We're aware of that. Your attackers are motivated by a lot of things, hard to say, maybe important to know and there's always an advantage there, but the reality is we're probably not going to get in the mind of the attacker very easily and very often, while maybe valuable to try to do that. I'd rather spend time figuring out how to stop the attack than figuring out what's motivating it, because what motivates people may tell me why they're doing something but it may not tell me where they're going to strike next and what they're going to do, not always, sometimes though, as a result. So, it may be difficult to understand the motivation, but things like notoriety, ego, greed, political agendas, revenge, curiosity, these are all potential motivation factors, right? And there may be more on the list.

But the point is, while some of them may be apparent, we may be able to clearly identify, you have Bill. Bill got fired, Bill was pretty upset, so chances are good that Bill is going to potentially go off and try to attack us. Let's keep an eye on Bill. That's useful information, we may want to know that. But there aren't many Bills in our network, right? Most of the attacks come from outside more often than not, because people get fired every day, people change jobs every day, but not all of them, in fact not most of them, in fact almost none of them are going to become so upset, so angry, so disgruntled that they feel it's appropriate and actually the right thing to do, even in a moment of passion, to go out and attack that network. It's very unlikely that will happen. So if all we do is look for the Bills of the world, because the Bills of the world, the people that are disgruntled, are going to attack us, that are former employees, we may find one or two of those in the entire lifetime of our tenure in the network, we may find none.
But in the meantime all the attackers from outside that are motivated by all this other stuff have been hacking away in our network for years and we haven't paid attention to that. It's a very imbalanced equation. So, we want to make sure we're aware of motivation, but chances are good, it's really not worth a lot of time on our part to spend figuring it out. I'd much rather figure out how to be better at monitoring and safeguarding than I am at trying to get inside the mind of somebody.

Intrusions, right? Intrusions are acts by people, organizations, or systems that ultimately violate the sanctity and the security of our networks. Whatever that may be, however it happens, for whatever reason. They can be overt, they may be covert. Overt attacks, overt intrusions happen in the open. There's telltale signs in them. Hey, we come home, the door is broken and lying on the floor, right? The place is all turned upside down, that's a pretty overt act, right? We know somebody was there. Covert act, we come home, the door is closed, everything is in the place that it was, nothing is seemingly out of place at all. Somebody may have been there, we just don't know, they're pretty good at hiding their tracks. We want to make sure we know the difference between the two approaches, right?

Events, as we know, are going to be single occurrences that may or may not indicate an intrusion. Not every event equals a bad outcome. Not every event is an attacker trying to come in and kick in the door. Not every event is a risk-laden concern to us or a vulnerability that's rearing its ugly head. All intrusions are going to be made up of events but not all events are intrusions, as we said. Some events are just that, nothing more than just a blip on the radar. Turned on the machine, that's an event. Doesn't mean I'm going to hack with it, just means I turned it on.
Turned on the machine is one event, loaded up my hacking software is another event, targeted hacking software at target machine A, that's a third event. All those events together equal an intrusion, but the first event is not an intrusion or sign of one, just means I powered up my machine, nothing more. So some events are innocuous, they're very innocent, they're nothing more than that. But chained together they may indicate a pattern of behavior, would you want to understand that as well?

We can do real-time monitoring, we can do non-real-time monitoring. Real-time monitoring, we're going to see the data stream as it emerges, we're going to be able to tell things about it in real time. Non-real-time monitoring is monitoring that goes typically into a file, we may look at it historically over time and do analysis on it but after the fact. Again, just want to make sure we understand the difference between the two approaches.

File integrity checkers are going to be used to be able to look at individual files or groups of them, monitoring for integrity, monitoring for unauthorized or unnecessary changes to the data. And as a result of that, attacks that can modify integrity or somehow attach to and change integrity can be found out using file integrity checkers. There's some examples of ones that are here, Verisys, CimTrak, AIDE, these are examples of common file integrity checkers that may exist, you may be familiar with them, you may not. Tripwire is another one that's very popular, free, that's out there. You can use all sorts of systems to do file integrity checking. But the idea is you're going to make sure we keep track of the information, and if it's modified, in fact we would generate an alert that tells you that something is wrong.

When we think about continuous compliance and/or continuous monitoring, we're thinking about paying attention to something all the time.
A lot of things happen in our networks, a lot of things are just happening constantly around us, so we're not really paying attention to a lot of them, right? While I'm talking to you right now, there's probably things happening behind you in the background, right? You may be listening to me, you have your earphones in, maybe intently focused on the screen, looking at what I'm doing, making notes, but there may be people talking behind you, there may be things going on that you may or may not be aware of, right? And that happens all the time everywhere we are, happens in our networks, happens everywhere. So by paying attention to everything, we're going to have a complete picture of what's going on, but it can be very overwhelming, right? Because so many things are happening, it may be very difficult for us to focus on any one thing in particular and really gain advantage or understanding of what that implies.

So, when we do continuous or compliance monitoring, what we're doing is gathering all this information, but we're simply doing it with automated systems because there's just too much for us to pay attention to individually, even collectively as a group of individuals in real time. And then we're going back in through reporting, through business intelligence, through manipulation of data and analysis. We're looking for trending. We're looking for information and examining flow to figure out if there's a pattern there that may be of interest to us, and then we're going to alarm or learn about that pattern if an automated monitor captures that, because that's going to help us to be able to understand what's going on broadly within our networks and really see with the eyes of thousands by having automated monitoring keeping track of stuff for us. And so this is going to be a real-time look at what's coming into our networks, it's very, very important to be able to do that.

Let's think about monitoring systems, we've been talking about them for a while.
Let's go through and review a couple of questions to help us wrap up this part of our conversation. We have two questions on the screen, going to ask you to take a moment to consider them. As soon as you're done, if you think you know what the answers are, come back and let's make sure we got that information correct before we continue on. Let's go ahead and let's take a look at what those answers are, shall we?

Question number 1, what is the difference between real-time monitoring and non-real-time monitoring? Well, we've just talked about this recently. Real-time monitoring provides a means for relatively immediately identifying trends and information you may want to take a look at, even stopping certain activities from occurring. Non-real-time monitoring provides a means to save that information somewhere, archive it, look at it historically over time and check it out at some point in the future when it's convenient for us, when we want to take a look at it, or reactively after the fact to go back and to understand something that did happen and delve into it to figure out why. We can always do it for or use it from that perspective as well.

Question number 2, what is the difference between IDSs and IPSs, intrusion detection and intrusion prevention systems? IDSs are passive systems that will monitor and alert but are not able to take any retaliatory or some sort of additional action in any way. Whereas an IPS is primarily focused on monitoring with the ability to react to information it sees in real time, it can retaliate, it can reconfigure, it can modify traffic flows, could do all sorts of stuff. We want to make sure we're aware of that and we understand that as well.