Intercept X Early Access Program Root Cause Analysis

Intercept X Early Access Program: Root Cause Analysis
Stephen McKay, Product Manager, Endpoint Security Group
May 2018

So the endpoint found and removed malware. What happened?
Where did it get in?
Should we contact a regulator?
What damage has been done?
Did they steal important data?
When? How? Who? Where? What? Why?

Understanding the root cause of an attack: the Sophos Data Recorder
Operating systems: Windows 7+, Windows Server 2008 R2+, macOS
Capacity: up to 30 days of activity in 100 MB, stored locally on the device, at under 0.5% CPU utilization
What it records: memory, registry, network, file system and process activity

Branched threat chains: a threat chain includes the suspect activity related to the root cause, branched out of the recorded process activity.
At-risk assets: identification of all productivity documents related to the complete threat chain.
Threat chain: the full list of IOCs from the Sophos Data Recorder, including process, registry, file and network activity.
Timeline of events: view the chain of events from root cause to detection, filtering out unrelated activity.
Event types shown on the timeline: file infection, beacon, exploit, malicious traffic, ransomware, file analytics, HIPS scan.

Example chain from the slide, in time order from root cause to detection:
  Fred.pdf created, copied from a USB device
  Fred.pdf accessed via acrobat.exe
  fred.com accessed (low-reputation site)
  Datacollector.exe created, written by iExplore.exe from URL fred.com
  Bob.exe created
  Bob.exe reached out to a C2 site
  HIPS cleaned Bob.exe
Root cause attribution: PDF delivered from USB.
Recommended action: leverage Device Control.

Main landing page: archive of all RCA cases
Provides a list of all RCA cases.
RCA in the Server Protection area defaults to showing Server RCA cases; the view can be changed to show Endpoint RCA cases or all RCA cases.
Priority is determined algorithmically and can be overridden by a reviewer.
Shows the detection that triggered generation of the RCA case.
An RCA case should be available about 5 minutes after the detection event.

Overview page: overview and activity record
Summary showing the identified root-cause application.
Shows whether business files were interacted with during the attack.
Admin can mark the case as in progress or closed.
Admin can change the priority based on their investigation.
Activity records allow administrators to take notes on the case and document the actions taken.

Artifacts: view all associated artifacts
List of all process, file, registry and network activity involved.
Excludes processes and actions not associated with the attack.
Details provide additional information on each artifact.
Search and sort to see details.

Visualization: see what happened and how
Provides a process graph showing the chain of events that led to the detection.
Processes and actions not associated with the attack are not included.
Shows the type of interaction between processes, files, network and registry.
Visualization of the various indicators can be turned on or off.
Selecting a node on the graph provides additional details.
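The threat-chain idea on the earlier slide (walk from the detection back to the root cause, then show only the activity that belongs to that chain) and the filtered artifact list and process graph described on the Artifacts and Visualization slides can be made concrete in a few dozen lines. The following is an added illustrative example, not Sophos code and not a description of how the Data Recorder or Intercept X actually attributes root cause. It builds a small provenance graph from a constructed activity log (the process, file, URL and device names are made up to mirror the slide's Fred.pdf/Bob.exe scenario, and the root-cause attribution table is an assumption of the example), walks backwards in time from the detection to find the root cause, keeps only the activity that descends from that root so that unrelated events such as another application writing a document are excluded, and lists the productivity documents touched along the way as at-risk assets.

```python
"""Toy root-cause analysis over a recorded endpoint activity log.

Added example, not Sophos code.  Nodes are 'kind:name' strings
(proc, file, url, dev); each event is (time, action, src, dst),
meaning "src produced or acted on dst at time".
"""

# Constructed sample log following the slide's scenario, plus two
# unrelated events that a good RCA must leave out of the threat chain.
EVENTS = [
    (0,  "wrote",      "proc:acrobat.exe",       "file:Old.docx"),          # before compromise
    (1,  "copied",     "dev:USB",                "file:Fred.pdf"),          # by explorer.exe
    (2,  "opened",     "file:Fred.pdf",          "proc:acrobat.exe"),
    (3,  "connected",  "proc:acrobat.exe",       "url:fred.com"),           # low-reputation site
    (4,  "launched",   "proc:acrobat.exe",       "proc:iexplore.exe"),
    (5,  "connected",  "proc:iexplore.exe",      "url:fred.com"),
    (6,  "downloaded", "url:fred.com",           "file:Datacollector.exe"), # written by iexplore.exe
    (7,  "executed",   "file:Datacollector.exe", "proc:Datacollector.exe"),
    (8,  "wrote",      "proc:Datacollector.exe", "file:Bob.exe"),
    (9,  "executed",   "file:Bob.exe",           "proc:Bob.exe"),
    (10, "wrote",      "proc:acrobat.exe",       "file:Notes.docx"),        # touched after compromise
    (11, "connected",  "proc:Bob.exe",           "url:c2.example"),         # beacon
    (12, "wrote",      "proc:outlook.exe",       "file:Q3_report.docx"),    # unrelated activity
]
DETECTION = (13, "hips_cleaned", "proc:Bob.exe")   # the event that opens the RCA case

PRODUCTIVITY_EXT = (".pdf", ".docx", ".xlsx", ".pptx")

# Illustrative attribution table keyed on the kind of the root node
# (an assumption of this example, not Sophos's logic).
ATTRIBUTION = {
    "dev":  ("Delivered via removable media", "Enforce Device Control on removable storage"),
    "url":  ("Downloaded from the web", "Block the site with web filtering"),
    "file": ("Pre-existing local file", "Establish how the file arrived (mail, share, installer)"),
    "proc": ("Started by a running process", "Review the launching application's exposure"),
}


def backward_closure(events, start, start_time):
    """Nodes that could have led to `start`, honouring time: an edge into a
    node only counts if it happened before the point at which that node mattered."""
    latest = {start: start_time}          # node -> latest relevant time
    stack = [start]
    while stack:
        node = stack.pop()
        for t, _, src, dst in events:
            if dst == node and t <= latest[node] and latest.get(src, -1) < t:
                latest[src] = t
                stack.append(src)
    return latest


def forward_closure(events, root, root_time):
    """Everything the root went on to influence, again time-ordered, so a
    process's actions from before it was tainted are not pulled in."""
    earliest = {root: root_time}          # node -> time it became tainted
    stack, chain = [root], set()
    while stack:
        node = stack.pop()
        for ev in events:
            t, _, src, dst = ev
            if src == node and t >= earliest[node]:
                chain.add(ev)
                if t < earliest.get(dst, float("inf")):
                    earliest[dst] = t
                    stack.append(dst)
    return earliest, sorted(chain)


def analyse(events, detection):
    det_time, _, det_node = detection
    ancestors = backward_closure(events, det_node, det_time)
    # Root candidates: ancestors with no recorded cause of their own.
    roots = [n for n, t in ancestors.items()
             if not any(dst == n and et <= t for et, _, _, dst in events)]
    root = min(roots, key=lambda n: ancestors[n])      # earliest uncaused ancestor
    tainted, chain = forward_closure(events, root, ancestors[root])
    at_risk = sorted(n for n in tainted
                     if n.startswith("file:") and n.lower().endswith(PRODUCTIVITY_EXT))
    cause, action = ATTRIBUTION[root.split(":", 1)[0]]
    return {
        "root": root,
        "root_cause": cause,
        "recommended_action": action,
        "timeline": chain + [detection],      # root cause ... detection, in time order
        "artifacts": sorted(tainted),         # what the Artifacts view would list
        "at_risk_assets": at_risk,
        "excluded_events": len(events) - len(chain),
    }


if __name__ == "__main__":
    rca = analyse(EVENTS, DETECTION)
    print(f"Root cause: {rca['root']} ({rca['root_cause']})")
    print(f"Recommended action: {rca['recommended_action']}")
    print(f"At-risk assets: {rca['at_risk_assets']}")
    for ev in rca["timeline"]:
        print("  ", *ev)
```

Run stand-alone it reports dev:USB as the root cause with a Device Control recommendation, lists Fred.pdf and Notes.docx as at-risk assets, and leaves Old.docx and Q3_report.docx out of the chain. The time bounds in both walks are the important design point: without them a long-lived process such as acrobat.exe would drag every file it ever touched into the chain, which is the dependency explosion that the "excludes processes and actions not associated with the attack" behaviour on the Artifacts and Visualization slides is there to avoid.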