So, disposal options, we have lots of them. Physical destruction, we can burn it, rip it up, get rid of it. Degaussing, we can use a strong magnetic field to wipe out the actual bits that are on the magnetic platter, on the hard drive, or wherever they may be. Overwriting, we could, in effect, write over the data that's there with other data. And/or we can use encryption, and by encrypting, we can safeguard and hide the data, but if somebody gets the key, of course, then they can unlock the data. So, we may encrypt, but then we'll do something known as crypto-shredding. And the idea with encryption is, "Hey, the data is there but the key can still be accessed." Crypto-shredding says, "Hey, we're going to encrypt the data, but guess what? We're then going to take the key or in fact, we take the key and encrypt the key, so that way the key itself can no longer be accessed." The key itself can no longer be accessed, the data cannot be accessed either. So, if we encrypt the key that encrypts the data, and then effectively get rid of the key that opens up that encrypted key, we shred the key so we can no longer use it. We throw away the encryption key, we're not going to be able to get to the data, we can't access it, and as a result, although the data, in theory, is still available, it's there in encrypted form, unless we break the encryption, we're not going to be able to open it up and see it anymore. This is obviously going to be something to consider. So, crypto-shredding, this is the idea of the process of deliberately destroying the encryption keys that were used to originally encrypt the data. And by removing the key from the equation, we effectively have removed the access or the ability to access the data. And this is important, we want to be thinking about that. That's a great way to think about getting rid of access to data that's already been encrypted because we don't have to decrypt it, we don't have to destroy it.
All we have to do is take the key that was encrypting the data and simply manage that destruction process of that one element. The data itself is no longer available, at least not in a realistic form anyway to anybody. So, this is the idea of crypto-shredding, we just want to make sure we're aware of that. And then, security information and event management, we've talked about SIEM systems before. They're made up of two components, Security Information Management and Security Event Management. Combining the two together allows us to have a much broader, much deeper, and much more overarching or holistic view of our systems for analytic purposes, for compliance purposes, for auditing, for traceability, for real-time event analysis, for real-time alerting, and real-time action, and management of our systems to reconfigure if necessary. It does all this stuff. And so, these systems can become very powerful because they pull data in from all these different places. They essentially aggregate it for the ability to run analysis and reporting and deep inspection and business intelligence capabilities against it. And by doing these things, it gives us a much, much better understanding of our systems and the data within them. Data event logging and event attributes that feed these systems have to really be thought about. We have to structure and scale them in such a way that we understand what they are and how they're going to feed our systems and provide capabilities to us. OWASP, which is a solution that we have looked at from different perspectives before. Remember, OWASP is going to be a collection of different projects that are being run by people that are focused on security, owasp.org is the website. We've been out there in prior conversations, take a look at the top 10 web development and web services vulnerability list. It's very important to be aware of these kinds of things.
And OWASP, as an organization, recommends that the following data be integrated into event data aggregation. So in other words, when we look at event data, OWASP recommends that the things that we should be focusing on, really bringing to bear, are things in the when, where, who, and what categories. When did the data or when did the element occur? Where did the data or the elements occur? Who was involved in creating or modifying or accessing the data? What was accessed? Under what conditions was that done? So, when we answer these questions and we have logging that stipulates this information be gathered, and it be managed, should be made available correctly to us, we have a much stronger solution. We have to, in this case, be able to tell a compelling story and create the context of the story, by looking at all this information. So, if you think about this, just going back to the example we used just a couple moments ago in the Windows Explorer, let's come back in here and use this other file that we have here. We take a look at this new Microsoft Word document that is really long, dot pptx. We can see that it was created on a certain day and time, it is a certain kind of file, it has a certain size. These are all valuable pieces of information that we want to know. If we take a look at the properties of it by right-clicking, let's put this over here, so you can see it. We'll see additional information about it, and we'll see if we look at security, you have additional information and details, additional metadata information. We may be able to see revision information, we also can see the computer that it was created on, we may see if there's any previous versions. All of this data is going to become important as part of the events surrounding the creation of this item.
And we want to be able to grab the majority of that data and log it, keep track of it, so that way, answering these questions, somebody comes along in a month and says, "Hey, Adam, how was that file created? When was it created? Who created it? We need to know about it because somebody wants to ask some questions." I can go look it up in a log and say, "I've got it right here. Looks like it was created on this day, it was a Tuesday, and it was at 5:00 in the afternoon, and it was on this PC. And it looks like it was created in this directory, and it was given these rights." "Okay, it's exactly what we need to know." And so, they were able to modify or access that information, tell people about it, give them what they need. And as a result of that, we have all the details of the story, and we can manage and tell compelling stories as a result. So, make sure we know that OWASP recommends that these kinds of things are becoming part of our data stream, and the management of event logging. The SIEM systems, the capabilities of the SIEM systems are broad-ranging as I mentioned, and we have a list of some of the common things they can do here. Data aggregation, pulling all the data together into one place. Correlation, relating things and keeping up with all the different strings in different areas and different details, and then creating associations for us that we may or may not be aware of. Alerting, "Hey, Adam, pay attention. Somebody just created a document in that folder you told us to monitor. You wanted to know when they did that." "Great. Let me go take a look." Dashboards put information up for us in a visual form that we can interact with and consume. Pie charts, bar graphs, histograms, all sorts of different things. Compliance, tell us whether we are, or are not compliant, based on using a baseline or a set of assumptions about what should be done, and then monitoring continuously to see whether it is being done.
And then analyzing the gaps that tell us what we need to do. And remediating, taking steps to fix non-compliance issues. Retention, keeping track of data for a certain period of time. What often happens in logging if we're doing it locally is that log files may get overwritten or may get deleted, removed, or modified because nobody's keeping track of them on an individual machine. By copying them all off to a central server, and then having policies to manage them, we don't run the risk of that behavior taking place so that we then lose access to that data. And forensic analysis, we can drill into the data that is coming from all the different systems, look at what's in the logs, really understand, get in there and see what's there, and have accurate representation, accurate management, and accurate storytelling, around the things that are going on. These are all very important capabilities, capabilities you would want to make sure you're aware of, if anybody ever asked you about what these kinds of systems are capable of doing. As we wrap up our conversations in this area, I want to remind you that going through this material, as we always talk about, is valuable by way of review and reflection. I encourage you to think about doing that before we move over to our next conversation. When you feel you're ready and you feel you've gone through everything, you've made your notes, you feel you've got a good handle on what we need to do, come on back and join me. We'll have our next conversation in this area, and I'll look forward to seeing you very soon.
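
The when, where, who, and what attributes and the aggregation and alerting capabilities discussed above, as an added Python example that is not part of the original lecture. The two source formats, their field names, the hosts, users and the watched folder are constructed assumptions.

```python
from datetime import datetime, timezone

REQUIRED = ("when", "where", "who")       # "what" is checked separately below
WATCHED = ("/srv/share/finance/",)        # hypothetical folder an analyst asked to monitor

def normalize(source, raw):
    """Map one source-specific record onto when/where/who/what."""
    if source == "fileserver":            # constructed format: epoch seconds, flat fields
        ts = raw.get("ts")
        when = (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
                if ts is not None else None)
        return {"when": when, "where": raw.get("host"), "who": raw.get("user"),
                "what": {"action": raw.get("action"), "object": raw.get("path")}}
    if source == "webapp":                # constructed format: ISO time, nested actor
        return {"when": raw.get("time"), "where": raw.get("server"),
                "who": (raw.get("actor") or {}).get("name"),
                "what": {"action": raw.get("verb"), "object": raw.get("resource")}}
    raise ValueError(f"unknown source: {source}")

def missing_attributes(event):
    """Return the categories an event fails to answer."""
    missing = [k for k in REQUIRED if not event.get(k)]
    what = event.get("what") or {}
    if not what.get("action") or not what.get("object"):
        missing.append("what")
    return missing

def ingest(records):
    """Aggregate records from all sources; reject incomplete ones; raise alerts."""
    accepted, rejected, alerts = [], [], []
    for source, raw in records:
        event = normalize(source, raw)
        gaps = missing_attributes(event)
        if gaps:                          # an event that cannot tell the story is flagged
            rejected.append((source, gaps))
            continue
        accepted.append(event)
        what = event["what"]
        if what["action"] == "create" and what["object"].startswith(WATCHED):
            alerts.append(f'{event["who"]} created {what["object"]} '
                          f'on {event["where"]} at {event["when"]}')
    accepted.sort(key=lambda e: e["when"])  # one timeline; assumes UTC ISO timestamps
    return accepted, rejected, alerts

SAMPLE = [  # constructed records from two sources
    ("fileserver", {"ts": 1700000000, "host": "fs01", "user": "adam",
                    "action": "create", "path": "/srv/share/finance/q4.docx"}),
    ("webapp", {"time": "2023-11-14T21:00:00+00:00", "server": "web02",
                "actor": {"name": "dana"}, "verb": "read", "resource": "/reports/7"}),
    ("fileserver", {"ts": 1700000300, "host": "fs01",
                    "action": "modify", "path": "/srv/share/hr/plan.docx"}),
]
```

Calling `ingest(SAMPLE)` returns the merged timeline, the one record rejected for lacking a "who", and the alert for the document created in the watched folder.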