Should I install a universal forwarder on everyone's workstation in order to track possible malware attacks through correlation searches? Is this best practice?
Hi,
I would not. Typically malware information can be easily gathered from a database (whether the EPP product's own, or a config management tool).
I'm leaning towards yes on this question.
ES is good at telling you that there are anomalies in flows of data.
You've still got to apply the subject matter expertise to know if that's malware behavior or something else (through the use of a security analyst).
Malware is more likely to occur on a user's machine, which could lead to an outbreak.
Catching anomalies early can prevent an outbreak.
You did technically answer my question correctly 🙂; I did not phrase it correctly. I meant to view Windows security events that could possibly be malware, not specifically malware events. Thanks!
Correct, and those anomalies are what our security analyst would look at to determine the root cause and determine whether or not it is possibly intrusive activity. You'd be able to correlate with several other users' machines to determine what is an anomaly and what is normal activity.
As a Splunker, I suppose that I ought to suggest that you log all events from all software products and use full packet capture too 🙂 However, there's still a question about what you'll do with that data. ES is good at telling you that there are anomalies in flows of data, but you've still got to apply the subject matter expertise to know if that's malware behavior or something else. It won't tell you "this thing is malware that your EPP vendor doesn't know about", it will tell you "this is weird".
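To make the cross-machine correlation from the two posts above concrete, here is an added example that is not part of the original thread and not Splunk's code: a small Python routine that stacks Windows Security process-creation events (EventCode 4688) forwarded from several workstations and surfaces processes that run on only one host in the fleet. The event records are constructed sample data, and the field names (`host`, `EventCode`, `New_Process_Name`) are assumed to follow the Splunk Windows add-on convention; as the thread says, the output is "this is weird", and an analyst still has to decide whether a rare process is a line-of-business tool or something hostile.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): the shape of Windows
# Security log records a universal forwarder would ship from workstations.
# Field names follow the Splunk Windows add-on convention (assumption).
# EventCode 4688 = process creation, 4624 = logon.
SAMPLE_EVENTS = [
    {"host": "WS01", "EventCode": 4688, "New_Process_Name": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "EventCode": 4688, "New_Process_Name": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"host": "WS01", "EventCode": 4624, "Logon_Type": 2},
    {"host": "WS02", "EventCode": 4688, "New_Process_Name": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "EventCode": 4688, "New_Process_Name": r"C:\Program Files\Microsoft Office\outlook.exe"},
    {"host": "WS03", "EventCode": 4688, "New_Process_Name": r"C:\Windows\explorer.exe"},
    {"host": "WS03", "EventCode": 4688, "New_Process_Name": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"host": "WS04", "EventCode": 4688, "New_Process_Name": r"C:\Windows\explorer.exe"},
    {"host": "WS04", "EventCode": 4688, "New_Process_Name": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"host": "WS05", "EventCode": 4688, "New_Process_Name": r"C:\Windows\explorer.exe"},
    {"host": "WS05", "EventCode": 4688, "New_Process_Name": r"C:\Program Files\Finance\ledger.exe"},
]


def hosts_by_process(events):
    """Map each created process (case-folded path) to the set of hosts that ran it."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != 4688:  # only process-creation events
            continue
        # Windows paths are case-insensitive, so fold case before stacking.
        seen[ev["New_Process_Name"].lower()].add(ev["host"])
    return seen


def rare_processes(events, max_hosts=1):
    """Return (process, sorted hosts, fleet fraction) for processes seen on at
    most max_hosts distinct hosts. The fleet is every host that reported anything.
    Roughly the SPL: ... | stats dc(host) AS hosts BY New_Process_Name | where hosts<=1
    """
    fleet = {ev["host"] for ev in events}
    out = []
    for proc, hosts in hosts_by_process(events).items():
        if len(hosts) <= max_hosts:
            out.append((proc, sorted(hosts), len(hosts) / len(fleet)))
    return sorted(out)


if __name__ == "__main__":
    # Both hits are "weird" by prevalence; only an analyst can say which one matters.
    for proc, hosts, frac in rare_processes(SAMPLE_EVENTS):
        print(f"{proc}  hosts={hosts}  fleet_fraction={frac:.2f}")
```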
What about malware events that do not get detected by anti-malware software? I think that is the benefit of Enterprise Security, the ability to track down these threats before they become "known" malware.