Automation is essential in network defense to ensure that human eyes focus only on the things that really matter. This course teaches how to defend enterprise infrastructure at scale using a combination of tools and platforms such as IDS/IPS, firewalls, and SIEMs. Configuring and tuning these systems properly maximizes their effectiveness at catching and stopping threats while reducing alert fatigue for analysts and responders. Students learn to identify gaps in coverage, write basic and complex signatures, manage rule sets for optimization, use chain rules to detect multistage events, and implement decoding and fingerprinting capabilities to overcome evasion techniques.
- Explain the benefits and limitations of different security technologies (IDS/IPS, firewalls, VPNs, web proxies, etc.)
- Identify optimal platform deployment and gaps in coverage
- Write basic and complex IDS signatures to identify malicious traffic flows, and tune them to reduce false positives
- Use reassembly and pre-processing engines to automatically reconstruct streams of network data prior to analysis
- Apply decoding and other tools to overcome attacker evasion techniques
- Implement automated fingerprinting of encrypted traffic flows to detect anomalous or malicious flows
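As an added illustration of the last objective (it is not course material or code from the course), the following Python example derives a JA3-style fingerprint from a TLS ClientHello: the record is parsed, GREASE values (RFC 8701) are dropped so that a client does not produce a different hash on every connection, and the resulting string is hashed so it can be compared against the fingerprints expected on the network. The ClientHello bytes, the `build_client_hello` helper, the `is_unexpected` check and the `example.com` server name are all constructed for this example.

```python
"""JA3-style TLS ClientHello fingerprinting (added example, constructed data)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Clients randomise these,
# so JA3 excludes them from ciphers, extensions and groups.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

SUPPORTED_GROUPS = 0x000A   # extension type for the elliptic-curve list
EC_POINT_FORMATS = 0x000B   # extension type for point formats


def build_client_hello(cipher_suites, extensions):
    """Construct a minimal TLS record carrying a ClientHello (sample data only)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                    # client_version TLS 1.2
        + bytes(32)                                    # random (zeros for the example)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record that contains a ClientHello.

    JA3 layout: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    with decimal values joined by '-' and GREASE values removed.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                                    # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                            # handshake type (1) + length (3)
    version = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + 32                                      # client_version, then random
    pos += 1 + hs[pos]                                 # session_id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hs[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + hs[pos]                                 # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if g not in GREASE]
            elif etype == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, ext_types)),
        "-".join(map(str, groups)),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def is_unexpected(ja3_md5, expected_hashes):
    """Anomaly check: True when the client fingerprint is not in the expected set."""
    return ja3_md5 not in expected_hashes


# Constructed ClientHello: one GREASE cipher, one GREASE extension, one GREASE group.
SAMPLE = build_client_hello(
    cipher_suites=[0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[
        (0x1A1A, b""),                                       # GREASE extension
        (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),        # server_name
        (SUPPORTED_GROUPS, b"\x00\x06\x3a\x3a\x00\x1d\x00\x17"),  # GREASE, x25519, secp256r1
        (EC_POINT_FORMATS, b"\x01\x00"),                     # uncompressed
        (0x0023, b""),                                       # session_ticket
    ],
)

if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(SAMPLE)
    print(ja3, digest, is_unexpected(digest, {digest}))
```

In a real deployment the hash would be looked up against the fingerprints of the browsers and agents sanctioned on the network; what the fingerprint buys you is a stable per-client identity that does not depend on decrypting the session, and the GREASE filtering is what keeps that identity stable across connections.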