CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 322: Firewalls To AI - Building A Smarter Defense (CISSP Domain 7)
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
The weakest link is often sitting on the edge, blinking away with expired firmware and no vendor support. We kick off with a blunt reality check on outdated firewalls, load balancers, and IoT gateways, and why waiting two years to retire them is a gift to attackers. From there, we guide you through Domain 7.7 with a practical blueprint for operating and maintaining detective and preventive measures that actually hold up under pressure.
We unpack firewall fundamentals with clear, real‑world tradeoffs: when a simple packet filter is enough, when stateful inspection and deep packet inspection earn their keep, and how a WAF stops the web attacks your L3/L4 controls will miss. You’ll hear how RTBH can deflect denial‑of‑service floods upstream, and why segmentation is your best friend for reducing blast radius—whether you use internal segmentation firewalls for R&D, Purdue‑style tiers for industrial networks, or controlled air gaps for the most sensitive systems. In the cloud, we separate security groups from true firewalls and show how to stitch policies across hybrid environments without creating blind spots.
Detection makes prevention smarter, so we break down IDS versus IPS in plain language. Baseline first, then block with intent to avoid outages. We compare host‑based and network‑based sensors, explain where to place them, and share tactics for cutting alert noise. You’ll also get straight talk on allowlists and blacklists, the right way to maintain them, and why stale entries cause the ugliest outages. We explore sandboxing for safe detonation and learning, and give an unvarnished take on honeypots and honeynets—where they help, where they waste time, and what legal lines to respect.
Not every team can build a 24x7 SOC, so we outline how MSSPs can extend your coverage with clear SLAs and ownership. Endpoint anti‑malware remains non‑negotiable, but tool sprawl is a trap—choose a strong EDR and manage it well. Finally, we dive into AI and machine learning: how they supercharge detection, triage, and response—and how adversaries use them too. The throughline is simple: shrink attack surface, raise signal quality, and respond faster than threats can pivot. If this helps you secure one more edge box or tune one more control, share it with a teammate, subscribe for more practical walkthroughs, and drop a review so we can keep raising the bar together.
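The default-deny packet filtering the show notes above summarize, and that the transcript below spells out as the common block rules (inbound packets claiming an internal source, outbound packets carrying an external source, blocklisted addresses, and implicit deny for anything not explicitly allowed), as an added Python example that is not the podcast's own material. The LAN range, the blocklist entry, the allow rules and the sample packets are all constructed for the demo; the stateful wrapper at the end shows the one thing the stateless filter cannot do, admit a reply to a session the inside opened without leaving a standing inbound hole.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the LAN behind the firewall, one blocklisted
# address (from the TEST-NET-3 documentation range), and the only traffic that
# is explicitly allowed. Anything that matches no ALLOW entry is implicitly denied.
INTERNAL = ip_network("10.0.0.0/8")
BLOCKLIST = {ip_address("203.0.113.7")}
ALLOW = {("in", "tcp", 443), ("out", "tcp", 443), ("out", "udp", 53)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arrived on the external interface, "out": leaving the LAN
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 0


def filter_packet(pkt):
    """Stateless (layer 3/4) filter: header fields only, no memory of earlier packets."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # An inbound packet claiming an internal source address is spoofed: block it.
    if pkt.direction == "in" and src in INTERNAL:
        return ("deny", "inbound-internal-source")
    # An outbound packet that does not carry one of our addresses is not ours: block it.
    if pkt.direction == "out" and src not in INTERNAL:
        return ("deny", "outbound-external-source")
    # Either end on the blocklist: block it.
    if src in BLOCKLIST or dst in BLOCKLIST:
        return ("deny", "blocklist")
    # Explicit allow rules; everything else, including LAN hosts reaching out on
    # ports nobody opened, is denied by default.
    if (pkt.direction, pkt.proto, pkt.dport) in ALLOW:
        return ("allow", "rule")
    return ("deny", "implicit-deny")


class StatefulFilter:
    """Wraps the stateless rules with a session table, so replies to connections
    the inside opened are admitted without a standing inbound allow rule."""

    def __init__(self):
        self.sessions = set()   # (internal ip, internal port, external ip, external port)

    def check(self, pkt):
        verdict, reason = filter_packet(pkt)   # anti-spoof and blocklist checks still run first
        if verdict == "allow" and pkt.direction == "out":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif (verdict, reason, pkt.direction) == ("deny", "implicit-deny", "in"):
            # A reply mirrors the outbound tuple: external src/sport -> internal dst/dport.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return ("allow", "established")
        return (verdict, reason)


if __name__ == "__main__":
    sf = StatefulFilter()
    samples = [   # constructed packets
        Packet("in", "10.1.2.3", "10.0.0.5", "tcp", 443),                   # spoofed internal source
        Packet("in", "203.0.113.7", "10.0.0.5", "tcp", 443),                # blocklisted source
        Packet("out", "10.0.0.5", "198.51.100.9", "udp", 53, sport=40000),  # DNS query leaving the LAN
        Packet("in", "198.51.100.9", "10.0.0.5", "udp", 40000, sport=53),   # the matching DNS reply
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.proto, p.dport,
              "stateless:", filter_packet(p), "stateful:", sf.check(p))
```

The ordering matters: the anti-spoof and blocklist checks run before the session lookup, so a forged reply from a blocklisted address never reaches the state table. Run the stateless and stateful checks side by side on the DNS reply to see why a pure packet filter forces you to open inbound high ports that a stateful firewall can keep closed.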
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Urgent Warning On Old Edge Devices
SPEAKER_01: Good morning everybody. It's Shon Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today's Monday, and we are going to be talking about domain seven of 7.7, operate and maintain defective and preventive, detective and preventive measures. So just so you know, I'm extremely excited giving you the podcast today because this is the second iteration of it. Yes, I recorded it once without it being recorded. So you're gonna get a really good response today. It's gonna be awesome. But before we get started, I had a couple quick articles I wanted to bring to your light, or just one that is related to organizations urged to replace discontinued edge devices. Now this comes out of Security Week, and Security Week brought this up. This specifically is related to edge devices that are no longer supported need to be gone. They need to be gotten rid of. And this is coming from the US as well as Great Britain. Now it doesn't need to come from the US or Great Britain, it just needs to happen. You should, if you have edge devices that are on the internet that are old and crusty, they need to go away. Now the edge devices will include firewalls, load balancers, network security appliances, IoT, you name it. All those wonderful things are all part of the edge, and you need to get rid of them. And they're saying that there's a lot of them out there that are end of life and need to be retired. Now, CISA issued a binding operational directive on Thursday stating that federal agencies need to act immediately to address this problem. Well, they wouldn't be doing that unless they had a problem. So end-of-life systems or end of support systems, which we've talked about a lot on CISSP Cyber Training, need to be discontinued and gone. They really do. So if you are listening to this, I'm kind of bringing this up because you're going, well, this is old hat. You're right, but it is old hat.
But the interesting part of it is, is the fact that there's still a problem out there. And they wouldn't be releasing stuff like this operational directive 2602 if it wasn't a problem. So you, if you're a security person, you need to be aware of this and you need to go out as quickly as you possibly can and get rid of these systems. Do not keep them on your network. They're not a toy to play with at a later point in time. CISA also ordered federal agencies to decommission all identified end of service edge devices within the next 18 months to 24 months. I mean, 18 months, two years. I I'm sorry, but that is absolutely ridiculous. I'm just being honest. That's
Domain 7.7 Overview
SPEAKER_01: very blunt. If this thing is that old, it there, I mean, I understand why they're putting that out there so that people can get to it, but you're giving a timeline that no, it needs to be done within the next six months, they need to be gone. Period. Dot. End of story. Which means to tell me that they have a lot of these systems out there and they can't make it happen that quick. So, interesting part, if you have edge devices in your network, especially if you're a defender entity, you better get rid of them because the Chinese, the Russians, they own them, right? They got it, they own them, and you are no longer in control. So again, this is out of Security Week: organizations urged to replace discontinued edge devices. Okay, so let's get into what we're gonna talk about today. So the domain seven, for the second time around, is domain 7.7, operate and maintain detective and preventive measures. So we're gonna be getting into things called firewalls. What is a firewall? This is an essential tool within any network for managing, controlling, or filtering network traffic. And it is being deployed between areas of higher or lower areas of trust. So it's basically two networks. You have one that's higher, one that's lower, and the firewalls are sitting in the middle and they're separating that traffic. These are really important, and these commercial firewalls
Firewall Basics And Implicit Deny
SPEAKER_01: are commonly called hardware appliance or network firewalls. Now, this is in the past you had hardware stuff. You now also have virtual stuff. And it's gone from the old days of having these big old systems that you put in data centers to now a more virtualized environment where they don't exist, they're just in a virtual form. And because many people have migrated from the hardware data centers to these virtual environments. These commercial firewalls, though, they're still out there and people still use them. So you have to decide which is best for your organization. Do you have a lot of your stuff in the cloud and then you have little uh data centers or maybe computer closets at your locations? You still will need some of those depending upon how you have it set up within your company. These filters are based on the defined set of rules that you have set up specifically for your organization. And typical firewalls are set up as deny by default, which means that when they're coming in, they're automatically set up to be denied. That's when they're set up, and then you go in and start tweaking them based on what you want to do. They have implicit deny, which ensures only traffic meeting certain criteria is allowed to travel through. So that's where it's set up for deny. You can't get in unless you specifically start poking holes in it to allow the traffic in and out. Now, a bastion host, this is designed to take attacks from the internet, and this is basically such as a firewall. They will call it's another term for a firewall in many cases. People will say this is a bastion host. It is the front line of everything attacking the Dickens out of it from the internet. Now, this comes, this term bastion host comes from medieval times where there was a guard house at the entrance of a gate. And the guardhouse, well, because it's out front by the gate, it typically took the majority of the attacks coming from outside of the gates.
So therefore, it was the bastion host. And so it was very set up to be strong, uh, be able to be resistant to attacks, similar to what your firewall should be set up to do. Common filters used in blocking. So you're blocking inbound packets claimed to have an internal source. So something coming in, it says, I've got an internal source within the network. That doesn't make sense, so therefore it's a good thing to block. Blocking outbound packets having an external source. So anything leaving your organization, depending upon the external source, can get blocked there as well. Blocking packets with source and destination address listed on the block list or blacklist. That's another thing we will talk about here in a little bit. That would be a way that would get blocked as well. So those are the different types of activities. And then blocking packets attempting to traverse the LAN to an external location. So something inside your network is trying to get itself out to an external place. That would be blocked as well. Because again, the ultimate goal is you're trying to make sure that there's nobody within your network that is trying to get an escape and get outside of your network. Remotely triggered black hole, RTBH. This is where you have an edge filtering concept to manage unwanted traffic. So if something happens and edge filtering occurs, then if there's unwanted traffic, it goes to the black hole, into the black hole. Once it goes to the black hole, it's gone forever. That is the ultimate goal. And so this is targeting the destination of the traffic before it actually enters your network. So it's coming
RTBH And DoS Mitigation
SPEAKER_01: in from the outside, it sees it's coming in and it goes, aha, bad place, black hole. And that's where it sends it. Denial of service attacks can be mitigated with this capability as well. So any of like massive rush of traffic coming in, it shunts it to the black hole. That being said, having it do it specifically at your edge is probably not the best idea. It would be better to have it done in a place that's outside of the network, a ways away from your organization, because it still is causing all kinds of traffic issues with your device, depending upon if it's a hardware or virtualized environment. So again, think about the aspects around denial of service. Now there's various firewall types. You have static packet filtering firewalls. These filter traffic based on the message header, specifically in the firewall. They usually consist of source and destination IP, your port. Also, these are focused around layer three and four. They're considered stateless, which basically means they evaluate every packet coming and going from your network. They're not really paying much attention to it. They're just more of a blunt instrument. They're not specifically something that's going to be very finessed. Application level firewalls, these are based on a single internet service protocol or application, and they operate at the application level, layer seven, right? Up the OSI layer, the OSI burrito, uh, the seven layer burrito, they operate at the application layer, layer seven. An example of this would be a web application firewall. Now, if you have a web application firewall within your network or outside of your network, great, good job. Web application firewalls are a great tool for your organization. You need to consider using them depending upon your overall web presence. Again, come back to the fact is do you have a web presence? Do you need something? Do you need the tools specifically for that?
You don't always need them, depending upon what you have for your how you traverse and send data to and from your company. Circuit level firewalls. These establish communication sessions between trusted partners. So you have two circuits and you have two partners and they communicate between the two, that would be a circuit level firewall. They're not necessarily going to the internet, or if they are, it's going through the internet and there's tunneling that's set up between the two, that would be a circuit level potential firewall. Focus on establishing a circuit or a session, and they don't focus on the content as it's considered stateless. It considers there's two trusted parties. So what does it mean? Hey, all that traffic can come and go as it pleases. It doesn't need to be inspected. Now you have stateful inspection firewalls. These will examine the source, destination, application, port, you name it. They look at it all. They pull out the stethoscope. Oh, that's not really right. It's not a stethoscope. Listening, they pull out the, yeah, an examinating glass.
Comparing Firewall Types
SPEAKER_01: I can't even think of what it is. All I know is a little search duty to bab that you see. They pull that out and they're looking at everything. They operate layer three and up, and they are aware of any valid outbound communications and respond accordingly to them. So again, stateful firewalls will inspect it all, and they're looking for any sort of malware that might be in the environment or in the traffic that they're looking for all of that. It's checking it out. You need a really beefy box to be able to do this, a very um powerful firewall to be able to accomplish all of these things. It will also do deep packet inspection, which is common with a stateful firewall, which basically means the traffic going to and from is shunted and inspected while it is there. I've done this with many organizations where we will put firewalls within the areas as well as just maybe a tap, a network tap that is taking the data out. And then you're doing deep packet inspection of the traffic going across the network. So you can use firewalls to do that. You can use taps, you can use various different aspects. But it's an orchestrated path. Deep packet inspection is very, very good. I highly recommend you do it, but it's also very expensive, and you need to do it very judiciously on where you're gonna put it within your network. And you need to know what you're looking for. You don't just put it in place just to put it in place. You need to truly understand what is the overall goal of looking for all this information. Various other firewall types. You have next generation firewalls, which are NGFWs. These are known as a multi-function device. Now, when I was flying in the airplanes, we had MFDs, which are multi-function displays. Very different. But a multi-function device is enabled to incorporate firewall capabilities, right?
Your filtering, your inspection, all those things with the Gucci of an IDS or IPS, intrusion detection or intrusion prevention system. These are all integrated in many other different types of security appliances and tools. And in today's world, a lot of the stuff is getting baked in on many different places. So next generation firewalls are a great tool in your quiver of security capabilities, and I would highly recommend that you use them as much as you possibly can. Now, an internal segmentation firewall. So I kind of talked about it a little bit already, but if you're going to segment, say, your research and development area from your overall network, you may put in an internal segmentation firewall or ISW. And what'll happen then is that that area is segregated from the rest of your network. Now this can be created without having to develop what they call an air gap network. Now you have different types of networks in this space. So let's just kind of pull on that thread just a little bit. You have this case where you have an internal segmentation firewall that's set up to specifically look at segmenting your network from other networks. The second piece of this is what we call a Purdue model, which is sort of like that, like an air gap, but it's a hybrid between an air gap and a regular segmentation network, where you have a couple model, a couple firewalls in place and you don't have a direct path down, you actually have to do a little hippety-scopity thing to get down to the overall other network. Works really well with manufacturing facilities and areas where you're trying to protect the network from things that can go boom. Now you can do this with research and development as well, but it's typically not even done there because it's just an edit of steps that may or may not be needed. Then you have the full air gap network where you can't connect the two.
You have to take, you have a process by which you pull data off of one network and put it onto another network. That is an air gap network. These are commonly used in micro-segmentation networks and where you're you're having multiple security groups, multiple segmentations, and this is like an AWS or any of those,
Segmentation And Air Gaps
SPEAKER_01: you may have an internal segmentation firewall set up specifically for that. Now, the thing is when you're getting into the cloud, what's a little bit different is you have security groups which act like firewalls, but they're not. And then you have your traditional firewalls that you would have within anywhere else. They get confused a lot, where the security group and a normal firewall seem very similar, but they are very different. Uh, the security group is mainly designed for users and the accounts that can get in and out, and they allow very specific requirements of getting in and out of an area. The firewall itself can allow that, but also is doing the inspection that you would not get from a security group. It doesn't do any of those types of activities. So again, think about that. Also, when they're asking a question, if they ask you a question around security groups versus air gap versus internal segmentation firewalls, think about what the actual question is asking you. Are you asking about air gapped? Are you asking about the Purdue model? Are you asking about just internal segmentation firewalls that are separating different areas of your network? So again, think through it. Take your time. Do not be in a hurry when you're studying for when you're getting ready to take this test and you're doing it. Take your time when you're taking the test, ensure that you have all the information you need and go step by step by step on the question, word by word by word, and then move on. Make a decision, move on. So intrusion detection and intrusion prevention. So, what these are designed to do is these are very specific monitoring of events in near real time. So, intrusion detection, these are an effective method for detecting DoS, DDoS, which is your denial of service, distributed denial of service, and they are really helpful when traffic is coming into your network that they're shunting this traffic away.
They recognize the attacks are coming from external sources, and then they will raise alarms and alerts that can help avoid the situation depending upon the variation. Changes within the environment and all of that can be brought into when it's related to an intrusion detection system. Now, we talked about with the next generation firewalls, they can have these enabled on them. Intrusion prevention systems, these operate in the same manner as an IDS, but they work to stop the incident, hence the term prevention. The thing comes in, they crack, the G18 comes down and chops it off. That's the ultimate point of an intrusion prevention system. Functions can be disabled to operate as an IDS if required. What it really comes down to is I would recommend this. And if you're going to get asked a question on it as it relates to the CISSP, think about it this way. You have an intrusion prevention system, you let it run for a period of time. But in that system, you have an IPS as well. So you have an IDS and an IPS. The IDS you let run. It's stateful, it's paying attention to what's going on, it's alerting to anything that's occurring. After you feel confident that it understands the traffic patterns that are coming into your environment, you then flip on the IPS piece of this to block certain levels of traffic that may be malicious. You don't probably want it to go into full IPS mode, maybe into a partial IPS mode. So the functions can be disabled to operate it. Again, you can then say, oh, you know what? I don't want this to be an IPS anymore. I'm gonna make it an IDS. I will tell you that many organizations will not put the IPS functionality in place unless it's very specific and very scripted. They just don't want things to break. Um, so you're gonna have to weigh the risk to you and your business organization to go, should I flip this on or should I leave it off? Again, IDS should always be on, but do you kick the IPS piece on?
That's something you have to kind of work through. So again, running IPS in blocking mode can have detrimental impacts. No question about it. I'm telling you from experience, it can cause a lot of drama and a lot of heartache. So continuing on with IDS and IPS systems, it's built-in expertise that's resident within the IDS or IPS system. So you have knowledge-based and you have behavior-based. So the knowledge-based is signature-based. It's all based on the specific signature that it has within its brains, and it is basically making changes based on known attacks and it's just doing that, and it's doing a great job of that. But it does
Cloud Security Groups vs Firewalls
SPEAKER_01: not work well on the fly. What does that mean? It doesn't have the ability as a knowledge-based system to make changes based on what it's seeing. That is behavior-based detection or heuristic-based detection. And this statistical intrusion is caught is going to be stopped by the behavior aspects of it. So it creates a baseline of normal activities and events. And then from there, over a period of time it will start figuring out okay, this is normal, this is not normal. And then it starts making changes based on what it sees that is not normal. Now, this works really well on malware that does not have a signature or that one that changes over time. In the past, again, I know it's changed since then, but in the past, we would go in and just make a modification to the code, the source code, and then from there, we could go ahead and it would change the signature of that malware. That doesn't happen anymore because they have the ability now to be able to look inside your network and decide what it's doing from a heuristic standpoint to determine what is the best course of action. So again, behavior-based, really cool, works very well. Uh is it perfect? No. But can it help protect your organization? Most definitely. Now we have response types, active and passive response. Active response can modify your current environment in an event of an incident, right? So it is actively doing it in the event that there's something going on. Passive response provides notifications to your security or network operations centers. So active is making changes, passive is sitting there saying, hey, we have a problem. Hey, we have a problem. And you then go and will have to address the issues. Now you have host and network-based IDSs. So we call them HIDS or NIDS. The host-based IDS, it monitors it at the endpoint. And this is where the heuristic stuff can come into play. And it includes processes, applications, and all those things.
And it allows for detection of immediately at the endpoint. The downside is it can take a lot of work. And what does that mean? Is you have to deploy
IDS vs IPS Strategy
SPEAKER_01: this to all of your endpoints that you want to be monitoring. It's not as simple as I launch a button and everything gets deployed. You deploy it, it doesn't work, got to reinstall it, doesn't work, got to reinstall it. Okay, installed, but over here it didn't work. So you're just touching on all these systems trying to get them to be installed. Once they're installed, life is good, right? Don't have to worry about it anymore as far as having to have those issues. It works like a champ. Network-based IDSs, these will monitor and evaluate your network activity within an environment. And they monitor data on key systems in centralized points and are useful in detecting malicious activity that could be occurring within the network. Host-based is at the endpoint, network-based is in the network, right? So they're different systems. They're both considered very useful as the tool in your company's arsenal, but a proper architecture is required. Again, work with your architecture team to figure out which one works best for you. The whitelisting and blacklisting. So the whitelist and blacklist, these define what can and cannot run within your network. So blacklist, uh-uh, hands up, can't get out there. Whitelist, allowed in. You're allowed to come in. So those are the two different ones that are occurring. Now you're gonna have a list of different IP addresses that are gonna be on your blacklist, or you may have some that are on your whitelist that are allowed, depending on what your security is within your company. These define what can and potentially cannot run within the network. They're also based on an allow list of application services and/or capabilities that are allowed to run. So these systems are allowed to run, they're allowed to keep going. This is a situation where you decide from a whitelist or blacklist point of view, which ones are you going to use? Limiting malicious software from running within your network.
So let's just talk about this. I know from a bunch of IPs that are not allowed to come in. So I am going to blacklist those IPs so they cannot even enter into my network. The downside of that is you now have a long list of IPs that are blocked that can't come in. What happens if all of a sudden those IPs or you need to communicate with them for some reason, whatever that might be, and now your traffic is not occurring. Because that blacklist is typically used as just you put people in there and you forget about it. Set it and forget it. Then when you have a problem, people do not go back and look at the blacklist and they spend time. And time and time trying to figure out why the connection will not occur just to find out it's part of the blacklist. So it's important for you to keep that in your repertoire to always go from a network standpoint and look at these areas. Now it's based on an allowed list of applications, services, and/or capabilities which are allowed to run. And there's also malicious software keeps it from running within your network because it can't communicate outbound. There's lots of different pieces you can use for this. Some include a hashing algorithm to create a hash of the application. And there's also some that are very granular listing that can cause network challenges and complete documentation is required. What that basically means is you have to have the documentation to make these work and to be effective. So again, very granular, causing lots of network challenges, but you need complete documentation as well to be fully engaged. Third party provided security services. This is where you consider outsourcing security services to a third party. These are folks that would be ones that would actually like your MSPs, your managed service pro or your managed security service providers, uh, these would be folks that you would outsource this information to. They would be monitoring your network for you.
This can include many different types of services to include monitoring, penetration testing, audit, you name it. And I would highly recommend that if you in your company, if you have security services needed within your company, you need to go and reach out to different companies to have them help you with this. You don't have the people to be able to go and set up your own security operations center. I will tell you from personal experience, a security operations center is extremely expensive. It costs a lot of money. And if you don't have those deep pockets, you will be struggling substantially to make sure that you have what you need to make that happen. So rather than trying to build it from your ground up, you need to go out and reach out to the right people to help you with that. This may be required because of regulatory requirements. Maybe you have through PCI DSS, maybe through NYDFS. You have different requirements that are requiring you to have a security operations center in place. Now, these SaaS providers will give you security services via the cloud, uh, such as your WAF, your next generation firewalls, etc.
Host And Network IDS
SPEAKER_01: So, therefore, it's imperative that you have something in the line to be able to help you with that. Uh, Amazon, AWS, and Microsoft Azure, these are great places that you can get the security services you need, uh, but they just give you the platform. They're not the ones that are actually gonna provide that for you. You're gonna need to reach out to a SentinelOne, a Microsoft, a uh Palo Alto. You're gonna reach out to anybody that's gonna provide these MSP type of capabilities to you. Uh so therefore, plan for that. Have a good idea of what you want to do there. Uh, ensure that these third parties are giving you the information that you need to protect your organization. Sandboxing. So, this key thing around sandboxing, it provides a security boundary for applications and keeps them from interacting together. Sandboxes are also great as a litter box. I'm joking. If you've ever been to a sandbox, you'll notice that if you go there, uh there's lots of droppings from cats. Cats love sandboxes. So I used to have my kids all playing in the sandbox. We used to have this as a kid growing up, and yeah, there was lots of stuff that was dropped off in there from the local cats. Uh so that yeah, that's pretty gross. I understand. And that's very different than what we're talking about. But it isn't. It's allowed to be in that sandbox. You can operate in there and it keeps other things from interacting with it. So you have an application, it goes into the sandbox and it starts to run. What the goal is to look for any sort of known malware in this sandbox. So anti-malware applications will use sandboxing to test a known application, an unknown application or a file. So an unknown application comes in, it will test it in the sandbox, it will blow it up and it will say, Oh, we found a problem. And it will then fix the problem. Or it won't fix it, but it'll say, We have a problem. You don't want to install this application. So that's the sandbox.
But because of that, it doesn't touch anything else. Now the application thinks that it's touching the network because it might be network aware, but in that sandbox it has its own little mini network, so it thinks that it's there.
Whitelists, Blacklists, And Pitfalls
SPEAKER_01: Now the virtualization techniques are used to test applications, which we call blow up. They run them in that application sandbox. And then testing within a sandbox doesn't affect anything on the outside from a virtual machine standpoint because it's all done compartmentally within that virtual machine. The utilization of a sandbox can also tell anti-malware vendors how the software operates. So anti-malware folks, they see it blow up in the sandbox, they can go, oh, that's new. Let's put a signature for that. And they will then create a signature based on what they see, how it occurs within this overall environment. So sandboxing is a great tool for you in your overall quiver of security capabilities. Highly recommend that you do this. Now, many of the systems that you will buy security software from already have this built into their systems right now. You don't have to do anything with it, but you may have in your company the ability, you may want to incorporate your own sandbox specifically. It just kind of comes down to what your plans are. Honey pots and honey nets. I will tell you that I have some level of reservation talking about these. They are on the CISSP exam. I would say they work in some organizations; they have probably worked very well. In organizations I've led, they do not work very well. That could be because of me, probably, but they're just an expense and they didn't seem to really add much value. That being said, what is a honeypot? They're computers or virtual systems that are used to trap or decoy malicious software or actors. They are the apple. They're the apple you want to take a bite of, right? It's like out of Cinderella. I don't know if it's Cinderella, one of the whatever, whatever one of the Disney shows, you bite in the apple and then it's full of poison. So the honey pots are very similar to that.
They look and feel legitimate as normal systems, but in many ways they're virtualized. So the people coming in may go, oh, this looks like a really sweet target. I need to go after this target. But after they realize it and they get there, it's not. It's not what they thought it was. And then it has bells and whistles, fireworks go off, and everybody goes, oh no, somebody's at the gate. What are we gonna do? Those are important parts of all that. So they typically have various security vulnerabilities built into the system to make them look attractive so that you want to go after them. They grab the intruders' attention so that they focus on the target versus other systems within the network. Again, go after the shiny penny, go after the apple, avoid these systems over here. Now, they're designed to be an early warning system for intruders if they're on the network. And I will tell you that when an attacker sees a honeypot, they're gonna come up to it, they're gonna be like a dog, they're gonna sniff it, they're gonna look at it, they might even poke it a little bit just to kind of see what it is. But if it looks too good to be true, they're not gonna touch it. They're gonna walk away. They may come back to it at another point in time, but they're gonna walk away. Well, real fast, walk away. And the point of it is they know better, right?
MSSPs And SOC Realities
SPEAKER_01: Now, if your entire network is full of really crappy systems and nothing is protected, then okay, well, then it probably will work for you. But the point I'm trying to make is if you are focused on putting a honeypot in your environment, you obviously like security and you're gonna do everything you can to secure your network as much as you possibly can. So therefore, it's probably gonna look like everything is secure except this one little thing sitting out there, and they're gonna go, yeah, no, I'm not touching that. No way I'm touching that. So keep that in mind as you're doing these different things. They're designed as an early warning system, kind of talked about that. Honey nets are a group of honey pots used together to create a net. What does that mean? Okay, so now I cascade a bunch of these really cool old systems that are now vulnerable, and there are lots of little honey pots. Well, as they get together and they connect, you call that a honey net. Again, how many fish can you catch with one hook? One. How many fish can you catch with a net? A lot. So the point was that if you put more of these honey pots out there, you have a better chance of catching some bad people. I come back to this point. It's a lot to manage, and there's probably some value in it. Depending on how much you spend on them, maybe it's worth it. I'm just not a big fan of honey pots and honey nets. But again, respond to me and tell me that I'm wrong. I would love to hear it, and I would love to hear your guys' opinion on it. Enticement and entrapment. Okay, there's a big difference between these. Enticement is that on your network, it's legally fine to have a honeypot or honey net where people come in and they get it. And they see it, they nibble on it, and it's a poison and they get caught. Versus entrapment is that on the internet, if you put a honeypot out there or just available to everybody, that could be labeled entrapment. So, why is this brought up?
Well, the point of it is there's probably been some legal precedent that somebody got caught on a network and said, You entrapped me. Well, like, no, you actually trespassed and you went on the network, you got into this and we caught you. That's not entrapment. Okay, that's enticement. It's them enticing you to do something; you decided to sin, you decided to go do the thing you shouldn't do. That's your problem. If you decide to throw a honeypot out on the internet and say, hey, everybody, go check it out, and everybody goes and checks it out, that would be what they call entrapment.
Sandboxing For Safer Testing
SPEAKER_01: Anti-malware. Okay, so we're now at the end here. We got different types of endpoints, and you're dealing with anti-malware. Every system out there has some level of anti-malware on it, and it's really an important arrow in your overall security quiver. Anti-malware companies work to provide a better mousetrap, and the goal is that they deploy these to the endpoints, and people will find them, see them, and then ingest them. It's important to understand that having multiple anti-malware tools is not better. So, what does that mean? So you have out there your SentinelOne is deployed. You also have the Microsoft product that's out there and it's deployed, and then you decide to deploy another endpoint detection and response system out there. So you have two or three different ones going on. Having multiple tools is not the best option. It causes false positives, it causes all kinds of architectural challenges, it makes it extremely hard to manage. Pick one, stick with one. You don't need multiples in this space. I've seen people that go, well, this one won't get this security issue, so I'm gonna get this one because this one works on this one. Don't do that. That is just not a good idea. Having anti-malware loaded on individual computer systems is considered a best practice and highly recommended. I'd say if you're not doing it, then you should have been doing it a long time ago because, if anything, it gives you a sensor for what's happening on that device. Not having anti-malware software can leave companies open to all kinds of legal issues in the event something were to happen and you get hacked. So anti-malware systems are imperative to have on your systems completely. So do not even think about not having them. You want that because, one, it's your best education and best judgment.
Two is legally it'll put you in a position where you're not wanting to be. So anti-malware on those systems. Machine learning and artificial intelligence. Now I know with the CISSP they've made some big changes around AI and ML. And one thing to consider is this is changing dramatically. I mean, incredibly quick. This is all changing. Machine learning is part of AI, and it means that the system can improve through experience. So the system sees it, it's learning, it's also making changes, and it's getting really smart. Talk about Claude, you've got ChatGPT, you've got all kinds of these systems out there that are available.
Honeypots, Honeynets, And Legal Lines
SPEAKER_01: Now, artificial intelligence includes ML designed to help improve the processes better than what a human would do. And in addition, it's designed to do tasks that require intelligence to complete. Claude just released something as of the past couple weeks that it will integrate with all of your Word documents and all of those things and do stuff for you where you don't even have to do it. That's great. There's also some security challenges that go with some of this. So those are areas that I would challenge you all as you're listening to this to be prepared for the things that are coming within AI. ISC2 is making changes to domain one related to AI, and you'll be seeing more changes as that comes here in 2026. Artificial intelligence starts with zero knowledge again, and it builds upon that premise. So it doesn't know who you are, but then it starts building based on what you know, and then it builds a model around you specifically, and how do I help Shon with what he's got going on? Many are considering this as the future of security, and I would totally agree with that. The incorporation of AI and ML into software and into these security tools is gonna be a viable part of protecting organizations because the attackers are using that against you. So you're gonna want to incorporate AI and ML into your overall security plan as well. Okay, that's all I have for you today. I hope you all have a blessed day. I hope you all have a wonderful day, and I appreciate you listening to me. Please head on over to CISSP Cyber Training, check out what I've got for free. You also can go to YouTube. You can see all my stuff on YouTube as well. And then finally, if you would go to the podcast and give a shout out, thumbs up. If you don't want to, that's fine too.
If you have any questions or concerns, reach out to me at contact at CISSP Cyber Training, and I'm happy to help you in any way possible. Thank you again for your time today and have a wonderful day. We'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey. Thanks again for listening.