How to Detect 2 Computers on Your Network Talking to Each Other for the First Time and Why It Matters

Webinar Registration

OK, here's an awesome example of finding the needle in the haystack. What if you could analyze the security logs of all the computers on your network to detect the first time 2 computers ever connect?

First, what's the value? Well, let's set some context. If packets left trails like foot traffic leaves on a landscape you'd see that there are well established paths on your network:

  • Workstations initiate connections to servers
  • Any specific workstation tends to talk to the same servers
  • Some servers initiate connections to other servers
  • Again, a typical server is going to talk to a finite set of other servers

There are always exceptions, like vulnerability management systems, which will try to connect to every IP address out there.

The point is that any given computer will, over time, establish a pattern of systems it talks to and systems it never talks to because it has no reason to. For instance, most workstations in the customer service department will never have reason to talk to the project management server used by the R&D department.

No legitimate reason anyway. But when a computer in customer service gets compromised by a phishing attack, that attacker is going to use that workstation as a beachhead from which to work his way out into other systems. He will invariably attempt to communicate with computers the legitimate user of that system has no reason to access.

So keeping an eye on new and odd traffic patterns is a very cool way to get early warning that an attacker is embedded in your network and on the prowl.

In this webinar we'll look at how to accomplish this using Windows Security Events. It requires more sophisticated analysis than your average filter but it's possible. We will examine using:

  • Windows logon events
  • Windows firewall events

Windows logon events are a good place to start because you are already likely collecting them. Windows firewall events provide even deeper visibility, though there are of course a lot more of them.

I'll start off by showing you

  • Exactly which security events we'll be analyzing
  • How to configure your audit policy to generate them
  • What it takes to analyze the events and what they mean. For instance, we'll look at event IDs 4624 and 4625 to understand why only the Logon Type, Computer Name and Workstation Name fields matter.
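
As an added illustration of the first-contact logic the webinar describes (example code written for this page, not LogRhythm's rules or the presenter's material), the following tracks network logons (Logon Type 3) from 4624/4625 events keyed on Workstation Name and the logging Computer, and raises an alert the first time a source/destination pair appears. The event records and host names are constructed; the functions and the `known_pairs` baseline are my own naming.

```python
from collections import namedtuple

NETWORK_LOGON_TYPE = 3  # type 3 = network logon, the kind a remote peer generates

# Constructed sample events (not real log data). Fields mirror the ones the
# talk calls out: Logon Type, the logging Computer, and Workstation Name.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "filesrv01.corp.example", "LogonType": 3,
     "WorkstationName": "CS-WS-17", "TargetUserName": "jdoe"},
    {"EventID": 4624, "Computer": "filesrv01.corp.example", "LogonType": 3,
     "WorkstationName": "CS-WS-17", "TargetUserName": "jdoe"},  # repeat, no alert
    {"EventID": 4624, "Computer": "filesrv01.corp.example", "LogonType": 2,
     "WorkstationName": "FILESRV01", "TargetUserName": "admin"},  # console logon, ignored
    {"EventID": 4625, "Computer": "rnd-pm01.corp.example", "LogonType": 3,
     "WorkstationName": "CS-WS-17", "TargetUserName": "jdoe"},  # failed first contact
    {"EventID": 4624, "Computer": "rnd-pm01.corp.example", "LogonType": 3,
     "WorkstationName": "CS-WS-17", "TargetUserName": "jdoe"},  # same pair, no alert
]

Alert = namedtuple("Alert", "source destination event_id user")


def pair_key(event):
    """Return (source, destination) for a network logon event, else None.

    Computer is usually an FQDN while Workstation Name is a short NetBIOS
    name, so both are normalised to an upper-case short host name.
    """
    if event.get("EventID") not in (4624, 4625):
        return None
    if event.get("LogonType") != NETWORK_LOGON_TYPE:
        return None
    src = str(event.get("WorkstationName", "")).strip().upper().split(".")[0]
    dst = str(event.get("Computer", "")).strip().upper().split(".")[0]
    if not src or src == "-" or not dst or src == dst:
        return None  # local logon or no usable source name
    return (src, dst)


def first_contacts(events, known_pairs=None):
    """Alert once per never-before-seen pair; return alerts and updated state.

    known_pairs is the baseline learned from earlier logs; failed logons
    (4625) count as first contact too, since a probe is still a new path.
    """
    known = set(known_pairs or ())
    alerts = []
    for ev in events:
        key = pair_key(ev)
        if key is None or key in known:
            continue
        known.add(key)
        alerts.append(Alert(key[0], key[1], ev["EventID"], ev.get("TargetUserName")))
    return alerts, known
```

Persisting the returned `known` set between runs is what turns this from a one-shot filter into the "first time ever" detection the webinar is about.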

Later in the program Caitlin NoePayne and Chris Martin, both from LogRhythm, will join to highlight Behavioral Analytics Rules and case management features that help an analyst follow up on alerts of 2 computers communicating for the first time. This is a key activity, since there's always more to investigate than time allows, so you need to be able to quickly determine "Is this alert a real breach or not?" In addition, Caitlin will show how you can quickly get more context from Active Directory and other resources to do just that.

Please register now and join us for this real training for free ™.
