SOC 101: Real-time Incident Response Walkthrough

  • Published 5 Jan 2021
  • Interested to see exactly how security operations center (SOC) teams use SIEMs to kick off deeply technical incident response (IR) processes? To some, it might seem daunting watching IR folks do memory and network forensics; how do they know where to look and what to look for if there are 100,000 devices on the network? In this in-depth demo, cybersecurity consultant and Infosec Skills author Keatron Evans looks at how the process works and why a good SIEM solution is no longer a 'nice to have' but an absolute requirement for any organization's cyber threat intelligence.
    LEARN MORE:
    Download our free eBook "Why You Need an Incident Response Plan": www.exabeam.com/library/why-y...
    GET A DEMO:
    Get a hands-on demo of the Exabeam products: www.exabeam.com/demo
    ABOUT EXABEAM:
    Exabeam is a global cybersecurity leader that delivers AI-driven security operations. The company was the first to put AI and machine learning in its products to deliver behavioral analytics on top of security information and event management (SIEM). Today, the Exabeam Security Operations Platform includes cloud-scale security log management and SIEM, powerful behavioral analytics, and automated threat detection, investigation and response (TDIR). Its cloud-native product portfolio helps organizations detect threats, defend against cyberattacks, and defeat adversaries. Exabeam learns normal behavior and automatically detects risky or suspicious activity so security teams can take action for faster, more complete response and repeatable security outcomes.
    Detect. Defend. Defeat.™ Learn how at: www.exabeam.com/
    CONNECT WITH US:
    Twitter: / exabeam
    Instagram: / exabeam
    LinkedIn: / exabeam
    Blog: www.exabeam.com/blog/
  • Science & Technology

Comments • 149

  • @rmcgraw7943
    @rmcgraw7943 1 year ago +51

    Been an Ent Architect for 25+ yrs and that's the best, clearest, most concise explanation of determining how best to find hidden processes on computers. Thanks.

  • @laureanocavallo2476
    @laureanocavallo2476 2 years ago +57

    These 12 minutes felt like 5 minutes. That's when you can tell it's a good video. Entertaining, informative and educational.

  • @x0rZ15t
    @x0rZ15t 3 years ago +58

    Finally, a real look into the trenches of SOC and IR.
    Please keep up the good work!

  • @sielecassharpe678
    @sielecassharpe678 3 months ago +2

    As a new SOC analyst, I found this video very valuable! I got so much insight in such a short amount of time, as well as how you should investigate and look into activities. Thanks a ton!

  • @MereAYT
    @MereAYT 1 year ago +5

    This is great. It is rare to find such a good walkthrough on this stuff. Thanks!

  • @johnpiernicky8674
    @johnpiernicky8674 2 years ago +7

    I'm trying to get a job as a SOC Analyst Tier 1. I was told that Exabeam was used in addition to Splunk. I am grateful for these videos as they really give a good demonstration and let the viewer see how this works. The dashboard looks great and user friendly, and the ability to move from the dashboard to investigating the alert is a nice thing to see.

  • @dgmckenzie11
    @dgmckenzie11 2 years ago +6

    Good content! I look forward to part 2.

  • @xCheddarB0b42x
    @xCheddarB0b42x 11 months ago

    This was excellent: short, informative, and clear. Thank you!

  • @draperw86
    @draperw86 11 months ago +2

    Dang Keatron, you break it down like this was a sermon!! This is awesome.

  • @FracturesHD
    @FracturesHD 3 years ago +60

    This was an amazing video! I recently got a job as an IR team member after a few years of being a network analyst. Although I have the foundations, I am very new to the job itself, so this type of video helps me so much! I will definitely be subscribing!

    • @wilfredoperez1804
      @wilfredoperez1804 3 years ago +1

      How long have you been doing IT? Do you recommend any certs?

    • @ExabeamSIEM
      @ExabeamSIEM 3 years ago +2

      We're so glad you found it useful!

    • @FracturesHD
      @FracturesHD 3 years ago +9

      @wilfredoperez1804 I've been in the field about 10 years total now if you include education. I currently only have my CompTIA Sec+ and Net+, but for some reason HR departments love those. I don't think they're worth all that much personally, but the amount of offers I got after getting my Sec+ was crazy. I also would recommend looking into the GIAC certifications if you are getting serious about this sort of stuff! I hope you are able to make it into the field easily!

    • @gopim6142
      @gopim6142 2 years ago

      Could you please give me your contact number? I am also trying to become a SOC analyst.

  • @WilliamSalisbury
    @WilliamSalisbury 2 years ago +4

    Exactly the kind of content I needed!! Thanks a billion

  • @daslynhug8953
    @daslynhug8953 11 months ago

    Whew, would recommend this video to anyone! Thank you for a value add!

  • @nicksmith5400
    @nicksmith5400 3 years ago +43

    Why does this only have 1.5k views?
    Great walkthrough sir.

    • @ExabeamSIEM
      @ExabeamSIEM 2 years ago +3

      Trending upward!

    • @okeyokafor648
      @okeyokafor648 2 years ago +1

      It has 20k views now.

  • @TrackMonkey327
    @TrackMonkey327 2 years ago +2

    That was a great video. I learned a lot. Thank you so much for posting this.

  • @mml1224
    @mml1224 2 years ago +2

    Great job, esp. to prep for interviews this was handy. Keep it coming, you'll get 1M subs.

  • @cecilkimaro1486
    @cecilkimaro1486 2 years ago +1

    It’s a good video. Thank you for giving us a light on this matter.

  • @threadripper3750
    @threadripper3750 2 years ago +2

    A+ material. i will be ready for my upcoming table top exercise. Thanks a bundle!

  • @brianphamtv6916
    @brianphamtv6916 1 year ago

    This is the content I'm looking for. Earned a subscriber 🎉

  • @jackchn23
    @jackchn23 6 months ago

    Thanks Keatron! Subbed to YOUR channel!

  • @tinatwintinny1205
    @tinatwintinny1205 4 months ago

    Thank you for sharing. I have been trying to get an entry-level job in a SOC, and 😐 it's an exciting role.

  • @rrw1981
    @rrw1981 3 years ago +3

    Great video

  • @libnatty1862
    @libnatty1862 1 year ago +6

    Thanks for the great behind the scenes look into SIEM monitoring. It's sad that I have a degree from a technical college, and there were hardly any labs, just all theory. I naturally have an investigative mindset so this really intrigues me and I would love to get back into training. Keatron, where does one start?

  • @cedricroberts4336
    @cedricroberts4336 2 years ago +2

    Thank you so much for this insightful video.

  • @Whatthellisthisthing
    @Whatthellisthisthing 2 years ago +1

    Great demonstration, thank you!

  • @MrBitviper
    @MrBitviper 1 year ago +1

    Awesome video. Thanks for the detailed explanation.

  • @miloboy55
    @miloboy55 1 year ago +1

    I’m only 4:18 in and I must say this is an excellent video.

  • @Hotchoclate5444
    @Hotchoclate5444 1 year ago

    Great video!!

  • @marcschweiz
    @marcschweiz 3 years ago +3

    Absolutely fantastic info

  • @natashataylor7531
    @natashataylor7531 1 year ago +1

    Great video! Thank you!

  • @juliusweston8036
    @juliusweston8036 4 months ago

    Awesome Stuff!

  • @_amintrouble
    @_amintrouble 2 years ago +4

    Hi, thanks for the video. Although you mentioned it, using the md5 command is a lot better and quicker as it gives you the instant hash which you can copy and paste into VT.

  • @laanbarehamza1024
    @laanbarehamza1024 2 years ago +1

    Amazing video. Thanks so much

  • @lilmamagc
    @lilmamagc 1 year ago

    Wow, this was so helpful.

  • @Ricjamz
    @Ricjamz 3 years ago +4

    Just getting in, and this was fun to watch.

  • @amechi
    @amechi 1 year ago +1

    Excellent 👍🏾

  • @RichfieldFearless
    @RichfieldFearless 2 years ago +2

    This was very educative.

  • @zacherymahoney12
    @zacherymahoney12 1 year ago

    Just super cool. This is why it's so fun.

  • @PaulEllisBIGDATA
    @PaulEllisBIGDATA 3 years ago +2

    Outstanding!!!!

  • @renelvital
    @renelvital 1 year ago

    Thank you for the video.

  • @ekomeebahcollins4340
    @ekomeebahcollins4340 2 years ago +1

    Really great. I appreciate it, honestly.

  • @zak1686
    @zak1686 11 months ago

    Thank you, 100% works.

  • @manfrombritain6816
    @manfrombritain6816 2 years ago +1

    Great video!

  • @akotamaki3385
    @akotamaki3385 1 year ago

    Great video, thank you.

  • @brittb7766
    @brittb7766 3 years ago +3

    This was an awesome video

  • @KandeeKush
    @KandeeKush 2 years ago +1

    Really useful, thanks bro.

  • @emreybs2563
    @emreybs2563 2 years ago +1

    Thanks. Very useful.

  • @kevinmcguinness6526
    @kevinmcguinness6526 1 year ago

    Thanks man

  • @kmernolimitpro7802
    @kmernolimitpro7802 3 years ago +1

    Thanks sir

  • @raveollorza1877
    @raveollorza1877 1 year ago

    IT REALLY WORKED LOL THANK YOU DUDE

  • @prachivirkud7286
    @prachivirkud7286 1 year ago

    Thank you!

  • @edwardamarh8461
    @edwardamarh8461 2 years ago +2

    Wow, this was so informative. I really needed it; the same question bothered me: how do you know when to dig deeper into an alert? Thanks.

  • @emmanuelanosike2208
    @emmanuelanosike2208 1 year ago

    GENIUS

  • @dutchhome1212
    @dutchhome1212 2 years ago +9

    Great vid m8!
    If I may make 2 suggestions (you might already know...): if you first do the RAM memdump before using netstat and so on, you won't throw something out of the RAM because you just used two programs. Second, you can also upload a hash of the rootkit to VirusTotal and not the file itself, so as not to alert anyone...
    All in all a great and informative video! Keep up the good work!

    • @KeatronEvans
      @KeatronEvans 1 year ago +3

      Doing a memdump required putting something external on the machine, running netstat did not. The memory dump is far more disruptive than running netstat which is local. Thanks for watching!

  • @ishwaryanarayan1010
    @ishwaryanarayan1010 7 months ago

    Sir, your videos are great. I am looking for a trial version to update my skills. Do you offer a free trial version?

  • @Jo-nw2lf
    @Jo-nw2lf 1 year ago +1

    Great video, but I tried to download Exabeam and can't. Do I have to pay for the full download?

  • @mohittyagi2691
    @mohittyagi2691 1 year ago

    Dude, this is super good! Subbed.

  • @TenMinuteKQL
    @TenMinuteKQL 2 years ago +3

    You have an alert suggesting there may be an issue, but it was not clear that something was definitively wrong. This is the investigative process for the INV team. Once you know it is a true positive and worthy of time for containment and analysis by a dedicated team (impact to organization) it is then transferred to IR. At least in my experience. This is a good rundown of a tier 2 INV investigation.

  • @kevincastillo9207
    @kevincastillo9207 3 years ago +4

    I wasn't aware Victor Wooten was into cyber security!

    • @KeatronEvans
      @KeatronEvans 3 years ago +2

      Awesome comment! I've been playing since I was a kid.

  • @Ultimah
    @Ultimah 2 years ago +1

    Fantastic video, please make more video tutorials.

  • @jeffnaval4894
    @jeffnaval4894 5 months ago

    It looks simple, not too much coding. Finally I have a dream job I'm dreaming about.

  • @gradseven7996
    @gradseven7996 1 year ago

    Can you make more videos like this please

  • @msudex
    @msudex 2 years ago +2

    Hello. Why did we not see those connections/processes on the victim's machine? Was the rootkit hiding them, and did only having a dump outside of the victim's machine keep the rootkit from interfering with the proper output of connections/processes?

    • @KeatronEvans
      @KeatronEvans 1 year ago

      Yes, the rootkit was not allowing Windows to "show" you the connections.

  • @shafiiqbal631
    @shafiiqbal631 2 years ago +1

    What should be the design or architecture of a SOC Center? Please provide and assist my new SOC Center.

  • @emmanueleniade7558
    @emmanueleniade7558 1 year ago +1

    Please, I have a question. Is the Security+ course okay for a newcomer into cyber security?

  • @cipher4047
    @cipher4047 3 years ago +21

    Hi, if you don't use virustotal to identify malware, what commercial tool do you use? Also, please make more videos. I will support the channel!

  • @jksalamon
    @jksalamon 1 year ago

    Wanted to check on SOCs. Can there be an IT SOC and an OT SOC? Is it right to say so? Or is it just one SOC, and have a SIEM separately for IT and OT?
    In one of our groups we had this endless debate about SOCs, each side backed with their own experience and opinions. What do you think is the right approach? Any document/whitepaper you can share that you know of?

  • @vivekprajapati4787
    @vivekprajapati4787 3 years ago +2

    Is the RSA Security Analytics SIEM tool good?

  • @Byyte
    @Byyte 3 years ago +6

    Hey I know this guy!! Lol

  • @orinyaacoboi5188
    @orinyaacoboi5188 1 year ago

    This is good stuff. How to do it on Kubernetes?

  • @Mustafa-bd3db
    @Mustafa-bd3db 2 years ago +2

    Is this open source? I would like to practice

  • @toliskoutovas7267
    @toliskoutovas7267 10 months ago

    Trying to get into SOC T1. What if instead of uploading the rootkit executable on VirusTotal, you instead extracted its hash and compared it to the virustotal database? Wouldn't that be safer?
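
The hash-instead-of-upload workflow raised in this comment, in @dutchhome1212's second suggestion and in @_amintrouble's note about the md5 command, as an added example that is not code from the video or from any commenter: hash the suspect binary locally in one streamed pass, check it against a local denylist, and build a report lookup by digest so the sample itself never leaves the host. The VirusTotal report URL format and the denylist contents are assumptions; the sample is the constructed EICAR test string rather than a real rootkit.

```python
"""Hash a suspect file locally and look it up by digest instead of uploading it.

Added example, not code from the video. A hash lookup reveals nothing about the
sample to anyone watching the upload queue, but it only answers "has this exact
file been seen before?": a freshly built rootkit has a unique hash and will come
back unknown, which is not the same as clean.
"""
import hashlib
import io
import os
import sys
import tempfile

# Assumption: the VirusTotal web UI serves an existing report by SHA-256 at this path.
VT_REPORT_URL = "https://www.virustotal.com/gui/file/{sha256}"

# Constructed denylist: the published SHA-256 of the EICAR anti-malware test file.
KNOWN_BAD_SHA256 = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
}

# The 68-byte EICAR test string, used as a harmless stand-in for the suspect binary.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hash_stream(fh, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 in a single pass; streamed so a large file never sits in RAM."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def lookup_url(digests):
    """Report URL to open in a browser; the file itself is never transmitted."""
    return VT_REPORT_URL.format(sha256=digests["sha256"])


def triage(digests, known_bad=KNOWN_BAD_SHA256):
    """Local verdict before anything leaves the host.

    'unknown' only means this exact file has not been seen by us; treat it as
    unverified, not benign, and fall back to behavioural analysis of the dump.
    """
    return "known-bad" if digests["sha256"] in known_bad else "unknown"


def main(argv):
    if len(argv) > 1:
        digests = hash_file(argv[1])
    else:
        # No path given: write the constructed EICAR sample to a temp file and hash that.
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(EICAR)
        try:
            digests = hash_file(tmp.name)
        finally:
            os.unlink(tmp.name)
    for name, value in digests.items():
        print(f"{name:7}{value}")
    print("verdict", triage(digests))
    print("lookup ", lookup_url(digests))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python hash_lookup.py <suspect file>` to get all three digests plus the lookup URL; without an argument it hashes the EICAR stand-in. The SHA-256 is the one to search on, since MD5 and SHA-1 collisions are cheap enough that two different files can share one of those digests.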

  • @fromthemoonandmybed
    @fromthemoonandmybed 1 year ago

    Watching this in 2023 and seeing 3:55 is wild 😭

  • @MohammadAliKhalil
    @MohammadAliKhalil 2 years ago +1

    This looks difficult, to do all of these steps. What type of position does this type of work?

    • @KeatronEvans
      @KeatronEvans 1 year ago

      It's not difficult, just takes practice.

  • @igu642
    @igu642 1 year ago

    ❤❤❤❤

  • @tomeshuggah
    @tomeshuggah 2 years ago

    That damn Barbara!

  • @claudiamanta1943
    @claudiamanta1943 2 months ago

    3:45 How do you know info about somebody’s behaviour if they use a VPN?

  • @KJC2025
    @KJC2025 3 years ago +2

    You gonna jam on that bass or not?

  • @madhav766
    @madhav766 2 years ago

    Is that windows XP?

  • @claudiamanta1943
    @claudiamanta1943 2 months ago

    Thanks for sharing, it's really interesting.
    I don't know much about IT, but isn't it risky to use any automated system to flag up problems? Such a system is only as good as its algorithms and the way the administrator configures it.
    Re the incident. Maybe this lady works remotely from Ukraine?
    Last but not least, shouldn't the company's IT admin check her activity? Please, tell me that admins can do that despite the employees using VPN, otherwise the system would be safe-ish from external attacks but totally vulnerable to internal attacks.
    Thanks.

  • @edwardjaycocks5497
    @edwardjaycocks5497 3 years ago +1

    The problem in cyber security is that, in certain countries at least, it's full of unqualified people, and I'm not talking about vendor certificates. I'm talking about people that cannot communicate correctly, that don't have the underpinning knowledge and, most importantly, cannot do qualitative and quantitative analysis, and that's the big, big problem. All you get is somebody with a Network+ and Security+ and they think they're the bee's knees. Jesus help us, I have seen it too many times in this industry, it's a joke. And to top it all off the private sector are ridiculous, they just take anybody on that just fits the specific criteria, which isn't that great overall, and they rely, especially in the UK, on certifications, which can be good in some part. And that's why, and I used to do this kind of work for some years, you get the young ones coming in who are not really that well trained doing a piss poor job.

    • @universalsec9040
      @universalsec9040 2 years ago

      As long as you know how to communicate then you’ll be fine! Just read more books and learn how to properly articulate your words better.

    • @universalsec9040
      @universalsec9040 2 years ago

      There are lots of foreign professionals in this industry that just know the basics of communication.

    • @mangolassi5273
      @mangolassi5273 2 years ago

      @universalsec9040 Any tips on improving communication? Communication is one of my weakest points.

  • @WizardMoDz
    @WizardMoDz 1 year ago

    Like

  • @amrayoub3508
    @amrayoub3508 3 years ago

    I didn't understand where and why you got the memory dump?

    • @oscaroska7613
      @oscaroska7613 2 years ago

      How did he get into the victim device?

    • @dharunkanna10
      @dharunkanna10 2 years ago +1

      The memory dump is taken from the Windows machine, and if you notice, the Windows machine doesn't show the evil process when looking through the command prompt. But the process is running, so we get information about the evil process by dumping the memory using a tool, and we analyze the memory dump file in Kali.
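
The hidden-process and hidden-connection situation described in this thread and in @msudex's question above (the rootkit stops Windows from "showing" the connection, while the memory dump still contains it), as an added example that is not code from the video or from any commenter: a cross-view diff that parses what the live host printed against what the offline memory analysis found and reports whatever exists only in memory. All four listings are constructed samples; the `netstat -ano` and `tasklist` layouts are the real ones, the tab-separated netscan and psscan layouts are assumed to follow Volatility 3's column order, and `evil.exe` and the addresses are made up.

```python
"""Cross-view detection: diff what the live OS reported against what the memory image shows.

Added example, not code from the video. A kernel rootkit filters the API calls that
netstat and tasklist rely on, so the live listings come back clean; a memory dump is
parsed offline without that kernel in the loop, so the hidden objects reappear.
Anything present in the image but absent from the live view is the lead to chase.
"""
import re

# Constructed sample: `netstat -ano` as printed on the live, infected host. The C2
# connection on port 4444 is missing because the rootkit filtered it out.
LIVE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4124
  UDP    0.0.0.0:123            *:*                                    1088
"""

# Constructed sample: `tasklist` on the same host, also with the implant filtered out.
LIVE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        140 K
svchost.exe                    836 Services                   0      9,512 K
svchost.exe                   1088 Services                   0      5,204 K
chrome.exe                    4124 Console                    1    212,480 K
"""

# Constructed sample in the tab-separated layout of Volatility 3 windows.netscan
# (assumed column order), run against the memory dump taken from the same host.
MEM_NETSCAN = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xe000a1b2c3d0\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t836\tsvchost.exe\t2021-01-05 09:12:01
0xe000a1b2c4e0\tTCPv4\t0.0.0.0\t445\t0.0.0.0\t0\tLISTENING\t4\tSystem\t2021-01-05 09:12:01
0xe000a1b2d5f0\tTCPv4\t192.168.1.10\t49712\t203.0.113.5\t443\tESTABLISHED\t4124\tchrome.exe\t2021-01-05 10:04:11
0xe000a1b2e6a0\tTCPv4\t192.168.1.10\t49801\t198.51.100.23\t4444\tESTABLISHED\t2788\tevil.exe\t2021-01-05 10:06:37
0xe000a1b2f7b0\tUDPv4\t0.0.0.0\t123\t*\t0\t\t1088\tsvchost.exe\t2021-01-05 09:12:03
"""

# Constructed sample: first three columns of windows.psscan (assumed layout). psscan
# carves _EPROCESS objects out of pool memory, so a process unlinked from the active
# process list by a DKOM rootkit still shows up here even when pslist misses it.
MEM_PSSCAN = """\
PID\tPPID\tImageFileName
4\t0\tSystem
836\t620\tsvchost.exe
1088\t620\tsvchost.exe
2788\t4124\tevil.exe
4124\t3320\tchrome.exe
"""

TASKLIST_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_netstat(text):
    """Set of (proto, local, remote, pid) from `netstat -ano` output."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows carry no State column, so the PID is always taken from the end.
        rows.add((parts[0], parts[1], parts[2], int(parts[-1])))
    return rows


def parse_netscan(text):
    """Same tuple shape from netscan, normalised so the two views compare exactly."""
    rows = set()
    lines = text.splitlines()
    cols = lines[0].split("\t")
    for line in lines[1:]:
        rec = dict(zip(cols, line.split("\t")))
        proto = rec["Proto"][:3]                      # 'TCPv4' -> 'TCP'
        local = f'{rec["LocalAddr"]}:{rec["LocalPort"]}'
        remote = "*:*" if rec["ForeignAddr"] == "*" else f'{rec["ForeignAddr"]}:{rec["ForeignPort"]}'
        rows.add((proto, local, remote, int(rec["PID"])))
    return rows


def parse_tasklist(text):
    """{pid: image name} from `tasklist`, tolerating image names that contain spaces."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name")
    return procs


def parse_psscan(text):
    procs = {}
    for line in text.splitlines()[1:]:
        pid, _ppid, name = line.split("\t")[:3]
        procs[int(pid)] = name
    return procs


def hidden_connections(live_text, mem_text):
    """Sockets the memory image knows about that the live host did not report."""
    return sorted(parse_netscan(mem_text) - parse_netstat(live_text))


def hidden_processes(live_text, mem_text):
    """Processes carved from memory whose PID never appeared in the live listing."""
    live, mem = parse_tasklist(live_text), parse_psscan(mem_text)
    return sorted((pid, name) for pid, name in mem.items() if pid not in live)


def main():
    for pid, name in hidden_processes(LIVE_TASKLIST, MEM_PSSCAN):
        print(f"process in memory but not in tasklist: pid={pid} {name}")
    for proto, local, remote, pid in hidden_connections(LIVE_NETSTAT, MEM_NETSCAN):
        print(f"socket in memory but not in netstat: {proto} {local} -> {remote} pid={pid}")


if __name__ == "__main__":
    main()
```

On these samples the only discrepancies are PID 2788 (`evil.exe`) and its outbound socket to port 4444, which is exactly the lead the live tools could not produce. Expect some noise on a real host, since the dump and the live listings are never taken at the same instant and short-lived sockets will appear in one view only; what survives the diff and has a long lifetime, an odd parent or an unexpected remote port is what to pull the binary for.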

  • @SoulJah876
    @SoulJah876 2 years ago +1

    Incident response without a SIEM - is it even possible?

    • @KeatronEvans
      @KeatronEvans 1 year ago +1

      I mean it's tough in an enterprise environment, but I guess anything is possible. The question is, can you do EFFECTIVE incident response without a SIEM in an enterprise environment.

    • @SoulJah876
      @SoulJah876 1 year ago

      @KeatronEvans Good point. I mentioned SIEM to a manager recently, but our discussion came to the fact that the team didn't have anyone to constantly monitor the system and then act/report on anomalies.

  • @user-gi4sb6dy4r
    @user-gi4sb6dy4r 1 year ago

    Didn't work for me.

  • @edwardjaycocks5497
    @edwardjaycocks5497 3 years ago +1

    Anyway, apologies for my rant. It's just what I see every day in this industry, and I love this industry. I wish it was served better with decently educated people, and while there are some, the vast majority are not.

  • @faikerdogan2802
    @faikerdogan2802 2 years ago

    Is that Windows 7 :o

  • @edwardjaycocks5497
    @edwardjaycocks5497 3 years ago

    There are plenty of tools you can use to analyse, but what people forget is it needs to be done super fast, and if they cannot think on their feet they're a waste of time.

    • @universalsec9040
      @universalsec9040 2 years ago +2

      You again lol 😂 you are such bad energy.

    • @KeatronEvans
      @KeatronEvans 1 year ago +3

      Part of learning to think on your feet is repetition. We go superfast, just not when trying to educate people lol.

  • @MrEmityushkin
    @MrEmityushkin 2 years ago

    +

  • @HavokR505
    @HavokR505 2 years ago

    Why wouldn't you just ask her if she VPN'ed from Ukraine? "Hi, yeah, were you in Ukraine yesterday? No? Did you have a VPN on that was pointing to Ukraine? No?" Hmmm

  • @hannakorostelova1180
    @hannakorostelova1180 2 years ago

    It's Ukraine, not the Ukraine.

  • @jordanbourcier2424
    @jordanbourcier2424 2 years ago +1

    Great video!!