Most attacks begin on the workstation. Some end-user clicks on a link in a phishing email or falls victim to a drive-by download or opens an infected document and the attacker has gained a foothold in your network. From there the attacker escalates his authority on that computer and uses a plethora of methods to jump to other systems, collecting credentials as he goes.
Not only are workstations where attacks begin; ironically, they are also the most exposed and vulnerable of system on your network. Think about all the risk factors:
- Non-technical users predominate workstations
- Many of the exploits discovered today rely on interactive, local user scenarios, which is exactly the usage that dominates workstations
- Most attacks today exploit malicious file and web content and because of web-browsing and knowledge worker activities, workstations come into contact with far more files from the Internet than servers
- Most vulnerabilities today involve 3rd party interactive/GUI applications like Acrobat, and patching 3rd party applications remains the weak point in many organizations who still rely on auto-updaters or spend a long-time packaging and testing patches
To catch attacks as early as possible and stop them before real damage is done, you’ve got to be monitoring your workstations.
In this webinar, I’ll show you the 3 most important logs on Windows workstations:
- Security Log – this is your main record of security activity on workstations and there are so many important security events that are only logged here – on the workstation
- PowerShell – attackers are increasingly trying to live off the land and PowerShell is one of the key resources they rely on. But PowerShell has robust auditing to help you catch misuse
- Sysmon – sooner or later most attackers end up deploying some kind of executable such as a Remote Administration Tool (RAT), exfiltrator or other agents of evil. Sysmon logs the hash of every EXE and DLL loaded, which is the first step in discovering new and unauthorized programs running on your network. But Sysmon logs many other security events specially designed to catch modern attacks
I will cover all three of these areas, explain how to enable logging, which events to collect, what to look for and provide examples of how this data can be used in threat-hunting.
Of course, with the number of workstations and amount of log data, there are some real challenges with collecting workstation logs, let alone monitoring, searching, analyzing and archiving. Brian Hymer will briefly show you how Quest InTrust and IT Security Search help you meet these challenges.
Please join us for this technical, real training for free event.