In a continuation from my two previous SEP 12.1 Incident Response articles, Part 1 & Part 2, this article will look at using the Network Application Monitoring feature in SEP 12.1 in a situation where incident response is needed.
What is Network Application Monitoring?
The SEP client has the ability to detect and track any application on a workstation that can send and receive traffic. An application's content may change for two reasons:
- Malware has attacked the application
- The application was updated with a newer version
During an incident, you can enable this feature to get a better idea of what applications are doing on your network. It may also help you narrow down the suspect machine(s).
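To make the idea behind the feature concrete, here is an added example (my own illustration, not Symantec's code; SEP's internal mechanism is not documented on this page) of how a monitor can notice that a network application's content has changed: record a SHA-256 fingerprint of each network-capable executable when monitoring is enabled, then re-hash and compare. A mismatch means the binary on disk is no longer the one that was baselined, whether because of a legitimate update or tampering, which is exactly the point at which an analyst wants a prompt and a log entry. The file names and contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return the SHA-256 of a file's contents (the 'application content')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(app_paths):
    """Record the fingerprint of every network-capable application at enable time."""
    return {path: fingerprint(path) for path in app_paths}


def detect_changes(baseline):
    """Compare current fingerprints against the baseline.

    Returns a list of (path, status) tuples where status is 'changed'
    (content differs from the baseline) or 'missing' (binary removed).
    An unchanged application produces no finding.
    """
    findings = []
    for path, old_hash in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif fingerprint(path) != old_hash:
            findings.append((path, "changed"))
    return findings


def demo():
    """Constructed scenario: two 'applications'; one is modified after baselining.

    Returns {'before': findings before any change, 'after': findings after}.
    """
    with tempfile.TemporaryDirectory() as d:
        app_a = os.path.join(d, "browser.exe")      # constructed sample binary
        app_b = os.path.join(d, "mailclient.exe")   # constructed sample binary
        with open(app_a, "wb") as f:
            f.write(b"original browser bytes")
        with open(app_b, "wb") as f:
            f.write(b"original mail client bytes")

        baseline = build_baseline([app_a, app_b])
        before = detect_changes(baseline)

        # Simulate the application content changing (update or tampering).
        with open(app_b, "wb") as f:
            f.write(b"different bytes after modification")

        after = [(os.path.basename(p), s) for p, s in detect_changes(baseline)]
        return {"before": before, "after": after}


if __name__ == "__main__":
    for status in demo()["after"]:
        print("application change detected:", status)
```

The same check is what makes "exclude this application from monitoring" a bad idea during an incident: an excluded path is simply never re-hashed, so a modified binary there raises nothing.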
Let's look at how to enable it:
Log in to your SEPM and navigate to Clients >> select the group you want to enable this feature for >> Policies. Under Location-Independent Policies and Settings, select Network Application Monitoring.
Place a check in the box to Enable network application monitoring
You can also configure other settings if you wish. You can set an action to take when an application change is detected, display additional text to the end-user, or add applications that will not be monitored (I do not recommend this in an IR situation, as I want full visibility of everything taking place on my network). Here is how I have configured it for my situation:
Now that this feature has been enabled, all network applications will be monitored going forward.
During an incident response situation, the end-users will see the following prompt when a network application changes:
They can click on Detail >> for more information.
There will be an entry in the Security log on the SEP client:
To view this same incident from the SEPM, go to Monitors >> Logs. Set the Log type to Network Threat Protection and set the Log content to Attacks:
You can select the line item and click Details to get more info.
Once you determine whether this particular file is malicious or not, you can take action: remove the suspect machine from your network and clean it, or deem the application legitimate.
If you determine that the application is malicious and has spread to multiple PCs on the network, you can also create a firewall rule to block the traffic to/from this application until the machines can be cleaned. And if you want to add another layer of security, you can add the application to be monitored so that it won't even be able to execute! Details are in my first article, How to utilize SEP 12.1 for Incident Response - PART 1.
I hope this article will be helpful for you.
Comments/Questions/Criticisms are welcome!