Understanding Sysmon & Threat Hunting with A Cybersecurity Specialist & Incident Detection Engineer
Ғылым және технология
This discussion with Amanda Berlin, Lead Instant Detection Engineer at Blumira. The focus of the conversation is on utilizing Sysmon for threat hunting and testing detections in cybersecurity. Amanda, a seasoned cybersecurity professional, shares her expertise in detecting malicious behavior in the wild through practical examples. The discussion covers anomaly detection, the utilization of various tools (with links provided in the video description), and the importance of understanding threat detection in a real-world context.
lawrence.video/
Links mentioned in the video
- www.blumira.com/enable-sysmon/
- github.com/SwiftOnSecurity/sy...
- github.com/SecurityRiskAdviso...
- github.com/redcanaryco/atomic...
- www.blumira.com/how-to-test-y...
- thedfirreport.com/2023/12/18/...
Sending Windows Event Logs to Graylog With NXLOG
• Step-by-Step Guide: Se...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag/
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 www.techsupplydirect.com?aff=2
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
CHAPTERS:
0:00 - Introductions
5:19 - Cyber Threat Defense Strategies
7:38 - Understanding Sysmon Essentials
13:57 - Exploring Sysmon Advantages
15:29 - Standard Deviation Explained
18:41 - Adversary Emulation Techniques
24:00 - Sysmon Use Case: Scenario 1
30:47 - Sysmon Use Case: Scenario 2
36:43 - Sysmon Use Case: Scenario 3
44:06 - Exchange Server Compromise Case Study
52:53 - Enhancing Detection with Testing
55:30 - Insights from Incident Response
57:21 - Conclusion and Thanks
Пікірлер: 17
Thanks, Tom and Amanda! This was super useful and informative!
super interesting stuff guys! thanks!
Thanks Tom and Amanda for that Interesting Presentation. Great Info. Brought back memories of Sleepless nights from my previous Job Posting as a lone System Administrator in a private medical clinic in Canada. It was a constant (losing) battle with the users (Doctors) to improve security. Thankfully those scary days are years behind me now. Any upcoming video to transfer sysmon logs into Graylog?
@LAWRENCESYSTEMS
4 ай бұрын
As I said in the video, I have a video on how to do that linked in the description kzread.info/dash/bejne/k2eAxLOop5rPZLQ.html
How nice would it be if Microsoft included these utilities in a default install rather than the crap I have to spend an hour uninstalling! Great video thanks!
@MD-es3rv
4 ай бұрын
Most companies do not have storage requirements, system requirements etc to run sysmon by default this stuff would require planning, infrastructure etc. It would also require some sort of siem fowarder setup to ingest all that data recorded back into the siem. In other words, by default it would cause to much trouble. Corporate networks have all sorts of old tech, old OS's and legacy shit that shouldn't be there, but are bc well, they unfortunately need to be.
@davidanderson2436
4 ай бұрын
@@MD-es3rv Couldn't agree more - point was that a professional version of windows should have more utilities like these installed (by default - not necessarily running or configured - but at least available) rather than SnapChat, GameBox, Facebook, ChimClip, Spotify, Latest Office version - or whatever MS wants to shove down users throats at the time of install - they should save that for the Home version or not install it at all.
This is great. Made me want to check if Blumira is hiring.
Awesome talk! Thanks for the information. I would love to see a similar talk on Unix system security logging. Maybe even Sysmon for Linux.
@LAWRENCESYSTEMS
15 күн бұрын
Sysmon is needed for Windows because it does not have a good logging export system without it. Linux already has syslog and rsyslog to export to another server.
Really Helpful, Cheers...
So I've used sysmon for brief debugging, but how do you tack it up to log app network connections 24/7? There goes my weekend...
Thank you!
Great content, Thanks. Is it beneficial to implement Sysmon in conjunction with CrowdStrike EDR? What benefits does Sysmon provide that CrowdStrike doesn't?
@LAWRENCESYSTEMS
Ай бұрын
I don't get the question. Sysmon is for logging and Crowdstrike is an EDR.
@kasta851984
Ай бұрын
@@LAWRENCESYSTEMS Thank you for your reply. My question is: Is it worthwhile to implement Sysmon if we are already using Crowdstrike? I believe that Crowdstrike monitors everything that Sysmon does?
@LAWRENCESYSTEMS
Ай бұрын
@@kasta851984 I don't use Crowdstike so I don't know