Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Presentation transcript:

1 Nexthink V5 Demo Security – Malicious Anomaly

2 Situation
› Avoid the damage resulting from the incident itself and the cost of the unplanned response
› Protection alone is no longer enough to detect and prevent advanced targeted malware
By 2018, 80% of endpoint protection platforms will include user activity monitoring, analytics and forensic capabilities, up from less than 5% in 2013 (Source: Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence, 30 May 2013, ID G00252476, by Neil MacDonald)

3 Solution
› Add behavior and anomaly detection to uncover risky activity and compromised devices
› Deal with a mix of malware, negligence and technology glitches. It's all about 360-degree insight, all the time, to:
Quickly mitigate the risk of employees' malware-infected PCs. Nexthink automatically analyzes local and network activity to find PCs that connect to rogue destinations that are not typical for them
Become aware early enough of suspicious activity, misused systems, privilege abuse or careless behavior before it turns into damaging attacks or activities
Validate that the appropriate configurations and policies remain enforced over time

4 An alert came into our system notifying us of malicious activity in our infrastructure. Here is the alert displayed in the Finder.

5 Let’s drill-down to the alert…

6 4 devices with dangerous activity…

7 Let's see which binaries are involved

8 We can see a background process (no user interaction) sending quite a lot of traffic out, already flagged as a high threat by the analytics platform

9 Let's look at the network behavior and related anomalies… Here we see a periodic outbound connection sending 4 MB of data each time to a web domain in China. 4 internal computers are compromised. We have all the data here (ports, IP addresses, device names, binary name and path, ...) to react right away and stop any further impact

10 Here is how to extract all the data behind the visualization…

11 One click and here you are… copy/paste into Excel works like a charm to share with your colleagues

12 Let’s look at where the data is going…

13 Oh, the Chinese dropbox-like service…

14 Now that the malware is no longer running and all related ports and domains have been blocked, let's go back in time to understand how we got hit and why, and put in place the relevant preventive measures

15 Here is the alert related to this device….

16 It all started from this toolbar installation….

17 That looks like it executed 2 binaries….

18 Let’s see more…

19 First we have the setup.exe (to install the toolbar)… where was this running from?

20 Hummm…. USB key (again!)

21 Not only executed locally, but also connected to the outside… not for long and not a lot of traffic, but long enough to bring the malware in. Grrr!!!

22 Let's look at the domain the malware came from…. The connection was initiated from inside, so it went straight through our perimeter defense… we need to enhance our protection there for sure!

23 Let's add some additional information coming from the centralized Nexthink Library

24 That's a web site you don't want to connect to. Let's also block it!

25 Curious why our endpoint security did not detect and block this activity and malware code…. Let's see how the AV and Anti-Spyware are configured and whether they are up to date… We might have a hole there….

26 Let’s select the security compliance checks I want to make…

27 Here are the 4 infected machines… with all protection in place and running fine….

28 So let's see what this malware is by exporting the hash to VirusTotal for analysis…

29 Ok, 16 AV engines identified this binary as trojan-type code. We are running Microsoft ForeFront… Let's find it….

30 Here it is…. Ok, got it… No luck this time… Thankfully we did not rely only on protection but had real-time activity monitoring and anomaly analytics, otherwise I don't know how much data would have gone out, from how many computers

31 Let's implement a watch on exe files running from a USB key and connecting to the outside; such awareness can definitely help catch many other variants of this type of threat

32 Any time any exe on any device connects to the outside, now I will know!
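The two watch rules the demo walks through, the periodic fixed-size upload from a background process (slide 9) and the executable run from a USB key that connects to the outside (slides 31 and 32), expressed as detection logic over endpoint telemetry. This is an added example in Python and is not part of the presentation or of Nexthink's product; the telemetry records, field names, removable-drive letters, thresholds and IP addresses are all constructed assumptions for illustration.

```python
"""Toy endpoint-telemetry analytics (constructed example, not Nexthink output).

Rule 1: a non-interactive process that talks to an external host at a near-
        constant interval with near-constant payload size (beaconing / upload).
Rule 2: an executable launched from removable media that reaches an external host.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: int            # epoch seconds when the connection was opened
    device: str
    binary: str        # full path of the executable (assumed field)
    interactive: bool  # True if the process belonged to a visible user session
    dst_ip: str
    dst_port: int
    bytes_out: int


# Assumed: drive letters the endpoint agent reported as removable media.
REMOVABLE_DRIVES = ("D:\\", "E:\\", "F:\\")

# Explicit RFC 1918 / loopback / link-local list rather than ipaddress.is_private,
# which would also classify the documentation ranges used in the sample as non-external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(conns, min_count=4, max_interval_cv=0.10, max_size_cv=0.05):
    """Group flows by (device, binary, destination) and flag background processes
    whose inter-connection intervals and payload sizes barely vary (low
    coefficient of variation). Interactive traffic and internal destinations are ignored."""
    groups = defaultdict(list)
    for c in conns:
        if not c.interactive and is_external(c.dst_ip):
            groups[(c.device, c.binary, c.dst_ip, c.dst_port)].append(c)
    hits = []
    for (device, binary, ip, port), flows in groups.items():
        if len(flows) < min_count:
            continue
        flows.sort(key=lambda c: c.ts)
        intervals = [b.ts - a.ts for a, b in zip(flows, flows[1:])]
        sizes = [c.bytes_out for c in flows]
        if pstdev(intervals) / mean(intervals) <= max_interval_cv and \
           pstdev(sizes) / mean(sizes) <= max_size_cv:
            hits.append({"device": device, "binary": binary, "dst": f"{ip}:{port}",
                         "period_s": round(mean(intervals)),
                         "bytes_per_beacon": round(mean(sizes)),
                         "total_out": sum(sizes)})
    return hits


def find_removable_exec_egress(conns):
    """Flag executables run from removable media that reached an external host,
    one hit per (device, binary, destination)."""
    seen, hits = set(), []
    for c in conns:
        if c.binary.upper().startswith(REMOVABLE_DRIVES) and is_external(c.dst_ip):
            key = (c.device, c.binary, c.dst_ip)
            if key not in seen:
                seen.add(key)
                hits.append({"device": c.device, "binary": c.binary,
                             "dst": c.dst_ip, "bytes_out": c.bytes_out})
    return hits


T0 = 1_700_000_000
# Constructed sample telemetry. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    # hourly ~4 MB upload from a background process: should be flagged
    *[Conn(T0 + i * 3600, "PC-01", r"C:\ProgramData\svchelper.exe", False,
           "203.0.113.10", 443, size)
      for i, size in enumerate((4_000_000, 4_001_000, 3_999_000, 4_000_500, 4_000_000))],
    # interactive browsing: ignored
    Conn(T0 + 10, "PC-02", r"C:\Program Files\Chrome\chrome.exe", True, "203.0.113.20", 443, 900),
    # irregular background updater: intervals and sizes vary, not flagged
    *[Conn(T0 + t, "PC-03", r"C:\Program Files\Updater\updater.exe", False,
           "198.51.100.5", 443, s)
      for t, s in ((0, 500), (600, 2_400), (5_600, 90_000), (5_720, 1_100), (14_720, 300))],
    # periodic backup to an internal server: internal destination, not flagged
    *[Conn(T0 + i * 3600, "PC-01", r"C:\Program Files\Backup\backup.exe", False,
           "10.0.0.5", 445, 50_000_000) for i in range(5)],
    # setup.exe run from a USB key: one internal and one external connection
    Conn(T0 + 5, "PC-01", r"E:\setup.exe", True, "10.0.0.5", 445, 200),
    Conn(T0 + 7, "PC-01", r"E:\setup.exe", True, "198.51.100.77", 80, 12_000),
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE) + find_removable_exec_egress(SAMPLE):
        print(hit)
```

The beacon rule keys on regularity rather than on volume, so it would still catch a smaller periodic upload; the thresholds (`min_count`, the two coefficient-of-variation limits) are the tuning knobs a practitioner would adjust against their own baseline, and the internal-network list should be extended with the organization's real address ranges.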

33 Let’s use the Portal to report such dangerous activities in a dashboard (for our CISO)

