WEBVTT

0:00:03.860000 --> 0:00:07.040000
 Hello everyone and welcome to this video.


0:00:07.040000 --> 0:00:11.940000
 In this video we are going to be taking
 a look at the difference between

0:00:11.940000 --> 0:00:15.000000
 incident detection and incident response.


0:00:15.000000 --> 0:00:17.640000
 Now again, why is this important?

0:00:17.640000 --> 0:00:22.820000
 The reason this is important is because
 these two terms, not that they

0:00:22.820000 --> 0:00:29.000000
 are used interchangeably, they may be
 misconstrued as the same thing in

0:00:29.000000 --> 0:00:30.620000
 terms of what they entail.

0:00:30.620000 --> 0:00:37.160000
 So if you work in a SOC or in the event
 you end up working in a SOC, either

0:00:37.160000 --> 0:00:42.100000
 as a SOC analyst or an incident responder,
 you need to understand the

0:00:42.100000 --> 0:00:48.920000
 difference between incident detection
 and the activities that fall within

0:00:48.920000 --> 0:00:54.260000
 that remit, as well as incident response.
 By this point you should know

0:00:54.260000 --> 0:00:57.420000
 a little bit about what incident
 response entails.

0:00:57.420000 --> 0:01:03.640000
 So the idea is going to be to really
 focus on incident detection and sort

0:01:03.640000 --> 0:01:08.160000
 of let that juxtapose itself against
 incident response so that you can

0:01:08.160000 --> 0:01:10.500000
 see the differences between the two.

0:01:10.500000 --> 0:01:14.580000
 Now, obviously as their name suggests,
 the differences between the two

0:01:14.580000 --> 0:01:18.720000
 and what they entail should be fairly
 obvious but I think it's important

0:01:18.720000 --> 0:01:20.700000
 to go through formally at least.

0:01:20.700000 --> 0:01:26.300000
 So, incident detection and incident response.
 In security operations, incident

0:01:26.300000 --> 0:01:31.040000
 detection and incident response are critical
 phases of the incident management

0:01:31.040000 --> 0:01:35.140000
 lifecycle. Now, while both are essential
 for protecting organizational

0:01:35.140000 --> 0:01:40.980000
 assets, they serve distinct purposes
 but are interconnected in ensuring

0:01:40.980000 --> 0:01:43.380000
 an effective security posture.

0:01:43.380000 --> 0:01:46.720000
 So that begs the question,
 what is incident detection?

0:01:46.720000 --> 0:01:51.580000
 Incident detection is the process of
 identifying and recognizing potential

0:01:51.580000 --> 0:01:56.900000
 security incidents by analyzing logs,
 monitoring alerts and detecting

0:01:56.900000 --> 0:02:00.260000
 anomalies that indicate
 malicious activity.

0:02:00.260000 --> 0:02:04.780000
 So it essentially involves the use of
 automated security tools, continuous

0:02:04.780000 --> 0:02:09.360000
 monitoring and proactive threat hunting
 to detect unauthorized or suspicious

0:02:09.360000 --> 0:02:15.160000
 behaviors before they escalate
 or are escalated as it were.

0:02:15.160000 --> 0:02:19.680000
 So what are the key components or activities
 that you typically find in

0:02:19.680000 --> 0:02:20.960000
 incident detection?

0:02:20.960000 --> 0:02:25.920000
 So you have a log collection and aggregation,
 real-time monitoring, threat

0:02:25.920000 --> 0:02:30.520000
 intelligence integration, correlation
 and alerting, as well as a certain

0:02:30.520000 --> 0:02:31.800000
 amount of threat hunting.

0:02:31.800000 --> 0:02:36.280000
 So in the case of log collection and
 aggregation, this involves collecting

0:02:36.280000 --> 0:02:40.280000
 logs from systems, endpoints, network
 devices and applications or any

0:02:40.280000 --> 0:02:46.600000
 other system or application or endpoint
 that you actually require or are

0:02:46.600000 --> 0:02:48.260000
 required to monitor.

0:02:48.260000 --> 0:02:50.220000
 You then have real-time monitoring.

0:02:50.220000 --> 0:02:55.740000
 So this is where you utilize the SIEM
 to detect anomalies or suspicious

0:02:55.740000 --> 0:03:01.480000
 activity. You also monitor the firewall,
 IDS, IPS, EDR and cloud security

0:03:01.480000 --> 0:03:08.220000
 solutions for any potentially
 malicious activity.

0:03:08.220000 --> 0:03:10.720000
 You then have threat intelligence
 integration.

0:03:10.720000 --> 0:03:15.280000
 So you enrich data with IOCs, which are
 indicators of compromise in order

0:03:15.280000 --> 0:03:17.360000
 to detect known threats.

0:03:17.360000 --> 0:03:19.420000
 You then have correlation and alerting.

0:03:19.420000 --> 0:03:24.000000
 So you use the SIEM and EDR tools to
 correlate events and generate alerts

0:03:24.000000 --> 0:03:27.420000
 for suspicious behavior or activity.

0:03:27.420000 --> 0:03:28.980000
 You then have threat hunting.

0:03:28.980000 --> 0:03:32.400000
 So this involves proactively searching
 for advanced persistent threats

0:03:32.400000 --> 0:03:38.060000
 or APTs, as they are abbreviated, that
 evade standard security controls.

0:03:38.060000 --> 0:03:41.840000
 So that brings us to the incident
 detection responsibility matrix.

0:03:41.840000 --> 0:03:45.100000
 So you sort of have an idea as to what
 incident detection is all about,

0:03:45.100000 --> 0:03:48.340000
 given that we've just covered
 that in the previous slide.

0:03:48.340000 --> 0:03:51.480000
 But now you may be asking yourself,
 well, you've mentioned quite a few

0:03:51.480000 --> 0:03:57.280000
 things there, apart from the process
 of log collection management,

0:03:57.280000 --> 0:03:59.640000
 as well as detection.

0:03:59.640000 --> 0:04:04.400000
 I mentioned threat hunting,
 threat intelligence, etc.

0:04:04.400000 --> 0:04:09.720000
 So who is responsible for
 incident detection?

0:04:09.720000 --> 0:04:12.800000
 Well, I've sort of broken it down into
 this matrix that sort of gives

0:04:12.800000 --> 0:04:17.980000
 you an idea as to who's responsible, starting
 off with the tier one SOC analyst.

0:04:17.980000 --> 0:04:23.160000
 So they continuously monitor alerts,
 triage events and escalate serious

0:04:23.160000 --> 0:04:27.260000
 threats. You then have the threat intel
 team, which is you know, plays a

0:04:27.260000 --> 0:04:31.660000
 role in incident detection by providing
 insights into evolving threats

0:04:31.660000 --> 0:04:36.280000
 and updating various detection
 mechanisms that are in place.

0:04:36.280000 --> 0:04:38.100000
 You then have security engineers.

0:04:38.100000 --> 0:04:42.560000
 If indeed, you know, a SOC has the provision
 for security engineers, but

0:04:42.560000 --> 0:04:48.060000
 their job is to ensure security systems
 or tools like the SIEM or EDR are

0:04:48.060000 --> 0:04:53.860000
 tuned effectively to capture relevant
 security telemetry or logs.

0:04:53.860000 --> 0:04:58.480000
 Or in essence, their job is to ensure
 that the SIEM is getting as much

0:04:58.480000 --> 0:05:00.120000
 information as possible.

0:05:00.120000 --> 0:05:05.940000
 And this information is organized in
 a way, you know, as to, you know,

0:05:05.940000 --> 0:05:12.160000
 reduce false positives or to just display
 the really important stuff.

0:05:12.160000 --> 0:05:15.980000
 You then have threat hunters who conduct
 hypothesis driven searches for

0:05:15.980000 --> 0:05:18.060000
 hidden or undetected threats.

0:05:18.060000 --> 0:05:23.220000
 So when we talk about incident detection,
 this is what is involved in

0:05:23.220000 --> 0:05:26.380000
 that particular process or phase.

0:05:26.380000 --> 0:05:28.840000
 And this is who is responsible.

0:05:28.840000 --> 0:05:33.520000
 And, you know, I've sort of outlined
 what these responsibilities are so

0:05:33.520000 --> 0:05:37.940000
 that you can clearly understand, you
 know, who does what with regards

0:05:37.940000 --> 0:05:39.960000
 to incident detection.

0:05:39.960000 --> 0:05:43.720000
 So that brings us to incident response,
 which you should be fairly familiar

0:05:43.720000 --> 0:05:45.540000
 with by this point.

0:05:45.540000 --> 0:05:48.780000
 So I'm going to keep on
 driving the point home.

0:05:48.780000 --> 0:05:54.720000
 So incident response, you know, abbreviated
 as IR, is the process of investigating,

0:05:54.720000 --> 0:05:58.720000
 containing, eradicating and recovering
 from confirmed security incidents.

0:05:58.720000 --> 0:06:03.500000
 So it essentially ensures that threats
 are effectively neutralized.

0:06:03.500000 --> 0:06:07.000000
 And that systems are restored to normal
 operations while minimizing damage

0:06:07.000000 --> 0:06:12.200000
 or downtime. Incident response also
 involves post incident reviews and

0:06:12.200000 --> 0:06:15.080000
 process improvements to enhance
 future responses.

0:06:15.080000 --> 0:06:18.840000
 So incident detection, as the name suggests,
 is all about, you know,

0:06:18.840000 --> 0:06:26.460000
 pretty much all activities geared towards,
 you know,

0:06:26.460000 --> 0:06:30.000000
 detecting incidents, and then incident
 response is all about responding

0:06:30.000000 --> 0:06:32.180000
 to these incidents.

0:06:32.180000 --> 0:06:38.020000
 So they are, you know, pretty much
 part of the same larger process.

0:06:38.020000 --> 0:06:43.720000
 But the incident detection is very specific
 as I outlined in the responsibility

0:06:43.720000 --> 0:06:48.080000
 matrix, and incident response involves,
 you know, a different set of actions.

0:06:48.080000 --> 0:06:54.580000
 However, incident response relies on sufficient
 or accurate incident detection.

0:06:54.580000 --> 0:07:01.340000
 So that brings us to, well, before I
 actually cover the key

0:07:01.340000 --> 0:07:03.460000
 components of incident response,

0:07:03.460000 --> 0:07:08.200000
 I just want to touch on or go back to
 the responsibility matrix, just so

0:07:08.200000 --> 0:07:10.180000
 I can clarify something.

0:07:10.180000 --> 0:07:17.520000
 So what I wanted to clarify was the fact
 that, as I said, a lot of these,

0:07:17.520000 --> 0:07:25.060000
 you know, sort of ancillary responsibilities
 or tasks in certain cases,

0:07:25.060000 --> 0:07:30.240000
 depending on the size and maturity of
 the SOC, may be, you know, handled

0:07:30.240000 --> 0:07:34.320000
 by the SOC tier one, two,
 and three analysts.

0:07:34.320000 --> 0:07:38.660000
 An example of that is, you know, the
 security engineering role, whereby

0:07:38.660000 --> 0:07:43.960000
 the SOC analysts essentially take on the responsibility
 of ensuring the security

0:07:43.960000 --> 0:07:49.480000
 systems or tools like the SIEMs or EDRs
 are tuned, you know, correctly,

0:07:49.480000 --> 0:07:53.820000
 or, you know, attuned so that
 they, you know, essentially display

0:07:53.820000 --> 0:07:58.040000
 or give the SOC analysts the information
 that they wanted, you know, the

0:07:58.040000 --> 0:07:58.900000
 way they wanted.

0:07:58.900000 --> 0:08:04.240000
 So that brings us now to the key components
 of incident response, which

0:08:04.240000 --> 0:08:08.160000
 you should again be familiar with already,
 you know,

0:08:08.160000 --> 0:08:11.760000
 pretty much the phases of incident response:
 preparation, identification

0:08:11.760000 --> 0:08:16.780000
 and validation, containment, eradication,
 recovery, post incident review.

0:08:16.780000 --> 0:08:20.740000
 So in the case of preparation, this
 involves establishing an incident

0:08:20.740000 --> 0:08:25.080000
 response plan, playbooks and procedures,
 as well as checklists,

0:08:25.080000 --> 0:08:28.900000
 if you want to include that. You then
 have identification and validation.

0:08:28.900000 --> 0:08:32.900000
 So this involves confirming the presence
 of an actual security incident

0:08:32.900000 --> 0:08:37.900000
 that has been escalated to you. You then
 have containment, which is isolating

0:08:37.900000 --> 0:08:41.360000
 affected systems and blocking malicious
 activity to limit the attack's

0:08:41.360000 --> 0:08:47.040000
 impact, or, you know, threat surfaces,
 as it were. You then have eradication,

0:08:47.040000 --> 0:08:51.020000
 which involves removing malware, you
 know, patching vulnerabilities, not

0:08:51.020000 --> 0:08:55.600000
 really closing, and ensuring attackers
 cannot regain access, pretty much,

0:08:55.600000 --> 0:09:00.600000
 you know, removal of any malicious software,
 any malware, and then mitigating,

0:09:00.600000 --> 0:09:04.480000
 you know, potential misconfigurations
 or vulnerabilities.

0:09:04.480000 --> 0:09:08.780000
 You then have recovery, which is, you
 know, self-explanatory, but what

0:09:08.780000 --> 0:09:13.380000
 it entails is, you know, restoring the
 affected systems and services while

0:09:13.380000 --> 0:09:16.380000
 validating their security.

0:09:16.380000 --> 0:09:21.200000
 So, you know, you're not doing or recovering
 or restoring systems haphazardly

0:09:21.200000 --> 0:09:26.460000
 in a rush, you're doing so while
 maintaining, you know, security.

0:09:26.460000 --> 0:09:28.260000
 You then have post incident review.

0:09:28.260000 --> 0:09:32.120000
 So, you know, this involves conducting
 lessons learned sessions to refine

0:09:32.120000 --> 0:09:35.400000
 the incident response procedures.

0:09:35.400000 --> 0:09:41.960000
 So, in terms of the incident response
 responsibility matrix, we have the

0:09:41.960000 --> 0:09:44.180000
 incident response team and the CSIRT.

0:09:44.180000 --> 0:09:48.280000
 I just added those to that so that you're
 sort of in alignment after the

0:09:48.280000 --> 0:09:52.240000
 explanation I gave you, or after we
 went through the various types of

0:09:52.240000 --> 0:09:55.100000
 incident response teams
 in a previous video.

0:09:55.100000 --> 0:10:00.560000
 But this could be, you know, you could
 be as granular as you want in terms

0:10:00.560000 --> 0:10:03.620000
 of saying, you know, instead of incident
 response team, it could just

0:10:03.620000 --> 0:10:07.660000
 be a SOC tier two analyst
 or an incident responder.

0:10:07.660000 --> 0:10:12.260000
 And, you know, also with the addition
 of the CSIRT here, you can see that

0:10:12.260000 --> 0:10:17.360000
 apart from the standard incident response
 team or an incident responder

0:10:17.360000 --> 0:10:22.900000
 and the CSIRT, which is, you know, you're
 never going to have these two,

0:10:22.900000 --> 0:10:24.420000
 you know, in the majority of cases.

0:10:24.420000 --> 0:10:27.800000
 But regardless of that, you have the
 forensics team, which as I mentioned

0:10:27.800000 --> 0:10:32.700000
 in a previous video, sort of specialty
 roles or teams, and then the IT

0:10:32.700000 --> 0:10:36.120000
 team. So, in the case of the incident
 response team and CSIRT, you know,

0:10:36.120000 --> 0:10:41.800000
 this involves conducting technical investigation,
 containment, eradication

0:10:41.800000 --> 0:10:44.520000
 and recovery. In the case of the CSIRT,

0:10:44.520000 --> 0:10:48.980000
 this, in this particular case, would involve
 coordinating the overall response

0:10:48.980000 --> 0:10:54.280000
 process, communicating with stakeholders
 and ensuring regulatory compliance.

0:10:54.280000 --> 0:10:59.300000
 In the case of the digital forensics
 team or forensic specialists, as

0:10:59.300000 --> 0:11:03.540000
 it were, this involves investigating
 digital artifacts to determine attack

0:11:03.540000 --> 0:11:07.720000
 vectors and gather evidence.

0:11:07.720000 --> 0:11:11.640000
 And then you have the IT teams who
 assist in system recovery, patching

0:11:11.640000 --> 0:11:17.060000
 and applying
 remediation actions or mitigations,

0:11:17.060000 --> 0:11:21.580000
 as it were. So, again, this is sort
 of the ideal responsibility matrix.

0:11:21.580000 --> 0:11:29.160000
 I'm sort of outlining it as if these
 teams existed within a SOC, but,

0:11:29.160000 --> 0:11:32.880000
 you know, just wanted to give you an idea
 as to who is involved in incident

0:11:32.880000 --> 0:11:36.740000
 response broadly speaking, which you,
 again, are probably already aware

0:11:36.740000 --> 0:11:38.880000
 of by this point.

0:11:38.880000 --> 0:11:45.880000
 So, I've created a very nice image
 here to demonstrate this.

0:11:45.880000 --> 0:11:48.200000
 And in full screen, so you can see it.

0:11:48.200000 --> 0:11:53.200000
 So, this is a detection and response
 in action example scenario where

0:11:53.200000 --> 0:11:55.140000
 we have a SOC here.

0:11:55.140000 --> 0:11:58.140000
 And, you know, I've sort of
 added numbers to the steps.

0:11:58.140000 --> 0:12:03.000000
 And you can see that, you know, this
 is just simulating an organizational

0:12:03.000000 --> 0:12:07.760000
 network where we have employee
 workstations here.

0:12:07.760000 --> 0:12:11.580000
 And then you have the, you know, tier
 one, tier two analysts, as well

0:12:11.580000 --> 0:12:16.120000
 as the incident team.

0:12:16.120000 --> 0:12:18.220000
 But you can see step one.

0:12:18.220000 --> 0:12:19.520000
 So, we have the SOC here.

0:12:19.520000 --> 0:12:24.640000
 The SOC detects multiple failed login attempts
 from an unfamiliar IP address.

0:12:24.640000 --> 0:12:30.000000
 Okay. So, we have the SIEM here and
 we can see that in step two an alert

0:12:30.000000 --> 0:12:33.720000
 is triggered, you know, from the SIEM
 or by the SIEM, and the SOC tier

0:12:33.720000 --> 0:12:38.820000
 one, the SOC tier one analyst who is
 responsible for incident detection.

0:12:38.820000 --> 0:12:44.480000
 And that's the key, you know, pretty
 much says, okay, this looks like

0:12:44.480000 --> 0:12:46.080000
 something we need to investigate.

0:12:46.080000 --> 0:12:49.580000
 Now, it's part of the, it's
 part of this process.

0:12:49.580000 --> 0:12:53.860000
 You know, step three, you can see that
 the tier one analyst escalates the

0:12:53.860000 --> 0:12:59.080000
 alert to the tier two team or the tier
 two analyst who confirms that it

0:12:59.080000 --> 0:13:02.940000
 is a brute force attack, or a brute
 force attack is occurring.

0:13:02.940000 --> 0:13:07.620000
 Here we have the SOC tier two analyst
 or analysts, if you will.

0:13:07.620000 --> 0:13:12.680000
 And we can see step four, the tier
 two analyst, you know, in the event

0:13:12.680000 --> 0:13:16.560000
 there is an incident response team,
 you know, you can see the incident

0:13:16.560000 --> 0:13:18.860000
 is escalated to the IR team.

0:13:18.860000 --> 0:13:24.600000
 And right over here you have an incident
 responder who, you can

0:13:24.600000 --> 0:13:26.660000
 actually see, performs two actions.


0:13:26.660000 --> 0:13:30.680000
 So step five, the IR team blocks the attacker's
 IP and resets the compromised

0:13:30.680000 --> 0:13:33.860000
 account on one of the affected systems.

0:13:33.860000 --> 0:13:38.660000
 And then step six, they conduct, and this again
 could be performed by the digital

0:13:38.660000 --> 0:13:42.340000
 forensics team. So that's why I sort
 of mentioned that responsibility

0:13:42.340000 --> 0:13:46.540000
 matrix. But in this case, let's just
 assume that the incident response

0:13:46.540000 --> 0:13:50.200000
 team is responsible for performing,
 you know, forensics, which in most

0:13:50.200000 --> 0:13:54.280000
 cases they are. But you can see that they
 conduct a forensic investigation

0:13:54.280000 --> 0:13:57.560000
 to ensure no back
 doors were installed.

0:13:57.560000 --> 0:14:01.680000
 And then again, I'm not going to continue
 with the additional steps.

0:14:01.680000 --> 0:14:06.700000
 But what happens is that the final step,
 step seven, you can see the SOC

0:14:06.700000 --> 0:14:10.760000
 updates detection rules to better recognize
 future brute force attempts.

0:14:10.760000 --> 0:14:14.540000
 So this is incident detection and response
 in action. Incident detection

0:14:14.540000 --> 0:14:20.420000
 is really steps one and two; response,
 you know, pretty much takes over

0:14:20.420000 --> 0:14:26.080000
 or is outlined or illustrated from step
 three all the way to four, five,

0:14:26.080000 --> 0:14:28.500000
 six, as well as seven
 to a certain extent.

0:14:28.500000 --> 0:14:33.780000
 So hopefully this explains, you know,
 what incident detection and response

0:14:33.780000 --> 0:14:40.480000
 is, or are, what they entail and how
 they sort of operate in tandem.

0:14:40.480000 --> 0:14:43.920000
 So that was an example there.

0:14:43.920000 --> 0:14:48.060000
 And with that being said, that brings
 us to the end of this video.

0:14:48.060000 --> 0:14:51.160000
 And there's really nothing much to add.

0:14:51.160000 --> 0:14:55.080000
 And you know, that being said, I'll
 be seeing you in the next video.

