Achieving tailored event monitoring and implementing behavioral baselines

In this session, discover the challenges specific to macOS event monitoring and why it’s critical to organizational cybersecurity. Also, learn which questions help IT/Security admins decide on the SIEM solution that works best for them, and finally, follow the guided demo that uses a custom analytic/rule to mitigate malware on macOS.

October 10, 2024 by Jesus Vigo

JNUC 2024 Nashville: Achieving tailored event monitoring & implementing behavioral baselines

macOS event monitoring challenges

“Navigating security without event monitoring is like driving without headlights — you’re in motion, but you won’t see the danger until impact.” — Thijs Xhaflaire

Thijs Xhaflaire opens the presentation by addressing the challenges organizations face when they have no event monitoring in place. Simply put, he likens it to driving a car in complete darkness: any dangers on the road are invisible to the driver until, sadly, it’s too late. With headlights, sensors and taillights, drivers are better equipped not only to see the oncoming risk but to take corrective action to mitigate it.

In the IT and security realm, admins are responsible for multiple devices, each running a myriad of applications, performing many processes, working with sensitive data and subject to countless user actions. Event monitoring at its core gives admins insight into the many aspects of device usage; a few critical ones are:

  • Which applications are executed
  • What processes are running
  • How data is used
  • When users take action

How to choose the best event monitoring tool

As with many things technology-related, there are multiple ways to perform a task, and event monitoring is no different. Many vendors develop Security Information and Event Management (SIEM) solutions to aid administrators in gathering, sorting, quantifying and reporting all the security information obtained from event monitoring across the fleet.

Xhaflaire touches on some of these vendors but, rather than pointing to one clear solution above all, recognizes that organizational needs play a significant role in which solution is chosen. Instead, he highlights the most beneficial features through a series of questions that security analysts should ask themselves when considering which SIEM solution best meets their organization's needs.

Some of these critical questions are:

  • Does telemetry collect the data needed?
  • Can a Unified Log filter capture this activity?
  • Is it required to create custom rules?
  • Do we integrate our endpoint security with SIEM?

Demonstration: detecting malware through event monitoring

During the presentation, Xhaflaire speaks about the various ways event monitoring can help identify and mitigate security-impacting risk on enterprise endpoints. But if a picture is worth a thousand words, as the saying goes, how valuable is an in-depth demo on how to create a custom analytic and use it to detect infostealer malware on macOS endpoints?

While you’ll have to watch the almost 20-minute demonstration for yourself to find out, we’ll share a few high-level points below to whet your appetite:

Scenario walkthrough

  • Reverse engineer: gathering the ingredients
  • Detection engineer: building the analytic and building the rule in the SIEM
  • End-user action: installing the malware from a compromised app
  • Threat actor: discovery and credential access
  • Security analyst: alerting and investigation
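The "building the analytic" step above, as an added example that is not part of the session or of this post: a small Python behavioural-baseline analytic run over constructed telemetry records. The event fields, the credential-store path fragments and the process paths are assumptions chosen for illustration, not values from the talk.

```python
# Added example, not code from the JNUC session or from Jamf: a minimal
# behavioural-baseline analytic of the kind the detection engineer builds, run
# over constructed telemetry like an endpoint agent or Unified Log filter forwards to a SIEM.
from collections import defaultdict
# Credential stores an infostealer reads at the "credential access" step. The
# path fragments are assumptions for this example, not taken from the talk.
SENSITIVE_MARKERS = (
    "/Library/Keychains/",                          # login keychain
    "/Library/Cookies/",                            # Safari cookies
    "/Library/Application Support/Google/Chrome/",  # Chrome profile data
)

def is_sensitive(path):
    """True when the accessed file lives under one of the credential stores."""
    return any(marker in path for marker in SENSITIVE_MARKERS)

def build_baseline(events):
    """Learn, per user, which processes normally touch sensitive files.
    Events are dicts with keys user, proc, file; returns user -> set(proc)."""
    baseline = defaultdict(set)
    for ev in events:
        if is_sensitive(ev["file"]):
            baseline[ev["user"]].add(ev["proc"])
    return baseline

def detect(events, baseline):
    """One alert per sensitive-file access by a process outside the user's
    baseline; this is the condition a SIEM rule would encode."""
    return [
        {"user": ev["user"], "proc": ev["proc"], "file": ev["file"]}
        for ev in events
        if is_sensitive(ev["file"])
        and ev["proc"] not in baseline.get(ev["user"], set())
    ]

# Constructed learning-window telemetry: alice's browser reading its own cookies.
LEARNING_EVENTS = [
    {"user": "alice", "proc": "/Applications/Safari.app/Contents/MacOS/Safari",
     "file": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
]

# Constructed live telemetry; only the last record (a helper from the compromised app reading the keychain) deviates.
LIVE_EVENTS = [
    {"user": "alice", "proc": "/Applications/Safari.app/Contents/MacOS/Safari",
     "file": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"user": "alice", "proc": "/usr/bin/vim", "file": "/Users/alice/Documents/notes.txt"},
    {"user": "alice", "proc": "/private/tmp/Installer.app/Contents/MacOS/Installer",
     "file": "/Users/alice/Library/Keychains/login.keychain-db"},
]
```

In practice the learning window runs over days of fleet telemetry and the baseline is keyed on more than the process path (signing identity, parent process), but the rule shape stays the same.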

Takeaway

  • Staying informed is a crucial component of endpoint security
  • Detecting events at an early stage is made possible by event monitoring
  • Various options, like integrating with a SIEM, are available to monitor activity