Has your company been hit by ransomware yet? How about other types of malware? Phishing scams, drive-by downloads or pass-the-hash attacks? If you haven’t already, you probably will be soon.
What do all these attacks have in common? They start on user workstations. There are things you can, and should, do to mitigate this risk, like keeping the applications on your endpoints properly patched and educating your users so they're less likely to click malicious links in phishing emails, open attachments that carry ransomware or plug in USB drives of unknown provenance. But attackers are both sophisticated and relentless, so some of them will inevitably get through. You need to be able to catch attacks on your endpoints as early as possible so you can intervene before real damage is done. But how?
By carefully monitoring your workstations. If you’re using native tools, there are three critical logs you need to know how to use to improve endpoint security: the Windows security log, the Sysmon log and the PowerShell logs. Here’s a brief summary of the most important things you can learn from each of these logs.
The Windows security log is the only place you can get many critical events, including these:
Sysmon (System Monitor) is a free Sysinternals tool from Microsoft that installs as a Windows service with a driver, monitors system activity such as process creation, network connections and file and registry changes, and records it in its own Windows event log, Microsoft-Windows-Sysmon/Operational (commonly just called the "Sysmon" log). Here are a few of the events you should monitor there:
Attackers love to use PowerShell because it's so powerful and is already present on every Windows workstation, so it's critical to keep a close eye on PowerShell activity. Monitoring the two PowerShell logs, the classic "Windows PowerShell" log and Microsoft-Windows-PowerShell/Operational (where module logging and script block logging are recorded), will help you spot:
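The three logs above can be queried with nothing more than the built-in Get-WinEvent cmdlet. The script below is an added example, not code from the original post or from the ebook it refers to; the event IDs it pulls are well-documented Windows, Sysmon and PowerShell IDs, but the particular selection, the 24-hour window, the 5000-event cap and the keyword pattern used to flag script blocks are this example's own assumptions, not the ebook's recommended list. It assumes an elevated session on a workstation where Sysmon is installed and PowerShell script block logging is enabled; if either is missing, the corresponding query reports a warning and the rest still runs.

```powershell
# Added example: first-pass triage of the three workstation logs with built-in cmdlets.
# Event ID selection, time window and keyword pattern are assumptions for illustration.
# Requires an elevated PowerShell session (the Security log is not readable otherwise).

$since = (Get-Date).AddHours(-24)   # assumed look-back window

$queries = @(
    @{ Name = 'Security'
       Filter = @{ LogName = 'Security'
                   Id = 4624, 4625, 4688, 4698, 4720, 4732   # logon, failed logon, process create, scheduled task, user create, group add
                   StartTime = $since } }
    @{ Name = 'Sysmon'
       Filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'
                   Id = 1, 3, 8, 10, 11, 13                  # process create, network connect, CreateRemoteThread, process access, file create, registry set
                   StartTime = $since } }
    @{ Name = 'PowerShell'
       Filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'
                   Id = 4103, 4104                            # module logging, script block logging
                   StartTime = $since } }
)

$events = foreach ($q in $queries) {
    try {
        # Cap each query so a chatty log (4624, Sysmon 3) cannot swamp the run.
        Get-WinEvent -FilterHashtable $q.Filter -MaxEvents 5000 -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Log      = $q.Name
                    Time     = $_.TimeCreated
                    Id       = $_.Id
                    Computer = $_.MachineName
                    Summary  = ($_.Message -split "`r?`n")[0]   # first line, for the overview table
                    Message  = $_.Message                       # full text, for matching
                }
            }
    }
    catch {
        # Get-WinEvent throws when no events match or the log does not exist
        # (for example, Sysmon not installed); report it and continue with the next log.
        Write-Warning "$($q.Name): $($_.Exception.Message)"
    }
}

# Overview: how many events of each kind did each log produce?
$events | Group-Object Log, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Simple detection over script block logging: script text using primitives that
# are common in malicious PowerShell (assumed pattern; tune for your environment).
$pattern = 'FromBase64String|DownloadString|DownloadFile|Invoke-Expression|IEX\b|-enc(odedcommand)?\b'
$suspiciousScripts = $events | Where-Object { $_.Log -eq 'PowerShell' -and $_.Id -eq 4104 -and $_.Message -match $pattern }
$suspiciousScripts | Format-List Time, Computer, Message

# Process creations launched from a user-writable location (Sysmon event 1).
$oddParents = $events | Where-Object {
    $_.Log -eq 'Sysmon' -and $_.Id -eq 1 -and
    $_.Message -match 'Image:\s+C:\\Users\\[^\r\n]*\\(AppData|Downloads|Desktop)\\'
}
$oddParents | Format-List Time, Computer, Summary

# Persist the normalized events so they can be shipped to a central collector.
$events | Select-Object Log, Time, Id, Computer, Summary |
    Export-Csv -Path (Join-Path $env:TEMP 'workstation-triage.csv') -NoTypeInformation
```

To run the same collection across many workstations, wrap the script body in Invoke-Command -ComputerName with a list of hosts; the objects come back with a PSComputerName property, which is the practical starting point for the "how do I collect from every laptop" problem discussed later in this post.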
That's just a high-level introduction to using these logs. If you're ready to dig into the details, check out my new ebook, "Top 3 Workstation Logs to Monitor." It will tell you exactly which event IDs to monitor and how to collect events from each log, and provide other valuable tips, like how to protect Sysmon from tampering.
If that kind of log monitoring sounds like a lot of work, that's because it is. Moreover, there's a strong possibility that you'll miss critical events, because it's hard to collect logs from all your endpoints in a timely and efficient way (just how many laptops are in use in your organization?), and the logs are both incomplete and notoriously cryptic.
If you’re ready for a better option, check out Quest InTrust and Quest IT Security Search. At the end of the ebook, you’ll learn how these solutions can help you dramatically improve endpoint protection while slashing IT workload and storage costs.