
How to utilize SEP 12.1 for Incident Response - PART 3

Created: 25 Sep 2013 • Updated: 25 Sep 2013 | 2 comments
By _Brian

Continuing from my two previous SEP 12.1 Incident Response articles, Part 1 and Part 2, this article looks at using the Network Application Monitoring feature in SEP 12.1 in a situation where incident response is needed.

 

What is Network Application Monitoring?

The SEP client can detect and track any application on a workstation that sends or receives network traffic. It keeps a record of each such application and notices when the content of the executable (its fingerprint) no longer matches what it saw before. An application's content may change for two reasons:

  • Malware has modified the application (for example, a trojanized or patched binary)
  • The application was updated to a newer version

The feature only tells you that the binary changed; deciding which of the two cases you are looking at is the analyst's job.
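To make the fingerprint-and-compare idea concrete, here is an added example in Python. It is not SEP code and does not read SEP's logs; it models the same decision an analyst has to make when the prompt fires: was this a known update or an unknown change? The file names, the "vendor hash" allowlist and the sample binaries are all constructed for the demo.

```python
"""Model of network-application change detection and triage.

Added illustration, not Symantec code. SEP keeps its own fingerprint of each
network application; SHA-256 stands in for it here. The executables, the
"vendor-published" hash and the dropper are constructed sample data.
"""
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the fingerprint of every monitored network application."""
    return {p: fingerprint(p) for p in paths}


def check_changes(baseline, paths, known_good):
    """Classify each monitored executable against the recorded baseline.

    known_good is the set of hashes you have verified out of band (for example
    the vendor's published hash for a new release). The verdicts map onto the
    analyst's choices: leave it alone, accept it as a legitimate update, or
    treat it as a suspect and isolate the machine.
    """
    verdicts = {}
    for p in paths:
        current = fingerprint(p)
        previous = baseline.get(p)
        if previous is None:
            verdicts[p] = "new-application"   # never seen talking on the network
        elif current == previous:
            verdicts[p] = "unchanged"
        elif current in known_good:
            verdicts[p] = "known-update"      # legitimate new version
        else:
            verdicts[p] = "unknown-change"    # binary changed, no known-good match
    return verdicts


def run_demo():
    """Constructed scenario: two fake network apps, one legit update, one tamper,
    plus a new binary that appears after the baseline was taken.

    Returns {basename: verdict} so the result is easy to inspect or assert on.
    """
    workdir = tempfile.mkdtemp()
    try:
        updater = os.path.join(workdir, "updater.exe")
        chat = os.path.join(workdir, "chat.exe")
        with open(updater, "wb") as f:
            f.write(b"UPDATER v1.0")          # constructed stand-in for a binary
        with open(chat, "wb") as f:
            f.write(b"CHAT v2.3")
        baseline = build_baseline([updater, chat])

        # Vendor ships updater v1.1 and publishes its hash; we record it as known good.
        new_updater = b"UPDATER v1.1"
        known_good = {hashlib.sha256(new_updater).hexdigest()}
        with open(updater, "wb") as f:
            f.write(new_updater)

        # chat.exe is modified by something we did not sanction.
        with open(chat, "wb") as f:
            f.write(b"CHAT v2.3" + b"<injected payload>")

        # A new executable starts sending traffic after the baseline was taken.
        dropper = os.path.join(workdir, "svch0st.exe")
        with open(dropper, "wb") as f:
            f.write(b"DROPPER")

        verdicts = check_changes(baseline, [updater, chat, dropper], known_good)
        return {os.path.basename(p): v for p, v in verdicts.items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Only "known-update" lets you close the alert without further work; "unknown-change" and "new-application" are the cases where you pull the machine and look at the binary, which is exactly the workflow the rest of this article walks through in the SEPM console.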

 

During an incident, you can enable this feature to get a better idea of what applications are doing on your network. It may also help you narrow down the suspect machine(s).

Let's look at how to enable it:

Log in to your SEPM and navigate to Clients >> select the group you want to enable this feature for >> Policies. Under Location-Independent Policies and Settings, select Network Application Monitoring.

 

3_4.JPG

 

Place a check in the box Enable network application monitoring.

You can also configure other settings if you wish: the action to take when an application change is detected, additional text to display to the end user, and applications that will not be monitored (I do not recommend excluding anything in an IR situation, as I want full visibility of everything taking place on my network). Here is how I have configured it for my situation:

 

4_4.JPG

 

Now that this feature has been enabled, all network applications on the clients in that group will be monitored going forward.

During an incident response situation, end users will see the following prompt when a network application changes (provided the detection action is configured to prompt the user rather than to allow or block silently):

 

1_4.JPG

 

They can click Detail >> for more information:

 

2_4.JPG

 

There will be an entry in the Security log on the SEP client:

 

5_4.JPG

 

To view this same incident from the SEPM, go to Monitors >> Logs. Set the Log type to Network Threat Protection and set the Log content to Attacks:

 

6_4.JPG

 

You can select the line item and click Details to get more information:

 

7_2.JPG

 

Once you have determined whether this particular file is malicious, take action: isolate the suspect machine from the network and clean it, or, if the change turns out to be a legitimate update, deem the application legitimate.

If you determine that the application is malicious and has spread to multiple PCs on the network, you can also create a firewall rule to block traffic to and from this application until the machines can be cleaned. And if you want to add another layer of security, you can block the application so that it won't even be able to execute. Details are in my first article, How to utilize SEP 12.1 for Incident Response - PART 1.

I hope this article will be helpful for you.

Comments/Questions/Criticisms are welcome!

Comments (2)

Chetan Savade

Good Job, Brian!!!

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
