Twin Cities Security User Group


Metrics using data from SEPM (Part2) 

Aug 29, 2009 12:47 AM

This article is in response to Andy Chow’s request for correlating data from the SEPM Risk Report to figure out where a threat came from. This will not pick up every source accurately, but it will give you some great “extra data” to work with and to provide to management. It worked for me in getting a remote web filtering client installed on our remote workforce. We should begin to see the payoff, if the remote filtering software is blocking access to malicious websites, in the next couple of months.

Here is how I do some cheap correlation. Let’s go back to the original article (https://www-secure.symantec.com/connect/articles/metrics-using-data-sepm) and get our CSV risk report imported into Excel. We can stop at the point just before we open a pivot table (or you can use the pivot table to get the same information).
 
Now, looking at our Excel spreadsheet containing all of this information, we can see the following columns.
 
Events
Computer name
Source
Risk Name
Occurrences
File Path
Description
Actual Action
Requested Action
Secondary Action
Event Date
Event Insert Time
Domain
User Name
Server
Client Group
Source Computer Name
Source Computer IP
Event End Date
Timestamp
Deleted
 
There is a wealth of information in here. Let’s look specifically at the File Path column. We can see whether a file was detected in our Temp folder, under our profile, or on a different drive letter, and what type of file it was (exe, tmp, htm, …). Lots to work with here, folks.
 
Now let’s apply an AutoFilter (look under Data) in Excel to the first row of items. Each of these rows contains enough information that we can make some logical assumptions as to where the threat originated. Look at the image below. Each item highlighted in red can be filtered on (somewhat).
 
[Image: the risk report in Excel with AutoFilter enabled; the filterable columns are highlighted in red]
 
 
So let’s use that little drop-down button on the File Path column. Select Custom and you should see the image below.
 
[Image: the Custom AutoFilter dialog for the File Path column]
 
Now we can further filter our data in the File Path column. If you use the drop-down in the Custom AutoFilter dialog you’ll see there are a lot of options. Below is the list found in Excel.
 
Equals
Does not equal
Is greater than
Is greater than or equal to
Is less than
Is less than or equal to
Begins with
Does not begin with
Ends with
Does not end with
Contains
Does not contain
 
For example, let’s select “Begins with” and enter ?: (without the quotes; the ? is Excel’s single-character wildcard) in the field immediately to the right. Now keep the radio button on “And”, drop down the selection below to read “Does not begin with”, and enter C: (again without the quotes). Click OK. You have just generated a list of malware detections on either network or removable drives.
 
Here is how I slice and dice most of my risk report and what it means to me.
 
Malware detections from removable media
  Begins with: ?:
  And
  Does not begin with: C:

Malware from drive-by downloads
  Contains: Temporary Internet Files

Malware threats targeting popular Adobe products
  Ends with: .pdf
  Or
  Ends with: .swf

Executable downloaded malware
  Ends with: .exe

Malware detected by either the Lotus or Outlook SEP component
  Does not begin with: ?:
  And
  Does not begin with: Unavailable

 
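As an added example (not part of the original article or of SEPM), the same five AutoFilter recipes expressed as a Python script over the exported CSV, so the counts can be produced for every export without clicking through the dialog each month. The column name File Path comes from the list above; the sample rows are constructed, and the filter labels are mine.

```python
import csv
import io

# Constructed sample rows shaped like the SEPM risk report export (not real data);
# only the columns the filters need are included.
SAMPLE_CSV = r"""Computer name,Risk Name,File Path,Source Computer Name
WS01,Trojan.Gen,E:\autorun.inf,Unavailable
WS02,Trojan.Gen,C:\Users\bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ad.htm,Unavailable
WS03,Bloodhound.PDF,C:\Users\alice\Downloads\invoice.pdf,Unavailable
WS04,Downloader,C:\Temp\setup.exe,Unavailable
WS05,W32.Mailer,Inbox/attachment.zip,Unavailable
WS06,Trojan.Gen,Unavailable,Unavailable
"""

def begins_with_drive(path):
    """Excel 'Begins with ?:' where ? is the single-character wildcard."""
    return len(path) >= 2 and path[1] == ":"

def categories(path):
    """Apply the five AutoFilter recipes to one File Path value.

    Excel text filters are case-insensitive, hence the lower-casing.
    A path can match more than one recipe, so a list is returned.
    """
    p = path.strip()
    low = p.lower()
    hits = []
    if begins_with_drive(p) and not low.startswith("c:"):
        hits.append("removable or network drive")      # Begins with ?: AND Does not begin with C:
    if "temporary internet files" in low:
        hits.append("drive-by download")               # Contains Temporary Internet Files
    if low.endswith(".pdf") or low.endswith(".swf"):
        hits.append("adobe product")                   # Ends with .pdf OR Ends with .swf
    if low.endswith(".exe"):
        hits.append("executable download")             # Ends with .exe
    if not begins_with_drive(p) and not low.startswith("unavailable"):
        hits.append("mail component (Lotus/Outlook)")  # Does not begin with ?: AND Does not begin with Unavailable
    return hits

def summarize(csv_text):
    """Count detections per recipe across the whole export."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for label in categories(row["File Path"]):
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_CSV).items()):
        print(f"{n:4d}  {label}")
```

Point summarize() at the text of a real export (open the CSV and read it) to get the same counts the AutoFilter recipes give, with overlapping matches (an .exe on a USB stick) counted under every recipe they satisfy.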
Depending on how you slice and dice them, these logs can yield either great or not-so-great information. YOU need to play with the filters to determine what works for your environment. The above examples are only a small start to the ways you can tear apart the logs generated by SEP. With enough patience and time you’ll see the data begin to jump out from your screen.
 
 
Stay tuned... Part 3 will hopefully be published this weekend.
 

Comments

May 05, 2010 09:03 AM

Thanks for your article.

Oct 09, 2009 02:02 PM

Including who caused the infection would give us accountability, and not just a count of how many infections there were...

Sep 08, 2009 02:49 PM

A little later than I planned, but moving took more of my time this weekend than expected. Here is part three of my metrics article. I just submitted it, so it should be published (after approval by moderators) within the next couple of hours/days.

https://www-secure.symantec.com/connect/articles/metrics-using-data-sepm-part-three

Sep 05, 2009 06:47 PM

Good one again Jeff Wichman!

Sep 04, 2009 09:04 PM

I think the monthly report should have more detailed and better information. Pie charts with bright colors look nice, but what is more important for us enterprise customers is what happened in our environment this month, how safe we are, whether there are any events still left, and who/what they are if any....

Sep 04, 2009 11:43 AM

Now if only Symantec would let SEM send me a monthly log export automatically! Or, since our management has requested monthly logs (I have their email right here!), I could have SEM export each log, attach it to an email and have it sent to them along with your article links.
(Sorry, Symantec, your reports are worthless and lame. We don't want pie charts of how many there were; we want who, what, when and where. Name names, give us a list of who did it and with what, especially for Device Control.)
Well, ya got my vote.
