With more and more users working remotely, it is highly likely that more applications will be downloaded and installed on endpoints. Here is an analytic story from the Splunk Enterprise Security Use Case Library that addresses this.
This story provides guidance to identify and investigate prohibited or unauthorized software or processes that may be concealing malicious behavior in your environment. A similar analytic story exists for monitoring out-of-date software. Note that the risk introduced by installing more software on endpoints will be higher under a remote-work model. If you already run this search, review how frequently it is scheduled, since the new operating model will most likely change the requirement.
Example searches include, among others, Prohibited Software on Endpoint, Get Authentication Logs for Endpoint, Get Vulnerability Logs for Endpoint, Investigate Web Activity From Host, and Add Prohibited Processes to Enterprise Security. For each of these, users can edit the correlation search to fit their environment; the Prohibited Software on Endpoint search is the one used as the example here.
The main data source type for this analytic story is endpoint process telemetry from EDR tools such as Carbon Black, Tanium, and CrowdStrike, or from Sysmon.
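The core of the Prohibited Software on Endpoint search is simple: take process-creation events from the endpoint data source, normalize the process name, and match it against a maintained list of prohibited processes. The following is an added example, not code from the Splunk post or from Enterprise Security, that reproduces that logic in Python over a handful of constructed Sysmon-style events so it can be run offline. The key=value event format, the `PROHIBITED` list, and the `allowed_hosts` exception set are all assumptions made for the example; in Splunk the list lives in the lookup maintained by the Add Prohibited Processes to Enterprise Security search.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like key=value shape (not real logs).
# EventCode=1 is process creation; EventCode=3 is a network connection and
# should not produce a "software installed" hit on its own.
SAMPLE_EVENTS = [
    '2020-04-01T09:12:03Z host=WS-017 user=ACME\\alice EventCode=1 Image="C:\\Users\\alice\\AppData\\Local\\uTorrent\\uTorrent.exe"',
    '2020-04-01T09:13:44Z host=WS-017 user=ACME\\alice EventCode=3 Image="C:\\Users\\alice\\AppData\\Local\\uTorrent\\uTorrent.exe"',
    '2020-04-01T10:02:19Z host=WS-042 user=ACME\\bob EventCode=1 Image="C:\\Program Files\\TeamViewer\\TEAMVIEWER.EXE"',
    '2020-04-01T11:40:08Z host=WS-042 user=ACME\\bob EventCode=1 Image="C:\\Windows\\System32\\notepad.exe"',
    '2020-04-01T12:05:51Z host=WS-017 user=ACME\\alice EventCode=1 Image="C:\\Users\\alice\\AppData\\Local\\uTorrent\\uTorrent.exe"',
    '2020-04-01T12:30:00Z host=IT-JUMP01 user=ACME\\svc_helpdesk EventCode=1 Image="C:\\Program Files\\TeamViewer\\TeamViewer.exe"',
    'this line is not an endpoint event and must be skipped',
]

# Hypothetical prohibited-process list (lower-case basenames). In Enterprise
# Security this is the lookup that the analytic story's "Add Prohibited
# Processes" search maintains; the entries here are illustrative only.
PROHIBITED = frozenset({"utorrent.exe", "teamviewer.exe", "nmap.exe", "anydesk.exe"})

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'EventCode=(?P<code>\d+)\s+Image="(?P<image>[^"]+)"'
)


def parse_event(line):
    """Return a dict of fields for a well-formed event, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def process_basename(image):
    """Normalize a full image path to a lower-case basename so that path and
    case differences (roaming installs, renamed directories) do not evade
    the match."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_prohibited(lines, prohibited=PROHIBITED, allowed_hosts=frozenset()):
    """Aggregate prohibited process executions per (host, process).

    allowed_hosts is a hypothetical exception set (lower-case host names) for
    machines where a listed tool is sanctioned, e.g. a helpdesk jump box.
    Timestamps are kept as ISO-8601 strings, which sort correctly as text
    because every sample event uses the same format.
    """
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "users": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["code"] != "1":
            continue  # malformed line, or not a process-creation event
        name = process_basename(ev["image"])
        if name not in prohibited:
            continue
        if ev["host"].lower() in allowed_hosts:
            continue  # sanctioned on this host; do not raise a notable
        h = hits[(ev["host"], name)]
        h["count"] += 1
        h["first_seen"] = min(filter(None, (h["first_seen"], ev["ts"])))
        h["last_seen"] = max(filter(None, (h["last_seen"], ev["ts"])))
        h["users"].add(ev["user"])
    # Freeze the user sets into sorted lists so results are deterministic.
    return {k: {**v, "users": sorted(v["users"])} for k, v in hits.items()}


if __name__ == "__main__":
    results = find_prohibited(SAMPLE_EVENTS, allowed_hosts=frozenset({"it-jump01"}))
    for (host, proc), info in sorted(results.items()):
        print(f"{host}: {proc} x{info['count']} "
              f"({info['first_seen']} .. {info['last_seen']}) users={info['users']}")
```

Two points worth carrying back to the real correlation search: match on the normalized process basename rather than the full path, otherwise a user-profile install of the same binary slips through, and keep any host or user exceptions in a lookup you review rather than hard-coding them into the search.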
Check here for more practical guides on how to secure your organization in the new work-from-home era.
Thanks to the contributors of this blog post, Bryan Sadowski, Lily Lee, Rene Aguero, James Brodsky, Chris Simmons.