In this webinar I will take you through the guidance in NSA's Spotting the Adversary with Windows Event Log Monitoring. I'm sure you will agree that it's an intriguing and highly targeted topic for folks like us who geek out on Windows Security Log Event IDs. This in-depth 54-page document is from the NSA's Information Assurance Directorate. And when I say in-depth, I mean it. Here are the areas it covers:
- Application Whitelisting
- Application Crashes
- System or Service Failures
- Windows Update Errors
- Windows Firewall
- Clearing Event Logs
- Software and Service Installation
- Account Usage
- Kernel Driver Signing
- Group Policy Errors
- Windows Defender Activities
- Mobile Device Activities
- External Media Detection
- Printing Services
- Pass the Hash Detection
- Remote Desktop Logon Detection
It definitely has its share of recommendations that only highly classified agencies with large budgets could hope to implement but there's plenty of useful knowledge and recommendations as well. We will focus on areas that are relevant and practical for the private and corporate sectors.
In particular, I think it's interesting that this document goes beyond just the Security log and points out events in other Windows event logs that have high security value. I've been thinking for a long time that I need to show the community some of these other logs, and this is a great opportunity to do it.
I'll also point out areas I think should be addressed differently, as well as additional areas that are missing from the guidance. EventTracker is an apropos sponsor for this event because EventTracker has a purpose-built knowledge and reporting pack for this NSA guidance. And with EventTracker you can avoid the management-heavy burden of implementing Windows Event Forwarding, which figures heavily in the NSA guidance.
This will be an interesting Real Training for Free™ event. Please register now.