Endpoint Security and Behavior Analysis

  • Biggest security risk? The users and their devices

  • Behavior Analysis Solutions

    • HIDS, HIPS (host-based intrusion detection/prevention)

    • File Integrity Monitoring

      • Tripwire

    • EPP (Endpoint Protection Platforms)

      • Signature-based: matches known-bad hashes and patterns, so novel or modified malware gets through

    • EDR (Endpoint Detection and Response)

      • Behavior-based detection, usually with machine learning, plus response actions (isolate the host, kill the process, collect artifacts)

    • UEBA (User and Entity Behavior Analysis)

      • What do users do, when, why, and how?

      • Splunk User Behavior Analytics (UBA)

      • Microsoft Advanced Threat Analytics (ATA; out of support, succeeded by Microsoft Defender for Identity)

  • Low on budget? Here’s some things to look for:

    • One System Idle Process (PID 0) and one System process (PID 4)

    • One wininit.exe (its parent, an smss.exe instance, has already exited, so it shows no parent)

    • One services.exe; every service host process should be a direct child of services.exe, and most Microsoft services run inside svchost.exe, which is only a wrapper that loads the service DLL

    • System service binaries should be digitally signed (Microsoft-signed for Windows' own services)

    • Services should run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE (virtual NT SERVICE\ accounts and managed service accounts are legitimate exceptions)

    • One lsass.exe, a child of wininit.exe

    • One winlogon.exe per interactive session (session 1 for the console, one more per RDP session)

    • Userinit.exe should not persist: it starts the shell and exits

    • Explorer.exe is the shell and file manager and the parent of everything the user launches; one per logged-on user, and its parent (userinit.exe) has already exited

    • Sysinternals Process Monitor (procmon) to watch process creation, file and registry activity as it happens
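The process-tree checks above, scripted so they can be run in one go on a suspect box. This is an added example, not part of the original notes; it assumes Windows 10/11 with PowerShell 5.1 or later and an elevated prompt (Win32_Process only exposes the paths of SYSTEM processes to administrators). Third-party services will legitimately fail the Microsoft-signer check, so read the WARN lines as leads, not verdicts.

```powershell
# Added example, not from the original notes: baseline sanity checks on the
# Windows process tree. Assumes Windows 10/11, PowerShell 5.1+, elevated prompt.

$procs = @(Get-CimInstance Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-NameCount([string]$Name) {
    @($procs | Where-Object { $_.Name -eq $Name }).Count
}

function Write-Check([bool]$Ok, [string]$Message) {
    $tag = if ($Ok) { '[ OK ]' } else { '[WARN]' }
    "$tag $Message"
}

# Memoised Authenticode lookup so each binary is verified once.
$sigCache = @{}
function Test-MicrosoftSigned([string]$Path) {
    if (-not $Path) { return $false }
    if (-not $sigCache.ContainsKey($Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $sigCache[$Path] = ($sig.Status -eq 'Valid') -and
                           ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    }
    $sigCache[$Path]
}

# 1. Exactly one idle process (PID 0) and one kernel System process (PID 4).
$idleOk = ($byPid[0].Name -eq 'System Idle Process') -and ($byPid[4].Name -eq 'System')
Write-Check $idleOk 'PID 0 is System Idle Process and PID 4 is System'
Write-Check ((Get-NameCount 'System') -eq 1) 'exactly one process named System'

# 2. Processes that must exist exactly once.
foreach ($n in 'wininit.exe', 'services.exe', 'lsass.exe') {
    $c = Get-NameCount $n
    Write-Check ($c -eq 1) "$n instances: $c (expect 1)"
}

# 3. winlogon.exe: one per interactive session, not one overall.
$wl = @($procs | Where-Object { $_.Name -eq 'winlogon.exe' })
$sessions = @($wl | Select-Object -ExpandProperty SessionId -Unique).Count
Write-Check ($wl.Count -eq $sessions) "winlogon.exe instances: $($wl.Count) across $sessions session(s)"

# 4. userinit.exe launches the shell and exits; a resident copy is suspicious.
Write-Check ((Get-NameCount 'userinit.exe') -eq 0) 'no resident userinit.exe'

# 5. Every svchost.exe must be a child of services.exe and run from System32.
$servicesPid = [int]($procs | Where-Object { $_.Name -eq 'services.exe' } | Select-Object -First 1).ProcessId
$svchostPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
foreach ($s in $procs | Where-Object { $_.Name -eq 'svchost.exe' }) {
    $parentName = $byPid[[int]$s.ParentProcessId].Name
    $ok = ($s.ParentProcessId -eq $servicesPid) -and ($s.ExecutablePath -eq $svchostPath)
    Write-Check $ok "svchost.exe PID $($s.ProcessId): parent=$parentName path=$($s.ExecutablePath)"
}

# 6. Running services: host process is a child of services.exe, the binary is
#    Microsoft-signed, and it runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE.
#    Third-party services fail the signer check legitimately; NT SERVICE\ virtual
#    accounts and managed service accounts are also legitimate exceptions.
$allowed  = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$services = Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' -and $_.ProcessId -gt 0 }
foreach ($svc in $services) {
    $hostProc = $byPid[[int]$svc.ProcessId]
    if (-not $hostProc) { continue }   # exited between the two queries
    # PathName may be quoted and carry arguments; keep only the executable.
    $binary = if ($svc.PathName -match '^"?(.+?\.exe)') { $Matches[1] } else { $svc.PathName }
    $problems = @()
    if ($hostProc.ParentProcessId -ne $servicesPid) { $problems += "parent PID $($hostProc.ParentProcessId)" }
    if ($allowed -notcontains $svc.StartName)       { $problems += "account $($svc.StartName)" }
    if (-not (Test-MicrosoftSigned $binary))         { $problems += "signer not Microsoft ($binary)" }
    Write-Check ($problems.Count -eq 0) "service $($svc.Name) (PID $($svc.ProcessId)) $($problems -join '; ')"
}
```

Each line is prefixed [ OK ] or [WARN]; pipe the output through Select-String WARN to see only the findings. Get-AuthenticodeSignature is catalog-aware on supported Windows versions, so System32 binaries that carry no embedded signature still verify.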

  • Found a suspicious process? Check the following:

    • Read/write file access: which files it opens and writes (procmon, filtered on the PID)

    • Launch location: anything running from Temp, AppData, ProgramData or another user-writable path, rather than System32 or Program Files, deserves scrutiny

    • Obfuscated or packed binary (high-entropy sections, packer signatures such as UPX, few readable strings)

    • Parent process: does the parent make sense? Office or a browser spawning cmd.exe or powershell.exe does not

    • Try killing it, but only after capturing what you need (memory, the binary); if it comes straight back, something is restarting it

    • Network traffic: which remote addresses and ports it talks to (netstat -ano maps connections to PIDs)

    • Sysinternals Process Explorer: tree view, image signature verification, strings, VirusTotal lookups

    • Tasklist command: tasklist /svc maps services to their host PIDs, tasklist /m lists loaded modules

    • Sysinternals Autoruns: find the persistence mechanism that relaunches it
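The triage points above collected for a single PID, as an added example that is not part of the original notes. It assumes Windows 10/11, PowerShell 5.1 or later, an elevated prompt and the built-in NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint). The function name Get-ProcessTriage, the -Kill switch and the entropy thresholds in the comments are this example's own choices.

```powershell
# Added example, not from the original notes: gather the triage checklist for one
# PID into a single object. Assumes Windows 10/11, PowerShell 5.1+, elevated prompt.

function Get-FileEntropy {
    # Shannon entropy in bits per byte over at most the first 4 MiB. Ordinary
    # compiled code usually lands around 5-6.5; packed or encrypted payloads
    # push toward 7.5-8 (rule of thumb, not a verdict).
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $len = [Math]::Min($bytes.Length, 4MB)
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $len; $i++) { $counts[$bytes[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $pr = $c / $len; $h -= $pr * [Math]::Log($pr, 2) }
    }
    [Math]::Round($h, 2)
}

function Get-ProcessTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        # Kill only after you have what you need: a memory image and the binary.
        [switch]$Kill
    )

    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { throw "No process with PID $ProcessId" }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $path   = $p.ExecutablePath

    # Launch location: system binaries live under the Windows or Program Files
    # trees; anything running from a user-writable directory deserves a look.
    $userWritable = $path -match '\\(Temp|AppData|ProgramData|Downloads|Users\\Public|\$Recycle\.Bin)\\'
    $systemPath   = ($path -like "$env:SystemRoot\*") -or ($path -like "$env:ProgramFiles\*") -or
                    ($path -like "${env:ProgramFiles(x86)}\*")

    $sig     = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $entropy = if ($path -and (Test-Path $path)) { Get-FileEntropy $path } else { $null }

    # Network: TCP connections and UDP endpoints owned by the PID.
    $tcp = Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
           ForEach-Object { "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]" }
    $udp = Get-NetUDPEndpoint -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
           ForEach-Object { "udp $($_.LocalAddress):$($_.LocalPort)" }

    # DLLs loaded from outside the Windows directory: injected or side-loaded
    # code tends to show up here. Fails for protected or cross-bitness processes.
    try {
        $foreignModules = @((Get-Process -Id $ProcessId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
            Select-Object -ExpandProperty FileName)
    } catch {
        $foreignModules = @("module list unavailable: $($_.Exception.Message)")
    }

    $respawned = $null
    if ($Kill) {
        Stop-Process -Id $ProcessId -Force
        Start-Sleep -Seconds 5
        # Back within seconds means a watchdog, scheduled task or service is
        # restarting it: go to Autoruns instead of killing it again.
        $respawned = [bool](Get-CimInstance Win32_Process -Filter "Name = '$($p.Name)'" |
                            Where-Object { $_.ExecutablePath -eq $path })
    }

    [pscustomobject]@{
        Pid                = $p.ProcessId
        Name               = $p.Name
        Path               = $path
        CommandLine        = $p.CommandLine
        Started            = $p.CreationDate
        Owner              = "$($owner.Domain)\$($owner.User)"
        ParentPid          = $p.ParentProcessId
        ParentName         = if ($parent) { $parent.Name } else { '<exited>' }
        SystemPath         = [bool]$systemPath
        UserWritablePath   = [bool]$userWritable
        SignatureStatus    = if ($sig) { $sig.Status.ToString() } else { 'unknown' }
        Signer             = $sig.SignerCertificate.Subject
        EntropyBitsPerByte = $entropy
        TcpConnections     = @($tcp)
        UdpEndpoints       = @($udp)
        ForeignModules     = $foreignModules
        RespawnedAfterKill = $respawned
    }
}

# Usage: Get-ProcessTriage -ProcessId 4321 | Format-List
```

Run it without -Kill first and save the object (Export-Clixml) so the parent, path, signer and connections are on record before the process is touched; the -Kill pass exists only to answer the "does it come back?" question once the evidence is secured.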
