Category Archives: Endpoint security

What Is E-PDR (Endpoint Prevention, Detection and Response)?

Cybersecurity evolves with the times and always needs to stay one step ahead of malicious groups that seek to harm organizations and individuals for various benefits. The age of simple protection (such as traditional antivirus) is long past. In its stead, today, we have E-PDR (Endpoint Prevention, Detection and Response) as the new gold standard […]

The post What Is E-PDR (Endpoint Prevention, Detection and Response)? appeared first on Heimdal Security Blog.

IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management (IAM)

The increase of cybersecurity incidents brings along a higher demand for enhanced security protections. Thus, in the attempt of preventing unauthorized third parties from accessing their accounts and sensitive data, companies are increasingly turning to biometric authentication. Contemporary Identity and Access Management (IAM) technologies have moved beyond basic login methods based on usernames and passwords. […]

The post IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management (IAM) appeared first on Heimdal Security Blog.

A perspective on security threats and trends, from inception to impact

Sophos published a report which flags how ransomware and fast-changing attacker behaviors, from advanced to entry level, will shape the threat landscape and IT security in 2021. Increased gap between ransomware operators: the gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like … More

The post A perspective on security threats and trends, from inception to impact appeared first on Help Net Security.

What Truebill and Other Financial Apps Have in Common With EDR

Truebill, Chargebee, Fusebill and other financial apps have been inundating my social feeds and until recently I didn't understand why I would need one of these apps. I'm the type that knows her bank account balance to the penny and I was shocked to discover that many of my co-workers and, of course, my college kid had no idea their balance was low until they tried to use their debit card and got declined. What also surprises me is how many people don't know what is coming out of their bank account. I may not realize precisely how much my Starbucks addiction costs but I'm in security and I need my caffeine! Keeping up with the latest ways cyber criminals can infiltrate an organization or sneak past endpoint solutions takes a lot of energy.

Then I got to thinking about these new apps that I can't imagine why anyone would need to use, UNTIL I decided to try one... and then I discovered I too had been compromised by subscriptions and fees I had no idea I was being charged for. This led me to think about my false sense of security and how I felt I was protected because I checked my account and tracked what came in and out. I use my debit card constantly for purchases and have it attached to Apple Pay, PayPal and you name it, it is linked.

So why am I bringing this up? Well, in your job you might have responsibility for corporate security…and you might be feeling pretty comfortable that you have everything under control, a bit like I did with my finances – but you don’t know what you don’t know. It’s all well and good (and indeed highly advisable) having an endpoint protection product in place but is it possible that this is giving you a feeling of security beyond the true situation? Could there be sneaky activity happening at a really low level that is getting past those solutions? I didn’t think so, until I installed the app and I discovered exactly what I didn’t know.

Enter EDR

And that's where EDR comes in. EDR is designed to monitor what is happening on your endpoint devices, to track and trace activity, consolidate it and identify potential risks. The really good EDR solutions will also group related items into threads to speed up investigations, prioritize which groups should be examined first and even automate some of the investigation process.

The Importance of Automation

And don’t overlook the importance of that automation – when I was looking at my finances if the app I tried had simply overwhelmed me with massive amounts of information (some of which I knew, some of which was a surprise, all of which was mixed up together), I’d have likely looked once, and decided that I was right all along…everything was probably under control, and the effort involved in digging deeper was likely to be greater than any return I might have got back. But, it was automated, it consolidated the information, it simplified things…and ultimately it showed me exactly what I needed to know with minimal effort on my part. The net effect of that was a positive result. EDR is the same – I’ve spoken with customers who have tried it and simply given up because it’s proven to be too complicated. It can feel easier not to find out what you don’t know – but it won’t be as secure!

MVISION EDR

That's what security analysts are loving about MVISION EDR. MVISION EDR helps find what is hidden and lifts it to the surface where it can be examined and then either allowed or blocked. But unlike my bank account, we're not talking about 5 or 10 things you may not have been aware of, we're talking about potentially tens of thousands each and every day. And that's the other thing they love about MVISION EDR: not only does it make these potential risks easier to identify, but it groups them together into a much smaller number of potential incidents, prioritizes those incidents so they know which ones to investigate first and even uses AI to guide those investigations and make suggestions as to how they can reach a resolution quickly and accurately. What's not to love?

If you want to see what you have been missing check out MVISION EDR.

The post What Truebill and Other Financial Apps Have in Common With EDR appeared first on McAfee Blogs.

Unravel the XDR Noise and Recognize a Proactive Approach

Cybersecurity professionals know this drill all too well: making sense of a lot of information and noise to get at what really matters. XDR (Extended Detection and Response) has been a technical acronym thrown around in the cybersecurity industry with many notations and promises. This can be intriguing and nagging for cybersecurity professionals who are heads down defending against persistent adversaries. The intent of this blog is to clarify XDR, remove the noise and hype in favor of relevant and purposeful cybersecurity conversations with actions, and observe the need for a proactive approach.

Let's begin with what XDR refers to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. "Extended" means going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR. XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically, it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.

A Look at the Industry Point of Views 

Industry experts have weighed in on this XDR capability for cybersecurity. In Gartner's definition, XDR is "a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components." Gartner notes that the three primary requirements of an XDR system are: centralization of normalized data, primarily focused on the XDR vendor's ecosystem; correlation of security data and alerts into incidents; and a centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report.

ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. 

Forrester views XDR as the next generation of Endpoint Detection and Response, evolving by integrating endpoint, network and application telemetry. The key goals include empowering analysts with incident-driven analytics for root cause analysis, offering prescriptive remediation with the ability to orchestrate it, and mapping use cases to MITRE ATT&CK techniques and chaining them into complex queries that describe behaviors instead of individual events.

XDR Themes 

The common themes from these XDR discussions are multiple security functions integrated, with curated data across the control vectors, all working together to achieve better security operational efficiency while responding to a threat. Coverage across control points makes sense since adversary movement is erratic. Emphasis is on removing complexity, offering better detection and understanding of the risk in the environment, and quickly sorting through a possible response. The range of detection and response capabilities also suggests that it cannot be done by one exclusive vendor; many advocate an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. Connecting the security disciplines so they work together is not a new concept; as a matter of fact, McAfee has been professing and delivering on its Together is Power motto for some time.

Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent.

Integrating security across the enterprise and its control points, and accelerating investigations, are critical functions. But does XDR address organizational nuances, such as whether a threat is high priority because it is prevalent in my geography and industry and is impacting target assets that hold highly sensitive data? Prioritization should also be an XDR theme, but it is not necessarily noted in these XDR discussions.

Net Out the Core XDR Functions 

After distilling the many points of view and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack. So it is a reactive function.

XDR core and baseline functions, and why they matter:
  • Cross-infrastructure, comprehensive vector coverage: gain comprehensive visibility and control across your entire organization and stop operating in silos; remove disparate efforts between tools, data and functional areas.
  • Distilled data and correlated alerts across the organization: remove manual discovery and make sense of it all.
  • Unified management with a common experience: a common view or starting point removes the jumping between consoles and data pools to assure
  • Security functions automatically exchange and trigger actions: some security functions, such as detection or response, need to be automated.

Advanced functions, not noted in many XDR discussions, and why they matter:
  • Actionable intelligence on potentially relevant threats: allow organizations to proactively harden their environment before the attack.
  • Rich context that includes threat intelligence and organizational impact insight: organizations can prioritize their threat remediation efforts on what has the greatest impact on the organization.
  • Security working together with minimal effort: simply tie a range of security functions together to create a united front and optimize security investments.

Key Desired Outcomes 

The end game is better security operational efficiency. This can be expressed as a handy outcome checklist, perhaps helpful when assessing XDR solutions.

Visibility outcomes:
  • More accurate detection
  • Adapt to changing technologies and infrastructure
  • Fewer blind spots
  • Faster time to detect (Mean Time to Detect, MTTD)
  • Better views and searchability
  • Faster and more accurate investigations (fewer false positives)

Control outcomes:
  • More accurate prevention
  • Adapt to changing technologies and infrastructure
  • Fewer gaps
  • Faster time to remediate (Mean Time to Respond, MTTR)
  • Prioritized hardening across the portfolio, not isolated efforts
  • Orchestrate control across the entire IT infrastructure

A More Proactive Approach is Needed 

McAfee goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation.  SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.  

Cyber Attack Lifecycle 

Solution or Approach?  

Is XDR a solution or product to be bought, or an approach an organization must rally its security strategy around? Honestly, it can be both. Many vendors are announcing XDR products or XDR capabilities to buy. An XDR approach will shift processes and is likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.

Is XDR for everyone? 

It depends on the organization's current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. The promise to correlate data across the entire enterprise implies that some of the mundane and manual effort to turn data into a better and actionable understanding of a threat is removed. This is good for organizations at both ends of the spectrum. Less mature organizations that do not have the resources or expertise, and do not consume data intelligence to sift through, will appreciate this correlation and investigation step, but can they continue the pursuit of what it means to them? Medium to high maturity cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps: to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So the real make-a-difference moment is for the more mature organization, which can move more quickly to a response mode on the potential threat or threat in progress.

Your XDR Journey 

If you are a medium to high maturity cybersecurity organization, the question becomes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace XDR capabilities, since their efforts already involve investigating and resolving endpoint threats. It's time to expand this effort to gain a better understanding of the adversary's movement across the entire infrastructure. If you are using McAfee MVISION EDR you are already using a solution with XDR capabilities, since it digests SIEM data from McAfee ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement).

Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost its SOC efforts. Don't miss the XDR session at our MPOWER conference: Embrace the X-factor: Where to Start Your XDR Journey.

The post Unravel the XDR Noise and Recognize a Proactive Approach appeared first on McAfee Blogs.

What A Threat Analyst Really Thinks of Intelligence

When I was a threat analyst, too long ago for me to actually put in writing, I remember the thrill of discovery at the apex of the boredom of investigation. We all know that meme:

 

And over the years, investigation leads became a little more substantial. It would begin in one of a few ways, but the most common began with an alert as a result of SIEM correlation rules firing. In this situation, we already knew what we were looking for... the SIEM had been configured to alert us on regex matches, X followed by Y, and other common logic often misnamed as "advanced analytics". As we became more mature, we would ingest Threat Intelligence feeds from third-party sources. Eager and enthusiastic about the hunt, we would voraciously search through a deluge of false alarms (yes, the IPS did find a perimeter attack against Lotus Notes, but we had been using MS Exchange for over 5 years) and false positives (no, that's not Duqu... just someone who cannot remember their AD credentials).

And the idea that these intelligence sources could spur an entirely new mechanic in the SOC, which we affectionately now refer to as Threat Hunting, was incredibly empowering. It allowed us to move beyond what was already analyzed (and most likely missed) by the SIEM and other security control technologies. True, we had to assume that the threat was already present and that the adversary had already established a foothold in the organization, but it allowed us to begin discovery at enterprise scale for indicators that perhaps we were compromised. I mean, remember, we need to know a problem exists before we can manage it. But again, bad threat data (I once received a list of Windows DLLs as IoCs in a fairly large campaign) and unimportant threat data (another provider listed hashes associated with polymorphic malware) led us down a rabbit hole we were all too happy to come out from.

So, did all of that threat data disguised under the marketing of "Threat Intelligence" really help us uncover threats otherwise acting in the shadows like a thief in the night? Or did it just divert our attention to activity that was largely uninteresting while the real threats were just another needle in a stack of needles?

In most mature organizations, Threat Intelligence is a critical component of the SecOps strategy. Of course it is; it must be. How else could you defend against such a volume of threats attacking from every angle? We have ontological considerations. Which threat actors are targeting my industry vertical or geography? Have I discovered any of the associated campaign indicators? And, most importantly, will my existing controls protect me? None of these could be addressed without a Threat Intelligence capability.

I remember working with a customer who was just beginning to expand their security operations resources, and they were eager and excited to be bringing in Threat Intelligence capabilities. The board was putting pressure on the CISO to increase the scope of accountability for his response organization, and the media was beginning to make mincemeat out of any business which was compromised by threat actors. The pressure was on and the intelligence began to flow in… like a firehose. About a month after it began, we spoke over lunch when he was interrupted at least 3 times for escalations. “What’s going on,” I asked. He told me that he was getting called day and night now about findings for which his team lacked complete context and understanding. Surely, they had more threat data, but if you asked him, that feature did not include “intelligence.”

Threat intelligence is supposed to help you filter the signals from the noise. At some point, without context and understanding, it is likely just more noise.

Consider the Knowledge Hierarchy: Data, Information, Knowledge, and Wisdom.

Intelligence is defined by dictionary.com as "knowledge of an event, circumstance, etc., received or imparted; news; information." If we think of Threat Intelligence as a form of data feeding your Security Operations with a listing of parts, or atomic elements that in and of themselves serve little in the way of context, the SOC will regularly be forced to be reactive. With millions of indicators being pushed daily in the form of file hashes, names, URLs, IP addresses, domains, and more, this is hardly useful data on its own.

When Data is correlated in the form of context using ontology, such as grouping by specific types of malware, we gain just enough to classify the relationships as information. When we know that certain malware and malware families will exhibit groups of indicators, we can better ready our controls, detection mechanisms, and even incident response efforts and playbooks. But, still, we lack the adequate context to understand if, in general, this malware or family of malware activities will apply to my organization. We still need more context.

So, at this point we form an entire story. It's nice to know that malware exists and exhibits key behavior, but it's even better if we know which threat actors tend to use that malware and in what way. These threat actors, like most businesses, operate in structured projects. Those projects, or campaigns, seek to achieve an outcome. They target specific types of businesses by industry. At the time of writing, COVID-19 has created such a dramatic vacuum in the pharmaceuticals industry that there is a race to create the first vaccine. The "winner" of such a race would reap incredible financial rewards. So it stands to reason that APT29 (also known as Cozy Bear), which notoriously hacked the DNC before the US 2016 election, would target pharmaceutical R&D firms. Now, KNOWLEDGE of all of this allows one to deduce that if I were a pharmaceutical R&D company, especially one working on a COVID-19 vaccine, I should look at how APT29 typically behaves and ask some very important questions: what procedures do they typically follow, which tactics are typically witnessed and in what order and timing, which techniques are executed by which processes, and so on. If I could answer all of these questions, I could be reactive, proactive, and even prescriptive:

  • Ensure exploit prevention rules exist for .lnk drops
  • Enable McAfee Credential Theft Protection to protect LSASS
  • Monitor for PsExec activity and correlate it with other APT29 indicators
  • Monitor or block access to registry Run keys
  • and so on
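
The "X followed by Y" SIEM rule described earlier and two of the hunt items just listed (PsExec activity, writes to registry Run keys) fit together into one concrete correlation. The block below is an added example, not code from the original post or from any vendor product: the event records, host names and timestamps are constructed, and the ten-minute window is an assumption. The event IDs follow the real Windows System log (7045: a service was installed) and Sysmon (13: registry value set) conventions.

```python
"""Toy SIEM-style "X followed by Y" correlation over constructed Windows events.

Added example, not code from the original post or from any vendor product.
X = the PsExec remote service (PSEXESVC) is installed on a host;
Y = a value is written under a Run key on the same host within WINDOW.
Events, hosts and timestamps are constructed; WINDOW is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEY = "\\currentversion\\run\\"   # matched case-insensitively as a substring
WINDOW = timedelta(minutes=10)        # assumed dwell between X and Y

# Constructed events, shaped the way a SIEM would hand them to a rule.
EVENTS = [
    # WS-01: PsExec service install, then a Run-key write 2.5 minutes later
    {"ts": "2020-09-01T10:00:05", "host": "WS-01", "source": "System", "id": 7045,
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2020-09-01T10:02:40", "host": "WS-01", "source": "Sysmon", "id": 13,
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "image": "C:\\Windows\\Temp\\upd.exe"},
    # WS-02: PsExec used by an admin, nothing follows
    {"ts": "2020-09-01T11:15:00", "host": "WS-02", "source": "System", "id": 7045,
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    # WS-03: a Run-key write on its own (OneDrive autostart), no preceding X
    {"ts": "2020-09-01T12:00:00", "host": "WS-03", "source": "Sysmon", "id": 13,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "image": "C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    # WS-04: both events, but 45 minutes apart, outside the window
    {"ts": "2020-09-02T09:00:00", "host": "WS-04", "source": "System", "id": 7045,
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2020-09-02T09:45:00", "host": "WS-04", "source": "Sysmon", "id": 13,
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
     "image": "C:\\Temp\\x.exe"},
]


def is_psexec_install(e):
    """X: the PsExec remote service (PSEXESVC) was installed on the host."""
    return (e["source"] == "System" and e["id"] == 7045
            and e.get("service", "").upper().startswith("PSEXESVC"))


def is_run_key_write(e):
    """Y: a value was set under a Run key in either the user or machine hive."""
    return (e["source"] == "Sysmon" and e["id"] == 13
            and RUN_KEY in e.get("target", "").lower())


def correlate(events, window=WINDOW):
    """Return one finding per host where X was followed by Y within `window`.

    Events are grouped per host and walked in time order; each X opens a
    pending slot that a later Y on the same host can close. Expired slots
    are dropped, so an old PsExec install does not taint a later, unrelated
    autostart entry.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        pending = []   # timestamps of PsExec installs awaiting a follow-up
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if is_psexec_install(e):
                pending.append(t)
            elif is_run_key_write(e):
                pending = [p for p in pending if t - p <= window]
                if pending:
                    findings.append({
                        "host": host,
                        "psexec_at": pending[0].isoformat(),
                        "persistence": e["target"],
                        "image": e["image"],
                        "rule": "psexec_then_runkey",
                    })
                    pending = []   # one finding per sequence, not per Y
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['image']} -> {f['persistence']}")
```

Run as-is it reports only WS-01. The point is the contrast with a bare IoC feed: a PsExec service install (WS-02) or a Run-key write (WS-03) on its own is routine admin or software activity, and the same two events far apart (WS-04) are not a sequence; it is the ordering and timing, the "procedures" the article says knowledge of the actor gives you, that turn two unremarkable events into something worth an analyst's time.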

However, it seems the one instrument lacking in this race to context and understanding is predictability. Surely, we can predict with the knowledge we have whether or not we may be targeted; but isn’t it much more difficult to predict what the outcome of such an attack may be? Operationally, you may have heard of dry runs or table-top exercises. These are effective operational activities required by functions such as Business Continuity and Disaster Recovery. But what if you could take the knowledge you gleaned from others in the industry, compiled with the security footprint tied to your environment today, and address the elephant in the room which every CISO brings up at the onset of “Threat Intelligence”…

Will I be protected?

– Every CISO, Ever

This level of context and understanding is what leads to Wisdom. Do not wait until the threat makes landfall in your organization. My grandfather always said, “A smart [knowledgeable] man learns from his own mistakes, but a wise man learns from everyone else’s.” I think that rings true with SecOps and Threat Intelligence as well. Once we are able to correlate what we know about our industry vertical, threat actors, campaigns, and geo- and socio-political factors with our own organization’s ability to detect and prevent threats we will truly be wise. Thanks, Pop!

Wisdom as it relates to anti-threat research is not necessarily new. The Knowledge Hierarchy has been a model in Computer Science since about 1980. What is new is McAfee's ability to provide a complete view of your stakeholders' landscape. McAfee has one of the largest Threat Intelligence Data Lakes, with over 1 billion collection points; a huge Advanced Threat Research capability responsible for converting data gleaned from the data lake, incident response consultations, and underground investigations into actionable information and knowledge; and one of the largest cybersecurity pure-play portfolios, providing insights into your overall cybersecurity footing. This unique position led to the creation of MVISION Insights. MVISION Insights provides context in that we have the knowledge of campaigns and actors potentially targeting your vertical. Then it can alert you when your existing security control configuration is not tuned to prevent such a threat. It then prescribes for you the appropriate configuration changes required to offer such protection.

MVISION Insights allows an organization to immediately answer the question, “Am I protected?” And, if you are not protected it prescribes for your environment appropriate settings which will defend against threat vectors important to you. This methodology of tying together threat data with context of campaign information and the knowledge of your security control configuration allows MVISION Insights to offer a novel perspective on the effectiveness of your security landscape.

When I think back to all of the investigations that led me down the rabbit hole, I wonder what my days would have been filled with had I such a capability. Certainly, there is an element of “fun” in the discovery. I loved the hunt, but I think having the ability to quickly arm myself with the context and understanding of what I was searching for and why I was searching would have accelerated those moments (read hours or days). I’m excited to discuss and demonstrate how McAfee is using MVISION Insights to turn knowledge into wisdom!

To take MVISION Insights for a spin, check out McAfee’s MVISION Insights Preview.

The post What A Threat Analyst Really Thinks of Intelligence appeared first on McAfee Blogs.

Why Ransomware Targets No Longer Need to Wind Up as Ransomware Victims

It was every administrator’s worst nightmare. A small district hospital in western Colorado lost access to 5 years’ worth of patient records after ransomware attackers exploited holes in an aging infrastructure to strike. But it was also an increasingly familiar story as ransomware attackers escalate their attacks and go after targets across all sectors of the economy.

But being a target doesn’t mean you’re fated to become a victim. With the deployment of complete and proactive security software, organizations can still defend their data in the face of a veritable epidemic of attacks against their endpoints. At McAfee, this is one of our core strengths.

The best defense starts with prevention. As we like to say, being informed is halfway to being prepared. With MVISION Insights, for instance, customers receive advance notice whenever there are ransomware attacks happening in their sector or region. Take the example of an attack against a hospital. MVISION Insights will notice an uptick in ransomware attacks against other healthcare organizations and share that intelligence so other hospitals can get ahead of the potential threat and review the state of their own defenses.

MVISION Insights would help SOC teams know whether their defenses were in shape to protect against an attack. If not, it would offer prescriptive advice about what measures to take before the threat or campaign ever got launched. That is phase number one. Check out MVISION Insights in action.

As an organization goes about the work of hardening its environment, suppose that an APT group then finds a gap. When you have thousands of endpoints, it's always the case that some endpoint is going to be misconfigured. But before the bad guys can launch an attack, our prevention technology comes into play to prevent ransomware from infecting the endpoint in question.

McAfee leverages an integrated technology stack that includes machine learning, exploit prevention, behavioral blocking and dynamic application containment. That works to stop not just traditional portable executable files but also fileless attacks.

Fig: Intelligent and Proactive Endpoint Security

What's more, McAfee's global intelligence capabilities tap into over 1 billion sensors around the world and deploy static machine learning to identify newer types of endpoint attacks. Instead of relying on a signature, we can examine a file's attributes and calculate a score based on multiple vectors that helps determine whether the file in question exceeds a certain threshold and whether to flag it as potentially malicious.

The Power of Big Data

McAfee's advanced AI capabilities also pay other security dividends in terms of prevention. Suppose that someone creates a new piece of ransomware with the contents of the file obscured. We are then able to apply dynamic machine learning, which examines the actual behavior of the process. Malware behaves, well, maliciously, and ransomware acts in very specific patterns. On our end, we'll run all of those behaviors through a machine learning engine to figure out whether to remediate the activities of a questionable process.
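
To make the "very specific patterns" concrete, here is an added example, not McAfee code and not a description of any vendor's model: a simple behavioural scorer that judges a process by what it does to the file system rather than by its bytes. It looks for three behaviours ransomware reliably shows, namely many files rewritten with a changed extension inside a short window, spread across several directories, and deletion of Volume Shadow Copies. The events, process names, paths, window and weights are all constructed for the example.

```python
"""Behaviour-based ransomware heuristic over a constructed process event stream.

Added example, not McAfee code and not any vendor's model. Each process is
scored on its first WINDOW seconds of activity; a score at or above
THRESHOLD is the point at which a real engine would kill or contain it.
Events, paths, WINDOW, THRESHOLD and the weights are constructed.
"""
from collections import defaultdict
import ntpath   # Windows path semantics regardless of the host OS

WINDOW = 60      # seconds of activity examined per process (assumed)
THRESHOLD = 70   # score at which the process would be contained (assumed)
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")

# Constructed telemetry: file writes (old name -> new name) and process creations.
EVENTS = []
# backup.exe: rewrites five files in one folder, extension unchanged -> benign
for i in range(5):
    EVENTS.append({"t": i, "pid": 100, "proc": "backup.exe", "type": "file_write",
                   "old": f"C:\\Data\\report{i}.docx", "new": f"C:\\Data\\report{i}.docx"})
# svchst.exe: 60 documents across five folders renamed to .locked within a
# minute, then shadow copies deleted -> the classic ransomware shape
FOLDERS = ["Finance", "HR", "Legal", "Eng", "Sales"]
for i in range(60):
    folder = FOLDERS[i % 5]
    EVENTS.append({"t": 1000 + i, "pid": 200, "proc": "svchst.exe", "type": "file_write",
                   "old": f"C:\\Users\\a\\Documents\\{folder}\\f{i}.docx",
                   "new": f"C:\\Users\\a\\Documents\\{folder}\\f{i}.docx.locked"})
EVENTS.append({"t": 1060, "pid": 200, "proc": "svchst.exe", "type": "proc_create",
               "cmdline": "vssadmin delete shadows /all /quiet"})


def profile(events, window=WINDOW):
    """Aggregate each process's behaviour over its first `window` seconds."""
    per = defaultdict(lambda: {"proc": None, "start": None, "ext_changes": 0,
                               "dirs": set(), "shadow_delete": False})
    for e in sorted(events, key=lambda e: e["t"]):
        p = per[e["pid"]]
        p["proc"] = e["proc"]
        if p["start"] is None:
            p["start"] = e["t"]
        if e["t"] - p["start"] > window:
            continue   # outside the window we score on
        if e["type"] == "file_write":
            old_ext = ntpath.splitext(e["old"])[1].lower()
            new_ext = ntpath.splitext(e["new"])[1].lower()
            if old_ext != new_ext:
                p["ext_changes"] += 1
            p["dirs"].add(ntpath.dirname(e["new"]))
        elif e["type"] == "proc_create":
            cmd = e["cmdline"].lower()
            if any(m in cmd for m in SHADOW_DELETE_MARKERS):
                p["shadow_delete"] = True
    return per


def score(p):
    """Illustrative weights; a real engine would learn these from labelled runs."""
    s = 0
    if p["ext_changes"] >= 20:
        s += 50
    elif p["ext_changes"] >= 5:
        s += 20
    if len(p["dirs"]) >= 3:
        s += 20
    if p["shadow_delete"]:
        s += 40
    return s


def verdicts(events, threshold=THRESHOLD):
    """Map pid -> {proc, score, malicious} for every process seen."""
    return {pid: {"proc": p["proc"], "score": score(p), "malicious": score(p) >= threshold}
            for pid, p in profile(events).items()}


if __name__ == "__main__":
    for pid, v in verdicts(EVENTS).items():
        action = "CONTAIN" if v["malicious"] else "allow"
        print(f"pid {pid} {v['proc']}: score {v['score']} -> {action}")
```

Two things worth noticing. First, nothing here depends on the file's contents, so obscuring or repacking the binary does not change the verdict; that is the property the paragraph is describing. Second, a heuristic like this can only fire after some files have already been touched, which is exactly why the rollback capability discussed further down matters: behavioural detection buys you an early stop, and remediation has to cover whatever was encrypted before the stop.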

This is the unique power of combined intelligence.

Let's consider a case where a ransomware attack actually manages to infect an endpoint and the malware begins to move laterally within the network.

Here's where McAfee's host-based intrusion prevention technology helps to stop ransomware's lateral movement, so it doesn't spread and infect the rest of your endpoints. EDR will detect and prioritize alerts of anomalous behavior for further investigation so SOCs can respond to these threats, such as by isolating or quarantining particular endpoints.

Typically, customers have had only two courses of action after a ransomware attack. If they were fortunate to have made backups, they can choose to reimage their machines. But that’s also a laborious process that takes time and can be quite expensive. Or they can surrender to the attacker’s demands and pay the ransom to unlock their information.

But McAfee’s endpoint solution includes a unique feature that allows customers to actually roll back the effects of a ransomware attack with enhanced remediation technology that can even restore encrypted data. This is a brilliant technical innovation that further sets our solution apart from the rest of the industry. Organizations can save on average $500 per node in labor and productivity costs by eliminating the need to reimage machines with Rollback Remediation. Watch the video below to see Rollback Remediation in action.

Dynamic application containment (DAC) is another technology that McAfee has developed to further protect endpoints. DAC reduces the ability of greyware to make malicious changes to the system while minimizing end-user impact, as it does not use or require a heavy sandbox or app virtualization. This works either online or offline and protects endpoints without compromising business continuity.

Human-Machine Teaming

After collecting telemetry from a vast data lake, our threat researchers apply AI to extract insights that translate into actionable intelligence for our customers. This process of “human machine teaming” is a powerful combination that generates proactive intelligence, so organizations remain ahead of the gathering threats on the horizon. SOC teams can view real-time updates as they drill down to learn about new threats in their environments based on geography and industry.

All too often, security defenders find themselves in a mad scramble trying to separate out false positives from an overwhelming number of alerts flooding their screens. All the while, the bad guys are plying their trade. But McAfee takes the guesswork out of that process so they can get a complete and realistic look at the attack landscape.

Our endpoint security platform alerts defenders about any devices in their network that may lack sufficient protection. They can then go ahead and isolate any devices at risk of getting breached or take any remediation actions to protect the organization. When all is said and done, the system is fully protected.

For organizations increasingly in the crosshairs of ransomware attacks, these tools will make all the difference. It’s the future of intelligent endpoint security.

For more information, visit McAfee Endpoint Security.

Live Webinar

Why Ransomware Targets No Longer Need to Wind Up as Ransomware Victims

September 29, 2020
10am PT | 1pm BST | 10am SGT


The post Why Ransomware Targets No Longer Need to Wind Up as Ransomware Victims appeared first on McAfee Blogs.

We’re Named 2020 Gartner Peer Insights Customers’ Choice for Enterprise DLP

The McAfee team is very proud to announce today that, for the second time in a row [1], McAfee was named a Gartner Peer Insights Customers’ Choice for Enterprise Data Loss Prevention for its McAfee Data Loss Prevention Solution. We see the recognition as a historic landmark for McAfee because it represents a trifecta of Gartner distinction this year: we have now been named a 2020 Gartner Peer Insights Customers’ Choice for the three McAfee products that are integrated to make up the cloud-native McAfee MVISION Unified Cloud platform: McAfee MVISION Cloud Access Security Broker, McAfee Secure Web Gateway, and McAfee Data Loss Prevention. McAfee Unified Cloud is a framework for implementing a Secure Access Service Edge (SASE) architecture and a safe way to accelerate digital transformation with cloud services, enable cloud and internet access from any device, and allow ultimate workforce productivity.


In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

For this distinction, a vendor must have at least 50 published reviews with an average overall rating of 4.3 stars or higher. McAfee received 75 reviews with an overall rating of 4.3 out of 5 as of 31 May 2020.

Here are some quotes from customers that contributed to this distinction:

“Great Product, Broad Protection, Easy to Use.”

“McAfee DLP offers broad coverage of protection. The product is easy to deploy and use. We have deployed the solution to 100K+ endpoint devices with minimum issues. DLP rules are easy to configure. Integration with other vendor products is smooth.”

Manager Cybersecurity, Security & Risk Management, in Transportation Industry: Read full review here

“Implementation Is Easy and It Provides Universal Data Protection Across Endpoints.”

“McAfee DLP is the best Data Loss Prevention tool. It has a lot of features to safeguard sensitive data. It has the ability to connect and synchronize on-premises DLP and cloud DLP policies with a single administrative portal, and lots of other features like integration with third-party tools for analytics, which helps InfoSec teams safeguard the data and view the details of every endpoint.”

Programmer Analyst, Applications, Finance Industry: Read full review here

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Enterprise Data Loss Prevention. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

[1] McAfee was named a Gartner Peer Insights Customers’ Choice in 2018 and 2020; Gartner did not have one for the Enterprise DLP category in 2019.

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitutes the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; it neither represents the views of, nor constitutes an endorsement by, Gartner or its affiliates.

The post We’re Named 2020 Gartner Peer Insights Customers’ Choice for Enterprise DLP appeared first on McAfee Blogs.

McAfee XDR: Taking Threat Detection and Response to a New Level

In the battle to protect digital data, the stakes have never been higher, and the outcome has never been more uncertain.

Enterprises face ever-changing threats to their digital assets both inside and outside the traditional network perimeter from sophisticated threat actors, who use a changing assortment of techniques to find ways to skirt traditional security controls.

It’s also increasingly difficult for SOC teams to stay ahead of the attackers. Too often, they rely on an assortment of disconnected security tools and data sets supplied by different vendors. This is a flawed approach that requires multiple tools and consoles, driving up cost and the resources to make sense of the sea of data, leaving organizations with less visibility and manageability.

Many organizations still rely on EDR systems to get information about attacks against their endpoints that may be undetected or unclassified by traditional EPP solutions. However, enterprises nowadays require an extended protective umbrella that can defend not just legacy endpoints but also mobile devices and cloud workloads, all without overburdening in-house staff or requiring even more resources. Detecting today’s advanced threats requires more than a collection of point solutions. SOCs need a platform that intelligently reveals advanced adversaries, leading to better, faster security outcomes.

The Rise of XDR

Companies simply can’t afford not to have full visibility into who’s trying to attack them. Here is where the deployment of Extended Detection and Response (XDR) can have a powerful security impact. XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform.

Gartner defines XDR as a SaaS-based security threat detection and incident response tool that natively integrates different security products into a cohesive security operations system. That’s a mouthful, but in practice XDR makes the job of defenders easier by delivering a full complement of security capabilities, everything from asset discovery and threat detection to vulnerability assessment, investigation and response. We see how detection efficacy drops when multiple platforms and consoles are required to identify and remediate threats. With XDR, defenders have a single-pane view into their environment across different platforms, both on-prem and in the cloud.

It also changes the nature of threat hunting. Consider an organization that’s using a SIEM. The system collects information in batches, typically from non-endpoint data sources and security countermeasures, which isn’t the same as delivering real-time results. Even if SOC teams try to get faster answers by stitching together custom tools to correlate data, they still lag behind the attackers.

By contrast, an XDR platform offers real-time access to all the telemetry needed to conduct a hunt and retrieve results in seconds. That helps defenders streamline triage and investigation and unlock insights that were out of reach with earlier security tools.

Making a Difference

XDR is not a bullet-point discussion. We’re talking about different needs, delivered in different ways, for different customers, each leveraging its own set of multi-vendor sensors and countermeasures.

This is where a trusted partner with a broad portfolio makes all the difference in that customer journey. As cybercriminals and groups acting on behalf of nation-states step up their nefarious activities, the outcome of this struggle against bad actors turns on speed, reliability, and predictable security outcomes.

An innovator in this field, McAfee is particularly suited to help customers to meet that challenge with a sophisticated intelligence-driven security platform. As Gartner noted earlier this year in a wide-ranging report on XDR, McAfee’s approach leverages a deep technological understanding of the relationships in the underlying data to help speed rapid out-of-the box integration.

McAfee’s XDR also benefits from a rich security legacy and a deep product portfolio. We’re also uniquely equipped to provide actionable intelligence on security threats because we can access over one billion global sensors across devices, networks and in the cloud.

The mobilization of that full complement of security capabilities delivers more complete threat detection, investigation, and response than any other security provider. For instance, when enterprises implement the security products that comprise McAfee’s XDR solution, they also benefit from the following:

  • AI and Expert System Security Analytics
  • A single interface for detections at the endpoint, sandbox, network, Internet perimeter/edge/gateway, and cloud
  • Accurate threat prioritization that helps predict potential impact as well as any countermeasures to foil an attack – the only solution that does this in a concurrent manner
  • Combined threat and detection data from your environment for richer, more meaningful alerts as well as prescriptive configuration suggestions to improve protection efficiency
  • More context and intelligent correlation leading to faster detection and higher fidelity alerts

The upshot is that McAfee XDR dramatically reduces the time defenders need to detect, contain, and respond to threats. Our AI and Big Data analytics capabilities supply SOCs with threat and campaign insights before an attack changes course, so they avoid wasting time chasing false positives. Defenders get fewer and more meaningful alerts, making it easier to prioritize their response based on the severity and potential impact of a threat.

In a nutshell: McAfee XDR delivers a complete platform that gives SOCs visibility into how threats are impacting your key business processes, prioritizes response, and delivers a fully integrated platform of security technologies.

While it may not yet be ready for prime time, XDR is poised to become an important part of the unfolding security story this year and beyond as more enterprises move their information to the cloud. It’s also why having an experienced partner by your side to help unlock the full benefits of a cohesive, unified security incident detection and response platform has never been more important.

For more information visit: mcafee.com/XDR

The post McAfee XDR: Taking Threat Detection and Response to a New Level appeared first on McAfee Blogs.

Meaningful Context for Your Endpoint Threat Investigations


Threat intelligence (TI), the art of distilling everything that is happening globally in the adversarial threatscape down to the context your company and your security team actually need in order to know about a threat and take mitigating action against it, is hard. Yet many companies continue to try to build a threat intelligence capability from the ground up, only to find that their TI programs are not what they really want them to be. No wonder, then, that while 64% of companies say they have threat-intelligence programs, only 36% believe they would catch a sophisticated attacker, according to an Ernst & Young report on cyber threat intelligence. What is causing this gap in the effectiveness of TI programs?

A significant part of the problem with TI is that human analysts must absorb the global TI, prioritize it for their organization, and then locally operationalize any intelligence relevant to their company, and that is not easy. Having access to TI is only the first step on the road to adding context to the events your team is seeing inside the network. Turning external threat feeds or data from a Threat Intelligence Program (TIP) into useful context for security teams, and then connecting that context to individual actions and projects, takes time and resources to produce results. The process is often slow and resource-intensive, further delaying detection. Less than 20% of breaches are stopped in a timely fashion (e.g. in a matter of hours), according to Verizon. Worse than that, knowing about a threat before you encounter it (e.g. a campaign) and then being breached while you are still working on proactively tuning your countermeasures against that threat would be disastrous. A lack of timely, actionable context from TI is therefore a main contributor to NOT being proactively prepared for an attack. Is there any way to produce actionable context, appropriate for your organization, in a timely and resource-efficient manner? Is there any way to expand that context to threats that are NOT yet in your environment but are headed your way?

Threat Intelligence Context: Leverage EDR or not? 

As companies continue to deploy endpoint detection and response (EDR) on users’ machines, security teams are recognizing that the technology can detect anomalous behavior on the endpoint. But determining the degree to which those activities constitute a real threat that matters to you requires more context. Without the context to interpret whether an activity on the system is malicious or benign, companies are limited in their ability to do threat hunting. Sidebar: threat hunting is the practice of proactively searching for cyber threats that are hidden, undetected, in an organization’s environment.

Without context-sensitive threat intelligence integrated with EDR, SOC teams are reduced to endlessly searching endpoint events for known IOCs associated with adversaries and then manually cross-correlating them with external TI. They have no way to automatically cross-correlate these events with known adversarial activities or known adversarial TTPs (e.g. a known C&C IP address), and they end up with a very low signal-to-noise (SN) ratio, wasting lots of time investigating things that turn out to be nothing because they miss all the TI correlations. Having a way to incorporate TI in a contextual manner would greatly improve the signal-to-noise ratio and make the SOC team much more effective.

That’s where effective TI integration comes into play and separates effective TI programs from ineffective ones. With properly integrated TI, you should have easy access to things like crowdsourced attack data that identifies Tactics, Techniques and Procedures (TTPs). Once new TTPs have been identified by the cyber intelligence community, threat hunters have an easy, high-fidelity way to look for specific attack behaviors in the organization’s environment, knowing which attacks those TTPs are related to. With this kind of TI integration, the Security Operations Center (SOC) can identify threats more quickly and dramatically improve the signal-to-noise ratio for accurately prioritized investigations. However, I would argue that this is just table stakes. How can we take TI integration to the next level?

A truly superior TI integration would additionally prioritize known threats based on factors such as whether the threat is targeting your industry sector and geography and, most importantly, predict the risk of your environment being impacted by the threat. This actionable TI would offer countermeasures and prescribe what you need to do if the countermeasures are predicted to be ineffective. With this next level of TI integration, the Security Operations Center (SOC) can actually become more proactive by automating the analysis of threats the organization hasn’t even encountered yet. The organization is now prepared for attacks that EDR hasn’t even seen yet!

Reality check: how many organizations have this level of context and integration on threats? Not many.

The ones I am aware of today are the current McAfee customers who participated in our Joint Development Program for MVISION Insights this past quarter.

McAfee has created its MVISION Insights service to provide superior, integrated TI so that security teams can prioritize and predict threats by cross-correlating known campaigns, using industry and geographical threat activity, with their own security posture derived from their security telemetry, and prescribe the most effective way of dealing with the threat. This kind of solution empowers the SOC to move beyond manual TI cross-correlation, to prioritize the threats that matter much more easily, and to move from being reactive to being a lot more proactive.

MVISION Insights empowers McAfee MVISION EDR on many fronts by offering the SOC analyst more actionable context, so the SOC can be more proactive.

This kind of TI integration can reduce the unnecessary investigations a SOC does and can also improve the speed and accuracy of the investigations that have resources assigned. By having the context of a threat (e.g. organized, curated TTPs for campaigns, the attack operation and objective, a list of IOCs, etc.), the SOC analyst can apply this context to a current investigation and really reduce the time and effort needed to complete it. Additional context like this can both eliminate unnecessary investigations and accelerate the remaining ones to decisive resolution.

TI Context is King But… 

We have seen that as EDR capabilities are adopted more widely, it is becoming increasingly clear that knowing what is happening on the endpoint and ‘looking for clues’ is not enough. Without meaningful and automated context from a properly integrated TI capability, companies are slower to identify malicious events, may not prioritize investigations of attacks headed their way, and could take the wrong steps to remediate threats. The problem is that time is critical: an attacker can use a couple of days to do really bad things in your network. Effective, automated signal-to-noise improvement through a properly integrated TI program can help you quickly detect and hunt down attackers and be proactive against threats that are headed your way but not yet in your environment.

Context is not just a brief write-up from a TIP or an external threat intelligence feed. Typically, a human must read, interpret and analyze that feed, often leading to a significant delay in incorporating the information into the SOC response. In most cases, TI products do not offer enough remediation guidance; they just provide the threat profile.

A properly integrated TI program can solve these problems, and a superior TI integration can move the SOC to being proactive. McAfee’s MVISION Insights delivers actionable intelligence and context in an automated way that can augment and speed up investigations and make the SOC proactive with respect to threats that haven’t even been detected in the organization. By freeing analysts from manual analysis of intelligence feeds, companies can catch more attacks more quickly and be proactive against threats targeting them.

Moreover, the insight does not come from a few instances or open-source feeds, but from the entire McAfee customer base across the globe, from over 1B sensors.

Many companies are delivering machine learning and artificial intelligence applications to security orchestration, automation and response. Very few possess the data and context from a customer base as large as ours.

Having the right TI context from a well-respected source with statistical reach, together with threat analysis that is actionable, gives organizations the confidence to address a sophisticated attacker before their attack, elevates TI context to new heights, and shifts cyber security toward being more proactive.

For more on McAfee Insights, check out our webinar.  

On-Demand Webinar

Get Ahead of the Adversary with Proactive Endpoint Security


The post Meaningful Context for Your Endpoint Threat Investigations appeared first on McAfee Blogs.

Using Real-Time Events in Investigations

To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT), registry hives, and Application Compatibility Cache (AppCompat). However, these evidence sources were not designed with detection or incident response in mind; crucial details may be omitted or cleared through anti-forensic methods. By looking at historical evidence alone, an analyst may not see the full story.

Real-time events can be thought of as forensic artifacts specifically designed for detection and incident response, implemented through Enterprise Detection and Response (EDR) solutions or enhanced logging implementations like Sysmon. During active-attacker endpoint investigations, FireEye Mandiant has found real-time events to be useful in filling in the gaps of what an attacker did. These events record different types of system activities such as process execution, file write activity, network connections, and more.

During incident response engagements, Mandiant uses FireEye Endpoint Security to track endpoint system events in real-time. This feature allows investigators to track an attacker on any system by alerting on and reviewing these real-time events. An analyst can use our solution’s built-in Audit Viewer or Redline to review real-time events.

Let’s look at some examples of Windows real-time events available on our solution and how they can be leveraged during an investigation. Let’s assume the account TEST-DOMAIN\BackupAdmin was an inactive Administrator account compromised by an attacker. Please note the examples provided in this post are based on real-time events observed during engagements but have been recreated or altered to preserve client confidentiality.

Process Execution Events

There are many historical process execution artifacts including AppCompat, AmCache, WMI CCM_RecentlyUsedApps, and more. A single artifact rarely covers all the useful details relating to a process's execution, but real-time process execution events change that. Our solution’s real-time process execution events record execution time, full process path, process identification number (PID), parent process path, parent PID, user, command line arguments, and even the process MD5 hash.

Table 1 provides an example of a real-time process execution event recorded by our solution.

Field                 Example
Timestamp (UTC)       2020-03-10 16:40:58.235
Sequence Number       2879512
PID                   9392
Process Path          C:\Windows\Temp\legitservice.exe
Username              TEST-DOMAIN\BackupAdmin
Parent PID            9103
Parent Process Path   C:\Windows\System32\cmd.exe
EventType             Start
ProcessCmdLine        "C:\Windows\Temp\legitservice.exe"  -b -m
Process MD5 Hash      a823bc31395539816e8e4664e884550f

Table 1: Example real-time process execution event

Based on this real-time process execution event, the process C:\Windows\System32\cmd.exe with PID 9103 executed the file C:\Windows\Temp\legitservice.exe with PID 9392 and the MD5 hash a823bc31395539816e8e4664e884550f. This new process used the command line arguments -b -m under the user context of TEST-DOMAIN\BackupAdmin.

We can compare this real-time event with what an analyst might see in other process execution artifacts. Table 2 provides an example AppCompat entry for the same executed process. Note the recorded timestamp is for the last modified time of the file, not the process start time.

Field                       Example
File Last Modified (UTC)    2020-03-07 23:48:09
File Path                   C:\Windows\Temp\legitservice.exe
Executed Flag               TRUE

Table 2: Example AppCompat entry

Table 3 provides an example AmCache entry. Note the last modified time of the registry key can usually be used to determine the process start time and this artifact includes the SHA1 hash of the file.

Field                              Example
Registry Key Last Modified (UTC)   2020-03-10 16:40:58
File Path                          C:\Windows\Temp\legitservice.exe
File Sha1 Hash                     2b2e04ab822ef34969b7d04642bae47385be425c

Table 3: Example AmCache entry

Table 4 provides an example Windows Event Log process creation event. Note this artifact includes the PID in hexadecimal notation, details about the parent process, and even a field where the process command line arguments should be. In this example the command line arguments are not present because command-line logging for process creation events is disabled by default, and Mandiant rarely sees this policy enabled by clients on investigations.

Field              Example
Write Time (UTC)   2020-03-10 16:40:58
Log                Security
Source             Microsoft Windows security
EID                4688
Message            A new process has been created.

Creator Subject:
      Security ID:             TEST-DOMAIN\BackupAdmin
      Account Name:            BackupAdmin
      Account Domain:          TEST-DOMAIN
      Logon ID:                0x6D6AD

Target Subject:
      Security ID:             NULL SID
      Account Name:            -
      Account Domain:          -
      Logon ID:                0x0

Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\Windows\Temp\legitservice.exe
      Token Elevation Type:    %%1938
      Mandatory Label:         Mandatory Label\Medium Mandatory Level
      Creator Process ID:      0x238f
      Creator Process Name:    C:\Windows\System32\cmd.exe
      Process Command Line:

Table 4: Example Windows event log process creation event

If we combine the evidence available in AmCache with a fully detailed Windows Event Log process creation event, we could match the evidence available in the real-time event except for a small difference in file hash types.

File Write Events

An attacker may choose to modify or delete important evidence. If an attacker uses a file shredding tool like Sysinternals’ SDelete, it is unlikely the analyst will recover the original contents of the file. Our solution’s real-time file write events are incredibly useful in situations like this because they record the MD5 hash of the files written and partial contents of the file. File write events also record which process created or modified the file in question.

Table 5 provides an example of a real-time file write event recorded by our solution.

Field                                   Example
Timestamp (UTC)                         2020-03-10 16:42:59.956
Sequence Number                         2884312
PID                                     9392
Process Path                            C:\Windows\Temp\legitservice.exe
Username                                TEST-DOMAIN\BackupAdmin
Device Path                             \Device\HarddiskVolume2
File Path                               C:\Windows\Temp\WindowsServiceNT.log
File MD5 Hash                           30a82a8a864b6407baf9955822ded8f9
Num Bytes Seen Written                  8
Size                                    658
Writes                                  4
Event reason                            File closed
Closed                                  TRUE
Base64 Encoded Data At Lowest Offset    Q3JlYXRpbmcgJ1dpbmRvd3NTZXJ2aWNlTlQubG9nJyBsb2dmaWxlIDogT0sNCm1pbWlrYXR6KGNvbW1hbmQ
Text At Lowest Offset                   Creating 'WindowsServiceNT.log' logfile : OK....mimikatz(command

Table 5: Example real-time file write event

Based on this real-time file write event, the malicious executable C:\Windows\Temp\legitservice.exe wrote the file C:\Windows\Temp\WindowsServiceNT.log to disk with the MD5 hash 30a82a8a864b6407baf9955822ded8f9. Since the real-time event recorded the beginning of the written file, we can determine the file likely contained Mimikatz credential harvester output which Mandiant has observed commonly starts with OK....mimikatz.

If we investigate a little later, we’ll see a process creation event for C:\Windows\Temp\taskassist.exe with the MD5 file hash 2b5cb081721b8ba454713119be062491 followed by several file write events for this process summarized in Table 6.

Timestamp                File Path                              File Size
2020-03-10 16:53:42.351  C:\Windows\Temp\WindowsServiceNT.log   638
2020-03-10 16:53:42.351  C:\Windows\Temp\AAAAAAAAAAAAAAAA.AAA   638
2020-03-10 16:53:42.351  C:\Windows\Temp\BBBBBBBBBBBBBBBB.BBB   638
2020-03-10 16:53:42.351  C:\Windows\Temp\CCCCCCCCCCCCCCCC.CCC   638
...                      ...                                    ...
2020-03-10 16:53:42.382  C:\Windows\Temp\XXXXXXXXXXXXXXXX.XXX   638
2020-03-10 16:53:42.382  C:\Windows\Temp\YYYYYYYYYYYYYYYY.YYY   638
2020-03-10 16:53:42.382  C:\Windows\Temp\ZZZZZZZZZZZZZZZZ.ZZZ   638

Table 6: Example timeline of SDelete file write events

Admittedly, this activity may seem strange at first glance. If we do some research on its file hash, we’ll see the process is actually SDelete masquerading as C:\Windows\Temp\taskassist.exe. As part of its secure deletion process, SDelete renames the file 26 times in a successive alphabetic manner.

Network Events

Incident responders rarely see evidence of network communication from historical evidence on an endpoint without enhanced logging. Usually, Mandiant relies on NetFlow data, network sensors with full or partial packet capture, or malware analysis to determine the command and control (C2) servers with which a malware sample can communicate. Our solution’s real-time network events record both local and remote network ports, the leveraged protocol, and the relevant process.

Table 7 provides an example of a real-time IPv4 network event recorded by our solution.

Field              Example
Timestamp (UTC)    2020-03-10 16:46:51.690
Sequence Number    2895588
PID                9392
Process + Path     C:\Windows\Temp\legitservice.exe
Username           TEST-DOMAIN\BackupAdmin
Local IP Address   10.0.0.52
Local Port         57472
Remote IP Address  10.0.0.51
Remote Port        443
Protocol           TCP

Table 7: Example real-time network connection event

Based on this real-time IPv4 network event, the malicious executable C:\Windows\Temp\legitservice.exe made an outbound TCP connection to 10.0.0.51:443.

Registry Key Events

By using historical evidence to investigate relevant timeframes and commonly abused registry keys, we can identify malicious or leveraged keys. Real-time registry key events are useful for linking processes to the modified registry keys. They can also show when an attacker deletes or renames a registry key. This is useful to an analyst because the only available timestamp recorded in the registry is the last modified time of a registry key, and this timestamp is updated if a parent key is updated.

Table 8 provides an example of a real-time registry key event recorded by our solution.

Field                 Example
Timestamp (UTC)       2020-03-10 16:46:56.409
Sequence Number       2898196
PID                   9392
Process + Path        C:\Windows\Temp\legitservice.exe
Username              TEST-DOMAIN\BackupAdmin
Event Type            3
Path                  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LegitWindowsService\ImagePath
Key Path              CurrentControlSet\Services\LegitWindowsService
Original Path         HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LegitWindowsService
Value Name            ImagePath
Value Type            REG_EXPAND_SZ
Base64 Encoded Value  QwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABsAGUAZwBpAHQAcwBlAHIAdgBpAGMAZQAuAGUAeABlAAAAAA==
Text                  C:\Windows\Temp\legitservice.exe

Table 8: Example real-time registry key event

For our solution's real-time registry events, we can map the event type to the operation performed using Table 9.

Event Type Value   Operation
1                  PreSetValueKey
2                  PreDeleteValueKey
3                  PostCreateKey, PostCreateKeyEx, PreCreateKeyEx
4                  PreDeleteKey
5                  PreRenameKey

Table 9: FireEye Endpoint Security real-time registry key event types

Based on this real-time registry key event, the malicious executable C:\Windows\Temp\legitservice.exe created the Windows service LegitWindowsService. If we investigated the surrounding registry keys, we might identify even more information about this malicious service.
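As an added example (not code from the Mandiant post or from FireEye Endpoint Security), the following Python shows how an analyst can automate the interpretation steps walked through above: decoding the base64 "lowest offset" data of a file write event to spot Mimikatz-style output, recognising SDelete's A..Z rename sequence from a run of file write events, using the Table 9 mapping to turn a registry key event under Services\ into a service-creation finding, and converting the hexadecimal PIDs of an EID 4688 record to decimal so they can be matched against real-time event PIDs. All events are constructed sample data shaped like the tables above, and the SDelete process PID 9410 is made up.

```python
import base64
import re
import string

# Every event below is constructed for this example (modelled on the tables above).
REGISTRY_EVENT_TYPES = {  # Table 9 mapping as given in the post
    1: "PreSetValueKey", 2: "PreDeleteValueKey",
    3: "PostCreateKey, PostCreateKeyEx, PreCreateKeyEx",
    4: "PreDeleteKey", 5: "PreRenameKey",
}

FILE_WRITE_EVENTS = [  # Table 5 ...
    {"ts": "2020-03-10 16:42:59.956", "pid": 9392, "size": 658,
     "path": r"C:\Windows\Temp\WindowsServiceNT.log",
     "b64_lowest": "Q3JlYXRpbmcgJ1dpbmRvd3NTZXJ2aWNlTlQubG9nJy"
                   "Bsb2dmaWxlIDogT0sNCm1pbWlrYXR6KGNvbW1hbmQ"},
] + [  # ... plus the 26 A..Z renames of Table 6; PID 9410 is made up
    {"ts": "2020-03-10 16:53:42.351", "pid": 9410, "size": 638,
     "path": r"C:\Windows\Temp\%s.%s" % (c * 16, c * 3), "b64_lowest": ""}
    for c in string.ascii_uppercase
]

REGISTRY_EVENTS = [  # Table 8
    {"ts": "2020-03-10 16:46:56.409", "pid": 9392, "event_type": 3,
     "path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
             r"\LegitWindowsService\ImagePath",
     "b64_value": "QwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABsAG"
                  "UAZwBpAHQAcwBlAHIAdgBpAGMAZQAuAGUAeABlAAAAAA=="},
]

# Constructed EID 4688 message in the shape of Table 4 (PIDs are hex there).
EVENT_4688 = """A new process has been created.
Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\\Windows\\Temp\\legitservice.exe
      Creator Process ID:      0x238f
      Creator Process Name:    C:\\Windows\\System32\\cmd.exe
"""

def _b64(data):
    """Decode base64 that an export may have left unpadded (as in Table 5)."""
    data = "".join(data.split())
    return base64.b64decode(data + "=" * (-len(data) % 4))

def lowest_offset_text(event):
    """Recover the 'Text At Lowest Offset' field from its base64 form."""
    return _b64(event["b64_lowest"]).decode("latin-1")

def looks_like_mimikatz_output(event):
    """The post notes Mimikatz output commonly starts with 'OK....mimikatz'."""
    return re.search(r"OK[\r\n.]*mimikatz\(", lowest_offset_text(event)) is not None

def sdelete_rename_letters(events, pid):
    """Letters seen in 16-char single-letter file names (NAME.NNN) written by pid."""
    names = [ev["path"].rsplit("\\", 1)[-1] for ev in events if ev["pid"] == pid]
    hits = [re.fullmatch(r"([A-Z])\1{15}\.\1{3}", n) for n in names]
    return "".join(sorted({m.group(1) for m in hits if m}))

def is_sdelete_pattern(events, pid):
    """True when the full A..Z rename sequence described in the post was seen."""
    return sdelete_rename_letters(events, pid) == string.ascii_uppercase

def registry_value_text(event):
    """REG_SZ/REG_EXPAND_SZ values are UTF-16LE with trailing NUL bytes."""
    raw = _b64(event["b64_value"])
    raw = raw[: len(raw) // 2 * 2]           # drop a stray odd trailing byte
    return raw.decode("utf-16-le").rstrip("\x00")

def created_services(events):
    """(service name, ImagePath) for each key-creation event (Table 9 type 3) under Services."""
    pat = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$")
    hits = [(pat.match(ev["path"]), ev) for ev in events
            if "PostCreateKey" in REGISTRY_EVENT_TYPES.get(ev["event_type"], "")]
    return [(m.group(1), registry_value_text(ev)) for m, ev in hits if m]

def parse_4688(message):
    """Pull the hex PIDs out of a 4688 message and convert them to decimal."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", message, re.M))
    return {"new_pid": int(fields["New Process ID"], 16),
            "creator_pid": int(fields["Creator Process ID"], 16),
            "new_name": fields["New Process Name"]}

def findings_for_pid(pid):
    """Findings an analyst would attach to one PID's real-time timeline."""
    out = []
    for ev in FILE_WRITE_EVENTS:
        if ev["pid"] == pid and ev["b64_lowest"] and looks_like_mimikatz_output(ev):
            out.append("mimikatz-like output written to " + ev["path"])
    if is_sdelete_pattern(FILE_WRITE_EVENTS, pid):
        out.append("SDelete-style 26-step rename pattern")
    for svc, image in created_services([e for e in REGISTRY_EVENTS if e["pid"] == pid]):
        out.append("service %s created with ImagePath %s" % (svc, image))
    return out
```

Running findings_for_pid(9392) yields the Mimikatz-output and LegitWindowsService findings, and findings_for_pid(9410) yields only the SDelete rename pattern.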

Conclusion

The availability of real-time events designed for forensic analysis can fill in gaps that traditional forensic artifacts cannot on their own. Mandiant has seen great value in using real-time events during active-attacker investigations. We have used real-time events to determine the functionality of attacker utilities that were no longer present on disk, to determine users and source network addresses used during malicious remote desktop activity when expected corresponding event logs were missing, and more.

Check out our FireEye Endpoint Security page and Redline page for more information (as well as Redline on the FireEye Market), and take a FireEye Endpoint Security tour today.