In the 24 hours since Tuesday’s release of Supercharger Free, downloads are already double what Supercharger itself has seen since its release earlier this year!
But that’s just step 1 in my roadmap for helping you to detect intrusions much earlier in the attack cycle by monitoring workstation logs using free tools and technology you already own – optionally augmented with commercial software where you can justify it.
Why workstations?
- Because workstations are where today’s attacks start. Ransomware and APT intrusions typically begin on one end user’s workstation and then spread laterally through the network. If we want to catch attacks early, before they cause real damage, we must already be watching the place where the attack begins. If we aren’t monitoring workstations, we are setting ourselves up for late-stage detection.
- Because workstations are our #1 blind spot. Consider the irony of today’s situation: when I talk to security teams they often admit that, because of limited resources and management decisions, they focus their monitoring on high-value targets. Sometimes that means not even monitoring all servers, let alone workstations. I get the reasoning, but it isn’t working; witness the constant breaches. Waxing philosophical and idealistic here: monitoring only high-value targets smacks of an overwhelmed, survival-mode mentality. We can do better. Let’s get out of survival mode and start catching these bad guys. I’ll start by reviewing the reasons I commonly hear for not doing this.
Reasons for Not Monitoring Workstations
- “We don’t know which events to analyze”
- “We can’t afford to send that much data to our SIEM”
- “Workstations are many and logs are huge”
- “No more agents!”
None of these needs to stand in the way of monitoring workstations. In my next webinar I’ll outline my roadmap for Workstation-based Early Detection, but here are the overall steps we plan to roll out over the coming months:
- Free Edition of Supercharger for Windows Event Collection: done!
- Implementation Guide for Workstation Security Log Collection
  - Focuses on the Windows Security Log and on the specific events you should monitor for early detection of APT activity and ransomware.
  - Will include XPath filters, provided through Supercharger Free Edition, that collect those events while leaving the noise behind.
  - Workstations differ from servers in behavior and scale, and that affects how you implement Windows Event Collection and how you assess health and scalability. We’ll provide guidance on these issues.
- Implementation Guide for Continuous Laptop Monitoring
  Laptops are a subset of workstations. They are not always connected to your network, but they are always at risk. Windows Event Collection supports secure log forwarding over the Internet, but it is more complicated. We will provide guidance on:
  - Deploying Windows Event Collectors in the DMZ
  - DNS configuration so that laptops find your WEC collector both inside and outside your network
  - Server certificates on your WEC collector
  - Computer certificates on your laptops
- Patient-Zero Technology
  We are developing an exciting feature, which we currently plan to include in Supercharger Free Edition, that we are calling Patient-Zero. Wikipedia: “In medical science, the … initial patient in the population of an epidemiological investigation.” We think that is a great term for this feature. We’ll talk more about it in the webinar, but let’s just say it relies on nothing more than native logs collected agentlessly, and it will catch attacks like WannaCry on the very first computer where they execute.
- Beyond the Security Log
  The Windows Security Log is the obvious place to start, but you shouldn’t stop there.
  - PowerShell: Let’s watch PowerShell audit logs to help detect bad guys living off the land.
  - AppLocker: Let’s consider enabling AppLocker in audit mode and capturing the actual hashes of unrecognized EXEs and DLLs, so that bad guys can’t fool us by reusing common file names or injecting malicious code into legitimate programs.
  - Sysmon: Let’s figure out how to install and configure Sysmon at scale to get the improved telemetry it provides over some areas of the Security Log.
  We’ll provide guidance on how to efficiently collect and analyze these logs.
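As an added example for the Security Log collection step above (this is not Supercharger’s or the author’s code), here is the kind of XPath filter a workstation subscription carries, tested locally with Get-WinEvent before it goes into a subscription. The event IDs are the standard Security Log IDs; the choice of logon types, the 24-hour window and the sample suppress clause are assumptions you tune from your own measurements. Run elevated, or as a member of Event Log Readers.

```powershell
# Added example, not from the original post or Supercharger. A WEC-style
# structured query for a workstation: a handful of high-signal Security
# events, with a <Suppress> showing where measured noise is cut.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4688 process creation (enable "Audit Process Creation" and
         "Include command line in process creation events" first) -->
    <Select Path="Security">*[System[EventID=4688]]</Select>
    <!-- 4624 successful logons, only interactive (2), RDP (10) and cached (11);
         network/service/batch logons are mostly noise on a workstation -->
    <Select Path="Security">*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='11']]</Select>
    <!-- 4625 failed logons -->
    <Select Path="Security">*[System[EventID=4625]]</Select>
    <!-- 4720 / 4732: local account created, member added to a local group -->
    <Select Path="Security">*[System[EventID=4720 or EventID=4732]]</Select>
    <!-- 4697 / 4698: service installed, scheduled task created (persistence) -->
    <Select Path="Security">*[System[EventID=4697 or EventID=4698]]</Select>
    <!-- 1102: audit log cleared -->
    <Select Path="Security">*[System[EventID=1102]]</Select>
    <!-- Example suppress (assumption): conhost.exe starts with every console
         and dominates 4688 volume. Replace with the top talkers you measure. -->
    <Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\conhost.exe']]</Suppress>
  </Query>
</QueryList>
'@

# For the local test only, drop everything older than 24 h (timediff is in ms).
# A real subscription does not carry this clause; the collector gets new events as they occur.
$testQuery = $query -replace '</Query>',
    '<Suppress Path="Security">*[System[TimeCreated[timediff(@SystemTime) &gt; 86400000]]]</Suppress></Query>'

# Load it exactly as the forwarder would.
$events = Get-WinEvent -FilterXml ([xml]$testQuery) -ErrorAction SilentlyContinue

# Volume per event ID over the last 24 h: the measurement that answers
# "we can't afford to send that much data to our SIEM".
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventID'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Top process names among the 4688s: anything dominating is a candidate for
# a <Suppress> clause; anything unexpected in a user profile or temp path is a lead.
$events | Where-Object Id -eq 4688 | ForEach-Object {
    (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'NewProcessName').'#text'
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize
```

The `<Suppress>` clause applies to the whole query, so the one shown above only removes conhost.exe process-creation events while every other selected event passes through. Measure first, then suppress: a suppress clause written from guesswork is how a WannaCry-style service launch running as SYSTEM ends up filtered out.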
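For the laptop-monitoring step, the four items in that list (DMZ collector, DNS, server certificate, computer certificate) can each be checked from the laptop itself. The script below is an added example, not the author’s or Supercharger’s code; the collector name, port and issuing-CA thumbprint are placeholder assumptions you replace with your own. Run elevated on a laptop.

```powershell
# Added example, not from the original post or Supercharger.
$Collector = 'wec.example.com'    # assumption: one name, resolvable inside and outside (split DNS)
$Port      = 5986                 # WinRM over HTTPS
$IssuerCA  = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumption: thumbprint of the CA that issued the machine certs

# 1. DNS: the same collector name must resolve wherever the laptop is.
$a = Resolve-DnsName -Name $Collector -Type A -ErrorAction Stop
Write-Host ("DNS: {0} -> {1}" -f $Collector, ($a.IPAddress -join ', '))

# 2. Server certificate: open a TLS session to the collector and let .NET
#    validate the chain and the name exactly as the forwarder will.
$tcp = New-Object System.Net.Sockets.TcpClient($Collector, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($Collector)   # throws if the cert is untrusted or the name does not match
$srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host ("TLS: subject={0} issuer={1} expires={2}" -f $srv.Subject, $srv.Issuer, $srv.NotAfter)
$ssl.Dispose(); $tcp.Dispose()

# 3. Computer certificate: the forwarder authenticates with a machine cert that
#    has a private key, the Client Authentication EKU, and chains to $IssuerCA.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
} | Where-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($_)
    ($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }) -contains $IssuerCA
} | Select-Object -First 1
if (-not $clientCert) { throw "No machine certificate with Client Authentication EKU chaining to $IssuerCA" }
Write-Host ("Client cert: {0} ({1})" -f $clientCert.Subject, $clientCert.Thumbprint)

# 4. The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add | Out-Null

# 5. Point the forwarder at the collector over HTTPS. This is the registry form
#    of the GPO "Configure target Subscription Manager"; IssuerCA tells WinRM
#    which client certificate to present.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
$target = 'Server=https://{0}:{1}/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA={2}' -f $Collector, $Port, $IssuerCA
Set-ItemProperty -Path $key -Name '1' -Value $target -Type String
Restart-Service WinRM

# 6. Check the result: the forwarder reports subscription setup and errors here.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

On the collector side, certificate authentication has to be switched on (`winrm set winrm/config/service/auth '@{Certificate="true"}'`) and a certificate mapping created for the issuing CA so that any machine certificate it issued is accepted; the exact mapping command is documented with WinRM and is a collector-build detail this post’s guide will cover. Step 2 deliberately does not ignore validation errors: if the DMZ collector presents a certificate the laptop does not trust, you want to see that here, not in a silently empty ForwardedEvents log.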
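Two of the three sources in the “Beyond the Security Log” list need only a policy setting to start producing telemetry. As an added example (not the author’s or Supercharger’s code), the script below enables PowerShell script block logging and AppLocker Exe rules in audit mode, then reads both channels back the way a detection would. The keyword list and the 24-hour window are assumptions; the policy paths, rule format and event IDs are the documented ones. Run elevated.

```powershell
# Added example, not from the original post or Supercharger.

# --- PowerShell: script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- AppLocker: Exe rules in AuditOnly with the three default allow rules. Anything
#     outside Program Files / Windows run by a non-admin becomes an 8003
#     "would have been blocked" event that carries the file hash. Dll rules give
#     the same data for DLLs but are high-volume; add them after measuring Exe volume.
function New-PathRule([string]$Name, [string]$Path, [string]$Sid) {
    '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow"><Conditions><FilePathCondition Path="{3}"/></Conditions></FilePathRule>' -f `
        [guid]::NewGuid(), $Name, $Sid, $Path
}
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    $(New-PathRule 'Program Files' '%PROGRAMFILES%\*' 'S-1-1-0')
    $(New-PathRule 'Windows' '%WINDIR%\*' 'S-1-1-0')
    $(New-PathRule 'Administrators anywhere' '*' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyFile -Value $policy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile          # local policy; use -Ldap to write a GPO instead
sc.exe config appidsvc start= auto | Out-Null        # AppLocker needs the Application Identity service
Start-Service AppIDSvc

function Get-SuspiciousScriptBlocks([int]$Hours = 24) {
    # 4104 Properties: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
    # Keyword list is an assumption: common living-off-the-land / download-and-execute markers.
    $patterns = 'FromBase64String', 'DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX ',
                'Net.WebClient', 'VirtualAlloc', 'Reflection.Assembly', '-EncodedCommand', 'Invoke-Mimikatz'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hit  = $patterns | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
                    Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ Time = $_.TimeCreated; Pattern = $hit; Path = $_.Properties[4].Value
                                   Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
            }
        }
}

function Get-AppLockerAuditHits([int]$Hours = 24) {
    # 8003 = audit mode, would have been blocked. The hash is in the event's UserData.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUser; Path = $d.FilePath
                               Hash = $d.FileHash; Publisher = $d.Fqbn }
        }
}

# Why the hash matters: one file name with several hashes (a replaced or injected binary)
# or one hash under several names (a renamed tool) both stand out, and the hash
# itself can be checked against your allowlist regardless of what the file is called.
Get-AppLockerAuditHits | Group-Object { Split-Path $_.Path -Leaf } | ForEach-Object {
    [pscustomobject]@{ FileName = $_.Name; Runs = $_.Count
                       DistinctHashes = ($_.Group.Hash | Sort-Object -Unique).Count
                       Paths = ($_.Group.Path | Sort-Object -Unique) -join '; ' }
} | Sort-Object DistinctHashes -Descending | Format-Table -AutoSize

Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Both channels are collected with the same WEC mechanism as the Security Log: add a `<Select Path="Microsoft-Windows-PowerShell/Operational">` or `<Select Path="Microsoft-Windows-AppLocker/EXE and DLL">` query to the subscription. Sysmon, the third source, writes to Microsoft-Windows-Sysmon/Operational after `sysmon64 -accepteula -i <config.xml>`, and is collected the same way; its configuration file is what needs the at-scale thought the list refers to.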
Elements of this roadmap will be delivered through both divisions of our company as appropriate: UltimateWindowsSecurity.com and LOGbinder. We plan to make as much of the guidance and resources as possible free. This roadmap is forward looking and may change, but I’m excited and I hope you will participate. Your feedback and engagement have already helped so much, and I hope we get even more from you. Come to the webinar to learn more and share your valuable insights on this project.