1
00:00:00,480 --> 00:00:02,740
Endpoint analysis.

2
00:00:02,740 --> 00:00:04,630
Now, endpoint analysis is used

3
00:00:04,630 --> 00:00:06,740
when we're conducting monitoring, logging,

4
00:00:06,740 --> 00:00:08,990
and analysis of our endpoints.

5
00:00:08,990 --> 00:00:11,370
An endpoint is simply any device that we may use

6
00:00:11,370 --> 00:00:13,020
to connect to our network.

7
00:00:13,020 --> 00:00:16,110
Now, for example, your desktop or your laptop at the office,

8
00:00:16,110 --> 00:00:17,560
that's considered an endpoint,

9
00:00:17,560 --> 00:00:20,070
so is your smartphone or your tablet.

10
00:00:20,070 --> 00:00:23,060
As a cybersecurity analyst, you must be able to use tools

11
00:00:23,060 --> 00:00:25,110
to identify behavioral anomalies

12
00:00:25,110 --> 00:00:28,120
and then identify the techniques used by malware

13
00:00:28,120 --> 00:00:29,550
to achieve privilege escalation

14
00:00:29,550 --> 00:00:31,720
and persistence on your host.

15
00:00:31,720 --> 00:00:32,960
Now, there are lots of different

16
00:00:32,960 --> 00:00:34,640
endpoint protection tools out there.

17
00:00:34,640 --> 00:00:37,020
And in this lesson, we're going to cover five different

18
00:00:37,020 --> 00:00:41,000
endpoint security capabilities that we can use for analysis.

19
00:00:41,000 --> 00:00:44,310
These are antivirus, host intrusion detection systems

20
00:00:44,310 --> 00:00:46,570
and host intrusion prevention systems,

21
00:00:46,570 --> 00:00:48,610
endpoint protection platforms,

22
00:00:48,610 --> 00:00:51,040
endpoint detection and response platforms,

23
00:00:51,040 --> 00:00:53,920
and user and entity behavioral analytics.

24
00:00:53,920 --> 00:00:56,180
Let's talk about each of these in this lesson.

25
00:00:56,180 --> 00:00:58,650
First, antivirus.

26
00:00:58,650 --> 00:01:00,950
Antivirus is software that's capable of detecting

27
00:01:00,950 --> 00:01:02,570
and removing virus infections.
28
00:01:02,570 --> 00:01:04,850
And in most cases, other types of malware,

29
00:01:04,850 --> 00:01:09,040
such as worms, Trojans, rootkits, adware, spyware,

30
00:01:09,040 --> 00:01:11,200
password crackers, network mappers,

31
00:01:11,200 --> 00:01:13,350
denial of service tools, and others.

32
00:01:13,350 --> 00:01:17,180
Often, you'll hear this called antivirus or anti-malware.

33
00:01:17,180 --> 00:01:19,330
At this point in your career, you should be pretty familiar

34
00:01:19,330 --> 00:01:21,950
with what antivirus and anti-malware are.

35
00:01:21,950 --> 00:01:23,340
The next one we're going to talk about

36
00:01:23,340 --> 00:01:27,924
is host-based IDS and IPS, which is HIDS or HIPS.

37
00:01:27,924 --> 00:01:31,380
This is a type of IDS or IPS that monitors a computer system

38
00:01:31,380 --> 00:01:33,780
for unexpected behavior and drastic changes

39
00:01:33,780 --> 00:01:36,410
to the system state on a given endpoint.

40
00:01:36,410 --> 00:01:39,020
Now, most of these are going to use signature-based detection

41
00:01:39,020 --> 00:01:41,650
using log or file monitoring systems to figure out

42
00:01:41,650 --> 00:01:43,990
if something bad is trying to happen to your endpoint.

43
00:01:43,990 --> 00:01:46,390
They may use file system integrity monitoring too

44
00:01:46,390 --> 00:01:48,510
to see if your operating system files have been changed,

45
00:01:48,510 --> 00:01:49,740
or drivers have been changed,

46
00:01:49,740 --> 00:01:51,750
or an application has been changed.

47
00:01:51,750 --> 00:01:52,980
All of these things are things

48
00:01:52,980 --> 00:01:54,990
that a host-based intrusion detection system

49
00:01:54,990 --> 00:01:57,460
or intrusion prevention system can help you with

50
00:01:57,460 --> 00:01:59,530
that a network-based intrusion detection

51
00:01:59,530 --> 00:02:02,390
or intrusion prevention system really can't see.
52
00:02:02,390 --> 00:02:03,470
Now, the next one we have

53
00:02:03,470 --> 00:02:06,670
is an endpoint protection platform or EPP.

54
00:02:06,670 --> 00:02:08,880
This is a software agent and monitoring system

55
00:02:08,880 --> 00:02:11,150
that performs multiple security tasks.

56
00:02:11,150 --> 00:02:12,593
They can do things like antivirus.

57
00:02:12,593 --> 00:02:15,790
They can do host intrusion detection or prevention systems.

58
00:02:15,790 --> 00:02:17,120
It can have a firewall.

59
00:02:17,120 --> 00:02:19,700
It can have data loss prevention, or DLP,

60
00:02:19,700 --> 00:02:21,020
and it can have file encryption,

61
00:02:21,020 --> 00:02:22,860
all of this in a single product.

62
00:02:22,860 --> 00:02:25,960
Essentially, it's your Swiss Army knife of security tools.

63
00:02:25,960 --> 00:02:27,880
We call this an EPP.

64
00:02:27,880 --> 00:02:31,240
Now, there are a lot of EPPs on the market and every year,

65
00:02:31,240 --> 00:02:32,840
there's a thing called the Magic Quadrant

66
00:02:32,840 --> 00:02:34,480
that's put out by Gartner.

67
00:02:34,480 --> 00:02:36,660
Gartner goes and rates all the different systems

68
00:02:36,660 --> 00:02:39,090
to see who's the best, which ones are the leaders,

69
00:02:39,090 --> 00:02:41,630
who are the challengers, which of them are niche players,

70
00:02:41,630 --> 00:02:42,890
and which of them are visionaries.

71
00:02:42,890 --> 00:02:44,870
And you can see that here on the screen.

72
00:02:44,870 --> 00:02:46,500
As you can see, the top three

73
00:02:46,500 --> 00:02:49,570
are Microsoft, CrowdStrike, and Symantec,

74
00:02:49,570 --> 00:02:50,990
and all three of them have great

75
00:02:50,990 --> 00:02:53,730
endpoint protection platforms that you can choose from.

76
00:02:53,730 --> 00:02:55,800
The next one we're going to talk about is EDR,

77
00:02:55,800 --> 00:02:58,080
which is endpoint detection and response.
78
00:02:58,080 --> 00:03:02,130
Now, where EPP is mostly based on signature detection,

79
00:03:02,130 --> 00:03:06,250
EDR is focused more on behavioral and anomaly analysis.

80
00:03:06,250 --> 00:03:09,050
It starts logging the endpoint's observables and indicators

81
00:03:09,050 --> 00:03:10,510
and combines that with analysis

82
00:03:10,510 --> 00:03:12,550
and tries to figure out what's wrong.

83
00:03:12,550 --> 00:03:13,830
So, this is a software agent

84
00:03:13,830 --> 00:03:16,070
that's going to collect system data and logs for analysis

85
00:03:16,070 --> 00:03:17,210
by monitoring the system

86
00:03:17,210 --> 00:03:19,350
to provide early detection of threats.

87
00:03:19,350 --> 00:03:20,300
Now, because of that,

88
00:03:20,300 --> 00:03:23,910
the aim of EDR is not to prevent an initial execution,

89
00:03:23,910 --> 00:03:26,720
but instead, to provide runtime and historical visibility

90
00:03:26,720 --> 00:03:29,810
into a compromise, and once you've been detected,

91
00:03:29,810 --> 00:03:31,520
it can start responding to that

92
00:03:31,520 --> 00:03:33,350
and it helps you as an incident responder

93
00:03:33,350 --> 00:03:36,380
to gather more information and facilitate your remediation

94
00:03:36,380 --> 00:03:38,420
to get it back to its original state.

95
00:03:38,420 --> 00:03:41,400
The final one we want to talk about here is UEBA,

96
00:03:41,400 --> 00:03:44,230
which is user and entity behavior analytics.

97
00:03:44,230 --> 00:03:46,910
This is a system that can provide automated identification

98
00:03:46,910 --> 00:03:50,920
of suspicious activity by user accounts and computer hosts.

99
00:03:50,920 --> 00:03:54,170
Now, this solution is less about endpoint data collection

100
00:03:54,170 --> 00:03:55,980
and more about the actual process

101
00:03:55,980 --> 00:03:58,020
of analyzing the data you're getting.
102
00:03:58,020 --> 00:04:00,650
The idea here is to have a baseline of good knowledge,

103
00:04:00,650 --> 00:04:01,920
and then we're going to compare anything

104
00:04:01,920 --> 00:04:03,710
that goes outside that baseline

105
00:04:03,710 --> 00:04:05,550
and start thinking that might be suspicious

106
00:04:05,550 --> 00:04:06,990
and look into it further.

107
00:04:06,990 --> 00:04:09,940
Now, a lot of UEBA is focused on the analytics

108
00:04:09,940 --> 00:04:10,773
and because of that,

109
00:04:10,773 --> 00:04:12,910
there's a lot of data that has to be processed.

110
00:04:12,910 --> 00:04:15,280
So, UEBA solutions are heavily dependent

111
00:04:15,280 --> 00:04:16,740
on advanced computing techniques,

112
00:04:16,740 --> 00:04:19,800
things like artificial intelligence and machine learning.

113
00:04:19,800 --> 00:04:21,540
There are a lot of these different players out there

114
00:04:21,540 --> 00:04:24,000
in the marketplace that are doing UEBA.

115
00:04:24,000 --> 00:04:25,540
Two of the big ones out there right now

116
00:04:25,540 --> 00:04:27,510
are Microsoft and Splunk.

117
00:04:27,510 --> 00:04:30,530
Microsoft has the Microsoft Advanced Threat Analytics.

118
00:04:30,530 --> 00:04:32,420
And you can see this diagram here on the screen.

119
00:04:32,420 --> 00:04:34,860
Essentially, we have some unknown threat that comes in.

120
00:04:34,860 --> 00:04:36,820
It goes into some sort of a sandbox environment

121
00:04:36,820 --> 00:04:38,690
for detonation. Based on that,

122
00:04:38,690 --> 00:04:41,790
it does a heuristic behavioral model of what it saw.

123
00:04:41,790 --> 00:04:43,580
It passes that into machine learning,

124
00:04:43,580 --> 00:04:45,350
and based on the machine learning models,

125
00:04:45,350 --> 00:04:47,600
it will decide whether or not this is really a threat

126
00:04:47,600 --> 00:04:48,800
or if it's not a threat.

127
00:04:48,800 --> 00:04:51,330
And based on that, it'll let that message go through.
128
00:04:51,330 --> 00:04:53,410
Now, on the other hand, Splunk is another one out there

129
00:04:53,410 --> 00:04:56,310
and it's called the Splunk User Behavior Analytics.

130
00:04:56,310 --> 00:04:58,540
This tool will allow you to get all that data

131
00:04:58,540 --> 00:05:01,440
into a nice dashboard, so your analysts can go through it

132
00:05:01,440 --> 00:05:04,230
and they can see what are threats, what are anomalies,

133
00:05:04,230 --> 00:05:06,400
how many users you have, how many devices you have,

134
00:05:06,400 --> 00:05:07,860
and all the different statistics.

135
00:05:07,860 --> 00:05:09,910
And you can drill down into each area of that

136
00:05:09,910 --> 00:05:11,240
and look at all the analytics

137
00:05:11,240 --> 00:05:13,290
and make your decisions based on that.

138
00:05:13,290 --> 00:05:14,340
Now, I know we just covered

139
00:05:14,340 --> 00:05:15,850
these five different technologies

140
00:05:15,850 --> 00:05:17,720
and we tried to keep it very clear-cut and say,

141
00:05:17,720 --> 00:05:20,050
this one does this and that one does that,

142
00:05:20,050 --> 00:05:22,130
but as with everything in security,

143
00:05:22,130 --> 00:05:24,280
things evolve and things merge together.

144
00:05:24,280 --> 00:05:26,490
And so now, many companies are starting to market

145
00:05:26,490 --> 00:05:28,750
advanced threat protection, ATP,

146
00:05:28,750 --> 00:05:31,221
advanced endpoint protection, AEP,

147
00:05:31,221 --> 00:05:33,880
and NextGen AV, which is NGAV,

148
00:05:33,880 --> 00:05:35,940
and all of this just becomes essentially a hybrid

149
00:05:35,940 --> 00:05:38,200
of the different technologies we talked about before,

150
00:05:38,200 --> 00:05:40,150
like the endpoint protection platform,

151
00:05:40,150 --> 00:05:41,780
the endpoint detection and response,

152
00:05:41,780 --> 00:05:44,103
or the user and entity behavior analytics.