WEBVTT

0:00:03.600000 --> 0:00:06.160000
 Hello everyone and welcome.

0:00:06.160000 --> 0:00:09.760000
 In this video we're going to be taking
 a look at some of the essential

0:00:09.760000 --> 0:00:12.500000
 SOC tools and technologies.

0:00:12.500000 --> 0:00:17.160000
 Now obviously by this point you should
 be familiar with what these tools

0:00:17.160000 --> 0:00:24.000000
 are but we need to cover them formally
 in terms of what they are, what

0:00:24.000000 --> 0:00:32.760000
 they're used for and generally
 speaking as a SOC analyst.

0:00:32.760000 --> 0:00:38.220000
 So in a SOC or a SOC team various tools
 and technologies are utilized

0:00:38.220000 --> 0:00:43.660000
 to detect, analyze, respond to and
 mitigate security threats and each

0:00:43.660000 --> 0:00:47.720000
 tool plays a specific role in strengthening
 an organization's security

0:00:47.720000 --> 0:00:53.020000
 posture. The key thing to note is that
 these SOC tools all work together

0:00:53.020000 --> 0:00:57.040000
 or should work together in order to
 streamline the workflow involving

0:00:57.040000 --> 0:01:01.880000
 A, the collection of logs, B, the detection
 and investigation of suspicious

0:01:01.880000 --> 0:01:07.960000
 events and C, the tracking, handling
 and measurement of each incident or

0:01:07.960000 --> 0:01:12.760000
 the actual metrics as it were.

0:01:12.760000 --> 0:01:18.260000
 So that begs the question, what are these
 essential SOC tools and technologies?

0:01:18.260000 --> 0:01:23.080000
 Well, as it says in this particular
 slide, the following is a list of

0:01:23.080000 --> 0:01:28.240000
 the core or key tools used in a SOC
 that you'll typically see now.

0:01:28.240000 --> 0:01:33.080000
 Depending on the size and maturity of
 the organization and likewise the

0:01:33.080000 --> 0:01:38.480000
 SOC, you'll not see everything but
 generally speaking in a what I call

0:01:38.480000 --> 0:01:51.240000
 a functional or fully operational SOC
 you'll have a SIEM, they'll also have

0:01:51.240000 --> 0:01:54.320000
 a SOAR which is starting to
 become more common now.

0:01:54.320000 --> 0:01:58.900000
 We'll actually talk a little bit about
 we will actually cover what a SOAR

0:01:58.900000 --> 0:02:01.380000
 is in the next set of videos.

0:02:01.380000 --> 0:02:05.920000
 We then have the NDR which is network
 detection and response and then

0:02:05.920000 --> 0:02:08.980000
 the standard stuff that's been there
 for quite a while, the intrusion

0:02:08.980000 --> 0:02:13.560000
 detection systems but then we also have
 the intrusion prevention systems

0:02:13.560000 --> 0:02:19.860000
 and then tools or platforms that are
 usually overlooked in the beginning

0:02:19.860000 --> 0:02:25.160000
 when setting up a SOC are a threat intelligence
 platform and very important

0:02:25.160000 --> 0:02:28.360000
 the incident management system.

0:02:28.360000 --> 0:02:33.280000
 So these are the tools or platforms
 or technologies that you typically

0:02:33.280000 --> 0:02:39.440000
 find in a SOC and in this video we're
 going to touch on pretty much one

0:02:39.440000 --> 0:02:44.720000
 to five and then in the next set of
 videos we're going to touch on the

0:02:44.720000 --> 0:02:48.360000
 threat intelligence platforms
 and all the rest.

0:02:48.360000 --> 0:02:53.800000
 So let's start off with a SIEM or security
 information and event management

0:02:53.800000 --> 0:02:59.300000
 system. So a SIEM is a centralized
 platform that collects, aggregates

0:02:59.300000 --> 0:03:04.420000
 and analyzes security data or
 logs from various sources.

0:03:04.420000 --> 0:03:08.040000
 The data could be in the form as I
 just said, could be in the form of

0:03:08.040000 --> 0:03:13.560000
 logs, events, network devices, servers
 and applications and it provides

0:03:13.560000 --> 0:03:18.820000
 real-time visibility, threat detection
 and alerting and I've listed here

0:03:18.820000 --> 0:03:22.420000
 some of the key features of a SIEM
 or what makes a SIEM a SIEM.

0:03:22.420000 --> 0:03:26.660000
 The first and most important, at least
 in my mind, is log aggregation.

0:03:26.660000 --> 0:03:32.800000
 So the ability of a SIEM to collect
 logs from multiple data sources.

0:03:32.800000 --> 0:03:37.620000
 So those sources will be firewall, servers,
 applications, various types

0:03:37.620000 --> 0:03:39.560000
 of endpoints, etc.

0:03:39.560000 --> 0:03:43.980000
 You then have correlation which is equally
 as important as log aggregation,

0:03:43.980000 --> 0:03:47.880000
 which is the process of analyzing and
 correlating security events to detect

0:03:47.880000 --> 0:03:52.380000
 anomalies and potential threats because
 otherwise you'd have to sort of

0:03:52.380000 --> 0:03:55.920000
 sift through all the logs manually, regardless
 as to whether they've been

0:03:55.920000 --> 0:03:59.500000
 displayed in a certain
 nice way and formatted.

0:03:59.500000 --> 0:04:02.900000
 You'd have to go through everything
 manually in order to sort of come

0:04:02.900000 --> 0:04:07.780000
 to it to essentially arrive at an assumption
 that this looks suspicious,

0:04:07.780000 --> 0:04:12.520000
 whereas the correlation aspect of a
 SIEM is it actually does a lot of

0:04:12.520000 --> 0:04:17.380000
 that filtering for you and shows you stuff
 that again is worth investigating.

0:04:17.380000 --> 0:04:23.300000
 You then have alerting, which again, quite
 important, this involves generating

0:04:23.300000 --> 0:04:27.500000
 alerts based on predefined
 or custom detection rules.

0:04:27.500000 --> 0:04:31.920000
 So with a SIEM, you should have the
 ability to come up with predefined

0:04:31.920000 --> 0:04:36.740000
 rules that then trigger alerts for whatever
 type of suspicious activity

0:04:36.740000 --> 0:04:39.620000
 you're trying to be alerted to.

0:04:39.620000 --> 0:04:45.980000
 But in most cases, most SIEMs nowadays
 usually come with a very good set

0:04:45.980000 --> 0:04:51.820000
 of predefined detection rules that trigger
 alerts, things like PowerShell

0:04:51.820000 --> 0:04:54.400000
 execution, stuff like this.

0:04:54.400000 --> 0:04:57.440000
 You then have dashboards and reporting.

0:04:57.440000 --> 0:05:03.320000
 So a SIEM should provide visual dashboards
 for and of course, generating

0:05:03.320000 --> 0:05:05.680000
 reports, which is quite important.

0:05:05.680000 --> 0:05:09.940000
 And then I wouldn't say this is that
 important or a SIEM should have this,

0:05:09.940000 --> 0:05:12.780000
 but generally speaking, a lot of them do.


0:05:12.780000 --> 0:05:14.660000
 And that is compliance monitoring.

0:05:14.660000 --> 0:05:18.900000
 So this helps you meet compliance requirements
 by logging and documenting

0:05:18.900000 --> 0:05:24.240000
 security events and also getting sort of
 a real time score of your compliance

0:05:24.240000 --> 0:05:27.620000
 to a particular compliance standard.

0:05:27.620000 --> 0:05:31.040000
 So that's the SIEM, generally speaking.

0:05:31.040000 --> 0:05:35.960000
 Now, the next question you may have
 is why is a SIEM essential in a SOC?

0:05:35.960000 --> 0:05:40.360000
 Well, a, it provides centralized
 visibility into security events.

0:05:40.360000 --> 0:05:44.620000
 B, enables real time threat detection
 through correlation rules.

0:05:44.620000 --> 0:05:48.300000
 C, supports incident investigation
 by maintaining a historical log of

0:05:48.300000 --> 0:05:50.240000
 security events.

0:05:50.240000 --> 0:05:52.300000
 And D, aids in regulatory compliance.

0:05:52.300000 --> 0:05:57.640000
 As I just mentioned, examples of those
 compliance standards are, you know,

0:05:57.640000 --> 0:06:00.380000
 GDPR, HIPAA, PCI DSS.

0:06:00.380000 --> 0:06:03.300000
 And, you know, that takes us
 to the final point here.

0:06:03.300000 --> 0:06:05.500000
 What are some popular SIEMs now again?

0:06:05.500000 --> 0:06:08.900000
 You know, I would assume that a lot
 of you are familiar with what a SIEM

0:06:08.900000 --> 0:06:11.440000
 is and know of the common
 options out there.

0:06:11.440000 --> 0:06:17.300000
 So you have Splunk, Microsoft Sentinel,
 IBM QRadar, Elastic Stack, Elastic

0:06:17.300000 --> 0:06:20.040000
 Stack, sorry, LogRhythm.

0:06:20.040000 --> 0:06:23.280000
 You also have, you know, some third
 party, some additional third party

0:06:23.280000 --> 0:06:29.300000
 solutions that sort of combine ELK,
 you know, with other bits and bobs

0:06:29.300000 --> 0:06:35.100000
 of functionality like the Wazuh, depending
 on how you pronounce it, SIEM

0:06:35.100000 --> 0:06:40.480000
 and XDR now. But those are
 the popular options there.

0:06:40.480000 --> 0:06:42.880000
 And that brings us to the EDR.

0:06:42.880000 --> 0:06:46.000000
 So endpoint detection and response, which
 a lot of you should be familiar

0:06:46.000000 --> 0:06:49.980000
 with, you know, because, you know, it
 really doesn't apply or is not just

0:06:49.980000 --> 0:06:54.900000
 limited to blue teaming, your general security
 of computers in an organization

0:06:54.900000 --> 0:06:58.860000
 will typically involve having an EDR.

0:06:58.860000 --> 0:07:03.300000
 So EDR solutions focus on detecting, investigating
 and responding to threats

0:07:03.300000 --> 0:07:07.320000
 on endpoints like workstations,
 servers and mobile devices.

0:07:07.320000 --> 0:07:11.600000
 So what are some of the
 key features of an EDR?

0:07:11.600000 --> 0:07:15.700000
 A real time endpoint monitoring that
 sort of required, otherwise, you

0:07:15.700000 --> 0:07:21.460000
 know, the an EDR isn't an EDR if there isn't
 any real time endpoint monitoring.

0:07:21.460000 --> 0:07:25.320000
 So what this means is, you know, the
 EDR continuously monitors endpoint

0:07:25.320000 --> 0:07:27.940000
 activity for suspicious behavior.

0:07:27.940000 --> 0:07:29.860000
 You then have threat detection.

0:07:29.860000 --> 0:07:34.220000
 So the EDR identifies malware, ransomware
 and fileless attacks on endpoints.

0:07:34.220000 --> 0:07:40.120000
 And then automated response, this is
 sort of the response, the response

0:07:40.120000 --> 0:07:44.220000
 aspect of EDR or the response
 functionality.

0:07:44.220000 --> 0:07:47.600000
 But more importantly, you need
 to know that it's automated.

0:07:47.600000 --> 0:07:53.680000
 So the EDR automatically quarantines affected
 files or isolates compromised

0:07:53.680000 --> 0:07:57.240000
 endpoints, which is, you know,
 very, very important.

0:07:57.240000 --> 0:08:00.760000
 In certain cases, you have the EDRs
 have forensic capabilities.

0:08:00.760000 --> 0:08:06.980000
 So this means that they record endpoint activities
 for post incident investigation.

0:08:06.980000 --> 0:08:09.000000
 And then you have behavioral analysis.

0:08:09.000000 --> 0:08:14.060000
 So again, in certain cases, when the
 case of some modern or, you know,

0:08:14.060000 --> 0:08:19.480000
 say up-to-date EDRs in terms of how they
 work, they have incorporated behavioral

0:08:19.480000 --> 0:08:24.760000
 analysis that utilizes machine learning
 to detect anomalous behavior or

0:08:24.760000 --> 0:08:27.180000
 anomaly based detection as it's called.

0:08:27.180000 --> 0:08:31.020000
 And again, same, same
 sort of methodology.

0:08:31.020000 --> 0:08:35.460000
 Why is an EDR essential in a SOC
 or to a SOC, I should say?

0:08:35.460000 --> 0:08:38.420000
 Well, it should be fairly
 obvious by this point.

0:08:38.420000 --> 0:08:42.840000
 A, it enables real time visibility and
 response to endpoint based threats,

0:08:42.840000 --> 0:08:46.720000
 provides deep forensic analysis for
 understanding attacker techniques,

0:08:46.720000 --> 0:08:52.000000
 helps in automated containment of infected
 systems, helps detect advanced

0:08:52.000000 --> 0:08:56.820000
 persistent threats, or APTs, persistent threats
 that bypass traditional signature

0:08:56.820000 --> 0:08:59.120000
 based antivirus solutions.

0:08:59.120000 --> 0:09:02.060000
 And some popular EDRs are
 CrowdStrike Falcon.

0:09:02.060000 --> 0:09:06.040000
 Again, keep the jokes to the side for
 now, SentinelOne, Microsoft Defender

0:09:06.040000 --> 0:09:10.800000
 for Endpoint and Carbon Black,
 which is really, really good.

0:09:10.800000 --> 0:09:15.080000
 Not that I'm recommending, but my experience
 has been good with Carbon

0:09:15.080000 --> 0:09:19.480000
 Black. And then you have the SOAR,
 which is the security orchestration

0:09:19.480000 --> 0:09:21.040000
 automation and response.

0:09:21.040000 --> 0:09:25.640000
 Right now, as I said, we'll cover the
 SOAR in its own video in quite a

0:09:25.640000 --> 0:09:28.900000
 bit of detail to sort of
 explain the key features.

0:09:28.900000 --> 0:09:33.560000
 But generally speaking, SOAR platforms
 help orchestrate and automate incident

0:09:33.560000 --> 0:09:35.480000
 response processes.

0:09:35.480000 --> 0:09:39.340000
 They enable SOC teams to automatically
 respond to security incidents,

0:09:39.340000 --> 0:09:43.740000
 reducing manual efforts
 and response time.

0:09:43.740000 --> 0:09:48.580000
 So the key to understanding what a SOAR
 is, is in the name or the abbreviated

0:09:48.580000 --> 0:09:53.220000
 name. So we can now sort of explore
 that a little bit by taking a look

0:09:53.220000 --> 0:09:55.320000
 at the key features of a SOAR.

0:09:55.320000 --> 0:09:59.480000
 So we have automation, orchestration,
 playbook, execution, case management,

0:09:59.480000 --> 0:10:04.120000
 collaboration. So in the case of automation,
 the SOAR automates repetitive

0:10:04.120000 --> 0:10:08.140000
 tasks like alert, triage, ticket creation,
 and of course, stuff like IP

0:10:08.140000 --> 0:10:12.940000
 blocking. In terms of orchestration,
 which, you know, just if you take

0:10:12.940000 --> 0:10:17.000000
 that by, if you just take the definition
 of the word orchestration, it

0:10:17.000000 --> 0:10:18.460000
 should tell you what this means.

0:10:18.460000 --> 0:10:20.980000
 But what does it mean in
 the context of security?

0:10:20.980000 --> 0:10:25.580000
 Well, in this case, the SOAR integrates
 with other security tools like

0:10:25.580000 --> 0:10:28.120000
 your SIEM or EDR, firewalls, etc.

0:10:28.120000 --> 0:10:33.500000
 to coordinate responses, right, to specific
 types of alerts or specific

0:10:33.500000 --> 0:10:34.800000
 types of events.

0:10:34.800000 --> 0:10:38.840000
 You know, it's all dependent on
 you or how you configure it.

0:10:38.840000 --> 0:10:42.380000
 You then have playbook execution, which
 is really, really useful in in

0:10:42.380000 --> 0:10:47.420000
 that the SOAR executes predefined response
 playbooks automatically or

0:10:47.420000 --> 0:10:52.140000
 manually. And we'll again go through
 what our playbooks are in the context

0:10:52.140000 --> 0:10:56.840000
 of a SOC and more specific
 to incident response.

0:10:56.840000 --> 0:10:59.960000
 But moving on, we have case management.

0:10:59.960000 --> 0:11:05.040000
 So the SOAR provides a centralized system
 for tracking and managing incidents.

0:11:05.040000 --> 0:11:10.220000
 And finally, collaboration, the SOAR
 facilitates team collaboration for

0:11:10.220000 --> 0:11:12.920000
 incident investigations.

0:11:12.920000 --> 0:11:15.000000
 Again, same methodology.

0:11:15.000000 --> 0:11:20.480000
 Why is a SOAR essential to, why is it essential
 in a SOC or to SOC operations,

0:11:20.480000 --> 0:11:22.740000
 at least nowadays?

0:11:22.740000 --> 0:11:26.780000
 A, it reduces response time by automating
 common tasks, which is very

0:11:26.780000 --> 0:11:31.760000
 important. It minimizes human error during
 incident response, standardizes

0:11:31.760000 --> 0:11:35.940000
 responses through automated playbooks,
 increases efficiency and allows

0:11:35.940000 --> 0:11:38.780000
 analysts to focus on complex threats.

0:11:38.780000 --> 0:11:43.400000
 And some popular SOAR solutions are,
 you know, Palo Alto Cortex XSOAR, IBM

0:11:43.400000 --> 0:11:48.300000
 Resilient, Splunk SOAR, that is formerly
 Phantom, Swimlane, FortiSOAR.

0:11:48.300000 --> 0:11:52.920000
 There's quite a few options out there,
 although they are quite costly.

0:11:52.920000 --> 0:11:57.640000
 So we'll actually get to the
 SOAR in its own video.

0:11:57.640000 --> 0:12:00.660000
 But then we have network
 detection and response.

0:12:00.660000 --> 0:12:05.580000
 Again, in this particular case, we will
 dive into each of these technologies

0:12:05.580000 --> 0:12:08.500000
 in the next set of courses
 within this learning path.

0:12:08.500000 --> 0:12:12.220000
 So I just want to give you sort of an
 overlay or overview of everything

0:12:12.220000 --> 0:12:16.620000
 so that when we get to that particular
 point when we're doing our network

0:12:16.620000 --> 0:12:21.480000
 and host analysis and stuff like this,
 you'll already know what an NDR

0:12:21.480000 --> 0:12:24.440000
 is generally speaking, but then
 you'll get to see it in action.

0:12:24.440000 --> 0:12:29.340000
 So NDR tools provide detailed and granular
 visibility into network traffic

0:12:29.340000 --> 0:12:33.680000
 and use advanced analytics to detect
 suspicious behavior, lateral movement

0:12:33.680000 --> 0:12:38.720000
 and command and control or C2
 activities within the network.

0:12:38.720000 --> 0:12:41.460000
 So what are some of the
 key features of an NDR?

0:12:41.460000 --> 0:12:43.480000
 Well, a network traffic analysis.

0:12:43.480000 --> 0:12:47.460000
 So the NDR monitors inbound and
 outbound network traffic.

0:12:47.460000 --> 0:12:50.460000
 Okay. Secondly, anomaly detection.

0:12:50.460000 --> 0:12:53.420000
 What does it do with that traffic
 or has its monitoring it?

0:12:53.420000 --> 0:13:02.820000
 Well, the NDR detects abnormal behavior
 such as data. It analyzes encrypted

0:13:02.820000 --> 0:13:05.280000
 traffic without decrypting it.

0:13:05.280000 --> 0:13:08.780000
 We also have some NDRs have
 threat hunting capabilities.

0:13:08.780000 --> 0:13:13.200000
 So the NDR supports proactive threat
 hunting by identifying hidden threats

0:13:13.200000 --> 0:13:17.180000
 or threats that are trying to mask their
 activity on the network level.

0:13:17.180000 --> 0:13:21.940000
 That is, and then of course automated
 response, which is very, very useful

0:13:21.940000 --> 0:13:26.860000
 in that the NDR can integrate with firewalls
 and other tools for automated

0:13:26.860000 --> 0:13:34.940000
 blocking, depending on predefined based
 on predefined rules or conditions.

0:13:34.940000 --> 0:13:40.360000
 So an example of this is you can configure,
 you can sort of come up with

0:13:40.360000 --> 0:13:46.040000
 a predefined rule to block access
 to port 22 on a particular server.

0:13:46.040000 --> 0:13:53.740000
 If there is, let's say, a certain amount
 of connections regardless of

0:13:53.740000 --> 0:13:58.120000
 the IP within an hour, you know, that's
 an example of, you know, the level

0:13:58.120000 --> 0:14:02.900000
 of control you have within NDR in terms
 of, you know, the network layer.

0:14:02.900000 --> 0:14:04.800000
 So that begs the question.

0:14:04.800000 --> 0:14:08.320000
 Again, why is an NDR essential in a SOC?

0:14:08.320000 --> 0:14:12.820000
 Well, a it provides network level visibility
 to detect stealthy threats.

0:14:12.820000 --> 0:14:16.720000
 B identifies lateral movement and
 suspicious traffic patterns.

0:14:16.720000 --> 0:14:25.180000
 It complements because now, you know,
 you're sort of setting up layers

0:14:25.180000 --> 0:14:30.040000
 of security where if the end point,
 if the EDR can be bypassed, which,

0:14:30.040000 --> 0:14:35.380000
 you know, that is an actual threat,
 then you can still detect suspicious

0:14:35.380000 --> 0:14:38.520000
 or malicious activity
 on the network layer.

0:14:38.520000 --> 0:14:42.400000
 And finally, it helps detect zero-day
 attacks and unknown threats, because

0:14:42.400000 --> 0:14:45.320000
 again, it's not focused on the endpoints.


0:14:45.320000 --> 0:14:47.520000
 It's really focused on network activity.

0:14:47.520000 --> 0:14:51.480000
 So again, we'll not dive into the
 specifics of what that means.

0:14:51.480000 --> 0:14:53.800000
 We'll get to it eventually.

0:14:53.800000 --> 0:14:58.600000
 So some popular NDR solutions include
 Darktrace, Vectra AI, ExtraHop,

0:14:58.600000 --> 0:15:00.440000
 Cisco Stealthwatch and Corelight.

0:15:00.440000 --> 0:15:04.220000
 Again, a lot of these solutions that
 I've just listed out here, sort of

0:15:04.220000 --> 0:15:10.900000
 the top, you know, the most widely used
 options, but also I highly recommend

0:15:10.900000 --> 0:15:14.800000
 you perform some research on them to
 sort of understand their feature

0:15:14.800000 --> 0:15:18.920000
 set with regards to some of the key
 features that I listed out in the

0:15:18.920000 --> 0:15:24.140000
 previous slide. And then of course, we
 have the classic IDS IPS solutions,

0:15:24.140000 --> 0:15:27.080000
 which is your intrusion detection
 and prevention system.

0:15:27.080000 --> 0:15:29.020000
 So what is an IDS?

0:15:29.020000 --> 0:15:32.940000
 Again, it's an abbreviation for
 intrusion detection system.

0:15:32.940000 --> 0:15:38.420000
 An IDS identifies and alerts, identifies
 and alerts you on suspicious

0:15:38.420000 --> 0:15:41.040000
 or malicious network activity.

0:15:41.040000 --> 0:15:44.420000
 You then have your IPS, which is intrusion
 prevention system, which not

0:15:44.420000 --> 0:15:53.900000
 only works on the network layer for
 the most part, but what are some of

0:15:53.900000 --> 0:15:56.600000
 the key features of an IDS IPS system?

0:15:56.600000 --> 0:15:58.100000
 Well, a signature based detection.

0:15:58.100000 --> 0:16:02.840000
 So it identifies threats by matching
 patterns to known attack signatures.

0:16:02.840000 --> 0:16:06.880000
 You then have anomaly based detection.

0:16:06.880000 --> 0:16:10.160000
 So you know, detects unknown attacks
 by identifying anomalous network

0:16:10.160000 --> 0:16:13.080000
 behavior. You then have traffic analysis.


0:16:13.080000 --> 0:16:18.100000
 So you know, it monitors network packets
 for signs of malicious activity.

0:16:18.100000 --> 0:16:22.620000
 In certain cases, there's, you know,
 active prevention IPS, where, you

0:16:22.620000 --> 0:16:25.740000
 know, it automatically blocks malicious
 packets in real time.

0:16:25.740000 --> 0:16:29.400000
 So for an advanced feature, if you will,
 and then alerting and logging.

0:16:29.400000 --> 0:16:33.740000
 So it generates this is sort of the
 key that it needs to do, you know,

0:16:33.740000 --> 0:16:37.500000
 generates alerts and logs
 suspicious activities.

0:16:37.500000 --> 0:16:41.540000
 So the, you know, you're probably already
 thinking of Snort if you haven't

0:16:41.540000 --> 0:16:46.060000
 already. But why is an IDS or, you
 know, IPS essential in a SOC?

0:16:46.060000 --> 0:16:50.520000
 Well, a, it provides real time visibility
 into potential network attacks.

0:16:50.520000 --> 0:16:54.680000
 B helps block known attack vectors
 before they reach critical systems.

0:16:54.680000 --> 0:16:59.280000
 Very important that C acts as an additional
 security layer, complementing

0:16:59.280000 --> 0:17:01.300000
 the SIEM, EDR and NDR.

0:17:01.300000 --> 0:17:04.520000
 And now you can sort of see, you know,
 starting off with the SIEM, as we

0:17:04.520000 --> 0:17:08.940000
 did in this video, all the way to the
 IDS IPS that they work together,

0:17:08.940000 --> 0:17:14.680000
 they collaboratively work together to
 enhance security, or they complement

0:17:14.680000 --> 0:17:16.560000
 each other, if you will.

0:17:16.560000 --> 0:17:20.740000
 And finally, you know, final reason
 that I've listed out here, you know,

0:17:20.740000 --> 0:17:26.300000
 as to why an IDS is essential to have
 for a SOC is that it, you know,

0:17:26.300000 --> 0:17:30.400000
 helps reduce false positives by filtering
 out non threatening traffic.

0:17:30.400000 --> 0:17:37.520000
 And some popular IDS IPS solutions include
 Snort, Suricata, Cisco Firepower,

0:17:37.520000 --> 0:17:40.160000
 which is IPS, Palo Alto Networks.

0:17:40.160000 --> 0:17:43.240000
 That's an IPS, Security Onion,
 which is IDS IPS.

0:17:43.240000 --> 0:17:46.640000
 So you should be familiar with the
 majority of some of these, because

0:17:46.640000 --> 0:17:49.340000
 in certain cases, they are open source.

0:17:49.340000 --> 0:17:54.200000
 So a fantastic IDS IPS solution is Security
 Onion, or it at least offers

0:17:54.200000 --> 0:18:00.520000
 you with that functionality in addition
 to, you know, we also have the

0:18:00.520000 --> 0:18:03.960000
 classic Snort, which is, you know, I
 can't tell you how many times I've

0:18:03.960000 --> 0:18:09.120000
 used Snort, either on my home lab,
 or when building a, I wouldn't say,

0:18:09.120000 --> 0:18:15.080000
 you know, a full or a large complicated
 SOC, but you know, getting things

0:18:15.080000 --> 0:18:18.260000
 going, you know, Snort is
 always a great option.

0:18:18.260000 --> 0:18:24.260000
 In any case, what we're now going to
 take a look at just to tie everything

0:18:24.260000 --> 0:18:27.880000
 together is how these tools
 work together in a SOC.

0:18:27.880000 --> 0:18:30.980000
 So starting off with the SIEM, there's,
 you know, the primary focus,

0:18:30.980000 --> 0:18:35.120000
 which is collecting analyzing
 and correlating security data.

0:18:35.120000 --> 0:18:37.980000
 What is its role in the SOC
 in terms of SOC operations?

0:18:37.980000 --> 0:18:43.320000
 Well, in this particular case, or in the
 case of the SIEM, it provides centralized

0:18:43.320000 --> 0:18:46.920000
 visibility and alerting,
 you then have the EDR.

0:18:46.920000 --> 0:18:51.060000
 So what is the primary focus of an EDR
 to monitor endpoints for suspicious

0:18:51.060000 --> 0:18:56.080000
 behavior? What is its role in the SOC
 to detect and respond to threats

0:18:56.080000 --> 0:18:59.100000
 on endpoints or endpoint
 threats, as it were?

0:18:59.100000 --> 0:19:02.360000
 We then have the SOAR, which is, you
 know, we've already gone through

0:19:02.360000 --> 0:19:05.200000
 in terms of what it is, but
 what's the primary focus?

0:19:05.200000 --> 0:19:08.280000
 Well, to automate and orchestrate
 incident response.

0:19:08.280000 --> 0:19:13.380000
 And what is its role in the SOC to reduce
 response time and improve efficiency

0:19:13.380000 --> 0:19:17.720000
 of the SOC analyst or, you know,
 the SOC operations in general?

0:19:17.720000 --> 0:19:21.680000
 We then have the NDR, which is, you
 know, the primary focus here is to

0:19:21.680000 --> 0:19:23.660000
 monitor network traffic for anomalies.

0:19:23.660000 --> 0:19:29.700000
 And what is its role in the SOC to
 detect stealthy threats and lateral

0:19:29.700000 --> 0:19:33.340000
 movement? And then the IDS IPS solution.

0:19:33.340000 --> 0:19:38.100000
 So what's the primary focus here to detect
 and block network-based attacks?

0:19:38.100000 --> 0:19:39.620000
 What's the role in the SOC?

0:19:39.620000 --> 0:19:43.660000
 You know, it helps prevent known attacks
 and provides real-time detection.

0:19:43.660000 --> 0:19:45.720000
 That's going to be it for this video.

0:19:45.720000 --> 0:19:47.860000
 And I'll be seeing you in the next video.


