In the movies, a security operations center has cool displays with surveillance software that instantly warns the defenders with “Intruder Detected” in a flashing OCR font and visualizes the attacker's movement through the network. If only it were that easy – the system would just stop the intruder in the first place.
In the real world it's very different. You have a flood of information (though most of it is actually data – not information) and vague indicators of attack that could be legitimate anomalies, completely false positives or – and I hate these as much as you do – just inexplicable “weirdness”.
But the more you know your systems, the more data you collect, and the more powerful your analysis tools, the better your likelihood of actually catching attackers before they do real damage to your business. In this real training for free ™ webinar we will look at 5 indicators that evil is present on a Windows host:
- Rogue process detection
- Evidence of persistence
- Suspicious traffic
- Unusual OS artifacts
- Command/user role mismatches
I'll explain each of these indicators in detail and provide real world examples.
We will explore useful resources such as the National Software Reference Library (NSRL) which is a collection of known legitimate software programs that you can use to greatly reduce false positive rogue process detections.
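The NSRL comparison described above is simple to demonstrate: hash the image of each running process and drop anything whose hash appears in the Reference Data Set, so only unknown binaries remain for rogue-process review. The block below is an added example written for this page, not code from the webinar or from the NSRL project. It uses the column names of the legacy NSRL RDS NSRLFile.txt layout (SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode); the rows and the "binaries" are constructed placeholders, not real NSRL entries, and the treatment of SpecialCode "M" as a known-bad marker is an assumption stated in the code.

```python
import csv
import hashlib
import io

# Constructed stand-ins for executable contents. These are placeholder bytes, not
# real Windows binaries, so the hashes derived from them are not real NSRL values.
CONSTRUCTED_BINARIES = {
    "notepad.exe": b"constructed: notepad placeholder bytes",
    "svchost.exe": b"constructed: svchost placeholder bytes",
}


def build_sample_rds(binaries):
    """Build an RDS-style NSRLFile.txt excerpt from constructed contents.

    The header uses the legacy NSRL RDS 2.x column names; every data row is
    generated here for the example and is not a genuine NSRL record.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                     "ProductCode", "OpSystemCode", "SpecialCode"])
    for name, data in binaries.items():
        writer.writerow([
            hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            "00000000",          # CRC32 not needed for the lookup; placeholder
            name,
            str(len(data)),
            "0", "0", "",        # ProductCode, OpSystemCode, SpecialCode (empty = no flag)
        ])
    return out.getvalue()


def load_rds(rds_text):
    """Parse RDS text into two sets of lower-case SHA-1 values: known-good and known-bad.

    Assumption for this example: a SpecialCode of "M" marks a record as known
    malicious, so such hashes must not be used to suppress an alert.
    """
    known_good, known_bad = set(), set()
    for row in csv.DictReader(io.StringIO(rds_text)):
        sha1 = row["SHA-1"].strip().lower()
        if row.get("SpecialCode", "").strip().upper() == "M":
            known_bad.add(sha1)
        else:
            known_good.add(sha1)
    return known_good, known_bad


def sha1_of(data):
    """SHA-1 of a process image as lower-case hex (RDS stores upper-case; we normalise)."""
    return hashlib.sha1(data).hexdigest()


def triage_processes(observed, known_good, known_bad):
    """Classify observed (process name, image bytes) pairs.

    Returns a dict with:
      "known_bad"  - images whose hash is flagged malicious in the reference set
      "unknown"    - images not in the reference set at all (rogue-process candidates)
    Anything hashed to a known-good entry is dropped, which is the false-positive
    reduction the NSRL comparison provides.
    """
    result = {"known_bad": [], "unknown": []}
    for name, image in observed:
        digest = sha1_of(image)
        if digest in known_bad:
            result["known_bad"].append(name)
        elif digest not in known_good:
            result["unknown"].append(name)
    return result


def demo():
    """Run the triage over a constructed process list and return the classification."""
    known_good, known_bad = load_rds(build_sample_rds(CONSTRUCTED_BINARIES))
    # Constructed observation: one intact known binary, one binary with the right name
    # but modified contents, and one name the reference set has never seen.
    observed = [
        ("notepad.exe", CONSTRUCTED_BINARIES["notepad.exe"]),
        ("svchost.exe", b"constructed: tampered svchost placeholder bytes"),
        ("updater.exe", b"constructed: unlisted placeholder bytes"),
    ]
    return triage_processes(observed, known_good, known_bad)


if __name__ == "__main__":
    print(demo())
```

The point of hashing the image rather than trusting the file name is visible in the constructed run: the process named svchost.exe survives triage because its contents do not match the reference hash, while the genuine notepad.exe is silently discarded. On a real host you would replace `CONSTRUCTED_BINARIES` and the observed list with the executable paths reported by the process enumeration tool you already use, and load the full RDS file instead of the generated excerpt.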
This is all part of what many folks are calling Endpoint Threat Detection and Response ("ETDR"). A. N. Ananth, CEO of our sponsor, EventTracker, will briefly show you how EventTracker can automate detection of these five indicators of evil. We'll also talk more about what ETDR means, how new it is, and whether or not it's just the next iteration of IDS. We'll also discuss ETDR's relationship to SIEM and how log collection agents are the new "endpoint sensors".
Don't miss this technical and timely real training for free ™ event. Please register now.