
bwiese : microsoft   132

Description of the standard terminology that is used to describe Microsoft software updates
Update rollup

Definition: A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).
Security-only update

Definition: An update that collects all the new security updates for a given month and for a given product, addressing security-related vulnerabilities and distributed through Windows Server Update Services (WSUS), System Center Configuration Manager and Microsoft Update Catalog. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Security-only update would be displayed under the title Security Only Quality Update when you download or install the update and will be classified as an "Important" update.
Monthly Rollup

Definition: A tested, cumulative set of updates. They include both security and reliability updates that are packaged together and distributed over Windows Update, WSUS, System Center Configuration Manager and Microsoft Update Catalog for easy deployment. The Monthly Rollup is product specific, addresses both new security issues and nonsecurity issues in a single update and will proactively include updates that were released in the past. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Monthly Rollup would be displayed under the title Security Monthly Quality Rollup when you download or install. This Monthly Rollup will be classified as an "Important" update on Windows Update and will automatically download and install if your Windows Update settings are configured to automatically download and install Important updates.
microsoft  wsus  reference 
25 days ago by bwiese
SQL Server 2014 build versions
patches and cumulative updates
SP = service pack baseline
CU = cumulative update for each baseline
database  sqlserver  patches  software  microsoft 
10 weeks ago by bwiese
Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing - Microsoft Security
In Windows Defender ATP Creators Update, we have instrumented function calls and built statistical models to detect a broad range of malicious injection techniques used in attacks.
fileless  malware  microsoft  cybersecurity  processhollowing 
june 2019 by bwiese
Microsoft Wants More Security Researchers to Hack Into Its Cloud
Russinovich spoke about protecting the cloud at an academic conference at Microsoft attended by hundreds of Microsoft workers and security engineers from Amazon Web Services, Google, Nike Inc. and others. The event grew out of a trail-running group that includes Microsoft’s Ram Shankar Siva Kumar, who oversees a team of engineers who apply machine-learning to cybersecurity, and peers at AWS and Google. The group would often share techniques and research while on the trail and the idea for a formal conference to exchange ideas was born.
cloud  aws  microsoft  trailrunning  vulnerability 
june 2019 by bwiese
[MS-CSSP]: CredSSP - Security Considerations for Implementors | Microsoft Docs
The purpose of the CredSSP Protocol is to delegate a user's clear text password or pin from the CredSSP client to a CredSSP server, and it is important to make certain that the server receiving the credentials does not fall under an attacker's control. Although trust can be facilitated via public key infrastructure (PKI), the Kerberos protocol, or NTLM, this does not mean that the target server is trusted with the user's credentials, and additional policy settings should be considered.
credssp  rdp  powershell  microsoft  reference 
february 2019 by bwiese
Getting Started with PowerShell Desired State Configuration (DSC) - Microsoft Virtual Academy
This course is retiring on April 30 2019. To earn your certificate of completion, be sure to finish the course by that date. Microsoft Virtual Academy will be fully retiring later in 2019 to make way for a more unified training experience on Microsoft Learn.
Course information
Are you keeping up with PowerShell Desired State Configuration (DSC)? It's one of the fastest-moving technologies today. But more than that, it literally transforms how IT Implementers deploy and manage on-premises resources and those extended to hybrid and other cloud environments for both Windows and Linux. Get a solid foundation with this course, and build on it with "Advanced PowerShell Desired State Configuration (DSC) and Custom Resources."
powershell  training  microsoft 
february 2019 by bwiese
The perils of using Internet Explorer as your default browser - Microsoft Tech Community - 331732
You see, Internet Explorer is a compatibility solution. We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers. So, if we continued our previous approach, you would end up in a scenario where, by optimizing for the things you have, you end up not being able to use new apps as they come out. As new apps are coming out with greater frequency, what we want to help you do is avoid having to miss out on a progressively larger portion of the web!
internetexplorer  microsoft  browser  web 
february 2019 by bwiese
Securing Domain Controllers Against Attack | Microsoft Docs
As previously described in the "Misconfiguration" section of Avenues to Compromise, browsing the Internet (or an infected intranet) from one of the most powerful computers in a Windows infrastructure using a highly privileged account (which are the only accounts permitted to log on locally to domain controllers by default) presents an extraordinary risk to an organization's security. Whether via a drive by download or by download of malware-infected "utilities," attackers can gain access to everything they need to completely compromise or destroy the Active Directory environment.
cybersecurity  microsoft  reference  guidance  internet 
february 2019 by bwiese
RDP (Remote Desktop Protocol)
Destination Host
RDP session connection start/end time and date, source host IP address, logged-in user name and account domain, and success or failure connection (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log)
rdp  threathunting  cybersecurity  microsoft  dfir 
january 2019 by bwiese
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits
notes and tips on tracking RDP events
Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Event ID: 1149 - Description: “User authentication succeeded” (NO - only successful connection)
Event ID: 21 - Description: “Remote Desktop Services: Session logon succeeded:”
TL;DR: Indicates successful RDP logon and session instantiation, so long as the “Source Network Address” is NOT “LOCAL”.
Event ID: 22 - Description: “Remote Desktop Services: Shell start notification received:”
TL;DR: Indicates successful RDP logon and shell start.
Event ID: 24 - Description: “Remote Desktop Services: Session has been disconnected:”
Event ID: 25 - Description: “Remote Desktop Services: Session reconnection succeeded:”
Event ID: 39 - Description: “Session <X> has been disconnected by session <Y>”
Event ID: 40 - Description: “Session <X> has been disconnected, reason code <Z>”
Event ID: 23 - Description: “Remote Desktop Services: Session logoff succeeded:”

Winevt\Logs\Security.evtx
Event ID: 4624 - LogonType: 10 (RemoteInteractive / a.k.a. Terminal Services / a.k.a. Remote Desktop) OR Type 7 from a Remote IP (if it’s a reconnection from a previous/existing RDP session) - Description: “An account was successfully logged on”
Event ID: 4625 - Description: “An account failed to log on” (Logon_Type=10 or 7)
Event ID: 4778 - Description: “A session was reconnected to a Window Station.”
Event ID: 4779 - Description: “A session was disconnected from a Window Station.”
Event ID: 4634 - Description: “An account was logged off.” (Logon_Type=10 or 7)
Event ID: 4647 - Description: “User initiated logoff:” (not all RDP)

Winevt\Logs\System.evtx
Event ID: 9009 - Description: “The Desktop Window Manager has exited with code (<X>).”
dfir  rdp  eventid  reference  cybersecurity  microsoft 
january 2019 by bwiese
Hacker Discloses New Unpatched Windows Zero-Day Exploit On Twitter
https://sandboxescaper.blogspot.com/2018/12/readfile-0day.html

The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read issue that could allow a low-privileged user or a malicious program to read the content of any file on a targeted Windows computer that otherwise would only be possible via administrator-level privileges.

The zero-day vulnerability resides in "MsiAdvertiseProduct" function of Windows that’s responsible for generating "an advertise script or advertises a product to the computer and enables the installer to write to a script the registry and shortcut information used to assign or publish a product."

According to the researcher, due to improper validation, the affected function can be abused to force installer service into making a copy of any file as SYSTEM privileges and read its content, resulting in arbitrary file read vulnerability.
exploit  microsoft  github  cybersecurity 
december 2018 by bwiese
The Story Behind the Photo You Won't Forget
https://www.youtube.com/watch?v=AVXY8OEZAEQ (2014 upload)

"Bliss" Scanned Photograph Used with permission from Microsoft
Owner Microsoft
Agency Corbis
Artist Charles O'Rear
Estimated diffusion (until 2016) 1.2 Billion
Camera Mamiya RZ67, Velvia 6x7
rz67  bliss  photograph  microsoft 
december 2018 by bwiese
How to configure a firewall for domains and trusts
Windows Server 2008/2012
Client Port(s)             Server Port         Service
49152-65535/UDP            123/UDP             W32Time
49152-65535/TCP            135/TCP             RPC Endpoint Mapper
49152-65535/TCP            464/TCP/UDP         Kerberos password change
49152-65535/TCP            49152-65535/TCP     RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP        389/TCP/UDP         LDAP
49152-65535/TCP            636/TCP             LDAP SSL
49152-65535/TCP            3268/TCP            LDAP GC
49152-65535/TCP            3269/TCP            LDAP GC SSL
53, 49152-65535/TCP/UDP    53/TCP/UDP          DNS
49152-65535/TCP            49152-65535/TCP     FRS RPC (*)
49152-65535/TCP/UDP        88/TCP/UDP          Kerberos
49152-65535/TCP/UDP        445/TCP             SMB (**)
49152-65535/TCP            49152-65535/TCP     DFSR RPC (*)
microsoft  activedirectory  networking  reference  techsupport 
november 2018 by bwiese
Protecting the protector: Hardening machine learning defenses against adversarial attacks – Microsoft Secure
Another effective approach we’ve found to add resilience against adversarial attacks is to use ensemble models. While individual models provide a prediction scoped to a particular area of expertise, we can treat those individual predictions as features to additional “ensemble” machine learning models, combining the results from our diverse set of “base classifiers” to create even stronger predictions that are more resilient to attacks.
ai  machinelearning  cybersecurity  microsoft 
august 2018 by bwiese
Microsoft - Security Update Guide
The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.
microsoft  security  software  update  patches  cybersecurity  vulnerability 
august 2018 by bwiese
Microsoft’s undersea data center now has a webcam with fish swimming past 27.6 petabytes of data - The Verge
Microsoft has taken the oppor-tuna-ty to install a webcam next to its undersea data center, offering live views of just how well the metal container is rusting and the hundreds of fish suddenly interested in cloud data and artificial intelligence. The software maker originally sunk a data center off the Scottish coast in June to determine whether the company can save energy by cooling it in the sea itself, or if it should leave it to salmon else.
microsoft  cybersecurity  globalwarming  datacenter  webcam 
august 2018 by bwiese
How Microsoft Advanced Threat Analytics detects golden ticket attacks – Enterprise Mobility + Security
Mimikatz’s DCSync and Impacket’s secretsdump are two tools that an adversary may use to “replicate” the Kerberos encryption “master key” (also known as a KRBTGT account) from a domain controller. Microsoft ATA detects the use of these tools and tactics.

ATA learns normal replication and ticket usage patterns to automatically detect and alert if an attacker steals the “master key”. More importantly, Microsoft ATA will alert you when an adversary begins using a golden ticket on your network.
goldenticket  kerberos  microsoft  threathunting  cybersecurity 
august 2018 by bwiese
Post Configuration Tasks for the Security Monitoring Management Pack – Working with System Center
Forwarded Events – anything coming out of the desktop environment. Alerts coming from these servers are a good indication that a desktop may have been compromised. Security professionals operate under an “assumed breach” model, as no matter how much you train users, they will still click on things they shouldn’t. This allows the organization a quick response to investigate and/or re-image a desktop that has been compromised.
Operational Events – These are likely normal, but the types of things that need verification. It also helps determine where operational security gaps exist. Examples include domain admin logons, creation of scheduled tasks, etc.
Credible Threats – These should be investigated immediately. Examples include service creation on DCs, credential swap alerts, any 4688 detection rule in this MP, etc.
Exterior Threats – Presently this is only the failed logon check specified above.
Threat Hunting – These are monitors/rules that alert against known vulnerabilities that an org should address. Examples include the WDigest registry keys.
microsoft  cybersecurity  scom  threathunting 
july 2018 by bwiese
A New Feedback System Is Coming to docs.microsoft.com | Microsoft Docs
When the owner submits a pull request that fixes the issue, you'll be notified (based on your GitHub notification settings), that the issue has been resolved/closed, creating a virtuous cycle of feedback.
microsoft  feedback  github  documentation 
july 2018 by bwiese
The Tale of SettingContent-ms Files – Posts By SpecterOps Team Members
This is why attackers have resorted to Object Linking and Embedding (OLE), ZIP files, etc. To combat the file delivery vector, Office 2016 introduced blocking all of the “dangerous” file formats from being embedded via OLE by default. This reduces the effectiveness of one of the most relied upon payload delivery methods.

I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

As you can see, with Office 2016’s OLE block rule and ASR’s Child Process Creation rule enabled, .SettingContent-ms files combined with “AppVLP.exe” in the Office folder allow us to circumvent these controls and execute arbitrary commands.

While Office documents are often marked with MOTW and are opened in the Protected View Sandbox, there are file formats that allow OLE and aren’t triggered by the Protected View sandbox. You can find more on that here.

6/4/2018: MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.
microsoft  office  vulnerability 
july 2018 by bwiese
Apple macOS Security: Flaw Let Malware Pose as Apple Software
The vulnerability is in how vendors such as Google and Facebook verify the origin of code to ensure it hasn’t been modified. Tools produced by these companies and several others use official code-signing APIs to confirm that code can be trusted. The method being used was flawed, however, making it easy for a hacker to pass off code as if it had been signed by Apple—to masquerade as Apple, in other words.

The issue was discovered by security firm Okta in February 2018.

In remarks published by Okta, Apple seems to indicate it was the developers’ fault for not running the checks properly. The developers, meanwhile, say that Apple’s documentation—which has supposedly been updated—was both confusing and unclear. Given the wide range of products affected, the latter seems more than likely.
cybersecurity  codesigning  certificates  apple  software  microsoft 
june 2018 by bwiese
How Microsoft’s top-secret database of bugs got hacked | Reuters.com
How Microsoft’s top-secret database of bugs got hacked
Friday, October 13, 2017 - 02:23

Microsoft’s top-secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group several years ago, five former Microsoft employees told Reuters.

Breach hidden for 4 years (Joseph Menn; would be super embarrassing for the arsenal to have been exposed); security was insufficient, password-only access; internal review said bugs not used in hacking campaigns (presumably); NSA lost control of even larger bug/exploit database with Vault7.
microsoft  history  apt  cybersecurity  vulnerability 
june 2018 by bwiese
Now you see me: Exposing fileless malware – Microsoft Secure
The second tool was a strain of fileless malware called Misfox. Once Misfox was running in memory, it:

Created a registry run key that launches a “one-liner” PowerShell cmdlet
Launched an obfuscated PowerShell script stored in the registry BLOB; the obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry
Misfox did not drop any executable files, but the script stored in the registry ensured the malware persisted.

Reflective DLL injection
Memory exploits
Script-based techniques
WMI persistence
malware  cybersecurity  microsoft  powershell  fileless 
june 2018 by bwiese
What is Azure Advanced Threat Protection (ATP)? | Microsoft Docs
proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering.
- Deploying Azure ATP sensors directly on your domain controllers
- Port mirroring from Domain Controllers and DNS servers to the Azure ATP standalone sensor
receive events and logs from:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the sensor)
- RADIUS Accounting from VPNs

Analytics
Pass-the-Ticket (PtT)
Pass-the-Hash (PtH)
Overpass-the-Hash
Forged PAC (MS14-068)
Golden Ticket
Malicious replication
Directory Service Enumeration
SMB Session Enumeration
DNS Reconnaissance
Horizontal Brute Force
Vertical Brute Force
Skeleton Key
Unusual Protocol
Encryption Downgrade
Remote execution
Malicious Service Creation

Weak protocols
Known protocol vulnerabilities
Lateral movement path to sensitive accounts
azure  cloud  cybersecurity  microsoft  analytics 
may 2018 by bwiese
Azure Advanced Threat Protection and Detection | Microsoft Azure
Detect and investigate advanced attacks on-premises and in the cloud

Identify suspicious user and device activity with both known-technique detection and behavioral analytics
Analyze threat intelligence from the cloud and on-premises
Protect user identities and credentials stored in Active Directory
View clear attack information on a simple timeline for fast triage
Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection
microsoft  azure  analytics  cybersecurity 
may 2018 by bwiese
Azure Advanced Threat Protection: Securing Your Identities Right From the Cloud - MSSP Alert
Back in 2016, we have reviewed Microsoft Advanced Threat Analytics (ATA), the first product Microsoft released with the Security Graph technology... However, the product was only intended for on-premises deployment and provided very limited forensic and mitigation capabilities due to lack of integration with other security tools.

Microsoft has successfully addressed both of these challenges. Azure ATP, as evident from its name, is a cloud-based service. Although you obviously still need to deploy sensors within your network to capture the network traffic and other security events, they are sent directly to the Azure cloud, and all the correlation magic happens

Azure ATP integrates with Windows Defender ATP – Microsoft’s endpoint protection platform. If you’re using both platforms, you can seamlessly switch between them for additional forensic information or direct remediation of malware threats on managed endpoints. In fact, the company’s Advanced Threat Protection brand now also includes Office 365 ATP - for Office365
microsoft  cloud  cybersecurity  analytics  saas  office365 
may 2018 by bwiese
Microsoft Edge Favorites URL Links - Microsoft Community
I (and apparently many, many others) want to edit the url.  If the only way to do this is not use Edge, please so state.  I can use either IE, Chrome, or Firefox and edit my urls.  Crazy.  (Maybe I can be a "Support Engineer"!!)
microsoftedge  techsupport  microsoft  browser 
may 2018 by bwiese
It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V • The Register
The VBScript Engine can be exploited, via memory corruption bug CVE-2018-8174, by a malicious webpage to execute arbitrary nefarious code on a system, paving the way to the installation of malware.

Hackers – including nation-state agents – are already abusing this programming cockup right now to compromise computers in the wild and spy on targets. The flaw was discovered and reported by Anton Ivanov and Vladislav Stolyarov of Kaspersky Lab, as well as Ding Maoyin, Jinquan, Song Shenlei, and Yang Kang of Qihoo 360 Core Security.

The Chakra Scripting Engine in Edge can also be exploited, via CVE-2018-0943, by evil webpages to run code and malware on a computer visiting said page.
microsoft  cybersecurity  vulnerability 
may 2018 by bwiese
How to Steal Windows Login Credentials Abusing the Server Message Block (SMB) Protocol
“Thank you for checking in on this case.  Microsoft issued an optional security enhancement [0] late last year that provides customers with the ability to disable NTLM SSO authentication as a method for public resources.  With this mitigation available to customers, we are not planning to make changes in Acrobat. ”
microsoft  cybersecurity  smb  ntlm  pdf 
may 2018 by bwiese
A Suspicious Use of certutil.exe - SANS Internet Storm Center
VirusTotal to collect samples that are (ab)using the "certutil.exe" tool. The purpose of this tool is to dump and display certification authority (CA) information, manage certificates and keys.

task for attackers: To fetch data from the Internet! Indeed, many Microsoft tools are able to fetch an online file using a URL schema (ftp://, http://, etc). I presume you already know that, in every dialogue box used to open/save a file, you can provide a URL:
cybersecurity  certificates  vulnerability  microsoft  c2  threathunting 
may 2018 by bwiese
Win 7, Server 2008 'Total Meltdown' exploit lands, pops admin shells • The Register
Create a new set of page tables which will allow access to any physical memory address;
Create a set of signatures which can be used to hunt for _EPROCESS structures in kernel memory;
Find the _EPROCESS memory address for our executing process, and for the System process; and
Replace the token of our executing process with that of System, elevating us to NT AUTHORITY\System.
microsoft  meltdown  vulnerability  exploit  xen 
april 2018 by bwiese
PSExec Demystified
PSExec has a Windows Service image inside of its executable. It takes this service and deploys it to the Admin$ share on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. It turns on the PSExec service on the remote machine. The PSExec service then creates a named pipe that can be used to send commands to the system.
psexec  cybersecurity  microsoft  smb  pentest  metasploit 
april 2018 by bwiese
New Document Attack Exploits Design Behavior Rather than Macros - Security Boulevard
“The malicious .docx file does not contain macros and does not leverage any exploits. Inside the .docx file, embedded in the frame section, is a URL. Framesets are HTML tags and contain frames responsible for loading documents.”
Microsoft Word will automatically make a request to the URL to load the remote content into a frame. In this case, that content is an RTF file with an embedded Package object.

Due to a design behavior of RTF documents, Package objects are dropped inside the Windows temporary directory. This particular document drops a .sct (scriptlet) file, which, when executed, writes and loads an .exe file.
attempt to leverage the CVE-2017-8570 vulnerability, which was patched in Office last July. Without this vulnerability, the attack chain is not complete, highlighting the importance of keeping Office up to date as well as Windows.
Third-stage component downloads and installs a malware program known as Formbook that exfiltrates data, takes screenshots and logs keystrokes.
microsoft  msword  cybersecurity  msoffice  exploit 
april 2018 by bwiese
What is Microsoft Advanced Threat Analytics (ATA)? | Microsoft Docs
ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by ATA via either:

Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
ATA takes information from multiple data-sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization and build a behavioral profile about them. ATA can receive events and logs from:

SIEM Integration
Windows Event Forwarding (WEF)
Directly from the Windows Event Collector (for the Lightweight Gateway)
microsoft  security  cybersecurity  analytics  threathunting 
march 2018 by bwiese
Machine Learning and the Cloud: Disrupting Threat Detection and Prevention - YouTube
RSA 2016
@24 - compressed random model instead of PCA, builds in 8 minutes
@25 - red team attacking from Azure API, identify suspicious activity
@29 - false positive less than 1% after 28% challenge for MFA
@31:30 - only baseline normal past 45 day dataset for optimal fidelity
@45 - Lisa Brown locked out from RSA conf without MFA option
microsoft  machinelearning  cybersecurity  cloud  azure 
february 2018 by bwiese
In-depth Malware Analysis: Malware Lingers with BITS | Secureworks
Figure 1. Sample log entry from Microsoft-Windows-Bits-Client/(Microsoft-Windows-Bits-Client/Operational.evtx) event log. (Source: SecureWorks)

Logged details about the pending tasks were terse. The log indicated that new jobs had been created but did not provide detail. CTU researchers used tools that parsed the BITS job database and provided the missing details (see Figure 2)

CTU researchers recommend that clients consider enumerating active BITS tasks on a host ...(bitsadmin /list /allusers /verbose)

Now use the PowerShell BITS cmdlets instead.
microsoft  bits  malware  incidentresponse  auditing  forensics  exploit  cybersecurity 
february 2018 by bwiese
Threat Intelligence At Microsoft: A Look Inside - Cyber Threat Intelligence Summit 2017 - YouTube
Microsoft "controls the physics" of the problem, change the physics of infosec
talk more about "how" we do our work (see IMF talk?)
@7:30 - exabytes of data needs to be normalized
@8:00 - analytics "unicorn" word needs explanation:
Consumed IOCs simply because “expected to” - brought negative value to the SOCs. Best insights/detection/tracking came out of “behavioral analytics”, which are very simple. 3 properties:

1) transposability - apply across various telemetry data sets (linux, windows, etc - any file write/net connection/etc) - requires "normalized" data
2) composability - small atomic analytics chained and composed together into an ensemble of detection
3) shareability - share across environments and customers (needs improvement, sigma?) every environment is different

Almost all bad things caught from behavioral analytics - not IOCs
Adversary Agnostic - Did not care who the threat actor was
Analytics Apply to Every Customer in the World

90% of time "data wrangling" to normalize data and log sources

Need "enrichment" sources - not IOCs
cybersecurity  microsoft  video  cyberthreatintel  analytics  azure  threathunting  ueba 
february 2018 by bwiese
Moving Beyond EMET – Security Research & Defense
Updated Support End Date for EMET 5.5x
Finally, we have listened to customers' feedback regarding the January 27, 2017 end of life date for EMET and we are pleased to announce that the end of life date is being extended 18 months. The new end of life date is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, our recommendation is for customers to migrate to Windows 10.
microsoft  emet  win10 
february 2018 by bwiese