Mastering Cybersecurity Foundations: CISSP Domains, Threats, Frameworks, and Practical Tools

Name: How To Manage Security Risks & Threats | Google Cybersecurity Certificate
Uploaded: 2026-02-16T10:01:55.079127+00:00
Channel: Google Career Certificates
Description: Summary and key takeaways on Mastering Cybersecurity Foundations: CISSP Domains, Threats, Frameworks, and Practical Tools, covering Introduction Ashley, a

Google Career Certificates

Feb 16, 2026

•

4 min read

YouTube video ID: 34BtwcL7Mkg

Source: YouTube video by Google Career Certificates — Watch original video

PDF

Introduction

Ashley, a Customer Engineering Enablement Lead at Google, welcomes learners to a comprehensive security course. The program builds on earlier lessons about basic security concepts, the CIA triad, and historic cyber‑attacks, then dives deeper into CISSP domains, threats, risk management, frameworks, controls, audits, tools, and incident‑response playbooks.

CISSP’s Eight Security Domains

First Four Domains - Security and Risk Management – defines goals, risk mitigation, compliance, business continuity, and legal/ethical responsibilities. - Asset Security – protects digital and physical assets, covers data storage, retention, and secure disposal (e.g., hard‑drive shredding). - Security Architecture & Engineering – emphasizes secure design, shared responsibility, and policies that encourage reporting. - Communication & Network Security – secures wired, wireless, and cloud communications; restricts insecure Bluetooth/Wi‑Fi use.

Last Four Domains - Identity & Access Management (IAM) – identification, authentication, authorization, and accountability; principle of least privilege. - Security Assessment & Testing – control testing, data analysis, audits; example: implementing MFA. - Security Operations – incident investigation, forensic evidence collection, mitigation. - Software Development Security – secure coding, SDLC security reviews, penetration testing.

Threats, Risks, and Vulnerabilities

Threats – events that can harm assets (e.g., phishing, social engineering).
Risks – likelihood that a threat will affect confidentiality, integrity, or availability; classified as low, medium, high.
Vulnerabilities – weaknesses such as outdated firewalls, weak passwords, or human error.
Impact Examples – financial loss, identity theft, reputation damage.

Ransomware and the Three Web Layers

Ransomware encrypts data, freezes systems, and demands payment; may involve dark‑web negotiations.
Web Layers – Surface web (public), Deep web (authorized access, e.g., intranets), Dark web (anonymous, often used by criminals).

NIST Risk Management Framework (RMF)

Seven steps guide risk handling: 1. Prepare – monitor risks, identify controls. 2. Categorize – assess impact on confidentiality, integrity, availability. 3. Select – choose and document controls (playbooks, policies). 4. Implement – deploy security/privacy plans. 5. Assess – verify controls work as intended. 6. Authorize – generate reports, align with security goals. 7. Monitor – continuously track system performance and adjust.

Security Frameworks & Controls

Frameworks provide baseline policies (e.g., NIST CSF, NIST SP 800‑53) for risk mitigation and compliance.
Controls reduce specific risks; three common types:
Encryption – converts plaintext to ciphertext for confidentiality.
Authentication – verifies identity (passwords, MFA, biometrics).
Authorization – grants permission to resources.
CIA Triad – Confidentiality, Integrity, Availability; guides all security decisions.

OWASP Design Principles

Minimize attack surface.
Apply least privilege.
Use defense‑in‑depth (multiple layers of controls).
Separate duties.
Keep security simple.
Fix issues correctly (root‑cause analysis, remediation).

Security Audits

Internal audits assess scope, goals, risk, controls, compliance, and communication of results. Elements include: - Defining audit scope and objectives. - Conducting risk assessments. - Performing controls assessments (administrative, technical, physical). - Verifying compliance (e.g., GDPR, PCI‑DSS). - Reporting findings to stakeholders.

Security Tools: Logs, SIEM, Dashboards, and Platforms

Log Types – firewall, network, server logs record connection attempts, device activity, and service events.
SIEM (Security Information & Event Management) aggregates logs, provides real‑time alerts, and stores data centrally.
Dashboards visualize alerts, metrics (e.g., login attempts, geographic anomalies) for rapid decision‑making.
Common SIEM Solutions – Splunk Enterprise (self‑hosted), Splunk Cloud (cloud‑hosted), Google Chronicle (cloud‑native). Hybrid deployments combine both.

Playbooks & Incident Response

A playbook is a step‑by‑step manual for handling incidents. The six phases of an incident‑response playbook are: 1. Preparation – policies, staffing, training. 2. Detection & Analysis – identify and assess events. 3. Containment – limit damage. 4. Eradication & Recovery – remove artifacts, restore systems. 5. Post‑Incident Activity – documentation, lessons learned. 6. Coordination – reporting, compliance, stakeholder communication. Playbooks ensure consistency, speed, and compliance during attacks such as ransomware or malware.

Course Recap

Reviewed CISSP’s eight domains and their practical relevance.
Explored threats, risks, vulnerabilities, ransomware, and web layers.
Learned the NIST RMF’s seven steps.
Studied frameworks, controls, the CIA triad, and OWASP principles.
Understood internal audit components.
Gained familiarity with logs, SIEM tools, dashboards, and major platforms.
Mastered incident‑response playbooks and their six phases.

The knowledge gained equips entry‑level analysts to protect assets, respond to incidents, and contribute to a strong security posture.

A solid grasp of CISSP domains, risk frameworks, security controls, and practical tools like SIEM and playbooks empowers new analysts to safeguard organizational assets and respond swiftly to cyber threats.

Frequently Asked Questions

Who is Google Career Certificates on YouTube?

Google Career Certificates is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Cissp Official (Isc)2 Study Guide Recommended

Comprehensive guide covering all eight CISSP domains, helping you master the concepts discussed in the course

Amazon →

Nist Cybersecurity Framework Pocket Guide

Concise reference for implementing the NIST CSF functions and RMF steps, reinforcing framework knowledge

Amazon →

The Art Of Incident Response Book

Practical strategies for building and using incident‑response playbooks, aligning with the playbook section

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

ASHLEY: My name is Ashley, and
I am a Customer Engineering
Enablement Lead for Security
Operations Sales at Google.
I'm excited to be your
instructor for this course.
Let's start by quickly reviewing
what we've covered so far.
Earlier, we defined security
and explored some common job
responsibilities for
entry level analysts.
We also discussed core
skills and knowledge
that analysts need to develop.
Then we shared some key
events, like the love letter
and Morris attacks, that
led to the development
and ongoing evolution
of the security field.
We also introduced you
to frameworks, controls,
and the CIA triad, which
are all used to reduce risk.
In this course, we'll
discuss the focus
of Certified Information
Systems Security Professional's,
or CISSP's, eight
security domains.
We'll also cover security
frameworks and controls
in more detail with a focus
on NIST's Risk Management
Framework.
Additionally, we'll
explore security audits,
including common elements
of internal audits.
Then we'll introduce some
basic security tools,
and you'll have a
chance to explore
how to use security
tools to protect
assets and data from threats,
risks, and vulnerabilities.
Securing an organization
and its assets
from threats, risks,
and vulnerabilities
is an important
step in maintaining
business operations.
In my experience as
a security analyst,
I helped respond
to a severe breach
that cost the organization
nearly $250,000.
So I hope you're feeling
motivated to continue
your security journey.
I know I'm excited.
Let's get started.
The world of security,
which we also
refer to as cybersecurity
throughout this program,
is vast.
So making sure that you have
the knowledge, skills, and tools
to successfully navigate
this world is why we're here.
In the following
videos, you'll learn
about the focus of CISSP's
eight security domains.
Then we'll discuss threats,
risks, and vulnerabilities
in more detail.
We'll also introduce you to
the three layers of the web
and share some examples
to help you understand
the different types
of attacks that we'll
discuss throughout the program.
Finally, we'll examine
how to manage risks
by using the National Institute
of Standards and Technologies
Risk Management Framework
known as the NIST RMF.
Because these topics and
related technical skills
are considered core knowledge
in the security field,
continuing to build your
understanding of them
will help you mitigate and
manage the risks and threats
that organizations
face on a daily basis.
In the next video,
we'll further discuss
the focus of the eight
security domains introduced
in the first course.
Welcome back.
You might remember
from course one
that there are eight security
domains or categories
identified by CISSP.
Security teams use them
to organize daily tasks
and identify gaps
in security that
could cause negative
consequences
for an organization and to
establish their security
posture.
Security posture refers to
an organization's ability
to manage its defense of
critical assets and data
and react to change.
In this video, we'll discuss
the focus of the first four
domains, security and risk
management, asset security,
security architecture and
engineering, and communication
and network security.
The first domain is security
and risk management.
There are several areas
of focus for this domain,
defining security goals and
objectives, risk mitigation,
compliance, business continuity,
and legal regulations.
Let's discuss each area
of focus in more detail.
By defining security
goals and objectives,
organizations can reduce risks
to critical assets and data,
like PII or Personally
Identifiable Information.
Risk mitigation means having
the right procedures and rules
in place to quickly reduce
the impact of a risk,
like a breach.
Compliance is the
primary method used
to develop an organization's
internal security
policies, regulatory
requirements,
and independent standards.
Business continuity relates
to an organization's ability
to maintain their everyday
productivity by establishing
risk disaster recovery plans.
And finally, while laws related
to security and risk management
are different worldwide, the
overall goals are similar.
As a security professional,
this means following rules
and expectations
for ethical behavior
to minimize negligence,
abuse, or fraud.
The next domain
is asset security.
The asset security
domain is focused
on securing digital
and physical assets.
It's also related to the
storage, maintenance,
retention, and
destruction of data.
This means that assets,
such as PII or SPII,
should be securely
handled and protected,
whether stored on a computer,
transferred over a network,
like the internet, or
even physically collected.
Organizations also need to
have policies and procedures
that ensure data
is properly stored,
maintained, retained,
and destroyed.
Knowing what data you have
and who has access to it
is necessary for having
a strong security
posture that mitigates risk
to critical assets and data.
Previously, we
provided a few examples
that touched on the
disposal of data.
For example, an
organization might
have as a security
analyst oversee
the destruction of hard drives
to make sure that they're
properly disposed of.
This ensures that private
data stored on those drives
can't be accessed
by threat actors.
The third domain is security
architecture and engineering.
This domain is focused on
optimizing data security
by ensuring effective
tools, systems,
and processes are in place
to protect an organization's
assets and data.
One of the core concepts of
secure design architecture
is shared responsibility.
Shared responsibility
means that all individuals
within an organization
take an active role
in lowering risk and
maintaining both physical
and virtual security.
By having policies that
encourage users to recognize
and report security
concerns, many issues
can be handled quickly
and effectively.
The fourth domain is
communication and network
security, which
is mainly focused
on managing and securing
physical networks and wireless
communications.
Secure networks keep
an organization's data
and communications safe, whether
on site, or in the Cloud,
or when connecting
to services remotely.
For example, employees working
remotely in public spaces
need to be protected
from vulnerabilities
that can occur when they use
insecure Bluetooth connections
or public Wi-Fi hotspots.
By having security team
members remove access
to those types of
communication channels
at the organizational
level, employees
may be discouraged
from practicing
insecure behavior that could
be exploited by threat actors.
Now that we've reviewed
the focus of our first four
domains, let's discuss
the last four domains.
In this video, we'll cover the
last four domains, identity
and access management, security
assessment and testing,
security operations, and
software development security.
The fifth domain is Identity
and Access Management, or IAM,
and it's focused on
access and authorization
to keep data secure by
making sure users follow
established policies to
control and manage assets.
As an entry level analyst,
it's essential to keep
an organization's systems
and data as secure
as possible by
ensuring user access is
limited to what employees need.
Basically, the goal of IAM
is to reduce the overall risk
to systems and data.
For example, if
everyone at a company
is using the same
administrator login,
there is no way to track
who has access to what data.
In the event of a breach,
separating valid user activity
from the threat actor
would be impossible.
There are four main
components to IAM.
Identification is
when a user verifies
who they are by providing
a username, an access
card, or biometric data,
such as a fingerprint.
Authentication is the
verification process
to prove a person's identity,
such as entering a password
or pin.
Authorization takes place
after a user's identity
has been confirmed and relates
to their level of access,
which depends on the
role in the organization.
Accountability refers to
monitoring and recording
user actions, like
login attempts, to prove
systems and data
are used properly.
The sixth security domain
is security assessment
and testing.
This domain focuses on
conducting security control
testing, collecting and
analyzing data, and conducting
security audits to monitor
for risks, threats,
and vulnerabilities.
Security control testing can
help an organization identify
new and better ways to
mitigate threats, risks,
and vulnerabilities.
This involves examining
organizational goals
and objectives and evaluating
if the controls being used
actually achieve those goals.
Collecting and analyzing
security data regularly also
helps prevent threats and
risk to the organization.
Analysts might use security
control testing evaluations
and security assessment reports
to improve existing controls
or implement new controls.
An example of
implementing a new control
could be requiring the use of
multi-factor authentication
to better protect
the organization
from potential
threats and risks.
Next, let's discuss
security operations.
The security
operations domain is
focused on conducting
investigations and implementing
preventative measures.
Investigations begin
once a security incident
has been identified.
This process requires a
heightened sense of urgency
in order to minimize potential
risks to the organization.
If there is an active
attack, mitigating the attack
and preventing it from
escalating further
is essential for ensuring
that private information is
protected from threat actors.
Once the threat has
been neutralized,
the collection of digital
and physical evidence
to conduct a forensic
investigation will begin.
A digital forensic
investigation must
take place to
identify when, how,
and why the breach occurred.
This helps security teams
determine areas for improvement
and preventative measures
that can be taken
to mitigate future attacks.
The eighth and final
security domain
is software
development security.
This domain focuses on using
secure coding practices.
As you may remember,
secure coding practices
are recommended
guidelines that are
used to create secure
applications and services.
The software
development lifecycle
is an efficient process used
by teams to quickly build
software products and features.
In this process, security
is an additional step.
By ensuring that each phase
of the software development
lifecycle undergoes
security reviews,
security can be fully integrated
into the software product.
For example, performing a secure
design review during the design
phase, secure code reviews
during the development
and testing phases,
and penetration testing
during the deployment
and implementation phase
ensures that security is
embedded into the software
product at every step.
This keeps software
secure, and sensitive data
protected, and mitigates
unnecessary risk
to an organization.
Being familiar
with these domains
can help you better
understand how they're
used to improve the overall
security of an organization
and the critical role
security teams play.
Next, we'll discuss
security threats, risks,
and vulnerabilities,
including ransomware,
and introduce you to the
three layers of the web.
As an entry level security
analyst, one of your many roles
will be to handle
an organization's
digital and physical assets.
As a reminder, an
asset is an item
perceived as having
value to an organization.
During their lifespan,
organizations
acquire all types of assets,
including physical office
spaces, computers, customers'
PII, intellectual property,
such as patents or copyrighted
data, and so much more.
Unfortunately,
organizations operate
in an environment that
presents multiple security
threats, risks,
and vulnerabilities
to their assets.
Let's review what threats,
risks, and vulnerabilities
are and discuss some
common examples of each.
A threat is any
circumstance or event that
can negatively impact assets.
One example of a threat is
a social engineering attack.
Social engineering is a
manipulation technique
that exploits human error
to gain private information,
access, or valuables.
Malicious links
in email messages
that look like they're from
legitimate companies or people
is one method of social
engineering known as phishing.
As a reminder,
phishing is a technique
that is used to
acquire sensitive data,
such as usernames, passwords,
or banking information.
Risks are different
from threats.
A risk is anything that can
impact the confidentiality,
integrity, or
availability of an asset.
Think of a risk
as the likelihood
of a threat occurring.
An example of a risk
to an organization
might be the lack
of backup protocols
for making sure its
stored information can
be recovered in the event of an
accident or security incident.
Organizations tend to rate
risks at different levels,
low, medium, and high,
depending on possible threats
and the value of an asset.
A low risk asset
is information that
would not harm the
organization's reputation
or ongoing operations and would
not cause financial damage
if compromised.
This includes
public information,
such as website content or
published research data.
A medium risk asset
might include information
that's not available
to the public
and may cause some damage
to the organization's
finances, reputation,
or ongoing operations.
For example, the early
release of a company's
quarterly earnings could impact
the value of their stock.
A high risk asset is any
information protected
by regulations or laws,
which, if compromised,
would have a severe negative
impact on an organization's
finances, ongoing
operations, or reputation.
This could include leaked
assets with SPII, PII,
or intellectual property.
Now, let's discuss
vulnerabilities.
A vulnerability
is a weakness that
can be exploited by a
threat, and it's worth
noting that both a vulnerability
and threat must be present
for there to be a risk.
Examples of vulnerabilities
include an outdated firewall,
software or application,
weak passwords,
or unprotected
confidential data.
People can also be
considered a vulnerability.
People's actions
can significantly
affect an organization's
internal network,
whether it's a client,
external vendor, or employee.
Maintaining security
must be a united effort.
So entry level analysts
need to educate
and empower people to be
more security conscious.
For example, educating
people on how
to identify a phishing email
is a great starting point.
Using access cards to
grant employee access
to physical spaces, while
restricting outside visitors,
is another good
security measure.
Organizations must continually
improve their efforts
when it comes to identifying
and mitigating vulnerabilities
to minimize threats and risks.
Entry level analysts
can support this goal
by encouraging employees to
report suspicious activity
and actively monitoring
and documenting
employees access
to critical assets.
Now that you're familiar with
some of the threats, risks,
and vulnerabilities analysts
frequently encounter,
coming up, we'll
discuss how they
impact business operations.
In this video, we'll
discuss an expensive type
of malware called ransomware.
Then we'll cover three key
impacts of threats, risks,
and vulnerabilities on
organizational operations.
Ransomware is a
malicious attack,
where threat actors encrypt
an organization's data,
then demand payment
to restore access.
Once ransomware is
deployed by an attacker,
it can freeze network systems,
leave devices unusable,
and encrypt or lock
confidential data,
making devices inaccessible.
The threat actor
then demands a ransom
before providing
a decryption key
to allow organizations to
return to their normal business
operations.
Think of a decryption key
as a password provided
to regain access to your data.
Note that when ransom
negotiations occur or data
is leaked by threat
actors, these events
can occur through the dark web.
While many people
use search engines
to navigate to their
social media accounts
or to shop online, this
is only a small part
of what the web really is.
The web is actually
an interlinked network
of online content that's made
up of three layers, the surface
web, the deep web,
and the dark web.
The surface web is the
layer that most people use.
It contains content that can be
accessed using a web browser.
The deep web generally requires
authorization to access it.
An organization's intranet
is an example of the deep web
since it can only be accessed
by employees or others who
have been granted access.
Lastly, the dark web
can only be accessed
by using special software.
The dark web generally
carries a negative connotation
since it is the
preferred web layer
for criminals because of the
secrecy that it provides.
Now, let's discuss three key
impacts of threats, risks,
and vulnerabilities.
The first impact we'll
discuss is financial impact.
When an organization's
assets are compromised
by an attack, such as
the use of malware,
the financial
consequences can be
significant for a
variety of reasons.
These can include interrupted
production and services,
the cost to correct
the issue, and fines
if assets are compromised
because of non-compliance
with laws and regulations.
The second impact
is identity theft.
Organizations must
decide whether to store
private customer, employee,
and outside vendor data
and for how long.
Storing any type
of sensitive data
presents a risk to
the organization.
Sensitive data can include
personally identifiable
information, or PII, which
can be sold or leaked
through the dark web.
That's because the dark web
provides a sense of secrecy,
and threat actors
may have the ability
to sell data there without
facing legal consequences.
The last impact we'll discuss
is damage to an organization's
reputation.
A solid customer base supports
an organization's mission,
vision, and financial goals,
and exploited vulnerability
can lead customers to seek
new business relationships
with competitors or
create bad press that
causes permanent damage to
an organization's reputation.
The loss of customer
data doesn't only
affect an organization's
reputation and financials.
It may also result in
legal penalties and fines.
Organizations are
strongly encouraged
to take proper security measures
and follow certain protocols
to prevent the significant
impact of threats, risks,
and vulnerabilities.
By using all the tools
in their tool kit,
security teams are better
prepared to handle an event,
such as a ransomware attack.
Coming up, we'll cover the NIST
Risk Management Framework's
seven steps for managing risk.
As you might remember from
earlier in the program,
the National Institute of
Standards and Technology,
NIST, provides many
frameworks that
are used by security
professionals
to manage risks, threats,
and vulnerabilities.
In this video, we're going to
focus on NIST's Risk Management
Framework or RMF.
As an entry level
analyst, you may not
engage in all of
these steps, but it's
important to be familiar
with this framework.
Having a solid
foundational understanding
of how to mitigate
and manage risks
can set yourself apart
from other candidates
as you begin your job search
in the field of security.
There are seven
steps in the RMF,
prepare, categorize, select,
implement, assess, authorize,
and monitor.
Let's start with
step one, prepare.
Prepare refers to
activities that
are necessary to manage
security and privacy
risks before a breach occurs.
As an entry level
analyst, you'll
likely use this step
to monitor for risks
and identify controls that can
be used to reduce those risks.
Step two is categorize, which is
used to develop risk management
processes and tasks.
Security professionals then
use those processes and develop
tasks by thinking about how
the confidentiality, integrity,
and availability of
systems and information
can be impacted by risk.
As an entry level
analyst, you'll
need to be able
to understand how
to follow the
processes established
by your organization to reduce
risks to critical assets,
such as private
customer information.
Step three is select.
Select means to choose,
customize, and capture
documentation of the controls
that protect an organization.
An example of the
select step would
be keeping a playbook
up to date or helping
to manage other
documentation that allows you
and your team to address
issues more efficiently.
Step four is to implement
security and privacy
plans for the organization.
Having good plans in place
is essential for minimizing
the impact of ongoing
security risks.
For example, if you notice a
pattern of employees constantly
needing password resets,
implementing a change
to password requirements
may help solve this issue.
Step five is assess.
Assess means to determine
if established controls are
implemented correctly.
An organization always wants
to operate as efficiently
as possible, so it's
essential to take the time
to analyze whether
the implemented
protocols, procedures, and
controls that are in place
are meeting
organizational needs.
During the step, analysts
identify potential weaknesses
and determine whether
the organization's tools,
procedures, controls,
and protocols
should be changed to better
manage potential risks.
Step six is authorize.
Authorize means being
accountable for the security
and privacy risks that may
exist in an organization.
As an analyst, the
authorization step
could involve generating
reports, developing
plans of action,
and establishing
project milestones that are
aligned to your organization's
security goals.
Step seven is monitor.
Monitor means to be aware of
how systems are operating.
Assessing and maintaining
technical operations
are tasks that analysts
complete daily.
Part of maintaining a low level
of risk for an organization
is knowing how the
current systems
support the organization's
security goals.
If the systems in place
don't meet those goals,
changes may be needed.
Although it may not be your job
to establish these procedures,
you will need to make sure
they're working as intended,
so that risks to
the organization
itself and the people
it serves are minimized.
You've now completed the
first section of this course.
Let's review what
we've discussed so far.
We started out by exploring the
focus of CISSP's eight security
domains.
Then we discussed threats,
risks, and vulnerabilities,
and how they can
impact organizations.
This included a
close examination
of ransomware and
an introduction
to the three layers of the web.
Finally, we focused on
seven steps of the NIST Risk
Management Framework,
also, called the RMF.
You did a fantastic job adding
new knowledge to your security
analyst toolkit.
In upcoming videos,
we'll go into more detail
about some common tools used by
entry level security analysts.
Then you'll have an opportunity
to analyze data generated
by those tools to
identify risks, threats,
or vulnerabilities.
You'll also have a
chance to use a playbook
to respond to incidents.
That's all for now.
Keep up the great work.
Welcome back.
As a security analyst,
your job isn't just
keeping organizations safe.
Your role is much
more important.
You're also helping
to keep people safe.
Breaches that affect customers,
vendors, and employees data
can cause significant damage
to people's financial stability
and their reputations.
As an analyst, your
day to day work
will help keep people
and organizations safe.
In this section of
the course, we'll
discuss security frameworks,
controls, and design principles
in more detail, and how they can
be applied to security audits
to help protect
organizations and people.
Keeping customer
information confidential
is a crucial part of my
daily work at Google,
and the NIST
cybersecurity framework
plays a large part in this.
The framework ensures the
protection and compliance
of customer tools and
personal work devices
through the use of
security controls.
Welcome to the world of security
frameworks and controls.
Let's get started.
In an organization,
plans are put in place
to protect against a
variety of threats, risks,
and vulnerabilities.
However, the requirements
used to protect organizations
and people often overlap.
Because of this, organizations
use security frameworks
as a starting point to create
their own security policies
and processes.
Let's start by quickly
reviewing what frameworks are.
Security frameworks
are guidelines
used for building plans to
help mitigate risk and threats
to data and privacy, such as
social engineering attacks
and ransomware.
Security involves more than
just the virtual space.
It also includes
the physical, which
is why many organizations
have plans to maintain safety
in the work environment.
For example, access
to a building
may require using a
key card or badge.
Other security
frameworks provide
guidance for how to
prevent, detect, and respond
to security breaches.
This is particularly
important when
trying to protect
an organization
from social engineering
attacks, like phishing,
that target their employees.
Remember, people are the
biggest threat to security.
So frameworks can
be used to create
plans that increase
employee awareness
and educate them
about how they can
protect the organization, their
coworkers, and themselves.
Educating employees about
existing security challenges
is essential for minimizing
the possibility of a breach.
Providing employee
training about how
to recognize red flags
or potential threats
is essential along with
having plans in place
to quickly report and
address security issues.
As an analyst, it
will be important
for you to understand
and implement
the plans your
organization has in place
to keep the organization, its
employees, and the people it
serves safe from social
engineering attacks, breaches,
and other harmful
security incidents.
Coming up, we'll
review and discuss
security controls, which are
used alongside frameworks
to achieve an organization's
security goals.
While frameworks are used
to create plans to address
security risks, threats,
and vulnerabilities,
controls are used to
reduce specific risks.
If proper controls
are not in place,
an organization could face
significant financial impacts
and damage to the reputation
because of exposure to risks,
including trespassing, creating
fake employee accounts,
or providing free benefits.
Let's review the
definition of controls.
Security controls are
safeguards designed
to reduce specific
security risks.
In this video, we'll
discuss three common types
of controls, encryption,
authentication,
and authorization.
Encryption is the process
of converting data
from a readable format
to an encoded format.
Typically, encryption involves
converting data from plaintext
to ciphertext.
Ciphertext is the
raw, encoded message
that's unreadable to
humans and computers.
Ciphertext data cannot be
read, until it's been decrypted
into its original
plaintext form.
Encryption is used to
ensure confidentiality
of sensitive data, such as
customer's account information
or Social Security numbers.
Another control that can be
used to protect sensitive data
is authentication.
Authentication is the
process of verifying
who someone or something is.
A real world example
of authentication
is logging into a website with
your username and password.
This basic form
of authentication
proves that you know the
username and password
and should be allowed
to access the website.
More advanced methods
of authentication,
such as Multi-Factor
Authentication, or MFA,
challenge the user
to demonstrate
that they are who they claim to
be by requiring both a password
and an additional form of
authentication, like a security
code or biometrics, such
as a fingerprint, voice,
or face scan.
Biometrics are unique,
physical characteristics
that can be used to verify
a person's identity.
Examples of biometrics are
a fingerprint, an eye scan,
or a palm scan.
One example of a
social engineering
attack that can exploit
biometrics is vishing.
Vishing is the exploitation of
electronic voice communication
to obtain sensitive information
or to impersonate a known
source.
For example, vishing
could be used
to impersonate a person's
voice to steal their identity
and then commit a crime.
Another very important security
control is authorization.
Authorization refers
to the concept
of granting access to specific
resources within a system.
Essentially,
authorization is used
to verify that a
person has permission
to access a resource.
As an example, if you're working
as an entry level security
analyst for the
federal government,
you could have
permission to access data
through the deep web or
other internal data that
is only accessible if
you're a federal employee.
The security
controls we discussed
today are only one
element of a core security
model known as the CIA triad.
Coming up, we'll talk
more about this model
and how security teams use it
to protect their organizations.
Great to see you again.
While working as an entry
level security analyst,
your main responsibility
is to help
protect your organization's
sensitive assets and data
from threat actors.
The CIA triad is a
core security model
that will help you do that.
In this video, we'll
explore the CIA triad
and discuss the importance
of each component
for keeping an organization
safe from threats, risks,
and vulnerabilities.
Let's get started.
The CIA triad is a model that
helps inform how organizations
consider risk when setting up
systems and security policies.
As a reminder, the three
letters in the CIA triad
stand for Confidentiality,
Integrity, and Availability.
As an entry level
analyst, you'll
find yourself constantly
referring to these three core
principles as you work to
protect your organization
and the people it serves.
Confidentiality means that
only authorized users can
access specific assets or data.
Sensitive data should
be available on a need
to know basis, so that
only the people who
are authorized to handle certain
assets or data have access.
Integrity means that the
data is correct, authentic,
and reliable.
Determining the integrity
of data and analyzing how
it's used will help you as a
security professional decide
whether the data can
or cannot be trusted.
Availability means that the
data is accessible to those who
are authorized to access it.
Inaccessible data isn't
useful and can prevent people
from being able
to do their jobs.
As a security
professional, ensuring
that systems, networks, and
applications are functioning
properly to allow for
timely and reliable access
may be a part of your everyday
work responsibilities.
Now that we've defined the
CIA triad and its components,
let's explore how you might
use the CIA triad to protect
an organization.
If you work for an
organization that
has large amounts of
private data, like a bank,
the principle of
confidentiality is essential,
because a bank must keep
people's personal and financial
information safe.
The principle of integrity
is also a priority.
For example, if a person's
spending habits or purchasing
locations change
dramatically, the bank
will likely disable
access to the account,
until they can verify that
the account owner, not
a threat actor, is actually
the one making purchases.
The availability principle
is also critical.
Banks put a lot of
effort into making sure
that people can access their
account information easily
on the web, and to make sure
that information is protected
from threat actors, banks
use a validation process
to help minimize damage if
they suspect that customer
accounts have been compromised.
As an analyst,
you'll regularly use
each component of the triad to
help protect your organization
and the people it serves, and
having the CIA triad constantly
in mind will help you keep
sensitive data and assets safe
from a variety of threats,
risks, and vulnerabilities,
including the social engineering
attacks, malware, and data
theft we discussed earlier.
Coming up, we'll explore
specific frameworks
and principles
that will also help
you protect your organization
from threats, risks,
and vulnerabilities.
See you soon.
Welcome back.
Before we get started,
let's quickly review
the purpose of frameworks.
Organizations use frameworks
as a starting point
to develop plans that
mitigate risks, threats,
and vulnerabilities to
sensitive data and assets.
And fortunately, there are
organizations worldwide
that create frameworks
security professionals can
use to develop those plans.
In this video, we'll discuss
two of the National Institute
of Standards and Technology,
or NIST's, frameworks
that can support
ongoing security
efforts for all types
of organizations,
including for profit and
nonprofit businesses,
as well as government agencies.
And while NIST is a
US based organization,
the guidance it provides
can help analysts
all over the world
understand how
to implement essential
cybersecurity practices.
One NIST framework that we'll
discuss throughout the program
is the NIST Cybersecurity
Framework or CSF.
The CSF is a voluntary
framework that
consists of standards,
guidelines, and best practices
to manage cybersecurity risk.
This framework is
widely respected
and essential for
maintaining security,
regardless of the
organization you work for.
The CSF consists of five
important core functions,
identify, protect, detect,
respond, and recover,
which we'll discuss in
detail in a future video.
For now, we'll focus on how
the CSF benefits organizations
and how it can be used to
protect against threats, risks,
and vulnerabilities by
providing a workplace example.
Imagine that one morning,
you receive a high risk
notification that a workstation
has been compromised.
You identify the
workstation and discover
that there's an unknown
device plugged into it.
You block the unknown
device remotely
to stop any potential threat
and protect the organization.
Then you remove the
infected workstation
to prevent the
spread of the damage,
and use tools to detect
any additional threat actor
behavior, and identify
the unknown device.
You respond by
investigating the incident
to determine who used
the unknown device, how
the threat occurred,
what was affected,
and where the attack originated.
In this case, you
discover that an employee
was charging their infected
phone using a USB port
on their work laptop.
Finally, you do your best to
recover any files or data that
were affected and correct
any damage the threat caused
to the workstation itself.
As demonstrated by
the previous example,
the core functions
of the NIST CSF
provides specific
guidance and direction
for security professionals.
This framework is
used to develop
plans to handle an incident
appropriately and quickly
to lower risk, protect an
organization against a threat,
and mitigate any
potential vulnerabilities.
The NIST CSF also expands into
the protection of the United
States federal government
with NIST Special Publication
or S.P. 800-53.
It provides a unified
framework for protecting
the security of
information systems
within the federal
government, including
the systems provided
by private companies
for federal government use.
The security controls
provided by this framework
are used to maintain the CIA
triad for those systems used
by the government.
Isn't it amazing how all of
these frameworks and controls
work together?
We've discussed some really
important security topics
in this video that will
be very useful for you
as you continue your
security journey,
because they're core elements
of the security profession.
The NIST CSF is a
useful framework
that most security
professionals are familiar with
and having an understanding
of the NIST S.P. 800-53
is crucial if you have
an interest in working
for the US federal government.
Coming up, we'll continue
to explore the five NIST CSF
functions and how
organizations use them
to protect assets and data.
Hello, again.
I'm excited you're here.
We have so much to discuss.
Previously, we covered the uses
and benefits of the NIST CSF.
In this video, we'll
focus specifically
on the five core functions
of the NIST CSF framework.
Let's get started.
NIST CSF focuses on
five core functions,
identify, protect, detect,
respond, and recover.
These core functions
help organizations
manage cybersecurity risks,
implement risk management
strategies, and learn
from previous mistakes.
Basically, when it comes
to security operations,
NIST CSF functions are key for
making sure an organization is
protected against
potential threats, risks,
and vulnerabilities.
So let's take a
little time to explore
how each function can be used
to improve an organization's
security.
The first core
function is identify,
which is related
to the management
of cybersecurity risk and its
effect on an organization's
people and assets.
For example, as a
security analyst,
you may be asked to monitor
the systems and devices
in your organization's
internal network
to identify potential
security issues,
like compromised
devices on the network.
The second core
function is protect,
which is the strategy used
to protect an organization
through the implementation of
policies, procedures, training,
and tools that help mitigate
cybersecurity threats.
For example, as a security
analyst, you and your team
might encounter new and
unfamiliar threats and attacks.
For this reason,
studying historical data
and making improvements
to policies and procedures
is essential.
The third core
function is detect,
which means identifying
potential security incidents
and improving monitoring
capabilities to increase
the speed and efficiency
of detections.
For example, as an
analyst, you might
be asked to review a
new security tool set up
to make sure it's flagging
low, medium, or high risk
and then alerting
the security team
about any potential
threats or incidents.
The fourth function
is respond, which
means making sure that the
proper procedures are used
to contain, neutralize, and
analyze security incidents
and implement improvements
to the security process.
As an analyst, you could
be working with a team
to collect and organize
data to document an incident
and suggest improvements
to processes to prevent
the incident from
happening again.
The fifth core
function is recover,
which is the process of
returning affected systems back
to normal operation.
For example, as an entry
level security analyst,
you might work with
your security team
to restore systems,
data, and assets,
such as financial or legal
files, that have been affected
by an incident, like a breach.
We've covered a lot of
information in this video.
Hopefully, it helped
you understand
the value of learning about
NIST CSF and its five core
functions.
From proactive to
reactive measures,
all five functions are
essential for making sure
that an organization
has effective security
strategies in place.
Security incidents
are going to happen,
but an organization
must have the ability
to quickly recover from any
damage caused by an incident
to minimize their level of risk.
Coming up, we'll discuss
security principles
that work hand in hand with
NIST frameworks and the CIA
triad to help protect
critical data and assets.
It's important to understand
how to protect an organization's
data and assets,
because that will
be part of your role
as a security analyst.
Fortunately, there are
principles and guidelines
that can be used along
with NIST frameworks
and the CIA triad to help
security teams minimize
threats and risks.
In this video, we'll explore
some Open Web Application
Security Project, or
OWASP, security principles
that are useful to know
as an entry level analyst.
The first OWASP principle is
to minimize the attack surface
area.
An attack surface refers to all
the potential vulnerabilities
that a threat actor
could exploit,
like attack vectors, which
are pathways attackers use
to penetrate security defenses.
Examples of common
attack vectors
are phishing emails
and weak passwords.
To minimize the attack
surface and avoid incidents
from these types of
vectors, security teams
might disable software
features, restrict
who can access certain assets,
or establish more complex
password requirements.
The principle of least
privilege means making sure
that users have the least amount
of access required to perform
their everyday tasks.
The main reason
for limiting access
to organizational
information and resources
is to reduce the
amount of damage
a security breach could cause.
For example, as an
entry level analyst,
you may have access to log
data, but may not have access
to change user permissions.
Therefore, if a threat actor
compromises your credentials,
they'll only be able
to gain limited access
to digital or
physical assets, which
may not be enough for them to
deploy their intended attack.
The next principle we'll
discuss is defense in depth.
Defense in depth means
that an organization
should have multiple security
controls that address risks
and threats in different ways.
One example of a
security control
is Multi-Factor
Authentication, or MFA,
which requires users to take an
additional step beyond simply
entering their username
and password to gain access
to an application.
Other controls include
firewalls, intrusion detection
systems, and permission
settings that
can be used to create
multiple points of defense
a threat actor must get through
to breach an organization.
Another principle is
separation of duties,
which can be used to
prevent individuals
from carrying out fraudulent
or illegal activities.
This principle means
that no one should
be given so many privileges
that they can misuse the system.
For example, the person in a
company who signs the paychecks
shouldn't also be the
person who prepares them.
Only two more principles to go.
You're doing great.
Keep security simple
is the next principle.
As the name suggests, when
implementing security controls,
unnecessarily
complicated solutions
should be avoided, because
they can become unmanageable.
The more complex the
security controls are,
the harder it is for people
to work collaboratively.
The last principle is to fix
security issues correctly.
Technology is a great tool, but
can also present challenges.
When a security incident
occurs, security professionals
are expected to identify
the root cause quickly.
From there, it's important
to correct any identified
vulnerabilities and
conduct tests to ensure
that repairs are successful.
An example of an issue
is a weak password
to access an organization's
Wi-Fi, because it
could lead to a breach.
To fix this type
of security issue,
stricter password policies
could be put in place.
I know we've covered a lot, but
understanding these principles
increases your overall
security knowledge
and can help you stand out
as a security professional.
Now that we've covered
different frameworks, controls,
security principles, and
compliance regulations,
the question is, how do
they all work together?
The answer to that question is
by conducting security audits.
A security audit is a review
of an organization's security
controls, policies,
and procedures
against a set of expectations.
There are two main types
of security audits,
external and internal.
We'll focus on internal
security audits,
because those are
the types of audits
that entry level analysts might
be asked to contribute to.
An internal security
audit is typically
conducted by a
team of people that
might include an organization's
compliance officer, security
manager, and other
security team members.
Internal security
audits are used
to help improve an
organization's security posture
and help organizations avoid
fines from governing agencies
due to a lack of compliance.
Internal security audits
help security teams
identify organizational
risk, assess controls,
and correct compliance issues.
Now that we've discussed the
purposes of internal audits,
let's cover some common
elements of internal audits.
These include establishing the
scope and goals of the audit,
conducting a risk assessment
of the organization's assets,
completing a
controls assessment,
assessing compliance,
and communicating results
to stakeholders.
In this video, we'll cover
the first two elements,
which are a part of the audit
planning process, establishing
the scope and goals, then
completing a risk assessment.
Scope refers to the
specific criteria
of an internal security audit.
Scope requires organizations
to identify people, assets,
policies, procedures,
and technologies
that might impact an
organization's security
posture.
Goals are an outline of
the organization's security
objectives or what they want
to achieve in order to improve
their security posture.
Although more senior
level security team
members and other
stakeholders usually
establish the scope
and goals of the audit,
entry level analysts might be
asked to review and understand
the scope and goals
in order to complete
other elements of the audit.
As an example, the
scope of this audit
involves assessing
user permissions,
identifying existing controls,
policies, and procedures,
and accounting
for the technology
currently in use by
the organization.
The goals outlined include
implementing core functions
of frameworks,
like the NIST CSF,
establishing policies
and procedures
to ensure compliance, and
strengthening system controls.
The next element is
conducting a risk assessment,
which is focused on identifying
potential threats, risks,
and vulnerabilities.
This helps organizations
consider what security measures
should be implemented
and monitored
to ensure the safety of assets.
Similar to establishing
the scope and goals,
a risk assessment is oftentimes
completed by managers
or other stakeholders.
However, you might be asked
to analyze details provided
in the risk assessment to
consider what types of controls
and compliance
regulations need to be
in place to help improve
the organization's security
posture.
For example, this
risk assessment
highlights that there are
inadequate controls, processes,
and procedures in place to
protect the organization's
assets.
Specifically, there is a
lack of proper management
of physical and digital assets,
including employee equipment.
The equipment used to store
data is not properly secured,
and access to private
information stored
in the organization's
internal network
likely needs more robust
controls in place.
Now that we've discussed
the initial planning
elements of an internal
security audit, coming up,
we'll focus on the
last three elements.
Previously, we discussed the
initial planning elements
of an internal security audit.
In this video, we'll
cover the final elements
that an entry level analyst
might be asked to complete.
As a reminder, the
planning elements
of internal security
audits include
establishing the
scope and goals,
then conducting a
risk assessment.
The remaining elements
are completing a controls
assessment,
assessing compliance,
and communicating results.
Before completing these
last three elements,
you'll need to review the scope
and goals, as well as the risk
assessment, and ask
yourself some questions.
For example, what is the
audit meant to achieve?
Which assets are most at risk?
Are current controls sufficient
to protect those assets?
If not, what controls and
compliance regulations
need to be implemented?
Considering questions like
these can support your ability
to complete the next element,
a controls assessment.
A controls assessment
involves closely reviewing
an organization's
existing assets,
then evaluating potential
risks to those assets
to ensure internal controls
and processes are effective.
To do this, entry
level analysts might
be tasked with
classifying controls
into the following categories,
administrative controls,
technical controls,
and physical controls.
Administrative controls are
related to the human component
of cybersecurity.
They include policies
and procedures
that define how an
organization manages
data, such as the implementation
of password policies.
Technical controls are hardware
and software solutions used
to protect assets, such as
the use of Intrusion Detection
Systems, or ISS',
and encryption.
Physical controls refer
to measures put in place
to prevent physical
access to protected
assets, such as surveillance
cameras and locks.
The next element is
determining whether or not
the organization is adhering
to necessary compliance
regulations.
As a reminder,
compliance regulations
are laws that organizations
must follow to ensure
private data remains secure.
In this example,
the organization
conducts business in
the European Union
and accepts credit
card payments,
so they need to adhere to the
GDPR and Payment Card Industry
Data Security
Standard or PCI DSS.
The final common element of
an internal security audit
is communication.
Once the internal security
audit is complete,
results and
recommendations need to be
communicated to stakeholders.
In general, this
type of communication
summarizes the scope
and goals of the audit.
Then it lists existing risks and
notes how quickly those risks
need to be addressed.
Additionally, it identifies
compliance regulations
the organization
needs to adhere to
and provides recommendations
for improving the organization's
security posture.
Internal audits are a
great way to identify gaps
within an organization.
When I worked at a
previous company,
my team and I conducted
an internal password audit
and found that many of
the passwords were weak.
Once we identified this
issue, the compliance team
took the lead and began
enforcing stricter password
policies.
Audits are an
opportunity to determine
what security measures an
organization has in place
and what areas
need to be improved
to achieve the organization's
desired security posture.
Security audits are
quite involved, yet
of extreme value
to organizations.
Later in the course,
you'll have an opportunity
to complete elements of
an internal security audit
for a fictional company,
which you can include
in your professional portfolio.
Great job.
Now, you've had an
opportunity to learn more
about security concepts that
can help an organization protect
data and assets.
We've covered quite a
bit, but it will all
be valuable knowledge for you as
you continue along your journey
into the security profession.
We started by defining what
security frameworks are
and how they help organizations
protect critical information.
We also explored security
controls and the important role
they play in protecting
against risks, threats,
and vulnerabilities.
This included a discussion
of the CIA triad, which
is a core security model, and
two NIST frameworks, the CSF
and S.P. 800-53.
Then we covered some of OWASP's
secure design principles.
We ended by introducing
security audits
with a focus on the elements
of an internal audit
that you may be asked to
complete or contribute to.
Security professionals
use the concepts
we discussed to help protect
organizations assets, data,
systems, and people.
As you continue
along your journey
into the security profession,
a lot of these concepts
will come up repeatedly.
What we're doing
now is giving you
a foundational understanding of
security practices and topics
that will help
you along the way.
In the next section
of the course,
we'll discuss specific
security tools you
may one day use as an analyst.
We'll cover how they're used
to improve an organization's
security posture
and how they can
help you achieve
your goal of keeping
organizations and people safe.
I'm excited to continue
this journey with you.
See you soon.
Welcome back.
Previously, we discussed
security frameworks,
controls, and design principles,
and how security professionals
apply these to security audits.
In this section, we'll continue
to explore security tools
and how they can help you keep
organizations and the people
they serve safe.
Security professionals
often use a variety of tools
to address specific
security challenges,
such as collecting
security data,
detecting and analyzing
threats, or automating tasks.
Security tools help
organizations achieve a more
comprehensive security posture.
We'll begin by covering
different types of logs,
what they track, and
how they're used.
Then we'll explore Security
Information and Event
Management, otherwise,
known as SIEM, dashboards.
Finally, we'll discuss
some common SIEM tools
used in the security industry.
Let's get started.
As a security analyst, one
of your responsibilities
might include analyzing log data
to mitigate and manage threats,
risks, and vulnerabilities.
As a reminder, a log
is a record of events
that occur within an
organization's systems
and networks.
Security analysts
access a variety of
logs from different sources.
Three common log sources include
firewall logs, network logs,
and server logs.
Let's explore each of these
log sources in more detail.
A firewall log is a record
of attempted or established
connections for incoming
traffic from the internet.
It also includes outbound
requests to the internet
from within the network.
A network log is a record of
all computers and devices that
enter and leave the network.
It also records connections
between devices and services
on the network.
Finally, a server
log is a record
of events related to services,
such as websites, emails,
or file shares.
It includes actions,
such as log in, password,
and username requests.
By monitoring logs,
like the one shown here,
security teams can
identify vulnerabilities
and potential data breaches.
Understanding logs is
important, because SIEM tools
rely on logs to monitor systems
and detect security threats.
A Security Information and
Event Management, or SIEM tool,
is an application that
collects and analyzes
log data to monitor critical
activities in an organization.
It provides real time
visibility, event monitoring
and analysis, and
automated alerts.
It also stores all log data
in a centralized location.
Because SIEM tools
index and minimize
the number of logs a security
professional must manually
review and analyze,
they increase efficiency
and save time.
But SIEM tools must be
configured and customized
to meet each organization's
unique security needs.
As new threats and
vulnerabilities emerge,
organizations must continually
customize their SIEM tools
to ensure that threats are
detected and quickly addressed.
Later in the
certificate program,
you'll have a chance to practice
using different SIEM tools
to identify potential
security incidents.
Coming up, we'll
explore SIEM dashboards
and how cybersecurity
professionals use
them to monitor for threats,
risks, and vulnerabilities.
We've explored how SIEM tools
are used to collect and analyze
log data.
However, this is just one of
the many ways SIEM tools are
used in cybersecurity.
SIEM tools can also be
used to create dashboards.
You might have encountered
dashboards in an app
on your phone or other device.
They present information
about your account or location
in a format that's
easy to understand.
For example, weather apps
display data, like temperature,
precipitation, wind
speed, and the forecast
using charts, graphs, and
other visual elements.
This format makes it
easy to quickly identify
weather patterns and trends,
so you can stay prepared
and plan your day accordingly.
Just like weather
apps help people
make quick and informed
decisions based on data,
SIEM dashboards help security
analysts quickly and easily
access their organization's
security information
as charts, graphs, or tables.
For example, a security
analyst receives
an alert about a
suspicious login attempt.
The analyst accesses
their SIEM dashboard
to gather information
about this alert.
Using the dashboard,
the analyst discovers
that there have been 500 login
attempts for Yamara's account
in the span of five minutes.
They also discover
that the login attempts
happen from geographic
locations outside
of Yamara's usual location and
outside of her usual working
hours.
By using a dashboard,
the security analyst
was able to quickly review
visual representations
of the timeline of
the login attempts,
the location, and the exact
time of the activity, then
determined that the
activity was suspicious.
In addition to providing
a comprehensive summary
of security related
data, SIEM dashboards
also provide stakeholders
with different metrics.
Metrics are key
technical attributes,
such as response time,
availability, and failure rate,
which are used to assess the
performance of a software
application.
SIEM dashboards
can be customized
to display specific
metrics or other data that
are relevant to different
members in an organization.
For example, a
security analyst may
create a dashboard
that displays metrics
for monitoring everyday
business operations,
like the volume of incoming
and outgoing network traffic.
We've examined how
security analysts use
SIEM dashboards to help
organizations maintain
their security posture.
Well done.
Coming up, we'll discuss
some common SIEM tools used
in the cybersecurity industry.
Meet you there.
Hello, again.
Previously, we
discussed how SIEM tools
help security analysts
monitor systems and detect
security threats.
In this video, we'll cover some
industry leading SIEM tools
that you'll likely encounter
as a security analyst.
First, let's discuss the
different types of SIEM tools
that organizations
can choose from based
on their unique security needs.
Self-hosted SIEM tools
require organizations
to install, operate,
and maintain
the tool using their own
physical infrastructure,
such as server capacity.
These applications are
then managed and maintained
by the organization's IT
department rather than
a third party vendor.
Self-hosted SIEM tools are
ideal when an organization
is required to maintain physical
control over confidential data.
Alternatively,
Cloud-hosted SIEM tools
are maintained and managed
by the SIEM providers,
making them accessible
through the internet.
Cloud-hosted SIEM tools
are ideal for organizations
that don't want to invest
in creating and maintaining
their own infrastructure,
or an organization
can choose to use
a combination of
both self-hosted and
Cloud-hosted SIEM tools
known as a hybrid solution.
Organizations might choose
a hybrid SIEM solution
to leverage the benefits
of the Cloud, while also
maintaining physical control
over confidential data.
Splunk Enterprise, Splunk
Cloud, and Chronicle
are common SIEM tools
that many organizations
use to help protect
their data and systems.
Let's begin by
discussing Splunk.
Splunk is a data
analysis platform,
and Splunk Enterprise
provides SIEM solutions.
Splunk Enterprise is
a self-hosted tool
used to retain, analyze, and
search an organization's log
data to provide
security information
and alerts in real time.
Splunk Cloud is a
Cloud-hosted tool
used to collect search
and monitor log data.
Splunk Cloud is helpful
for organizations
running hybrid or Cloud
only environments,
where some or all of the
organization's services
are in the Cloud.
Finally, there's
Google's Chronicle.
Chronicle is a Cloud native tool
designed to retain, analyze,
and search data.
Chronicle provides log
monitoring, data analysis,
and data collection.
Like Cloud-hosted tools,
Cloud native tools
are also fully maintained
and managed by the vendor.
But Cloud native
tools are specifically
designed to take full
advantage of Cloud computing
capabilities, such as
availability, flexibility,
and scalability.
Because threat
actors are frequently
improving their strategies to
compromise the confidentiality,
integrity, and availability
of their targets,
it's important for
organizations to use
a variety of security tools to
help defend against attacks.
The SIEM tools we just discussed
are only a few examples
of the tools available
for security teams
to use to help defend
their organizations,
and later in the
certificate program,
you'll have the
exciting opportunity
to practice using Splunk
Cloud and Chronicle.
Let's quickly review
what we covered
in this section of the course.
We started by discussing
the importance of logs
and cybersecurity, and we
explored different log types,
like firewall, network,
and server logs.
Next, we explored
SIEM dashboards
and how they use visual
representations to provide
security teams with
quick and clear insights
into the security posture
of an organization.
Finally, we introduced
common SIEM tools
used in the
cybersecurity industry,
including Splunk and Chronicle.
We'll be exploring even
more security tools later
in the program, and
you'll have opportunities
to practice using them.
Coming up, we'll
discuss playbooks
and how they help security
professionals respond
appropriately to
identify threats,
risks, and vulnerabilities.
Meet you there.
Hello, and welcome back.
You've reached the final
section of this course.
Previously, we discussed
Security Information
and Event Management,
or SIEM tools,
and how that can be used
to help organizations
improve their security posture.
Let's continue our
security journey
by exploring another tool
security professionals use,
playbooks.
In this section, we'll
explore how playbooks
help security teams
respond to threats, risks,
or vulnerabilities
identified by SIEM tools.
Then we'll discuss the six
phases of incident response.
Let's get started.
Previously, we
discussed how SIEM tools
are used to help protect
an organization's
critical assets and data.
In this video, we'll introduce
another important tool
for maintaining an
organization's security known
as a playbook.
A playbook is a manual
that provides details
about any operational action.
Playbooks also
clarify what tools
should be used in response
to a security incident.
In the security field,
playbooks are essential.
Urgency, efficiency,
and accuracy
are necessary to quickly
identify and mitigate
a security threat to
reduce potential risk.
Playbooks ensure that people
follow a consistent list
of actions in a
prescribed way, regardless
of who is working on the case.
Different types of
playbooks are used.
These include playbooks for
incident response, security
alerts, team specific, and
product specific purposes.
Here, we'll focus
on a playbook that's
commonly used in cybersecurity
called an incident response
playbook.
Incident response is an
organization's quick attempt
to identify an attack,
contain the damage,
and correct the effects
of a security breach.
An incident response
playbook is a guide
with six phases used to
help mitigate and manage
security incidents
from beginning to end.
Let's discuss each phase.
The first phase is preparation.
Organizations must prepare to
mitigate the likelihood, risk,
and impact of a
security incident
by documenting procedures,
establishing staffing plans,
and educating users.
Preparation sets the foundation
for successful incident
response.
For example, organizations can
create incident response plans
and procedures that outline
the roles and responsibilities
of each security team member.
The second phase is
detection and analysis.
The objective of this phase is
to detect and analyze events
using defined processes
and technology.
Using appropriate tools and
strategies during this phase
helps security
analysts determine
whether a breach has
occurred and analyze
its possible magnitude.
The third phase is containment.
The goal of containment is
to prevent further damage
and reduce the immediate
impact of a security incident.
During this phase,
security professionals
take actions to contain an
incident and minimize damage.
Containment is a high
priority for organizations,
because it helps prevent
ongoing risks to critical assets
and data.
The fourth phase in an
incident response playbook
is eradication and recovery.
This phase involves the
complete removal of an incidence
artifacts, so that
an organization can
return to normal operations.
During this phase,
security professionals
eliminate artifacts
of the incident
by removing malicious code and
mitigating vulnerabilities.
Once they've exercised
due diligence,
they can begin to restore
the affected environment
to a secure state.
This is also known
as IT restoration.
The fifth phase is
post incident activity.
This phase includes
documenting the incident,
informing organizational
leadership,
and applying lessons
learned to ensure
that an organization is
better prepared to handle
future incidents.
Depending on the
severity of the incident,
organizations can conduct a
full scale incident analysis
to determine the root
cause of the incident
and implement various updates
or improvements to enhance
its overall security posture.
The sixth and final phase in
an incident response playbook
is coordination.
Coordination involves
reporting incidents and sharing
information throughout the
incident response process
based on the organization's
established standards.
Coordination is important
for many reasons.
It ensures that organizations
meet compliance requirements,
and it allows for coordinated
response and resolution.
There are many ways
security professionals
may be alerted to an incident.
You recently learned
about SIEM tools
and how they collect
and analyze data.
They use this data to
detect threats and generate
alerts, which can
inform the security
team of a potential incident.
Then, when a security
analyst receives a similar,
they can use the
appropriate playbook
to guide the response process.
SIEM tools and
playbooks work together
to provide a structured
and efficient way
of responding to potential
security incidents.
Throughout the program,
you'll have opportunities
to continue to build
your understanding
of these important concepts.
Welcome back.
In this video, we're going
to revisit SIEM tools
and how they're used
alongside playbooks
to reduce
organizational threats,
risks, and vulnerabilities.
An incident response
playbook is a guide
that helps security
professionals mitigate issues
with a heightened
sense of urgency,
while maintaining accuracy.
Playbooks create structure,
ensure compliance,
and outline processes
for communication
and documentation.
Organizations may use different
types of incident response
playbooks, depending
on the situation.
For example, an organization
may have specific playbooks
for addressing different types
of attacks, such as ransomware,
malware, distributed denial
of service, and more.
To start, let's discuss how
a security analyst might
use a playbook to
address a similar,
like a potential malware attack.
In this situation, a playbook
is invaluable for guiding
an analyst through
the necessary actions
to properly address the alert.
The first action in the
playbook is to assess the alert.
This means determining
if the alert is actually
valid by identifying why
the alert was generated
by the SIEM.
This can be done by analyzing
log data and related metrics.
Next, the playbook outlines
the actions and tools
to use to contain the malware
and reduce further damage.
For example, this playbook
instructs the analysts
to isolate or disconnect
the infected network system
to prevent the
malware from spreading
into other parts of the network.
After containing the incident,
step three of the playbook
describes ways to eliminate
all traces of the incident
and restore the affected systems
back to normal operations.
For example, the playbook
might instruct the analyst
to restore the impacted
operating system,
then restore the affected data
using a clean backup created
before the malware outbreak.
Finally, once the incident
has been resolved,
step four of the playbook
instructs the analyst
to perform various post incident
activities and coordination
efforts with the security team.
Some actions include
creating a final report
to communicate the security
incident to stakeholders
or reporting the incident to
the appropriate authorities,
like the US Federal
Bureau of Investigations
or other agencies that
investigate cyber crimes.
This is just one example of
how you might follow the steps
in a playbook since
organizations develop
their own internal procedures
for addressing security
incidents.
What's most important
to understand
is that playbooks provide a
consistent process for security
professionals to follow.
Note that playbooks
are living documents,
meaning the security team will
make frequent changes, updates,
and improvements to address new
threats and vulnerabilities.
In addition, organizations learn
from past security incidents
to improve their
security posture,
refine policies and procedures,
and reduce the likelihood
and impact of future incidents.
Then they update their
playbooks accordingly.
As an entry level
security analyst,
you may be required to
use playbooks frequently,
especially when
monitoring networks
and responding to incidents.
Having an understanding of
why playbooks are important
and how they can help you
achieve your working objectives
will help ensure your
success within this field.
Let's review what we
covered in this section.
We began by discussing
the purpose of playbooks.
Then we examined the six
phases of an incident response
playbook, including an example
of how a playbook might
be used to address an incident.
Playbooks are just one of
the essential tools you'll
use as a security analyst.
They provide a structured,
consistent approach
to handling security incidents
and can help you respond
to security incidents quickly.
Knowing how and when
to use a playbook
will allow you to make
informed decisions about how
to respond to a security
incident when it occurs
and help to minimize
the impact and damage it
may cause your organization
and the people it serves.
Following the steps
of the playbook
and communicating
appropriately with your team
will ensure your effectiveness
as a security professional.
Congratulations on
completing this course.
Let's recap what
we've covered so far.
First, we reviewed CISSP's
eight security domains
and focused on threats,
risks, and vulnerabilities
to business operations.
Then we explored security
frameworks and controls
and how they're a starting
point for creating
policies and processes
for security management.
This included a discussion of
the CIA triad, NIST frameworks,
and security design
principles, and how
they benefit the security
community as a whole.
This was followed
by a discussion
about how frameworks,
controls, and principles are
related to security audits.
We also explored basic security
tools, such as SIEM dashboards,
and how they are used to
protect business operations.
And finally, we covered how
to protect assets and data
by using playbooks.
As a security analyst, you may
be working on multiple tasks
at once.
Understanding the tools
you have at your disposal
and how to use them will elevate
your knowledge in the field,
while helping you successfully
accomplish your everyday tasks.
Coming up next in the
program, my colleague Chris
will provide more details about
topics covered in this course
and introduce you to some
new core security concepts.
I've enjoyed sharing
this journey with you.
[MUSIC PLAYING]