This whitepaper gathers the results of the work carried out by the Telefónica Chief Data Officer and the ElevenPaths Product Unit to detect a succession of events, not necessarily security related on their own, that together give reason to consider a Windows machine compromised, using the ElevenPaths product “Security Monitoring” for that purpose. The whitepaper was written by Pablo González Pérez (Security Researcher, ElevenPaths), Santiago Hernández Ramos (Security Researcher, ElevenPaths) and Santiago Urbano López de Meneses (Product Manager, ElevenPaths).
Microsoft Windows operating systems generate a large amount of security and health information in the form of events. Not every one of these events indicates a risk a priori, but taken together they can provide clues that something is going on.
The work described is a proof of concept: first, a set of individual events is parameterized; then, it is established that a particular combination of those events, occurring within a given time span, confirms that a machine is under threat or has already been compromised, so that the system administrator can be alerted that malicious activity is taking place on that machine.
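The idea above, that individually harmless events become evidence when they occur in order within a time window, can be shown in code. The following Python is an added example and is not part of the whitepaper or of the Security Monitoring / Logtrust platform. The event IDs it uses are standard Windows Security log IDs (4625 failed logon, 4624 successful logon, 4720 user account created), but the whitepaper does not name the events it correlates, so the specific sequence, the 10-minute window, the record format and the log lines below are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WinEvent:
    """One Windows event, reduced to the fields the correlation needs."""
    time: datetime
    host: str
    event_id: int
    account: str


@dataclass(frozen=True)
class Rule:
    """Ordered stages (event_id, min_count); all must occur on one host
    within `window` of the first matching event."""
    name: str
    stages: Tuple[Tuple[int, int], ...]
    window: timedelta


def parse_line(line: str) -> WinEvent:
    """Parse a constructed 'ISO-time host EventID=n Account=name' record.
    The record format is an assumption for this example, not a Windows format."""
    ts, host, eid, acct = line.split()
    return WinEvent(datetime.fromisoformat(ts), host,
                    int(eid.split("=", 1)[1]), acct.split("=", 1)[1])


def _match_stages(window: List[WinEvent],
                  stages: Tuple[Tuple[int, int], ...]) -> Optional[List[WinEvent]]:
    """Consume `window` left to right: each stage's event ID must appear at
    least min_count times after the previous stage was satisfied."""
    pos = 0
    matched: List[WinEvent] = []
    for eid, need in stages:
        idxs = [i for i in range(pos, len(window)) if window[i].event_id == eid]
        if len(idxs) < need:
            return None
        matched.extend(window[i] for i in idxs[:need])
        pos = idxs[need - 1] + 1
    return matched


def correlate(events: List[WinEvent], rule: Rule) -> List[Dict]:
    """Return one alert per host whose events satisfy every stage of `rule`,
    in order, within the rule's time window."""
    by_host: Dict[str, List[WinEvent]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.host, []).append(ev)

    alerts: List[Dict] = []
    for host, evs in by_host.items():
        for start_idx, start in enumerate(evs):
            if start.event_id != rule.stages[0][0]:
                continue  # a sequence can only open with the first stage
            deadline = start.time + rule.window
            in_window = [e for e in evs[start_idx:] if e.time <= deadline]
            matched = _match_stages(in_window, rule.stages)
            if matched is not None:
                alerts.append({
                    "rule": rule.name,
                    "host": host,
                    "first": matched[0].time,
                    "last": matched[-1].time,
                    "accounts": sorted({e.account for e in matched}),
                })
                break  # one alert per host; later starts would duplicate it
    return alerts


# Constructed sample records (not real telemetry). WS01: a password-guessing
# run that succeeds and is followed by a new local account within minutes.
# WS02: two mistyped passwords, and an unrelated account creation hours later.
SAMPLE_LOG = [
    "2024-03-04T09:00:00 WS01 EventID=4625 Account=admin",
    "2024-03-04T09:00:15 WS01 EventID=4625 Account=admin",
    "2024-03-04T09:00:30 WS01 EventID=4625 Account=admin",
    "2024-03-04T09:00:45 WS01 EventID=4625 Account=admin",
    "2024-03-04T09:01:10 WS01 EventID=4624 Account=admin",
    "2024-03-04T09:03:00 WS01 EventID=4720 Account=svc_backup",
    "2024-03-04T10:00:00 WS02 EventID=4625 Account=jdoe",
    "2024-03-04T10:00:20 WS02 EventID=4625 Account=jdoe",
    "2024-03-04T10:05:00 WS02 EventID=4624 Account=jdoe",
    "2024-03-04T14:00:00 WS02 EventID=4720 Account=newhire",
]

# Assumed rule: 3+ failed logons, then a success, then an account creation,
# all within 10 minutes on the same host.
BRUTE_FORCE_THEN_PERSIST = Rule(
    name="failed logons -> success -> new account",
    stages=((4625, 3), (4624, 1), (4720, 1)),
    window=timedelta(minutes=10),
)


def run(lines: List[str] = SAMPLE_LOG,
        rule: Rule = BRUTE_FORCE_THEN_PERSIST) -> List[Dict]:
    return correlate([parse_line(l) for l in lines], rule)


if __name__ == "__main__":
    for a in run():
        print(f"[{a['rule']}] host={a['host']} {a['first']} .. {a['last']} "
              f"accounts={a['accounts']}")
```

Only WS01 raises an alert: every event on WS02 also appears on WS01, but on WS02 the failed logons are too few and the account creation is hours outside the window, which is exactly the distinction between a single event that is not a risk by itself and a combination of events in time that is.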
This experience has allowed us to modify some elements of the development cycle of the “Security Monitoring” product, so that the event-gathering and correlation platform from Logtrust, which powers “Security Monitoring”, can implement these detections easily and flexibly and, in the future, make these features available to the service's clients.