From the course: SecOps on Google Distributed Cloud (GDC) for Tier 1 and Tier 2 Analysts by Google

Monitoring security events

- [Instructor] Monitoring and intake represent the initial stages where potential security events are identified, detected, triaged, and classified for further investigation and remediation. Efficient incident response involves continuous monitoring of security systems and logs combined with effective intake procedures for handling potential incidents reported by various sources. Let's start by exploring the purpose of continuous monitoring. During the monitoring phase, Tier 1 analysts monitor security systems and logs for suspicious activity. The goal of this phase is twofold: early detection of security events, and the accurate identification of genuine incidents. To achieve these goals, Tier 1 analysts use various tools and techniques, such as endpoint detection and response (EDR) solutions and security information and event management (SIEM) systems. By combining EDR and SIEM, the analysts can detect anomalies in user behavior and take action accordingly. For example, if you notice a sign-on to the company outside of business hours, a policy can be created that blocks the copying of data outside of business hours. Tier 1 analysts also work to accurately identify genuine incidents. This involves learning to differentiate between real security events and false alarms (false positives). This ability requires robust detection mechanisms and skilled analysts to analyze alerts and identify true threats. By learning to accurately identify genuine incidents, you help to avoid unnecessary resource allocation and wasted time. A detection modality is a general term that refers to the various detection methods employed by Tier 1 analysts during the monitoring phase. These modalities aim to detect potential security events and can be automated, internal, or external. Each method offers distinct advantages and limitations. In the following videos, you'll explore each one.
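As an added example (not part of the course material), the after-hours sign-on check described above written as a small SIEM-style detection rule over constructed sign-on events. It also shows one way to cut false positives: an allow-list for service accounts whose after-hours sign-ons are expected. The business-hour window, the fixed UTC-5 offset, the account names and the event format are all assumptions made for this example.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed sample sign-on events (not real logs). Timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"user": "alice",      "ts": "2024-03-04T14:05:00+00:00", "src": "10.1.2.3"},     # Mon 09:05 local
    {"user": "bob",        "ts": "2024-03-05T03:30:00+00:00", "src": "203.0.113.7"},  # Mon 22:30 local
    {"user": "svc-backup", "ts": "2024-03-06T07:00:00+00:00", "src": "10.1.9.9"},     # Wed 02:00 local
    {"user": "carol",      "ts": "2024-03-09T16:00:00+00:00", "src": "10.1.2.8"},     # Sat 11:00 local
]

# Assumed business context. A fixed offset is used so the example runs without a
# tz database; a production rule should use zoneinfo so DST changes are handled.
BUSINESS_TZ = timezone(timedelta(hours=-5), name="UTC-5")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Accounts with a documented reason to sign on after hours (e.g. scheduled jobs).
# Suppressing these is what keeps the rule from flooding Tier 1 with false positives.
KNOWN_AFTER_HOURS_ACCOUNTS = {"svc-backup"}


def is_outside_business_hours(ts_utc: str) -> bool:
    """True if the UTC timestamp falls on a weekend or outside the local work window."""
    local = datetime.fromisoformat(ts_utc).astimezone(BUSINESS_TZ)
    if local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def triage_sign_ons(events):
    """Return the events that should be raised to an analyst as after-hours sign-ons."""
    alerts = []
    for ev in events:
        if not is_outside_business_hours(ev["ts"]):
            continue
        if ev["user"] in KNOWN_AFTER_HOURS_ACCOUNTS:
            continue  # expected activity, not a genuine incident
        alerts.append({**ev, "rule": "after_hours_sign_on"})
    return alerts


if __name__ == "__main__":
    for alert in triage_sign_ons(SAMPLE_EVENTS):
        print(f"ALERT {alert['rule']}: user={alert['user']} src={alert['src']} at {alert['ts']}")
```

The rule raises bob and carol; alice is inside the window and svc-backup is a documented exception, which is the kind of distinction the analyst has to make when separating real events from false positives.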