We all know logging is critical for monitoring activity on enterprise networks to detect malicious activity, especially on endpoints. 'Client side attacks are where adversaries are focused using a variety of methods including spear phishing and watering holes. 'Often most of the evidence of such an attack is at the user endpoint, that is in the host logs. 'Collection of logs from user endpoints is challenging already due to the volume and, if not carefully planed, can easily overwhelm the SIEM of any organization. But if an attack is occurring, these logs are invaluable in being able to detect (and thus alert on) the attack, for responding to the attack, performing forensic analysis to discover how and when the attack occurred, and after remediation has completed, monitoring for re-infections. 'While there are many guides (i.e. Microsoft, NSA, Palantir) for setting up a solid baseline logging configuration, there are few that discuss additional logs and/or items to monitor when machines are under attack, or at least under suspicion. Should all logs be enabled and collected or just a larger subset? If a subset, what is of most interest and value? '
In this webcast Craig will present pros and cons of each option and discuss some of the current standards for configuring logging on workstations, explain what types of attacks leave no, or minimal traces with regards to those configurations, and suggest additional logs to enable or collect when a host is suspected of being compromised.