coachtaya.blogg.se

Pinpoint security





As various private organizations and high-value government bodies figure out the blast radius of the recent state-sponsored SolarWinds attack, with Cisco Endpoint Security Analytics (CESA) in your toolkit you could quickly assess your own exposure…like the CESA customer noted below.

CESA brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform to help address the endpoint visibility gap left behind by traditional EDR/EPP solutions and network security analytics platforms.

So how does CESA accomplish this for the SolarWinds breach? Well, it’s actually in its wheelhouse. CESA’s ability to associate what endpoint accessed what domain, as well as what software processes and protocols were used, enables immediate visibility to what endpoints are exposed, for both on-net and off-net endpoints, within minutes.

How do we know? Our CESA users have told us. Here’s an excerpt from a customer email we received:

“(IR analyst) brought up a great point today while digging out of this Solarwinds mess. We were able to connect local Windows processes to domains that were reported in the IOC lists. With this information we could quickly understand what our endpoint exposure was for all managed hosts from their NVM logs. It also gave us a view into other domains that might have been associated with this attack, but not yet publicly published. We likely never would have seen this data and could not explain our exposure to this severe threat. (AnyConnect) NVM logs in Splunk once again helped to save the day.”

If you want to get deep on this, below is a sample CESA Splunk query tuned for this scenario that the customer used to discover stage-2 C&C activities from SolarWinds that their malware solution missed.





