Cybersecurity Mentors Podcast

Tools and Skills to Master as a Security Analyst - Part 1

Cybersecurity Mentors Season 2 Episode 5

This episode is part one of two that focuses on essential tools and skills for aspiring security analysts. In this episode we discuss SIEM tools, vulnerability management, and endpoint protection. Check out the link for the resources. 

• Importance of SIEM tools for analyzing log data 
• Vulnerability management as a critical cybersecurity hygiene practice 
• Regular vulnerability scans and prioritizing remediation efforts 
• The evolution of endpoint protection and current threats 
• Real-world implications of failing to manage vulnerabilities 
• Practical tips and resources for gaining hands-on experience 
• Encouragement for community engagement and shared learning


Steve:

Could you teach me? First learn stand, then learn fly. Nature ruled on your son, not the mind.

John:

I know what you're trying to do. I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it.

Steve:

What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life. Welcome to the Cybersecurity Mentors Podcast. In today's episode, we'll dive into some of the tools and resources to help you learn the responsibilities of a security analyst. John, what do you think?

John:

Yeah, yeah. I mean, the way we're structuring this is: if we were looking to hire a security analyst, what are the things we're looking for? What skills, what tools? What are we going to evaluate you on? What are we going to see that you know how to do and what you understand? That's how we're thinking about this.

Steve:

Absolutely, and this will also help a lot of you who might be getting started, might be finishing your Google certificate, might be finishing your Security+ cert, and maybe dabbled in some TryHackMe labs, but now you're looking for something more to put you on top of everybody else who's in the same boat as you. By focusing on some of these tools and gaining some hands-on experience with them, setting them up, running them, all that, that will definitely put you a step ahead of the competition.

John:

Yeah, and as you take all these courses, and there are some good ones out there that cover these tools, the hard part is: what is it like to use these in a real SOC, or as a real analyst? What

John:

is it really like? That's the hard part, to get that across in a course, and we're not going to be able to do that all in this episode, but we're going to try to give you some related stories and things from our experiences, like, hey, this is what we did and how it worked out for us or how we use it, just to give you some of that context as well.

Steve:

That's correct. So let's get started. What we're going to do is introduce six different areas. We're going to talk about SIEM tools, vulnerability management, endpoint protection, network monitoring, and we're going to touch on incident response and phishing simulation. So we're going to talk about a lot, and we're going to try to get it all done in one episode. We may have to chop this episode into two. We'll see how it goes. Let's do it.

John:

All right. So SIEM tools, yeah.

Steve:

SIEM tools, yeah, let's talk about SIEM tools, and I don't care what you say. To me it's "sim," not "seem." But we can argue about that in the chat. That's fine, let's get going. Yeah, yeah.

John:

So sim, seem, whatever. What does the acronym SIEM stand for?

Steve:

It stands for Security Information and Event Management, and this is a tool that helps you collect and analyze logs from various systems within your organization or your company, and it helps you identify unusual or suspicious behavior. So it's like a central area where you can monitor your organization and your environment.

John:

Yeah, the way I like to describe it is you've got lots of data sources that are being ingested, and then you've got correlation happening, so, I always say, connecting the dots. You've got this data source and this data source, and something is connecting the two sources together to see if they're related: this happened, and then this happened, from two different data sources. But there's so much data, as an analyst, that you can't look at it all and you can't correlate it all. So a SIEM is supposed to help you connect those dots. This and then this together is important; separate, maybe not as important, but together, connected, correlated,

John:

that makes it worth investigating, worth looking into.

Steve:

Absolutely. So, with different SIEMs, you will set yourself some alerts or some flags, some key things that you're looking for, as well as a baseline of what's normal in your environment. For example, if you have geolocation information going into your SIEM, let's say you use Duo, and you have an employee who normally logs in from New York, and all of a sudden they're logging in from, I don't know, let's say Spain. And that may be accurate.

Steve:

That person may be out there, you know, doing business, vacationing, whatever it is. But if you're seeing someone logging in from New York and then five minutes later logging in from Spain, there's no way that can happen. So you could set yourself an alert for impossible travel. It is impossible to travel from New York to Spain in five minutes. That is something that we do ourselves at Clemson. We have our logs going into Splunk, and we have different alerts and flags that say, hey, this is impossible travel, let's flag on this so that someone can investigate further. So what else are you thinking, John, for a SIEM?

John:

Yeah, you know, so there's networking events, there's authentication events, there are application server events, web servers, Active Directory. There's a ton of data. I mean, we have terabytes of data, and that's not even everything that we try to connect and correlate, which is challenging. And there's kind of the old-school mindset of just put it all in there, get everything you can into the SIEM. And all those companies love that, because they charge you based off of how much you ingest, how much log data you send them. Like, yeah, we can take it all, just send it over, we're ready.

John:

And then those price tags, those yearly bills, got expensive, and still are expensive. So that shifted a bit to log what you need, but you still need a lot. It's challenging, it's definitely a challenging thing: there's still a lot of data out there you need and you want to have. And I'll just talk about this real quick: the way we've thought about it and shifted a bit is that a lot of your threat intelligence and other intelligence is in your tool, let's say your EDR. A lot of that's baked into the tool already. You still want correlation between the different data sources, but then you've got these other log aggregators slash SIEM, kind of, that you want to go back to, right.

Steve:

So you have an incident that happens, something bad happens.

John:

You dig into your tools first, normally, unless you've got something already correlating, and then you may need to go find out more. So you might go to that SIEM or log aggregation tool, like Splunk, and go dig in: what happened, how did it happen, what was going on here? So you start doing that incident response, investigation phase of this, to find out more information. So those are great, because it's challenging to do that by hand, which is the way we used to do it.

Steve:

Yeah, I would also like to say, talking about that high-priced bill, if you are in an organization that may be limited when it comes to funding, you don't have the luxury, like these big companies, to throw everything, even bathroom sensor data, into your

Steve:

Splunk or into your SIEM tool. Then you need to focus on your crown jewels. You need to identify what those are and focus on those areas, but also think about it: if you're going through an investigation, incident response, something happens and you have to figure out what happened, how it happened, when, why. If you can at least do that for your crown jewels to begin with, then that should help you and guide you on the types of logs that are needed for you to put those puzzle pieces together and figure out exactly what the heck happened if you're investigating an incident. Would you agree?

John:

Yeah, a good example of that is Windows event logs. There are so many event logs that happen on a regular basis, and you can send every Windows event log. Now, if somebody asked me, what do you want, what do you need? I would love to have everything. Yeah, I want to have everything, because you don't know you need it until you need it, when something bad happens and you've got to go figure out what happened. And when you don't have the log data, it sucks, right? So ideally you can keep everything forever, but that's just not practical anymore. So there are ways to go through and figure out, well, what's the 80/20? What are the logs, the events that we can log that are going to give us the most bang for the buck? And hey, we can't keep everything, so we've got to be practical with what we can't keep.

Steve:

Yeah, absolutely. So, do you have any good stories of how a SIEM has saved our behinds? Or maybe a specific investigation where using our SIEM really helped out?

John:

Yeah, I mean, well, I'll go back. I thought about this when we were preparing. The first SIEM that I ever used, and where I was the administrator or configurator and the actual user of it, because I was the only person using it, was a tool called Cisco MARS. It's like generation one of a SIEM, it's really old school, but its claim to fame was being a general-purpose SIEM. It could pull in all kinds of data sources; I mean, that's the whole purpose, right, pull the data in, correlate the data. It didn't do a great job of that. It did help, because we didn't have anything. But its biggest problem was it only worked for certain data types, and the data had to be formatted so that it could actually ingest it, so it couldn't ingest everything. So its challenge was trying to get data into the system, and we were always dealing with something like, well, this data can't be ingested, or this data can, and whatever. So that was a big challenge. Then from there we moved to Splunk, and Splunk's big claim was like, we can ingest everything, right, which was also supportive of their business model. Which it can't, I mean, but compared to Cisco MARS, that kind of a SIEM, and Splunk, it was night and day, being able to ingest, hey, whatever CSV, text file, you name it, we can pull it in. That was amazing.

John:

And then the way that the search functionality worked in MARS was terrible. Trying to search it was kind of like click boxes and filter and things like that. It was really bad. And then when you got something like Splunk, it was like, wow, I can search this like I was searching through Google. This is really fast, really easy. Easier, at least, put it that way. Maybe not easy, but easier. It was a great change, it was definitely a great leap, and that's why Cisco MARS is not around anymore.

John:

But yeah, I mean, there's definitely times where, and I've said this before, going through and working through logs in Splunk. I guess a good example would be we used to manually search through the Bro logs we had for Zeek, and working through those logs would be like using grep and trying to find bad things.

John:

So you have all this log data from Bro, or Zeek now, of network traffic, and you literally would be grepping through those logs, searching through those logs to help you find bad things. Well, when you ingested those logs into Splunk and it auto-summed and grouped and gave you the top 10 and all that stuff, and then you could search it way easier, it was a game changer. It definitely helped out a lot, being able to pull that data in. Now, I still like that I have that skill and I've had to do it the hard way. I don't think it's good to have to do it the hard way, but having done it the hard way, I really appreciate the tools that we have today, to be able to do it faster and more efficiently and to get to the bad quicker.

Steve:

Right, absolutely. And I think, tying AI into all this, it's going to be a game changer. I mean, we've already seen some of these big companies bringing AI into SIEM tools and whatnot, so I'm curious to see where things will go. There's just a lot of automation now, playbooks that you can create, having things take action on their own. So it's definitely something for us to keep exploring and talking about, for sure.

Steve:

But some of you may ask, well, how are security analysts using SIEM tools in their day-to-day? Well, we've already talked about some of that: you're monitoring your logs, you're monitoring for suspicious behavior, things out of the ordinary. You are creating alerts. So, for example, the impossible travel alert that I discussed earlier: if there are things that your company finds important to identify, then you are creating those alerts, you are testing them, you're editing them, creating new ones as they come, and then you're generating reports for compliance purposes. Someone may want to know,

Steve:

in the last year, how many people traveled to Russia or China or something, I don't know, just giving you an example there. But also creating dashboards to give your SOC, if you have one, or your other security team an easier way to look at what's actually going on. What's happening? Do we see some red flags? Do we see some alerts going off? Where do we need to shift our focus first? So those are a few of the things that I can think of. Any others, John?

John:

Dashboards is a thing, you know. Creating a dashboard to help you visualize. Sometimes they're eye candy that you put up on your big displays, all the monitors, just to show off. Yeah, it's still a thing, it's still important when the bigwigs show up. But dashboards can be useful, though, to quickly visualize what you're looking at: sum it, total it, average it, all those good things. It's not a bad thing, they can be useful. Sometimes, like I said, they can be frivolous, but that's a thing. The alerting, the triage, pulling in intelligence feeds, intel feeds, to help you also trigger alerts. A lot of triaging, mining the logs, threat hunting. You can use a SIEM tool to help you do threat hunting: hey, this is a known bad, let's go look and see if we have any of that in our environment. It is an essential tool.

Steve:

Absolutely. So, any recommendations that you could give someone who may not have experience with a SIEM tool, may not have even known what it is until just now watching our video, where they can get some hands-on experience?

John:

Yeah, I mean, the good news is the two biggest ones right now, I would say, are still Splunk and Elastic, and you can play with those free. You can actually spin up a free cloud instance of Splunk, or I think you can still download it and run it locally, a free version. There's only so much you can pull into the free cloud version, you have X amount you can pull into it, but you can go do that today and spin it up, and there you go, you've got it running. Now you've got to figure out how to use it, but you at least can get started with it. With Elastic, it's open source, or there is open-source Elastic as well, and you can download that and have a more manual process of installing it and configuring it, which is going to be

John:

hard. It's not going to be simple; it's never simple when it comes to those things, but it is a good work-through of understanding how it's built, how it's stood up, the underworkings of it. Now, you don't have to know that. I went through a Splunk admin class, and you don't need to know all the inner workings behind it, but it doesn't hurt to actually understand, well, hey, this is what Splunk can do, this is what it can't do. But that's a good starting point, just so that you know.

John:

Back to the example with MARS: there was no free version, there were no free options. You had to buy it to use it, to learn it. So here you go, here's the thing, figure it out. Well, you are fortunate that that's not the case. You can go ahead and get some hands-on with it. You just want to get hands-on in a way that's going to give you some examples that are more real-world-like.

Steve:

Absolutely, and we're going to post some of these recommendations that we have or that we're going to talk about in this episode today. We'll post it in our show notes or in the description and share that with you all. Most of these are videos that you can go and watch that walk you through the steps of installing Splunk or installing Elastic and running it. A couple of other recommendations: we're pretty big fans of TryHackMe. There are some TryHackMe labs already that have you using Splunk to figure out a couple of things within an investigation. So we'll add those in there and recommend those to you as well, and we'll do that for all of the other sections as well, but just wanted to throw that out there.

John:

So anything else around SIEM tools? No, I think the skills that are important, if you're thinking about where do I want to be, how do I want to be seen and valued when it comes to SIEM, are understanding how it works, ideally understanding the query logic and language behind it, because they are different. Just because you know how to query things in Splunk doesn't mean you know how to query things in Elastic. They're different. So the further along you are in understanding how to use those tools when you do look to land a job, the better. Okay, I've never queried before in Splunk. Now, I have thrown people into interview situations with scenarios specifically in Splunk logs to see how they deal with it, and most of them had no Splunk experience, okay. But the other skill that we would look for is how you analyze data, because ultimately it's about the data. You've got all this data in front of you and it's a wall of information, and even with those folks that we interviewed, I wasn't like, oh, you don't know Splunk, sorry, you're out of here. It was, let's see how you deal with looking through all of these logs, and what is it that you see? How do you interpret this information to weed through the noise? Because ultimately that's what you're doing, and I've said this before.

John:

It's like the analogy: you're a submarine sonar operator. I'm actually going to find us, I was thinking, I'm going to find a sonar operator and interview them, because I am so curious, like, what is it? They probably don't have many more. They probably use whatever, ChatGPT, AI sonar. But you've got this big sonar, right, and you've got the sweeping thing, you know, The Hunt for Red October, think about that. And it's pinging, the pings are out there, and if you've ever seen Red October, it's so good, because they can hear what kind of submarine it is by the noise of the propeller, the screws on the propeller. Like, they're like, oh my God, that's a

John:

that's a Russian submarine, just passing by, like they're underwater. That's how good you need to be. This is what you need to be.

John:

You need to be so good that, well, you can't get there until you get there, but whenever you're looking at these logs, you're like, it's a Russian submarine, you know. But what I mean by that is that you are able to decipher all this information and weed it down and narrow it down to what's important. What is it actually correlating? Because the tool, you can't always trust a tool. Trust but verify. So the tool may get you there, but you need to take it to the next level. That's why we still need humans, thank goodness, to help us actually figure out what's what and why things are happening, and really connect the dots. The tool helps you, but sometimes, not always, but a lot of times, you still need the human to actually be like, okay, yeah, this is bad, let's jump on this and figure this out, right? Yeah. So those are the things that we want you to think through if you're put in that situation. The skill is: how do I use the tool?

John:

I understand the tool, I know how to query in the tool, I know how to find things in the tool, I know how the logs work, yada, yada, yada. But also getting those reps in, even if it's not real data, if it's simulated or fake or whatever, so that I can have seen different types of logs. I've seen weird things in Windows logs. I've seen weird things in Apache logs. I've seen weird things in authentication and multi-factor logs, whatever. You can do all that stuff for free, right? So that's what we're looking for.

Steve:

All right, that was a lot, but that was great. I hope you guys are taking notes, or just go back and rewind it. That was a lot of information. But all right, thank you, John. I really don't have anything else to say or to add to that. I think we can wrap up SIEM tools.

John:

Sounds good, let's do it.

Steve:

So number two, vulnerability management. All right, so what is vulnerability management? It's a process where you identify, assess and mitigate security weaknesses in an organization. Now, it may seem very basic to those of you who have some security experience or have been in security for a while, but if you go back, and I need to do this, I need to get these numbers, if you go back and look at some of the biggest breaches that have happened, it is because people do not patch, people do not fix vulnerabilities that have been out there forever, and you basically have a weakness that a bad person comes in and takes advantage of.

Steve:

And it is so simple, and it's some of the most fundamental, basic things you can do for your security, just hygiene for your organization, and you'd be surprised how many people overlook it and don't give it the attention and importance that it deserves. So why is vulnerability management important? Because attackers, bad guys, are always looking. They're scanning the internet. As soon as a vulnerability comes out of nowhere, a zero-day, or even if it's a vulnerability that's been out forever, they are scouring the internet, scanning non-stop to try and find something that is vulnerable, and as soon as they find it, it's like sharks when you drop some blood in the water, they are just on it.

John:

So, John, your thoughts? Yeah, it's hard, right, it's hard. There are new vulnerabilities every day,

John:

so this is not going away. I don't see it going away any time soon. We are always going to be dealing with vulnerabilities and patching vulnerabilities and trying to stay up with the newest vulnerability, and be behind. We're always going to be behind, because there are problems with it: we don't know everything that's in our environment, we don't have it all identified. If you don't know everything that's in your environment, then how do you know if it's affected by that new vulnerability that came out? It's super important, super essential to any security program. A good security program is to fight this battle. It's a battle on a daily basis of identifying the threats, identifying the vulnerabilities, and looking for what the risk is based off of exposure, and trying to get those things patched as soon as possible.

Steve:

Absolutely. So what are some of the things that a security analyst may be doing around vulnerability management? Helping with running regular vulnerability scans across the environment to check for vulnerabilities, outdated software, misconfigurations, you name it. Running those scans, reviewing the reports that come back that show you what the vulnerability scanner has found, and then, like John said, prioritizing: figuring out, okay, well, we have so many vulnerabilities with a severity of critical, meaning you need to fix this yesterday; we have so many with a severity of high, medium, low, you name it.

Steve:

Well then, you have to take other things into consideration. Is it internet-facing, meaning is it open to the world, or is it just open internally to your organization? Are there exploits out there? Are there exploits out there that you could go Google and find a YouTube video of some guy showing you how to take advantage of this vulnerability? I mean, those,

Steve:

obviously, you have to take care of those, right? And there are a couple of other things that you need to consider when you're creating this priority list that you go and present to your team lead, your manager, sysadmins, whoever it may be, and say, hey guys, this is where we need to focus, and this is why, this is why this is important. I'm not just coming at you with a report and saying fix everything. I mean, obviously that'd be great, but we need to prioritize. And then, again, working with those teams, the server team or sysadmins, to help patch and have a constant patching cycle in your organization, so that every week you're scanning, you're testing patches, you're patching systems, whatever it is. But yeah, so that is some of the things that you would be doing as a security analyst if you're involved in vulnerability management. Anything else to add to that, John?

John:

Patching is life. So, you know, yes, it's just like networking is king.

Steve:

Yeah, networking is king. Patching is life. Patching is life. We should make these t-shirts, John.

John:

I know, I know. It's unfortunate, but it is what it is. You know you're going to always be patching. There's always something new. Whenever I throw some new vulnerability out to our admins or something, I'm like, sorry bro, sorry bro, patching is life.

Steve:

Especially on a Friday afternoon.

John:

I know, I know, but it is what it is. One other thing I thought about was, you know, there are also other things. There are so many, right? You've got your typical vulnerability scanning. You've got your web vulnerability scanning. You've got your network hardware checks. You've got your application. Yes, there's

John:

you know, people think, well, Tenable, Nessus, whatever. That's just one thing. There are vulnerabilities in everything. So there are all the things you're trying to keep up with to identify if there is a vulnerability, and, like I said, it's never going to end. There's a good article out there, I think it's by Graham Norton, it's called Everything Is Broken, and I reference that, but also my boss references it to others, because it's a good article. And yeah, it's human, it's really human error. Everybody wants everything right away and they're trying to make money. Everybody knows this, it's like they're trying to push products out the door. So, yeah, it's ongoing.

John:

But one other thing I thought about, with vulnerability stuff, is there are also the hardening scans. You may be doing scans against a benchmark, the CIS benchmarks that you can compare against. It's like, hey, are you following best practice to be configured in a hardened way? Those are great to throw in there, and there again, as an analyst, you would be interpreting this information and maybe passing it up the chain to a manager or whatever, but at least you're the first pass, potentially, of hey, these are the vulnerabilities I found, and here's how the reports look, and here's some evaluation. Because I've got a good story that I can share a little bit about. Yeah, you can't just trust your tools, right? Trust, but verify.

Steve:

So for me personally, if you're coming in as a security analyst looking for an entry-level job, if you know or you've worked with Tenable, Nessus, Qualys, I'm blanking on some of the others, but if you know what they are, you know what they're used for, if you've run some scans, if you've reviewed some reports and you've dissected that and prioritized, those are the things that, if we can work that into your resume and I see that, then I'm going to be like, all right, that's great, that's something that I'm looking for, that's something that I need. So that's good to see.

Steve:

We are going to add a couple of links for some things that we would recommend that you could do. Some of these are free. Some of these are not completely free, but you won't be breaking the bank, and it'll be good for you to run through setting up your own vulnerability scanner in your lab, running a scan, reviewing it and just seeing what that looks like and understanding those processes. So we'll add that information to this episode. All right, John, story time.

John:

All right, story time. Okay, so this is after you were an intern, maybe a couple of interns after you, before the SOC days, where we had a request come in for a firewall exception for this application. You're already laughing, you already know this application that was used by a professor on campus who's no longer there. So the statute of limitations is open, we're good, I'm not going to get anybody in trouble. But they asked for an external firewall exception for their application. Great. Did my normal thing. It was me and Spencer, one of my interns, and I think he was there at the time. He definitely helped me after. But we did the scan. The scan came back green, everything's all good. The vulnerability scanner did its thing, no problems, ready to allow this thing open to the internet.

John:

As a good security professional, I was like, let me look into this a little bit more, let me dig into this a little bit more. Right, so it was a web app. So, you know, there again, you may want to check your tool, make sure your tool can evaluate the thing you're evaluating. I did some more digging, did some scanning, did some web app scanning just to see what came back, what pages, what is it hosting. As these tickets come in, they don't tell you everything. They're not like, oh, here's what we're going to do with it, here's the data that we've got on it and here's this and here's that. Right, you have to dig it out of them or figure it out. So did.

John:

The scan came back and came back with a web page that was some kind of test page. I was like, okay, cool, thank you for that. Let me go look at this test page. Brought the test page up, I started looking into it and, sure enough, it was a page used to do queries, database queries, and it had all these bullet boxes to choose different databases to do queries in. It had a little box so you could type in your query, SQL query. And I used to be a not real DBA, but I had to pretend to be one at my old job, so I had the skills to be able to figure out how to do some.

John:

These were Oracle queries. I wasn't good at Oracle, but I could figure it out. And with Google, I go, hey, how do I do the select statement for this? Just to see what tables were there, right, you know, things like that. So I did that, pulled back some tables and I was like, okay, this looks a little scary. There is data in here. Maybe it's just all dummy data. Started digging into it, found that there was real data, and it was not just real data, it was real sensitive data. It was HR data and student data. Oh no. Yeah.

John:

And so here I am, I'm messaging my boss, and he's out of town. And I'm texting him. I was like, hey, I got a problem here. You know, this is not good. And he's like, what do you mean? Hey, I found this.

John:

This professor has this database, databases of very sensitive data. He's trying to open it to the internet. Fortunately, found this query page. But we're really concerned about this. And he's like, oh, that's probably all test data. I'm like, listen, I don't think so. So I had to. He didn't believe me, so I'm going through querying it. And I'm like, well, let me just see if I can find my data. So, sure enough, I go and I find my data, like my HR data, and I find my student data. I'm like, uh, no, this is real data. And then he still was giving me a hard time. I was like, okay, so I'm gonna go find your data, right. So I go find his data and I'm like, hey, is this your Social Security number? I didn't say this, but, like, you know, I found his stuff, right. And then he was like, oh, okay, yeah, this is the problem, right? Yeah, now he's on board. But yeah, I mean, just, you know, fortunately we found it. We didn't allow it, because there wasn't... there was no vulnerability.

John:

There wasn't a vulnerability. Let that sink in. Yeah, you know, you could be thinking, oh well, the tool told me it was green, everything's good. Go open this thing up to the world. And this is a good lesson and I'm lucky, you know, that we just did the due diligence thing. But found this before it was open to the internet, and it was like keys to the kingdom, everything, here you go, here you go. Bad guy finds this, I mean, they would be dancing up and down. This is, you know, I don't have to do anything. Look at here, ransomware. Is, you know, here you go, as a gift. So just a lesson about vulnerability management, how important it is. But also, just like all these tools that we talk about, you have to be vigilant and you also have to verify. Trust your tools, but verify. Absolutely, trust but verify. Another t-shirt right there.

John:

Yep, so that's great, yep.

Steve:

All right, let's move on to our third: endpoint protection. So what is endpoint protection? Endpoint protection involves securing devices in your organization. That includes laptops, phones, desktops, servers, you name it, and you're protecting it against malware, viruses or even unauthorized access. Meaning, if a laptop gets stolen or gets lost, whoever picks it up, finds it on the side of the road or at Starbucks, can't just open it up and see everything that you got going on in there.

John:

So, John, thoughts? Yeah, this, you know, went from AV, and I don't know if you remember this, but back in the day in the dungeon I had all these machines set up and I was testing different antiviruses in this tower, and we were getting ready to switch to a new antivirus, and so I mean, it was actually really helpful for me to understand how six different antivirus solutions dealt with bad stuff. But that was important, like how does it deal with this virus file or this technique or things like that. And that was all we had. All we had was antivirus, signature based: hey, I know this is bad, I've seen this before, and flag it. Right, fortunately. And it's an arms race, as always.

John:

But we've matured to endpoint detection and response, to give more behavioral-like detection of not just, hey, I've seen this before, blacklisted MAC or MD5, whatever hash. I don't know if I've not seen this before, but this looks weird, right? This is what's normal, this is abnormal. This is, you know, a secretary should never be running nmap from their computer, those kind of things. So we've definitely matured, as bad guys have matured, to where we are now, and we rely a lot on this tool. So it's very important, but again, as we've already stated a couple of times, it is not the silver bullet. You can't only rely on this.

Steve:

Absolutely. So why is it important? And we've already kind of talked a little bit about this, but, you know, endpoints, meaning your laptops, your phones, servers, those are often the weakest link in an organization. Right, you may have the secretary of the president or the secretary of the CEO or the CEO himself on his machine. I mean, they're dealing with emails, they're dealing with Excel files, they're dealing with all kinds of stuff, and if those systems are not fully secured and/or encrypted, then if something were to happen, say, they download malware by mistake or they're visiting suspicious websites and something happens, or they get a suspicious email that says, hey, click here for a free Starbucks gift card, and they fall for it.

Steve:

If your machine is not equipped with the right endpoint protection, then we won't be able to stop that, identify it, where our people, our security team, can go and investigate further. So it is really, really important that you secure your endpoints and make sure that they are managed, if possible, by your IT staff, and make sure that they're getting patched. We just talked about vulnerability management. Make sure that they are getting all the types of security updates from Apple or Windows, whoever you have, and making sure that they are as up to date and secure as possible, so that we don't fall victims to just simple, simple ways of attacking. You agree, John?

John:

Yeah, I mean, what we're seeing too is that, again, it used to be that somebody downloads some type of malware, which still happens, but now it's shifting to software that gives adversaries access. That's not necessarily flagged as malicious software, that is legit software that could be used by your support team, right, but is used as a remote access tool for threat actors to get in and use it and now have access to your system. So that kind of stuff, right, it's always advancing, and trying to connect that information and connect those dots from all the endpoints. Think about, in a university, I mean, there's thousands and thousands and thousands of endpoints. And then you've got people all over the world that are working in an organization, in our organization. So your endpoints are all over and you can't trust them, and you definitely want to have some early warning signs that something is up with those endpoints and making sure that you have that visibility. Without that visibility, you're in the dark. So if you don't have a tool that gives you some insight and early detection and/or, hopefully, prevention, then an adversary is basically, imagine them plugged into your network and they're on a system that has full access to just start scoping out and doing reconnaissance against your environment, right? So, super, super critical, important. And from a "what are we looking for?" standpoint, there's, you know, there's the top ones out there. We're not so focused on, like, well, this is all we use and you have to know how to use this one, right, this tool, kind of like Splunk versus Elastic.

John:

You're not focused on that so much as understanding how it works, how endpoint detection and response works. It doesn't hurt to be good at one or two, or at least have familiarity, right? So a good example is Microsoft Defender. You know, there's training out there you could go through to understand how it works, how it operates, how it detects, how it responds and how you can use it, and you can get some hands on with it, right. So those things won't hurt.

John:

Even if you go into a shop that has CrowdStrike, you know, that's okay because of the concepts of how it works. So if you've never... This is coming from a perspective of, hey, I've never been in an environment and had to work with an EDR, like an actual work environment. You know, you can still get some understanding and try to get some hands on as much as you can. This one's a little bit harder to get.

John:

Specifically, like, say, CrowdStrike. All the jobs you've looked at say CrowdStrike experience. You know, we're a CrowdStrike shop. Well, it's going to be tough to get CrowdStrike. I mean, I'm not aware of anything free you can do with CrowdStrike. Right, there might be, but, you know, those kind of things, you've got to work toward getting the understanding of what it does and how it works, and that's what we would evaluate you on. Do you know what this is? Do you know how it generally works? If you've never used our version of it, that's okay. But, you know, you gotta be able to get there and, based off of what you already know, we want to understand what your gap is. If you have no understanding, now we're like, well, it's going to take a while to get you there. Yep, no, I agree.

Steve:

Yeah, no, I agree a hundred percent. Of course there are tools that John and I, you may hear us talk about and you may hear us mention or say, hey, this is something good for you to learn, but, you know, we're not being paid by those tools, trust me. It's just stuff that maybe we are using right now in our current work environment and we have experience with it. So for us it's easy to say, oh, Defender, Microsoft Defender, learn that and that'll give you a good basis, or Tenable Nessus, Qualys, whatever, maybe.

Steve:

But to go back to what you were just saying, John, I completely agree, and in interviews that we have had, you know, again, John's kind of putting people through the gauntlet, through the scenario.

Steve:

But if you can at least walk us through your thought process of what you would do, why you would do it and how, you know, you can still kind of paint the picture and show that you actually understand the fundamentals of something.

Steve:

And maybe you're not an expert, you know, with CrowdStrike, but you've used Defender, so, like John was saying, you know kind of how the flow would work when it comes to, you know, signs of malware, right, signs of suspicious activity on an endpoint, on a laptop. So, as long as you can kind of show that you understand the tool, you show that you understand kind of how to identify suspicious, weird behavior, and then you can tell us what you would do after that to help fix that, that right there would answer a lot of the questions that we would have, because, again, when it comes to training, we can send you to training, give you some stuff to learn on how to use Microsoft Defender, CrowdStrike or whatever it may be.

John:

So it's more of the thought process and just kind of the big picture really. One thing I would add to that: Windows internals, and understanding Windows internals, it's not simple. That's why there are these tools to help you connect the dots, and even with those tools it can be complicated, but it is something you can learn, and no matter what tool you're using, if you understand Windows internals and how DLLs work and syscalls, and listen, I'm not strong on this, but I understand enough to be dangerous. But if you understand how that works, imagine you're in a scenario in a job interview and somebody says, hey, here's an actual alert that's triggered on an endpoint. There again, that thought process. What do you think? How would you triage it? What are you thinking here, what do you think has happened? Is this a false positive? How would you determine if it's a false positive? Right, the more you understand, especially Windows, because Windows is the most prevalent, right. We all know this. Yeah, you can study that, you can learn that. There's books on this, right. There's YouTube videos on it, right. So it's not simple, it's not easy, but there's tools and resources to learn. And you don't have to be black belt level unless you want to be, but you can get there and get to a level of understanding of, like, well, because this is how, under the hood of Windows, how it works. This is interesting.

John:

Another thing that I would add to that is putting on a different hat through all of these skills, and we didn't say this at the beginning, but being able to think like an attacker and maybe try to come up with some quote unquote malware that you create that would try to trick EDR. You might not be able to do it, the EDRs are good, people are trying to do this all the time. But the exercise is important because you can trial and error that, you can throw that into a lab. It's free, you can do it for free. And what will you learn from that? Well, you'll learn, maybe, how an adversary might operate. What if it was a tool that is a legit tool that people use, that you're making a tool that could be used for remote access, but now how could I abuse that to work like an adversary? Those skills and being able to use those skills are invaluable.

Steve:

Right, thinking like an attacker and offense informing defense is super important, absolutely. And again, like the other two, we will post a couple of some free stuff that you can kind of get your feet wet, get some better understanding of what EDRs are, endpoint protection tools, and just some basic understanding that can kind of help you along the way and, yeah, just help you understand endpoint protection. So anything else to kind of wrap up our part one of two, for talking about, you know, just tools for security analyst work?

John:

No, I think this is a good part one of, you know, things to think about, tools to work on, skills to develop. Super important. These are, just like we said at the beginning, this is how and what we're looking for and how we might evaluate an analyst from our perspective. Right, people are different, companies are different, but essentially, we are saying these are very important, and if you want to be an analyst, or already are an analyst, and you want to level up and get better at these skills, this is what we're trying to share with you, just to try to give you some insight from our perspective.

Steve:

Yeah, absolutely. And if you are out there watching this and you know of additional resources, please let us know. Please share, reach out, mention it in the comments so that others could benefit from that as well. We've done our bit of research, but there's, you know, there's so much out there we can't cover it all, so we might have missed a couple things. So if you know of better options or if you know of something that worked for you that you would like to share, please let us know, share in the comments and let others kind of take advantage of that as well. So again, we've covered SIEM tools. We've covered vulnerability management and endpoint protection in this episode.

Steve:

In the following episode, we will talk about phishing simulations. We will talk about network monitoring and incident response. So hope you enjoyed it. All the links of all the things that we have to share will be in the show notes. So please, you know, use them. Take advantage of that. Choose a tool, commit to it, practice it and just see your skills grow.

John:

So, other than that, anything else from you, John? That's it, thank you. Tune in to the next episode, next version.

Steve:

So happy to share more. Yeah, all right, thank you all, till next time.

John:

Thanks for tuning in to this episode. If you're looking for personalized mentorship, click the link below to sign up for a free consultation with us.

Steve:

During this session, we'll talk about your goals, your challenges and how we can better help you. This may include reviewing resumes, career advice, setting up action plans that are tailored for your needs.

John:

Yeah, at Cyber Professional Services, we're here to guide you at every stage of your cybersecurity journey.

Steve:

That's right, so keep learning. Stay secure and we'll see you next time. Questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you. Until next time. I'm John Hoyt and I'm Steve Higuretta. Thank you for listening.