can really help bridge 373 00:16:43.960 --> 00:16:46.600 that gap between the technical folks and the business folks, 374 00:16:46.799 --> 00:16:50.120 help everyone understand the risks and the opportunities exactly. 375 00:16:50.480 --> 00:16:53.279 When you can visualize the data, it becomes a lot 376 00:16:53.320 --> 00:16:55.159 more real and a lot easier to grasp. 377 00:16:55.240 --> 00:16:57.240 Well, I think we've covered a lot of ground in 378 00:16:57.320 --> 00:17:01.840 the second part of our deep dive datuation the financial 379 00:17:01.879 --> 00:17:06.079 side of security, cyberliability, insurance, it's all connected. 380 00:17:06.240 --> 00:17:09.480 It is. Doctor Noel really makes you think about security 381 00:17:09.480 --> 00:17:10.519 from a different perspective. 382 00:17:10.599 --> 00:17:13.799 It does security is an investment, not just an expense. 383 00:17:14.279 --> 00:17:16.440 But let's take a break for now and absorb all 384 00:17:16.480 --> 00:17:19.240 this information. We'll be back soon to wrap up our 385 00:17:19.279 --> 00:17:25.279 deep dive into practical intrusion analysis. Welcome back. So we've 386 00:17:25.319 --> 00:17:28.240 talked about all these great tools and techniques, but how 387 00:17:28.279 --> 00:17:30.480 do we actually put all of this into practice. How 388 00:17:30.519 --> 00:17:32.559 do we create a solid security plan? 389 00:17:32.640 --> 00:17:35.039 Well, that's where security standards and frameworks come in. Think 390 00:17:35.079 --> 00:17:37.440 of them like blueprints for building a secure network. 391 00:17:37.480 --> 00:17:38.519 Blueprints okay, yeah. 392 00:17:38.519 --> 00:17:41.480 They give you a structured approach, a roadmap for implementing 393 00:17:41.519 --> 00:17:44.160 all the security measures. One of the most well known 394 00:17:44.279 --> 00:17:47.519 is the ISO twenty seven zero zero one two seven 395 00:17:47.680 --> 00:17:50.200 zero zero series. It covers a ton of. 396 00:17:50.200 --> 00:17:53.400 Ground, so it's like a comprehensive guide to information security. 397 00:17:53.480 --> 00:17:56.880 You got it. And then there are industry specific frameworks 398 00:17:57.359 --> 00:18:01.400 like the PCIDSS, the Payment Card into Street Data Security Standards. 399 00:18:01.400 --> 00:18:04.559 Oh yeah, pci DSS, I've heard of that one. It's 400 00:18:04.599 --> 00:18:06.720 all about protecting credit card data, right. 401 00:18:06.640 --> 00:18:09.480