
Terminal Security Survival Guide (6) -- Threat Detection and Response

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Threat detection and response

Advanced threats are designed to evade traditional signature-based AV solutions by using diverse, automatically updated, environment-aware malware. Not surprisingly, older detection was built for a different threat landscape, and it has evolved slowly and without much sophistication. Not long ago, security vendors only needed a signature and a few rules to fight an attacker.

EDR emerged in the industry from the realization that intrusions cannot always be prevented. Instead, we need to assume that attackers have already got in, focus on real-time detection of behavior flagged as destructive, and then establish an effective incident response plan to limit the damage. EDR complements traditional, signature-based technology by detecting abnormal behavior and providing visibility across all enterprise endpoints, not just servers and workstations.

A. Faster than a sniper's attack: modern phishing moves at the speed of light. The first attack can be as simple as an unsuspecting user clicking a URL in an email that leads to malware, which, once run, can disable security protection.

B. Attackers customize specific attacks for your business: where you are the target, attackers will use techniques that are not attacks in themselves, such as social engineering, to collect employees' identities and work out what their email addresses will be.

BOOT CAMP:

Make sure the groundwork is done for each of your endpoints.

1. Remember your SOPs: we discussed establishing your standard operating procedures earlier, and each of those procedures helps detect damage to the environment. We noted before that attacks come from "underground": monitor how applications operate and raise an alarm when new software obtains access to important data. If your SOPs restrict software to an approved whitelist, then every deviation from it needs to be investigated.

Unusual user access may indicate a compromise. Rotate users' credentials frequently, test users with random security awareness training, and finally make sure that users do not reuse their company credentials elsewhere, so that a breach somewhere else cannot be turned against you.

2. Run antivirus software: today, antivirus software cannot block most malware, but it can block some. Symantec can block 45% of attacks, and that is still useful.

3. Run host-based firewalls and IPS: remember when we talked about blocking unnecessary ports and services. Advanced malware may still manage to find a port or process to hijack on an endpoint, but by restricting which applications are authorized to run and which ports may be open, you at least make it harder for attackers to operate.

ADVANCED TRAINING

4. Replace antivirus software: we already know that AV is not advanced enough to protect most people. Cyber criminals know how AV works, and they actively work to defeat these protective measures.

You need to focus on the likely attack vectors and on applying the most effective protection techniques to prevent attacks. For example, many recent attacks use malicious websites as the first step in reaching victims; web filtering is probably the most effective way to protect against them, by preventing accidental contact.

Other possible options include whitelisting, sandboxing, exploit mitigation, email and web filtering, NAC, HIPS, or even changing user passwords. Each has its place and should be considered as part of a multi-layered defense in depth to protect your most valuable endpoints.

5. Send logs to a SIEM for correlation: in some cases you need to build evidence of a breach or prove that the most recent attack has been contained. To do this, logs need to be fed into a log management system such as Tripwire Log Center. As an added bonus, if you collect and analyze these logs in real time, you may be able to catch attackers' traces before they delete logs en masse to hide their tracks. Analyzing a large volume of related log data in one place lets you tighten security and perform more accurate forensics.

6. Make sure the antivirus software is running: make sure your AV process is running and its virus definitions are updated in real time, either through the vendor's enterprise management console or through a solution such as Tripwire Enterprise's security console.

7. The best changes are approved changes: if you ticket and reconcile every change, then anything without a ticket is an unauthorized change, which is sometimes malicious and always a teachable moment for the administrator. With this approach, malware detection becomes a by-product of normal security configuration management practice.
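The ticket reconciliation described in step 7, as an added example that is not part of the original article or of any Tripwire product: file-change events from an integrity monitor are matched against approved change tickets by host, path pattern and maintenance window, and anything left over is flagged for investigation. The change records and tickets are constructed sample data.

```python
from datetime import datetime
from fnmatch import fnmatch

# Constructed change records as a file-integrity agent might report them:
# host, changed path, and observation time (ISO 8601, UTC).
CHANGES = [
    {"host": "web-01", "path": "/etc/nginx/nginx.conf", "at": "2025-01-10T02:15:00"},
    {"host": "web-01", "path": "/usr/bin/curl", "at": "2025-01-10T02:16:30"},
    {"host": "db-02", "path": "/etc/ssh/sshd_config", "at": "2025-01-11T09:00:00"},
]

# Constructed approved-change tickets: which host, which paths (glob pattern),
# and the maintenance window in which the change was authorized.
TICKETS = [
    {"id": "CHG-1001", "host": "web-01", "paths": "/etc/nginx/*",
     "start": "2025-01-10T02:00:00", "end": "2025-01-10T03:00:00"},
    {"id": "CHG-1002", "host": "db-02", "paths": "/etc/ssh/*",
     "start": "2025-01-12T09:00:00", "end": "2025-01-12T10:00:00"},
]

def ts(s):
    return datetime.fromisoformat(s)

def ticket_for(change, tickets):
    """Return the id of the ticket that authorizes this change, or None."""
    when = ts(change["at"])
    for t in tickets:
        if (t["host"] == change["host"]
                and fnmatch(change["path"], t["paths"])
                and ts(t["start"]) <= when <= ts(t["end"])):
            return t["id"]
    return None

def reconcile(changes, tickets):
    """Split changes into authorized (tagged with ticket id) and unauthorized."""
    authorized, unauthorized = [], []
    for c in changes:
        tid = ticket_for(c, tickets)
        if tid:
            authorized.append(dict(c, ticket=tid))
        else:
            unauthorized.append(c)  # no ticket covers it: investigate
    return authorized, unauthorized

if __name__ == "__main__":
    ok, bad = reconcile(CHANGES, TICKETS)
    for c in bad:
        print("UNAUTHORIZED %(host)s %(path)s at %(at)s" % c)
```

Note that the sshd_config change is rejected even though a ticket exists for that path, because it happened a day before the approved window.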

COMBAT READY

Incorporate threat intelligence into your controls

8. Unify network threat intelligence and endpoint detection: use Tripwire Enterprise together with network threat intelligence leaders such as Check Point Software Technologies, Palo Alto Networks, Cisco, Lastline, Blue Coat and FireEye. These solutions give network and endpoint security a more accurate and timely combination of third-party processes to detect and defend against advanced threats: first, identify suspicious files on important assets; then send the files to a threat analysis service; and finally, update security controls based on the identified threats.

9. Combine hash detection with endpoint detection: use personal and community sources of IOC hashes to obtain new threat intelligence. By using the STIX and TAXII standards or a commercial threat intelligence service, you can find threats hiding in your defensive blind spots. IOCs can be downloaded automatically into Tripwire Enterprise, which then searches for evidence; if a threat is detected, you receive an alert and can remediate.
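The hash matching in step 9, as an added example that is not the article's or Tripwire's code: SHA-256 values are pulled out of a STIX 2.1-style indicator bundle and compared against an endpoint file inventory, producing one alert per matching file. The bundle, the file contents it is hashed from and the inventory are all constructed here so the example runs offline; the indicator name and host names are placeholders.

```python
import hashlib
import json
import re

# Constructed sample bytes standing in for a flagged file and a benign file.
# Both are hashed at runtime, so the indicator matches by construction.
FLAGGED_BYTES = b"constructed sample payload placeholder"
BENIGN_BYTES = b"ordinary business document"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed STIX 2.1-style bundle with one file-hash indicator
# (a hypothetical feed, not a real TAXII collection).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [{
        "type": "indicator",
        "name": "constructed-dropper-hash",
        "pattern_type": "stix",
        "pattern": "[file:hashes.'SHA-256' = '%s']" % sha256_hex(FLAGGED_BYTES),
    }],
})

# Matches the SHA-256 comparison inside a STIX pattern expression.
HASH_RE = re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'")

def load_ioc_hashes(bundle_json: str) -> dict:
    """Return {sha256: indicator name} for every SHA-256 file indicator in the bundle."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for h in HASH_RE.findall(obj.get("pattern", "")):
            iocs[h.lower()] = obj.get("name", "unnamed")
    return iocs

# Constructed endpoint inventory, as an agent would report it per host.
INVENTORY = [
    {"host": "ws-017", "path": "C:/Users/a/AppData/Local/Temp/upd.exe", "sha256": sha256_hex(FLAGGED_BYTES)},
    {"host": "ws-017", "path": "C:/Users/a/Documents/q3.docx", "sha256": sha256_hex(BENIGN_BYTES)},
    {"host": "srv-db1", "path": "/opt/app/bin/agent", "sha256": sha256_hex(FLAGGED_BYTES)},
]

def match_iocs(inventory, iocs) -> list:
    """Return one alert per inventory entry whose hash appears in the IOC set."""
    alerts = []
    for item in inventory:
        name = iocs.get(item["sha256"].lower())
        if name:
            alerts.append({"host": item["host"], "path": item["path"], "indicator": name})
    return alerts
```

Hash lookups are case-insensitive because feeds mix upper- and lower-case hex; a real deployment would refresh the IOC set from TAXII on a schedule and feed the alerts into the SIEM from step 5.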

10. Integrate malicious network indicators: these vectors, and others, provide threat intelligence about the IP addresses, domain names and hostnames used for command and control and other malware infrastructure. Use this intelligence to update firewall rules, IPS blocking and SIEM correlation. By collecting network intelligence and security data in a big data solution like Splunk, you can quickly determine whether your business is communicating with a known bad actor.

Summary: endpoint security score

We recommend that you assess your organization against the following guidelines to help improve your security risk posture. Complete the scoring below and add up the result to understand what you need to do to improve the effectiveness of each control as part of an EDR program.

0: we didn't do anything.

1: we only do a little, and often only because a service needs it.

2: yes, we do this, but it isn't perfect.

3: we implement this methodically and often look for ways to improve.

Control (score each from 0 to 3):

Endpoint discovery

Software discovery

Vulnerability management

Security configuration management

Log management

Threat detection and response

Total 0-6: boot camp

You face a lot of challenges in building a strong EDR program, but don't worry, we've got you covered. Here are some additional resources. Read the endpoint detection and response e-book for dummies to learn how to deploy and manage security measures for a variety of endpoint types.

Read the white paper "Meeting the Real File Integrity Monitoring"

Read the e-book "Security Configuration Management for Dummies"

Sign up for a free vulnerability assessment with your Tripwire SecureScan account.

Total 7-12: advanced training

Well done. Now we'll give you advice on how to take your security program to the next level.

Understand why the strategies and policies for responding to high-impact vulnerabilities differ from those used for security incidents.

Read: "Restoring Trust After a Breach: Which Systems Can I Trust?"

Watch the video: "How to Protect Against the Ransomware Epidemic"

Total 13-18: combat ready

Congratulations: at this level of leadership you have become an expert, constantly looking for ways to improve security. Here are some materials for highly mature security organizations, aimed at taking your organization's security management program to the next level of maturity. Learn about actionable threat intelligence: automatic IoC matching with Tripwire. Get advice on taking your organization's vulnerability management program to the next level of maturity. Find ways to evaluate the current level of your endpoint security program through the "SANS: A Maturity Model for Endpoint Security" white paper.
