Get to know us better! Gain valuable insights into how we think by visiting our blog, or take a look at the industry events we're frequenting on our events page. You can also geek out with us by attending one of our security management webinars, or dive head first into the products and solutions we provide in our Resource Library. There's lots to keep you busy!
Unless you’re under a rock, you know that the WannaCry Ransomware cyberattack swept worldwide headlines last week.
Organizations scrambled to apply the latest Microsoft security patch to their computers to prevent the spread of the attack. It’s estimated that the ransomware attack hit more than 300,000 victims in 150 countries.
In my last post I covered how you can centralize your Windows logs on one system, send them as JSON for full detail, and use Immediate Insight's fast search and analytics to investigate alerts and discover the unknown. Now - let's take it a step further and use Sysinternals' Sysmon to capture rich details from your workstations and servers. Details like process creation/termination, file creation, driver load, network connections, and more. All of this data can then be rapidly queried, correlated, and alerted upon within Immediate Insight.
sysmon -i - accepteula -h md5 -n -l
The above installs Sysmon as a service (so it will survive reboots) and will collect data on the loading of modules, log network connections, and record MD5 hashes for any processes created.
If you want to get more in-depth: here are links to two Sysmon configuration XML files that you can review and edit on your own, conveniently pre-configured for both servers and workstations. They are excellent starting points.
Select the computers from where you want to collect the Sysmon data:
Define the query filter to grab the Sysmon events:
Unfortunately, by default, Windows Event Collector will be unable to access the Sysmon logs in the same way as it does standard logs (Application, Security, System, etc.).
You will need to set additional permissions. For each server or workstation that will be running Sysmon and centralizing those logs you will need to add the Network Service local account and the event collector local computer account into the Event Log Readers local group:
You will also need to use your domain's (or if you lack a domain - set it locally on each machine) Group Policy Management Editor to give those same two accounts permission to Manage auditing and security log as shown:
Finally - reboot each changed machine. Hey - I didn't say this would be completely easy. :)
Use Association Analytics to examine patterns of frequency and infrequency within your dataset - entities, geolocated locations (at time of data ingestion), IP addresses, networks, and more...rapidly investigate what is outside of the normal.
Use Event Clusters to investigate a large dataset rapidly - Immediate Insight finds commonality in your data and puts it in buckets so you can find both common and unusual anomalies quickly. What data looks strange?
Visualize your data using the Timeline. Look for outliers - spikes in traffic or strange locations (either in the U.S. or in the World).
Check Activity & Change to investigate how your data has changed since other periods of time - is traffic significantly higher than a normal Monday at this time? Significantly lower? Dig in! Find new data that wasn't there before - is it just a new system or application coming online or is it something anomalous?
Take a look at the Firehose to see the data streaming in live - pause and filter to troubleshoot in real-time when there is an ongoing issue or incident:
Thanks for reading - I hope that you found this post useful. Sysmon is an incredibly powerful tool that makes Windows logs substantially more valuable - it is very worth the effort to deploy it where it makes sense within your organization.
So you’ve purchased a new firewall. Now what?
You’ve got to decide which access is allowed, which isn’t allowed and whether or not rules are compliant with internal and regulatory standards.
Things are running along smoothly and then the dreaded “change.” A user submits a new access request and the fun begins. Is this access necessary? Safe? Compliant? And what happens when it’s time to retire unused rules?
How Effective Security Management Can Help Teams Cover the Exponentially Increasing Gap between Technology & the Resources Available to Manage It
Security teams today are under tremendous pressure due to the rising frequency and impact of breaches and a business that wants to move faster and faster. The answer to both of these challenges has always been to add more technology and staff resources.
However, each new technology added creates complexity. More rules are created and more data is generated. As networks continue to evolve, this complexity will only grow. And while staff resources may increase, they will never match the exponential growth of technology.
FireMon calls this phenomenon The Complexity Gap and has set out to help security teams close it.
Join us for this webinar with Frost & Sullivan where we’ll explore the causes of “The Gap” and how workforce multipliers such as intelligence and automation help staff manage their security more efficiently and more effectively.
Helping Enterprise Security Teams Improve Resource Efficiency & Reduce Overall Risk Exposure
Firewall technology has come a long way since its initial, most rudimentary forms. Next-Generation Firewalls (NGFW) are the latest development, and organizations are accelerating adoption to the new technology. But NGFWs aren’t a fix-all solution.