1
00:00:00,520 --> 00:00:07,750
To be able to quickly investigate security events, it is important to know where to start. With so many

2
00:00:07,750 --> 00:00:11,960
source technologies that can be used to obtain event data,

3
00:00:11,980 --> 00:00:14,650
it can be overwhelming.

4
00:00:14,650 --> 00:00:21,940
In this video we are going to break down which source technologies should be used for each event type.

5
00:00:23,740 --> 00:00:31,270
Anomaly detection can be one of the most difficult events to detect. Dramatic changes in network behaviors

6
00:00:31,570 --> 00:00:34,770
need to be correlated to confirm these events.

7
00:00:35,780 --> 00:00:41,710
NetFlow data is a perfect feed of the type of information needed to accomplish this.

8
00:00:41,720 --> 00:00:48,950
For example, if NetFlow data is used to monitor data usage to a web server, then you'd be able to identify

9
00:00:48,950 --> 00:00:51,410
spikes in traffic to the server.

10
00:00:51,950 --> 00:00:59,680
If HTTP traffic between the internal network and the web server is at an average of 50 megabits per second,

11
00:00:59,840 --> 00:01:04,910
but then one day shows that it's hitting 200 megabits per second, then that NetFlow data could

12
00:01:04,910 --> 00:01:07,870
trigger an anomaly detection event.

13
00:01:09,140 --> 00:01:17,010
Intrusion events, as you probably guessed, are detected by IDS and IPS devices. Any packets traversing

14
00:01:17,010 --> 00:01:26,330
the network that match intrusion signatures will be visible in the IDS or IPS event logs. Firewall

15
00:01:26,330 --> 00:01:34,670
events such as denial of service attacks, SYN floods, and port scans can be discovered from firewall logs.

16
00:01:36,750 --> 00:01:44,930
Network application control, also referred to as AVC, can detect malicious applications. Proxy logs can

17
00:01:44,930 --> 00:01:54,740
be used for identifying malicious website activity. And finally, anti-virus can be used to detect suspicious

18
00:01:54,740 --> 00:01:56,520
program activity.
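The NetFlow example in the narration (a web server averaging 50 Mbps of HTTP traffic that one day hits 200 Mbps) worked through as an added example; this is not code from the video or its author. It assumes flow records have already been exported and parsed into simple objects, a fixed 60-second window, a hypothetical web server address of 10.0.0.80, and a "3x the running baseline" threshold; the sample flows are constructed to reproduce the 50 Mbps / 200 Mbps scenario.

```python
"""NetFlow-style throughput anomaly check (added example, not from the video).

Assumptions not stated in the transcript:
- flow records are already parsed into Flow objects (start time, src, dst, dst port, bytes)
- a fixed 60-second window and a 3x-over-baseline alert threshold
- 10.0.0.80 is a hypothetical internal web server address
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

WEB_SERVER = "10.0.0.80"      # hypothetical internal web server
WINDOW_SECONDS = 60
SPIKE_FACTOR = 3.0            # alert when a window exceeds 3x the running baseline
MIN_BASELINE_WINDOWS = 3      # need a few quiet windows before judging a new one


@dataclass(frozen=True)
class Flow:
    start: int          # flow start, seconds since epoch (constructed values below)
    src: str
    dst: str
    dst_port: int
    byte_count: int


def mbps_per_window(flows, server=WEB_SERVER, port=80, window=WINDOW_SECONDS):
    """Sum bytes of HTTP flows toward the server per window and convert to Mbps."""
    per_window = defaultdict(int)
    for f in flows:
        if f.dst == server and f.dst_port == port:
            per_window[f.start // window * window] += f.byte_count
    return {w: b * 8 / (window * 1_000_000) for w, b in sorted(per_window.items())}


def detect_spikes(rates, factor=SPIKE_FACTOR, min_windows=MIN_BASELINE_WINDOWS):
    """Compare each window against the mean of the windows seen before it.

    Returns (window_start, rate_mbps, baseline_mbps) for every window that
    exceeds factor * baseline once enough history has been collected.
    """
    alerts = []
    history = []
    for window, rate in rates.items():
        if len(history) >= min_windows:
            baseline = mean(history)
            if baseline > 0 and rate > factor * baseline:
                alerts.append((window, round(rate, 1), round(baseline, 1)))
        history.append(rate)
    return alerts


def mbps_to_bytes(mbps, window=WINDOW_SECONDS):
    """Helper for building constructed flows: bytes needed to sustain mbps for one window."""
    return int(mbps * 1_000_000 * window / 8)


# Constructed sample: four quiet minutes around 50 Mbps, then one minute at 200 Mbps.
# The HTTPS and mail-server flows are there to show the host/port filter at work.
SAMPLE_FLOWS = [
    Flow(0,   "10.0.1.5", WEB_SERVER,  80,  mbps_to_bytes(48)),
    Flow(60,  "10.0.1.6", WEB_SERVER,  80,  mbps_to_bytes(52)),
    Flow(120, "10.0.1.7", WEB_SERVER,  80,  mbps_to_bytes(50)),
    Flow(180, "10.0.1.8", WEB_SERVER,  80,  mbps_to_bytes(50)),
    Flow(240, "10.0.1.9", WEB_SERVER,  80,  mbps_to_bytes(200)),
    Flow(240, "10.0.1.9", WEB_SERVER,  443, mbps_to_bytes(30)),   # HTTPS, excluded by port filter
    Flow(240, "10.0.1.9", "10.0.0.25", 25,  mbps_to_bytes(500)),  # mail server, excluded by host filter
]


def run(flows=SAMPLE_FLOWS):
    """Full pipeline: aggregate flows into per-window rates, then flag spikes."""
    return detect_spikes(mbps_per_window(flows))


if __name__ == "__main__":
    for window, rate, baseline in run():
        print(f"window starting t={window}s: {rate} Mbps vs baseline {baseline} Mbps -> anomaly")
```

The baseline here is a plain mean of earlier windows, which is enough to show the idea; a production detector would use a longer history (same hour on previous days, for instance) so that normal daily peaks do not trip the threshold, and would correlate the spike with other sources before raising an incident, as the narration says.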