SIEM systems can also help us with compliance, right? They obviously can measure what is going on in our networks, help us to understand the settings, configurations, the concerns we have, and be able to measure those against the standard or accepted baseline. So, we do want to understand the role of compliance here, with regards to the technology as well, enhance network security and improved IT security operations. You know we are thinking about the fact here that today, the boundaries of our network are ever expanding, ever changing, ever moving. They basically exist in the hand of the person that is holding a phone, using a mobile device, interacting with the system remotely. That is where the border, the boundary of our networks exists today. It is not on the desktop behind the firewall, in the organization, in the cube anymore. It has not been for years. The advent of converged technologies, the advent of cloud technologies, has really changed the dynamic, and the way we approach security and consumption of information. So, as the boundaries of the network enterprise expand, the role of the security infrastructure expert, and the role of network infrastructure, and the security steps that we take to safeguard that infrastructure has to expand as well. People expect that they can put the network in their hand, talk on their smartphone, say hey John hold on just a second, I will take a look for that file. Scroll, scroll, scroll. App, app, app. Click, click, click, and boom there is my comprehensive financial spreadsheet for the last two quarters of the business sitting on my phone. I can now, with a swipe of a finger or the click of a button on an app, send that to John in real time. I could not do that seven or eight or ten years ago. I can do that today. Reality is, that changes the entire dynamic, of how we have to approach IT security and operations, and we want you to be thinking about that as SSCPs. All of us, need to think about that, by the way. 
It is game changing, as they say, right? I mean the brave new world we live in today is radically different than the one that many of us have been used to for the last several years, and it continues to evolve, continues to change over time and change quickly, right? The idea that we can access corporate confidential and private data in a handheld device, beyond the border, beyond the reach, and beyond the control of the corporate security function, is mind-boggling when you think about what we are doing, and what we can do with that information. A lot of those devices are not going to be controlled. They are not under MDM, Mobile Device Management. Instead, they have been given access to the corporate network, because somebody is provided a logon credential, typically a username and a password to a SkyDrive or some sort of internet-based SkyDrive or a shared solution like Dropbox, Onebox, or whatever, and we have been able to go in, we have been able to post data there from work and then bridge that out to the outside world. But that data is not being managed the same way it would be if it was sitting inside corporate servers directly. We have to have policies to manage that. We have to have policies to deal with that. We may be able to hook that phone up, and indeed, we often do, to the corporate email system. Now that is not to say that we could not access email from outside. In prior years, did not do the same thing, we have been able to do that for some time. But the point is, that if we are not using DLP, Data Loss or Leakage Prevention technology, if we are not using IRM, Information Rights Management technology, to scan that e-mail chain, to look at those attachments, to control the flow of data, and when we do send data out to have sticky attributes stay with the data to ensure the permissions are going to stay on that data, no matter where it goes. Not allowing John to open the file as John can authenticate. 
That is something that as security practitioners and professionals, we need to be thinking about, we need to architect, we need to design, we need to implement, we need to manage, in order to be able to do those things. So we have to plan as I have often talked about to be successful. Because if we do not, we are not doing that stuff, we do not have IRM, we do not have DLP, if we do not have those things, we have got a problem, right? So we have got to be thinking about this concept of the expanding border, and the never ending horizon of what the possibility is for us to interact with and use information. It is a very sobering thought, right? And so as we wrap up our conversations here, in this area, we think about this expanding border. We have to also think about the kind of data that we can capture today. You know, full packet capture, is this idea of being able to go in and being able to have a device of some kind, sitting at a choke point some sort of egress or ingress point, in or out of the network, and again, using things like data loss prevention technology, looking at the stream of network traffic, capturing all the packets, seeing all the information, not preventing them from going out necessarily, but recording them, want to see them coming and going, want to inspect what is going on in there, understand everything about what is in there, and make sure we can see what is there, the data stream is encrypted. We may have inline decryption capabilities where we place the encryption/decryption tools and keys, into a device that will accelerate the encryption/decryption process allowing us to effectively vacuum out all the data, make a record of it, and then send it back on its way by re-encrypting it. We can do that. But we have to plan to use that kind of technology, they are called inline encryptor/decryptors, right? And they're usually hardware accelerators, that means they are separate boxes, that do this with dedicated processing power. 
These are the kind of things we can do with full packet capture. It is very important we understand the technology, understand how it plays into monitoring. And ultimately, as we wrap up our conversations in this area, think about, more broadly, the impact that monitoring and the use of monitoring can have with regard to safeguarding data today. It is the SSCP's job to act with due care, and due diligence. Part of that due care and due diligence resides in our conversations here, knowing what is going on in our networks, monitoring for aberrant and abnormal behavior. We classify those as anomalies. Looking at threats, and making sure we identify them as such. Knowing that when we monitor, we have to then record and pay attention to what is there. We have to look at it perhaps in real time, have to look at it perhaps historically after the fact, we may use automated systems to do so. We may gather up essentially, all of this data and analyze it somewhere. We may decide to look at it individually on a single machine, any or all of these things can happen, we may use IDS and IPS, to give us the data. We may get it from local host and from a variety of different places in our networks. All of the event sources, all the data streams, have to be identified that potentially can help us to do our jobs. It is your job, as an SSCP, aspiring though you may be right now, to be able to understand, and do these things, both obviously in preparation for the exam, but also equally importantly, and more so, over the long term in the real world, where it really will matter, where it ultimately counts. You are going to be expected to be called on, to be able to understand, interact with and do, and to use and deploy and manage these technologies. Make sure you are up to the challenge. Review the material. 
Make sure you understand the concepts, as soon as you feel you have mastered them, as soon as you are comfortable, as soon as you are ready, come on back and join me for the next conversation. Looking forward to seeing you soon.