Intercept X Early Access Program Root Cause Analysis

Presentation on theme: "Intercept X Early Access Program Root Cause Analysis"— Presentation transcript:

1 Intercept X Early Access Program Root Cause Analysis
Stephen McKay, Product Manager – Endpoint Security Group, May 2018

2 So the Endpoint found and removed malware. What happened?
- Where did it get in?
- Should we contact a regulator?
- What damage has been done?
- Did they steal important data?
- When? How? Who? Where? What? Why?

3 Understanding the Root Cause of an attack
Sophos Data Recorder
- Operating systems: Windows 7+, Windows 2008 R2+, macOS
- Capacity: up to 30 days of activity, 100 MB, stored locally on the device, under 0.5% CPU utilization
- Records: memory, registry, network, file system, process activity

4 Threat Chain (diagram slide)
Example threat chain shown on the diagram, from root cause to detection:
- Fred.pdf created, copied from USB device (root cause)
- Fred.pdf accessed via acrobat.exe
- fred.com accessed (low-reputation site)
- Datacollector.exe created, written by iExplore.exe from URL fred.com (branch of the chain)
- Bob.exe created, written by iExplore.exe from URL fred.com
- Bob.exe reached out to C2 site
- HIPS cleaned Bob.exe (the detection event)
Diagram legend: file infection, event time, root cause. Detection event types shown: beacon event, exploit, malicious traffic, ransomware, file analytics, HIPS scan.
Root cause attribution: PDF delivered from USB. Recommended action: leverage Device Control.

Terms used on the slide:
- Threat chain: full list of IOCs from the Sophos Data Recorder, including process, registry, file and network activity.
- Branched threat chains: the threat chain includes suspect activity related to the root cause, not only the direct path to the detection.
- Process activity: the process, file, registry and network actions that make up the chain.
- Timeline of events: view the chain of events from root cause to detection and filter out unrelated activities.
- At-risk assets: identification of all productivity documents related to the complete threat chain.
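The slide describes the chain as a graph of artifacts (USB device, files, processes, URLs) joined by cause-and-effect edges, walked backwards from the detection to find the root cause and forwards from the root cause to pick up branches, with unrelated recorder activity filtered out. The following is an added example, not code from the presentation or from Sophos, that models that analysis on a constructed event set modelled on the slide's diagram (the `usb:`/`file:`/`proc:`/`url:` artifact prefixes, the `Event` fields, the timestamps and the unrelated `explorer.exe`/`outlook.exe` entries are all assumptions):

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Added example: a small model of the threat-chain / root-cause analysis the
# slides describe. Event records, artifact names and field names below are
# constructed for illustration; they are not Sophos Data Recorder output.


@dataclass(frozen=True)
class Event:
    time: int      # seconds since recording started (constructed value)
    cause: str     # artifact whose activity triggered the action
    action: str
    effect: str    # artifact produced or touched by the action


# Artifacts carry a kind prefix (usb:, file:, proc:, url:) so the different node
# types can be told apart. Edges already point in cause -> effect direction.
RECORDED = [
    Event(100, "usb:E:",            "copied",     "file:Fred.pdf"),
    Event(130, "file:Fred.pdf",     "opened_in",  "proc:acrobat.exe"),
    Event(131, "proc:acrobat.exe",  "connected",  "url:fred.com"),
    Event(135, "url:fred.com",      "downloaded", "file:Datacollector.exe"),
    Event(136, "url:fred.com",      "downloaded", "file:Bob.exe"),
    Event(140, "file:Bob.exe",      "executed",   "proc:Bob.exe"),
    Event(141, "proc:Bob.exe",      "read",       "file:Quarterly-Results.docx"),
    Event(145, "proc:Bob.exe",      "connected",  "url:c2.example"),
    # Unrelated activity the recorder also captured; it must not appear in the chain.
    Event(150, "proc:explorer.exe", "opened",     "file:Budget.xlsx"),
    Event(160, "proc:outlook.exe",  "wrote",      "file:Invoice.pdf"),
]

DOC_EXTENSIONS = (".pdf", ".docx", ".xlsx", ".pptx")  # productivity documents (assumption)


def build_graph(events):
    """Index events as parent (cause) and child (effect) adjacency sets."""
    parents, children = defaultdict(set), defaultdict(set)
    for e in events:
        parents[e.effect].add(e.cause)
        children[e.cause].add(e.effect)
    return parents, children


def closure(start, neighbours):
    """All artifacts reachable from start by following the given adjacency (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for n in neighbours.get(node, ()):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def root_causes(events, detected):
    """Walk back from the detected artifact; ancestors with no cause are the roots."""
    parents, _ = build_graph(events)
    ancestors = closure(detected, parents) or {detected}
    return sorted(a for a in ancestors if not parents.get(a))


def threat_chain(events, detected):
    """Ancestors of the detection plus everything branching off the root cause."""
    parents, children = build_graph(events)
    chain = {detected} | closure(detected, parents)
    for root in root_causes(events, detected):
        chain |= closure(root, children)
    return chain


def timeline(events, detected):
    """Chain events only, in time order; unrelated recorder activity drops out."""
    chain = threat_chain(events, detected)
    return sorted((e for e in events if e.cause in chain and e.effect in chain),
                  key=lambda e: e.time)


def at_risk_assets(events, detected):
    """Productivity documents that are part of the complete threat chain."""
    chain = threat_chain(events, detected)
    return sorted(a for a in chain
                  if a.startswith("file:") and a.lower().endswith(DOC_EXTENSIONS))


def recommended_action(root):
    """Only the mapping the slide shows (USB -> Device Control); the rest is a placeholder."""
    if root.startswith("usb:"):
        return "Leverage Device Control"
    return "Review root cause artifact"


if __name__ == "__main__":
    detected = "proc:Bob.exe"  # artifact the HIPS detection fired on
    for root in root_causes(RECORDED, detected):
        print("Root cause:", root, "->", recommended_action(root))
    for e in timeline(RECORDED, detected):
        print(f"{e.time:>4}  {e.cause} --{e.action}--> {e.effect}")
    print("At-risk assets:", at_risk_assets(RECORDED, detected))
```

Walking back from `proc:Bob.exe` reaches `usb:E:` as the only artifact with no cause, which matches the slide's attribution to a PDF delivered from USB; walking forward from that root pulls `Datacollector.exe` into the chain as a branch even though it never led to the detection, while the `explorer.exe` and `outlook.exe` events are excluded because they are not connected to the chain.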

5 Main landing page: archive of all RCA cases
- Provides a list of all RCA cases.
- RCA in the Server Protection area defaults to showing Server RCA cases; the view can be changed to show Endpoint RCA cases or all RCA cases.
- Priority is determined algorithmically and can be set by a reviewer.
- Shows the detection that triggered generation of the RCA case.
- An RCA case should be available about 5 minutes after the detection event.

6 Overview page: overview and activity record
- Summary showing the identified root cause application.
- Shows whether business files were interacted with during the attack.
- Admin can mark the case as in progress or closed.
- Admin can change the priority based on their investigation.
- Activity records allow administrators to take notes on the case and document actions taken.

7 Artifacts: view all associated artifacts
- Lists all process, file, registry and network activity involved.
- Excludes processes and actions not associated with the attack.
- Details provide additional information on each artifact.
- Search and sort to see details.

8 Visualization: see what happened and how
- Provides a process graph showing the chain of events that led to the detection.
- Processes and actions not associated with the attack are not included.
- Shows the type of interaction between processes, files, network and registry.
- Visualization of the various indicators can be turned on or off.
- Selecting a node on the graph provides additional details.
