Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Presentation transcript:

Nexthink V5 Demo Security – Malicious Anomaly

Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection is not enough anymore to deal with advanced targeted malware detection and prevention. By 2018, 80% of endpoint protection platforms will include user activity monitoring, analytics and forensic capabilities, up from less than 5% in 2013 (Source: Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence, 30 May 2013, ID G , by Neil MacDonald)

Solution › Add behavior and anomaly detection to uncover risky activity and compromised devices › Need to deal with a mix of malware, negligence and technology glitches. It's all about 360-degree insight all the time to: › Quickly mitigate the risks of employees' malware-infected PCs. Nexthink automatically analyzes the local and network activity to find PCs that connect to rogue destinations that aren't typical › Become aware early enough of suspicious activity, misused systems, privilege abuse or careless behavior before it turns into damaging attacks or activities › Validate that appropriate configurations and policies remain enforced over time

An alert came into our system notifying us of malicious activity in our infrastructure. Here is the alert displayed in the Finder.

Let’s drill-down to the alert…

4 devices with dangerous activity…

Let’s see what binary(ies) are involved

We can see a background process (no user interaction) sending a fair amount of traffic out, already flagged as a high threat by the analytics platform.

Let's look at the network behavior and related anomalies… Here we see a periodic outbound connection sending 4 MB of data each time to a web domain in China. 4 internal computers are compromised. We have all the data here (ports, IP addresses, device names, binary name and path, ...) to react right away and stop any further impact.

Here is how to extract all the data behind the visualization…

One click and here you are… copy/paste into Excel works like a charm for sharing with your colleagues.

Let’s look at where the data is going…

Oh, the Chinese Dropbox-like service…

Now that the malware is no longer running and all related ports and domains have been blocked, let's go back in time to understand how we got hit and why, and put in place the relevant preventive measures.

Here is the alert related to this device….

It all started from this toolbar installation…

That looks like it executed 2 binaries…

Let’s see more…

First we have the setup.exe (to install the toolbar)… where was this running from?

Hummm…. USB key (again!)

Not only was it executed locally, it also connected to the outside… not for long and not a lot of traffic, but long enough to bring the malware in. Grrrrr!!!

Let's look at the domain the malware came from… The connection was initiated from inside, so it went straight through our perimeter defense… we need to enhance our protection there for sure!

Let's add some additional information from the centralized Nexthink Library.

That's a website you don't want to connect to. Let's also block it!

Curious why our endpoint security did not detect and block this activity and malware code… Let's see whether the AV and anti-spyware are configured and up to date… We might have a hole there…

Let’s select the security compliance checks I want to make…

Here are the 4 infected machines… with all protection in place and running fine…

So let's see what this malware is by exporting the hash to VirusTotal for analysis…

Ok, 16 AV engines identified this binary as a trojan. We are running Microsoft Forefront… Let's find it…

Here it is… Ok, got it… No luck this time… Thankfully we did not rely only on protection but also had real-time activity monitoring and anomaly analytics; otherwise I don't know how much data would have gone out, or from how many computers.

Let's implement a watch on executables running from a USB key and connecting to the outside; such awareness can definitely help catch many other variants of this type of threat.

Any time an exe on any device connects to the outside, now I will know!
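The two detections the demo walks through (the periodic same-size outbound connections that exposed the four compromised PCs, and the watch on executables run from a USB key that connect outside) can be expressed as simple rules over endpoint telemetry. The following is an added example written for this page, not Nexthink code and not its alert logic: it assumes a flat per-connection record format (timestamp, device, binary path, a removable-media flag, destination, bytes out), runs over a constructed sample that mirrors the demo's situation, and uses assumed thresholds (coefficient of variation of 0.15 for "periodic" and "same size"). The domains use the reserved .invalid TLD and the IPs come from documentation ranges, so nothing here points at a real host.

```python
"""Beaconing and removable-media detections over constructed endpoint telemetry.

Assumed record schema (not Nexthink's): ts, device, user, interactive, binary,
removable, dst_host, dst_ip, dst_port, bytes_out.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

MB = 1024 * 1024
BASE = datetime(2015, 3, 25, 8, 0, 0)   # constructed anchor time for the sample

# Constructed internal ranges; 192.0.2.0/24 stands in for the corporate LAN.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]


def _beacon(device, period=600, size=4 * MB):
    """Four connections from one background binary, ~every 10 min, ~4 MB each
    (constructed; small jitter in timing and size as real traffic would show)."""
    return [
        {"ts": BASE + timedelta(seconds=i * period + jitter), "device": device,
         "user": "SYSTEM", "interactive": False,
         "binary": r"C:\ProgramData\tbhelper\updsvc.exe", "removable": False,
         "dst_host": "share.example-cn.invalid", "dst_ip": "203.0.113.25",
         "dst_port": 443, "bytes_out": size + delta}
        for i, (jitter, delta) in enumerate([(0, 0), (3, 1200), (-2, -800), (1, 300)])
    ]


EVENTS = (
    _beacon("PC-01") + _beacon("PC-02") + _beacon("PC-03") + _beacon("PC-04")
    # The initial vector from the demo: setup.exe run from a USB key two days earlier.
    + [{"ts": BASE - timedelta(days=2), "device": "PC-01", "user": "jdoe",
        "interactive": True, "binary": r"E:\setup.exe", "removable": True,
        "dst_host": "dl.example-toolbar.invalid", "dst_ip": "198.51.100.7",
        "dst_port": 80, "bytes_out": 120 * 1024}]
    # Benign, irregular intranet browsing on a fifth device (must not be flagged).
    + [{"ts": BASE + timedelta(seconds=s), "device": "PC-05", "user": "asmith",
        "interactive": True, "binary": r"C:\Program Files\Browser\browser.exe",
        "removable": False, "dst_host": "intranet.example.invalid",
        "dst_ip": "192.0.2.10", "dst_port": 443, "bytes_out": b}
       for s, b in [(0, 2000), (45, 91000), (900, 500), (1100, 330000)]]
)


def is_external(ip):
    """True when the destination is outside the configured internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _cv(values):
    """Coefficient of variation (population stdev / mean); inf for a zero mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(events, min_count=3, max_cv=0.15):
    """Group connections by (device, binary, destination) and flag groups whose
    inter-connection intervals AND payload sizes are both near-constant."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["device"], e["binary"], e["dst_host"])].append(e)
    beacons = {}
    for key, evs in groups.items():
        if len(evs) < min_count:
            continue
        evs.sort(key=lambda e: e["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes_out"] for e in evs]
        if _cv(intervals) <= max_cv and _cv(sizes) <= max_cv:
            beacons[key] = {
                "count": len(evs),
                "period_s": round(mean(intervals)),
                "bytes_per_conn": round(mean(sizes)),
                "dst_ip": evs[0]["dst_ip"],
                "dst_port": evs[0]["dst_port"],
                "background": not any(e["interactive"] for e in evs),
                "external": is_external(evs[0]["dst_ip"]),
            }
    return beacons


def compromised_devices(beacons):
    """Sorted list of devices that have at least one beaconing group."""
    return sorted({device for device, _, _ in beacons})


def find_removable_outbound(events):
    """The 'exe running from a USB key and connecting outside' watch."""
    return [e for e in events if e["removable"] and is_external(e["dst_ip"])]


if __name__ == "__main__":
    hits = find_beacons(EVENTS)
    for (device, binary, host), s in sorted(hits.items()):
        print(f"{device}: {binary} -> {host}:{s['dst_port']} ({s['dst_ip']}) "
              f"every ~{s['period_s']}s, ~{s['bytes_per_conn'] / MB:.1f} MB, "
              f"background={s['background']}")
    print("compromised:", compromised_devices(hits))
    for e in find_removable_outbound(EVENTS):
        print(f"USB exec: {e['device']} {e['binary']} -> {e['dst_host']} by {e['user']}")
```

Running the block prints the four beaconing PCs with the same port, IP, binary path and payload size the demo reads off its visualisation, and one removable-media hit for the setup.exe on PC-01. The two thresholds are deliberately loose; on production telemetry you would tune `min_count` and `max_cv` per environment and feed the flagged groups to the same block-and-investigate workflow the narrative follows.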

Let’s use the Portal to report such dangerous activities in a dashboard (for our CISO)