Endpoint Protection


IPS Alerts - Standard Processes for Reacting to a Generated IPS Event

  • 1.  IPS Alerts - Standard Processes for Reacting to a Generated IPS Event

    Posted Jul 20, 2010 09:39 AM
    Background:
    We recently went live with an IPS implementation and I am trying to develop a process for reacting to triggered IPS attacks. At first I had assumed that outbound events would be more concerning as it might imply that the client system was already infected. However, I am seeing more events with an outbound direction than I had expected, often referencing iexplore.exe as the initiating application. I could execute a SEP scan, but feel that requiring a desktop visit/reimage might be overkill in many of the occurrences. Additionally, I find it odd that administrative notifications are not configurable for NTP events and have had to leverage an external correlation engine to get real-time alerting for IPS.

    Question:
    What are other customers doing as a standard reaction process for IPS events? How do people scrutinize events to determine what warrants major actions such as PC reimage? In general, are outbound events more concerning than inbound?


  • 2.  RE: IPS Alerts - Standard Processes for Reacting to a Generated IPS Event
    Best Answer

    Posted Aug 04, 2010 09:26 AM
    Hi,

    In SEPM, there is a report for "Top Attackers". That gives you the IP address of the machines that have attacked other clients with SEP IPS enabled.

    You can run the report. Set a threshold, e.g. machines that have attacked more than 10-15 times.

    You can investigate those IPs. Searching them in SEPM would be the first step.

    If the IP is not there in SEPM and it is a machine/laptop/server then install SEP on the machine and scan.

    If it's a device (router, etc.) then ignore.

    Regards,
    Aniket