Q: What is the failed process undermining your expensive and outwardly mature information security program?

Anyone who has used Cb Response (or other leading Endpoint Detection and Response platforms) recognizes the power it offers security teams. Cb Response was built for the express purpose of supercharging the incident response process. Instead of painstakingly collecting terabytes of data that need to be loaded, carved, and analyzed using expensive systems, simply collect most of what you want up front so that it’s available the moment it’s needed. The same principle applies to root cause analysis. With all of the data recorded, you can easily wind back the tape to determine what happened and where a threat originated.

Years ago, as Red Canary began to scale security operations atop the Carbon Black (Cb) Response platform, we immediately started to identify some common use cases. The use case that we weren’t able to meet using built-in functionality was inventory.

Inventory is the cornerstone of any successful security program. If you don’t know what you have, you can’t possibly monitor, defend, or respond. And inventory is more than simple asset identification and tracking. To expand on that, let’s look at Red Canary’s use case as an example. For our purposes, inventory means that we understand:

- What endpoints we’re monitoring in our customers’ environments.
- The user accounts active on those endpoints.
- The processes that users are executing on each endpoint.
- How those processes are being leveraged (i.e., how they are being spawned, and with what command line arguments).

It’s easy to find binaries and processes that meet specific criteria and then investigate them at a low level. For all of the strengths of EDR, one shortcoming is an inability to answer simple questions related to inventory and scope. It’s great to know that we have thousands of processes that meet some criteria, but many times we really need to start by answering some far simpler questions like:

- How many endpoints are syncing data with Dropbox?
- Who’s using PSExec and how is it being used?
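The two questions above are answered here over process telemetry of the kind an EDR records, as an added example that is not Red Canary’s or Carbon Black’s code; the records, field names (hostname, username, image, parent_name, cmdline) and helper functions are constructed for illustration and are not any product’s schema or API.

```python
# Added example, not Red Canary's or Carbon Black's code: answering the page's
# inventory and scope questions over EDR-style process telemetry. Records and
# field names are constructed for illustration, not any product's schema.
from collections import defaultdict
from pathlib import PureWindowsPath

def rec(host, user, image, parent, cmdline):
    """Build one constructed process-start record."""
    return {"hostname": host, "username": user, "image": image,
            "parent_name": parent, "cmdline": cmdline}

# Constructed telemetry: one record per observed process start.
TELEMETRY = [
    rec("WS-001", "alice", r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",
        "explorer.exe", "Dropbox.exe /systemstartup"),
    rec("WS-001", "alice", r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",
        "explorer.exe", "Dropbox.exe /systemstartup"),      # same host, seen again
    rec("WS-002", "bob", r"C:\Users\bob\AppData\Roaming\Dropbox\bin\DROPBOX.EXE",
        "explorer.exe", "DROPBOX.EXE /systemstartup"),      # different casing
    rec("WS-003", "carol", r"C:\Windows\System32\notepad.exe", "explorer.exe", "notepad.exe"),
    rec("SRV-01", "svc_deploy", r"C:\Tools\PsExec.exe", "cmd.exe",
        r"PsExec.exe \\FILE-01 ipconfig /all"),
    rec("WS-002", "bob", r"C:\Tools\psexec.exe", "powershell.exe",
        r"psexec.exe \\SRV-01 ipconfig /all"),
]

def base_name(image):
    """Lowercase file name, so casing and install path do not split one program."""
    return PureWindowsPath(image).name.lower()

def endpoints_running(records, name):
    """Hostnames on which `name` (e.g. 'dropbox.exe') was observed at least once."""
    return {r["hostname"] for r in records if base_name(r["image"]) == name}

def scope(records, name):
    """'How many endpoints?' as (matching, monitored): the count is only
    meaningful against the full inventory of endpoints being watched."""
    monitored = {r["hostname"] for r in records}
    return len(endpoints_running(records, name)), len(monitored)

def usage_by_user(records, name):
    """'Who is using it and how?': per user, distinct (host, parent, cmdline)."""
    seen = defaultdict(set)
    for r in records:
        if base_name(r["image"]) == name:
            seen[r["username"]].add((r["hostname"], r["parent_name"], r["cmdline"]))
    return {user: sorted(combos) for user, combos in seen.items()}
```

Searching for the process name alone would return six Dropbox-related hits; the inventory view collapses them to two of four monitored endpoints, and the per-user view shows the parent process and arguments that tell an analyst how PSExec is actually being run.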