Below are links to my articles on using SEP for incident response with a brief description of what each one entails. Please feel free to have a look and leave questions, comments, or feedback. Ideas for future articles are welcomed as well. Additionally, you can subscribe to posts by me to be kept update on any new releases. Thanks for looking!

How to utilize SEP 12.1 for Incident Response - PART 1​​​

• This article discusses using the 'Application to Monitor' feature in SEPM to stop the spread when current definitions are not detecting it.

How to utilize SEP 12.1 for Incident Response - PART 2​

• This article discusses using the System Lockdown component to stop the spread of a threat.

How to utilize SEP 12.1 for Incident Response - PART 3

• This article discusses using the 'Network Application Monitoring' feature in SEPM to track which applications in your network are making connections to the Internet and determine if they've been compromised.

How to utilize SEP 12.1 for Incident Response - PART 4

• This article discusses using the 'Application Learning' feature to hunt for malicious processes on endpoints.

How to utilize SEP 12.1 for Incident Response - PART 5

• This article discusses using the firewall component to create specially crafted rules to lockdown endpoint traffic during an incident response situation.

How to utilize SEP 12.1 for Incident Response - PART 6

• This article discusses using a custom IPS policy to detect file downloads over HTTP/HTTPS.

How to utilize SEP 12.1 for Incident Response - PART 7

• This article discusses using the Application and Device Control component to monitor all file and registry activity on a system, very similar to what Process Monitor can do.

How to utilize SEP 12.1 for Incident Response - PART 8

• This article discusses the Tamper Protection component and how it can be used to detect potentially malicious processes that try to disable SEP.

How to utilize SEP 12.1 for Incident Response - PART 9

• ​This article discusses using both the Application and Device Control and Firewall component to allow file execution but restrict its access to the Internet. 

How to utilize SEP for Incident Response - PART 10

• This article discusses using the custom IPS feature to detect inbound network connection attempts.

Note: The following is based on Symantec Data Loss Prevention v.14.6.01. Always backup your system before making any modifications.

Creating / Importing the New .Keystore, Certificate Signing Request and SSL Certificate

1. On the Enforce server, backup entire contents of \SymantecDLP\Protect\tomcat\conf directory to a TEMP directory.
2. On the Enforce server, open a Command Prompt with elevated privileges.
3. Change current directory to \SymantecDLP\jre\bin\
4. Delete any current .keystore file that may exist.
5. From the command prompt, type this command: keytool –genkey –alias tomcat –keyalg RSA –keysize 2048 –keystore .keystore –validity 365 –storepass protect –dname “CN=<yourserverurl>, OU=<yourdepartment>, O=<yourcompany>, L=<yourcity>, ST=<yourstate>, C=<countrycode>” [PRESS ENTER]
6. This should produce the .keystore file in the \SymantecDLP\jre\bin directory folder.
7. From the same command prompt, type this command: keytool –certreq –alias tomcat –keyalg RSA –keystore .keystore –storepass protect –file “signingrequest.csr” [PRESS ENTER]
8. This should produce the signingrequest.csr file. Send this file to your CA admin so they can generate the certificate file in PKCS#7 format. This is the format suitable for Tomcat. The file should have an extension of *.p7b.
   
   1. NOTE: If you plan on using Google Chrome v.58 or newer, you must include the extension SubjectAlternativeName when creating the certificate. Google Chrome deprecated the use of CN= and now relies on the extension. The CN= is needed though for IE. With both CN= and the extension SubjectAlternativeName, the certificate should work with both IE and Google Chrome. This is an example of the extension:

#8: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

                                DNSName: *.acme.com

                                DNSName: acme.com

                Also, if you are planning on using Google Chrome with DLP, you have to modify the manager.properties file located in the \SymantecDLP\Protect\config directory folder. Look for the entry com.vontu.manager.unsupported_browser_autentication = false

And change it to true. Save the file. This will allow the usage of Google Chrome and Apple Safari browsers.

1. When you receive the *p7b file, copy it to the |Symantec\DLP\jre\bin directory folder on the Enforce server.
2. On the Enforce server, open a Command Prompt with elevated privileges.
3. Change current directory to \SymantecDLP\jre\bin\
4. From the command prompt, type this command: keytool –import –alias tomcat –keystore .keystore –trustcacerts –file <filename>.p7b [PRESS ENTER]
5. From the SymantecDLP\jre\bin directory folder, copy the .keystore file to the \SymantecDLP\Protect\tomcat\conf directory folder.
6. Stop ALL Vontu services.
7. Start ALL Vontu services.

Verify authenticity and working order of the certificate by accessing the Enforce GUI via your browser application.

The system requirements for (SEPM) Symantec Endpoint Protection Manager and the (SEPC) Symantec Endpoint Protection clients are the same as those of the operating systems on which they are supported.

• Symantec Endpoint Protection Manager system requirements
• Symantec Endpoint Protection client for Windows system requirements
• Symantec Endpoint Protection client for Windows Embedded system requirements
• Symantec Endpoint Protection client for Mac system requirements
• Symantec Endpoint Protection client for Linux system requirements

Symantec Endpoint Protection Manager system requirements

 This SEPM version manages 11.0.x and 12.0.x clients, regardless of the client operating system.

Note :-  If you use a SQL Server database, you may need to make more disk space available. The amount and location of additional space depends on which drive SQL Server uses, database maintenance requirements, and other database settings.

Symantec Endpoint Protection client for Windows system requirements

Symantec Endpoint Protection client for Windows Embedded system requirements

Symantec Endpoint Protection client for Mac system requirements

Symantec Endpoint Protection client for Linux system requirements

Introduction

This is the eighteenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

Symantec Security Response and Technical Support are always advising end users, "Be suspicious and think before you click: Never view, open, or execute any email attachment unless you expect it and trust the sender."  What exactly do they mean?  What should mail recipients be careful about?

Let me show you....

Here's a rogues gallery of screenshots from recent malicious macro spam.  Malicious macros are one of the main delivery mechanisms for threats, lately.  If you open the email attachment, let the macro run... you're infected.  Full details on how to fight threats like this can be found in Support Perspective: W97M.Downloader Battle Plan.

It's For Your Own Protection

This sample uses Security as a method for Social Engineering the recipient. "This document is protected."  That sounds safe! 

I can blindly trust whatever random sender mailed it, and follow their prompts to "please click Enable Content", right?  

Um, no. 

It's a scam. 

Here's another trying the exact same trick.

Wait Mr. Victim, You're Missing Something

Here's one that pretends that the email attachment cannot properly be viewed until the recipient enables editing and downloads the "Media dynamic content plugin missing."

You're actually not missing anything.  It's a fake error.  "Please enable Editing and Content to see this document"? No.

What If I Ask Nicely?

"The contents of this document require macros to be displayed correctly.  In order to view this document, please press Enable Content above."

Even well-mannered MS Word documents that say "please" and "thank you" can be up to no good.  Don't click, it's a scam.

It's Not You, It's Me

A big error message "Document created in earlier version of Microsoft Office Word"?  That's weird, seeing as my MS Office easily opens every other ancient .doc file created since, what, Office 97? 

Don't fall for it!  Do not "Enable Editing from the yellow bar and then click Enable Content"!   

Packed Full of Goodness!

Oh, this unexpected mail attachment is full of other mail attachments!  Boy those look good.  I will get a payment if I only "Please enable editing mode to view included documents."

Wait, why isn't the sender putting those in a .zip, .rar, .7z or other normal container-?

Remember: macros are disabled by default in modern Office for good reason. Don't enable them!

A Worldwide Sensation!

The malware distributors try it out in any market where they think they can make money.  Here's one in Japanese....

A rough translation for this one is "If you need to keep the compatibility with older version of Excel after conversion Please click [Enable Contents]".  それをクリックしないでください！

This targeted Spanish markets.... How tantalizing! I can almost read the blurred text behind this error!

"Error while loading the document.  It has been issued an error while loading the document.  1. Microsoft Word macros are disabled causing an unexpected error...."  No haga click en este enlace!

Sometimes The Creative Juices Just Won't Flow

This one just demands "Enable Editing".  Couldn't think of any good reason why someone should, I guess.  And too busy to pick a nicer font.

Short answer: nope.

So What Should We Do?

You've received a mail with a macro attachment.  How to check it out before enabling anything?  Some ideas:

1. Submit the suspicious mail to Symantec Security Response for examination.  They will be able to determine if the attachment is malicious or safe.

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

2. Open the attachment with Word Viewer or Excel Viewer instead of the full version of Word or Excel.

3. Pick up the phone and ask the sender, "Hey, did you just send me a document which needs macros enabled?"

4. Ask your IT department, mail security team, well-informed co-worker.... whoever you've got.  Get an expert opinion!

5. Open your favorite search engine and type in the attachment name or the text of the prompt message.  Does it come back with a lot of hits related to malware?

6. Unless you are certain it is safe, leave it!

Conclusion

Many thanks for reading!  And for thinking before opening documents and enabling dynamic content. 

Final word:  "When in Doubt, don't click it!"

Please leave comments and feedback below. 

Symantec offers three live, instructor-led training courses for Symantec Endpoint Protection 14.

The Symantec Endpoint Protection 14: Plan and Implement course is designed for the network, IT security, and systems administration professional in a Security Operations position tasked with planning and implementing a Symantec Endpoint Protection environment. This course covers how to architect and size a Symantec Endpoint Protection environment, install or upgrade the Symantec Endpoint Protection Manager (SEPM), benefit from a SEPM disaster recovery plan, and manage replication and failover. The class also covers how to deploy new endpoints and upgrade existing Windows, Mac, and Linux endpoints.

The Symantec Endpoint Protection 14: Manage and Administer course is designed for the network, IT security, and systems administration professional in a Security Operations position tasked with the day-to-day operation of the SEPM management console. The class covers configuring sever-client communication, domains, groups, and locations and Active Directory integration. You also learn how Symantec Endpoint Protection uses LiveUpdate servers and Group Update Providers to deliver content to clients. In addition, you learn how to respond to incidents using monitoring and reporting.

The Symantec Endpoint Protection 14: Configure and Protect course is designed for the network, IT security, and systems administration professionals in a Security Operations position who are tasked with configuring optimum security settings for endpoints protected by Symantec Endpoint Protection 14. This class brings context and examples of attacks and tools used by cybercriminals. This course includes practical hands-on exercises and demonstrations that enable you to test your new skills and begin to use those skills in a working environment.

Symantec offers live, instructor-led training for Data Loss Prevention.

The Symantec Data Loss Prevention 14.6: Administration course is designed to provide you with the fundamental knowledge to configure and administer the Symantec Data Loss Prevention Enforce platform. The hands-on labs include exercises for configuring Enforce server, detection servers, and DLP agents as well as performing policy creation and incident detection, incident response, incident reporting, and user and role administration. Additionally, you are introduced to deployment best practices and the following Symantec Data Loss Prevention products: Network Monitor, Network Prevent, Cloud Service for Email, Network Discover, Network Protect, Cloud Storage, Endpoint Prevent, and Endpoint Discover.

Problem:

DLP incidents showing the date format as MM/DD/YY and you wish to change it to DD/MM/YY

Solution:

By default DLP incidents date format shows as MM/DD/YY (08/29/17) and if you wish to change it to DD/MM/YY (29/08/17), follow the steps given below:

1) Login to the Enforce Server and navigate to \SymantecDLP\Protect\bin

2) Execute the LanguagePackUtility.exe with the argument as shown below:

    LanguagePackUtility.exe  -c  "en_GB"

3) After the enforce service is restarted, go to “system” -> “Settings” -> “General” and click “configure” Then change the System Default Language to “English (United Kingdom) - English (United        

    Kingdom)”     

4) Log off and log back in. Then incidents date format should be chnage to DD/MM/YY format

Cheers !!!  :)

Hello,

Here is system requirements for Symantec Endpoint Protection 12.1.2 and 12.1.3, for enterprise version and Small Business Edition, and Network Access Control.

These sytem requirements for equally to the "enterprise version" and "Small Business" Edition of Symantec Endpoint Protection 12.1 RU2 and 12.1.3, ( Network Access Control is a component of the enterprise version only.)

Specified, all updates, editions, and Service Packs (SPs) for a listed Windows version are supported, e.g. Windows 7 = Windows 7 Home Premium, Professional, and Ultimate editions, all SPs. As Microsoft releases new Service Packs for Windows, these requirements may need to be re-evaluated--the newest Service Pack may require an updated version of the Symantec product.

Here, we include following list of system requirement:

• Symantec Endpoint Protection Manager
• Symantec Endpoint Protection client (Windows and Macintosh)
• Virtual Image Exception Tool (enterprise version only)
• Symantec Network Access Control client
• Symantec Network Access Control On-Demand client

Additional requirements:

• Internationalization requirements

Virtual Image Exception Tool (enterprise version only)

The Virtual Image Exception tool must run in one of the following supported virtual environments:

• VMware ESX 4.0 Update 1 or later
• Microsoft Hyper-V 2008 or later
• Citrix XenServer 5.6 or later

The Symantec Endpoint Protection client must meet all of the following requirements:

• The client must be installed in one of the supported virtual environments.
• The client must run Symantec Endpoint Protection client software version 12.1 or later.

Some Language Requirements and limitations:-

Restrictions apply when you install Symantec Endpoint Protection Manager in a non-English or mixed-language environment.

Computer names, server names, and workgroup names

Non-English characters are supported with the following limitations:

• Network audit may not work for a host or user that uses a double-byte character set or a high-ASCII character set.
• Double-byte character set names or high-ASCII character set names may not appear correctly on the Symantec Endpoint Protection Manager console or on the client user interface.
• A long double-byte or high-ASCII character set host name cannot be longer than what NetBIOS allows. If the host name is longer than what NetBIOS allows, the Home, Monitors, and Reports pages do not appear on the Symantec Endpoint Protection Manager console.

English characters:

• Deploying a client package to a remote computer.
• Defining the server data folder in the Management Server Configuration Wizard.
• Defining the installation path for Symantec Endpoint Protection Manager.
• Defining the credentials when you deploy the client to a remote computer.
• Defining a group name.
  You can create a client package for a group name that contains non-English characters. You might not be able to deploy the client package using the Push Deployment Wizard when the group name contains non-English characters.
• Pushing non-English characters to the client computers.
  Some non-English characters that are generated on the server side may not appear properly on the client user interface. For example, a double-byte character set location name does not appear properly on non-double-byte character set named client computers.

License Activation Wizard:

Do not use double-byte characters in the following fields:

• First name
• Last name
• Company name
• City
• State / Province

Introduction

This is the nineteenth in my Security Series of Connect articles but the first to reference a sequel starring Billy Crystal, Jack Palance and Jon Lovitz.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

Symantec Security Response and Technical Support are always advising end users, "Be suspicious and think before you click: Never view, open, or execute any email attachment unless you expect it and trust the sender."  In What NOT to Click we saw how malicious Office attachments (Word, Excel and so on) would attempt to "social engineer" end users into enabling content and unleashing Macro mayhem on their organization.  Office spam is not your attackers' only trick, though.  This article illustrates what recent phishing PDFs look like so that you are not bamboozled into giving away your valuables to identity thieves.

Let me show you.... Part 2

All of the screenshots below are from .pdf documents sent out in recent phishing spam campaigns. Stampedes of these mails are whipped up every day by no-good varmints, in hopes that at least a few unsuspecting newcomers will be trampled.  The mails have .pdf attachments which open in Acrobat Reader and present some sort of message, often imitating a trusted brand (Including "Norton Secured" logos), designed to hoodwink recipients into clicking on a link.  Those links will (usually) open a phishing webpage or (sometimes) download a malicious file.  

Now, dear reader, I humbly ask your kind pardon in advance for all the Wild West terminology....     

It's For Your Own Protection Part 2

Just like with malicious macro spam, phishing spam will often pretend that the end user's necessary actions are done in the cause of Security. "Secured PDF Online Document"!

"View On Adobe" - as if that makes any sense.  If it sounds like a stranger is trying to hornswoggle you, they probably are. 

Here's another very secret and secure example: "This Document is Password Protected" 

Yessir, I always trust anything that switches font in mid-sentence. 

This next phishing lure seems to tell that network security measures are working!  "Your system firewall rules have stored files online.  Show received doc here." 

Now, I am no firewall expert, but... trust me: storing files online ain't what Symantec's firewalls do.  If in doubt about how your company's firewalls work, ask the IT security team.  Guaranteed, that posse will be glad you did rather than blindly clicking.

Wait Mr. Victim, You're Missing Something Part 2

Oh no! "This pdf version is outdated. Click here to preview online"

No thanks!  I'd rather not get bilked out of my riches by some villain.

Packed Full of Goodness! 2

Oh! Excitement!  Someone is sending me a package!  That's always mighty pleasant.

Too bad there is no www.dhl.cn site.  And that page presented when clicking "View File" has a different country's TLD, and looks nothing like a legit DHL site....

Please don't send the scammers a present! Don't give 'em nothing.

Here's a similar phishing lure, but for a document....

Looks official! Why getting a document is dear like a letter from my auntie back East!  Better click....

Wait a tick.... how come this URL is some site in India, by hooky, rather than the legitimate https://www.dropbox.com/ ?  And how come it looks kinda flim-flam? 

This here's from some bunko artist.

Wait, Is That A Real Stagecoach-?

Now a national chain in the US, Wells Fargo is a bank that dates back to the Gold Rush days of the Wild West.  Here's a screenshot of some modern-day rustler trying to hijack a greenhorn's claim:

"Dear Valued Customer"? The capitalization, punctuation and spelling mistakes are big smoke signals that something's not right.  Stranger yet is that I don't even have one of them WellsaFargo online profiles.  Let's click anyway and see where this trail leads us....

What in tarnation-? This website with the long random domain name is about as legitimate as snake oil.

Sometimes The Creative Juices Just Won't Flow 2: The Legend of Curly's Gold

Here are a couple "Coffee Boiler" phishing lures, plumb-lazy offerings by some skunk who would rather sit around the fire all day than do any work.

This one does not bother with any fancy graphics.  "Click HERE to login and unlock file."

For who?  Why-?  I ain't some dumb dude, no sir.

This next example can't decide it if it is imitating Dropbox or Docusign. 

So font and punctuation are not their strong suit.  And getting the logo turned the right way around.  Maybe the sender of this important document will earn extra credibility bonus points on spelling-?

Nope.

So What Should We Do?

Remember: Curly looked a lot like his twin brother Duke.  Phishing mails and webpages might seem at first glance to be the real McCoy, but ease on back in the saddle, pardner, and take a good, slow gander...

1. Keep your eyes peeled for pigs in a poke.  That is, low quality text, graphics, phrasing... these are sure give-aways.
2. Pay close attention to the URLs.  Go to the legit site rather than being led up whatever blind trail them outlaws planned.
3. Submit the suspicious mail and its phishing attachment to your AntiSpam vendor.  They will be able to determine if the attachment is safe or something that will dry gultch ya.
4. Unless you are certain it is safe, leave it be!  Ride off into the sunset, amigo!

Conclusion

Thanking you kindly for reading!  And for cogitating before opening documents or clicking links. 

Final word:  "When in Doubt, don't click it!"

Please leave your weapons at the saloon door and your comments below. 

First confirmed in Japan in December of 2016, the DreamBot Trojan infected computers and tricked victims into giving up their credentials and one-time passcode, which a criminal group used to siphon off funds.

By the time Japan’s Metropolitan Police Department announced, on October 5, 2017, that it had exposed the criminals, the group had pilfered a staggering 240 million yen (approximately US$2.1 million) from consumer accounts. DreamBot exposed the need for banks to move away from one-time passcodes (OTPs) as their only two-factor authentication for access and embrace a strong form of transaction verification. 

Strong Authentication for Access

DreamBot was a man in-the-browser attack, facilitated by malware installed on a Windows machine. Traditional OTP has never been the right security measure to protect against man-in-the-middle or man-in-the-browser attacks. Given the growing scale of data breaches, banks, in particular, have an obligation to implement stronger security measures to protect sensitive consumer accounts. Banks need to leverage a multifactor authentication (MFA) solution that provides a secure out-of-band authentication method for both account logon as well as transaction verification. Whether the action is a password reset or a wire transfer, banks need to require two-factor authentication on any risky actions to confirm their legitimacy.

Contextual Authentication for Transactions

The DreamBot attack could have been mitigated had unsuspecting users received a push notification asking them to confirm the (malicious) account activity. While human error cannot be completely eliminated, the vast majority of transfers would have been stopped when users recognized the malicious activity and denied the unauthorized request. 

If the transaction details match what you were submitting—for example, “Transfer $100 to my friend’s account”—then a simple Accept on your smartphone will let the transaction proceed. If the details have changed—for example, “Transfer $10,000 to an unknown account”—then a Deny will stop it dead in its tracks. Assurance is provided through the user response from a unique, secure device, answered by the intended human that previously linked this device to the account. The attacker cannot compromise both communication channels (web and mobile) without significant effort.

Choosing the Right Authentication Solution

When selecting a strong, out-of-band authentication software method, look for security vendors with proprietary technology, which is unique and cannot be cloned. When implementing a soft authenticator solution, ensure your authentication vendor leverages the Trusted Execution Environment (TEE). We believe a TEE-protected soft authenticator approach is more secure than a dedicated hardware approach because it resides in a full-stack computing platform that enables secure updates, such as secret rotation, which can quickly mitigate possible threats.

Banks also need to consider vendors that offer complementary security services. DreamBot took advantage of compromised Windows machines—it is as critical to protect user devices as it is to protect user credentials. Consider authentication vendors who can provide malware detection for all user devices. Soft authenticators are oftentimes hosted on mobile devices so choose a vendor that can check for mobile risk factors and ensure good device hygiene. Mobile device risk factors include outdated operating systems, jail-broken or rooted phones, and debuggers or other development tools.

Last, banks should ensure any security solution easily fits with their consumer-facing applications. Look for a scalable solution that delivers strong, out-of-band authentication and device protection using supporting APIs and advanced business logic. By building these capabilities into their applications, banks can preserve the user experience while promoting their brand.

By leveraging all the above-mentioned security capabilities for access control and transaction verification, banks can greatly decrease the attack surface and protect themselves and their consumers from future criminal activity. 

GDPR: How prepared are you for May 2018? And what’s likely to happen if your business is not compliant

By Robert Arandjelovic, EMEA Director of Security Strategy, Symantec

Symantec recently hosted a live panel to help organisations get ready for the imminent GDPR. With contributions lawyer firm White & Case, Mandiant, Commvault and Symantec one issue rang out particularly strongly to me: is GDPR a ‘cliff edge’ issue?

We polled over 1,000 participants, only 19% of whom said they feel ready for GDPR – a figure that might decline when more granular conversations about the ins and outs of information risk and mapping begin. 

So how do the majority of respondents feel who say they are either not ready for, or are not sure if they are ready for GDPR? Concerned.

The main issue surrounds the fines that could be imposed for non-compliance: the worst infractions could mean a whopping €20 million or 4% of your organisation’s global annual turnover.[1] It is this spectre that got me thinking… With the GDPR coming into force imminently, many organisations will be wondering whether, should they be hit with a large fine, it could send their business off a cliff.

Our panellists felt that even if hefty fines are levied as a result of compliance violations, the ultimate objective is to see organisations putting consumers and citizens first, chiefly through greater transparency into the use and, should it happen, the loss or misuse of their personal or sensitive data.  While enforcement motivations and attitudes will vary between authorities across the EU, the ICO recently made a statement elaborating the position of British authorities with regards to fines.

Therefore, if your organisation can demonstrate it has taken measures to increase transparency and improve how it collects, processes, and protects data, these can go towards mitigating the consequences of a breach or violation, and whether your business will be issued with a sizeable fine. That’s not to say that regulators will do nothing if you are found to be in violation of the GDPR on May 25th 2018. So make sure you meticulously document the progress you have made to support compliance and what work you have still to do – along with a timetable and investment plan.

You cannot ignore GDPR. Organisations are obliged to report data breaches to the Data Protection Authority (DPA), without undue delay, and at the least within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.

Ensure that you have the right technology in place to encrypt all personal data, to quickly identify a breach occurrence, and thoroughly comprehend the nature and impact of the breach. A mitigating factor both in terms of notification obligations and potential sanctions, is the encryption of personal data, which, if exfiltrated, makes them effectively unusable by attackers.

Ensure that you have the right technology in place to quickly identify a breach occurrence, and assess the nature and impact of the breach. Refresh and refine your processes over time as your use of data evolves, and practice it as appropriate.

The sooner you take action the better. May 25th, 2018 is not a deadline after which your compliance efforts don’t matter. Regardless of your organisation’s state of readiness, what’s important is to build your own compliance timeline with a well-documented plan. This can go a great way towards mitigating or avoiding penalties if an investigation takes place before you are fully compliant. And just like cybersecurity, don’t assume that there is an end-state: GDPR compliance is an ongoing process of continual improvement, evolving as your business and data processing practices change.

Start with an impact assessment. To truly embrace the GDPR’s objectives of putting consumers and data privacy first, create a cross-organisational GDPR team that extends beyond compliance to include stakeholders from legal, risk, lines of business, digital & marketing, IT, cyber security and senior operations personnel. Together, map all the personal and sensitive data that your organisation processes on-premises, in the cloud and on user devices, and get a clear understanding of who can access it, how well it’s protected, and whether there are any data residency concerns. Understand any potential gaps vis-à-vis GDPR and how resolutions can be woven into any existing compliance processes you have in place.

Once you’ve gained a clear understanding of the gaps between your organisation’s processes and the requirements of the GDPR, you can prioritise which ones present the greatest business risk. Then plan any process improvements and supplement your existing security investments – including those that tell you where compliance data resides, make it safer, govern access, and help detect and prevent breaches.

You can access all the practical support our panellists delivered to get better prepared for GDPR. The full BrightTALK panel, Benchmark Special: How prepared are you for May 2018? is available now.

Access the panel: Benchmark Special: How prepared are you for May 2018? Listen now

Several online media sources are reporting about an ongoing ransomware campaign targeting companies in Europe, which involves a new variant of ransomware called as BadRabbit.

What is BadRabbit?  and How does it affect?

A ransomware campaign targeting companies in Europe, which involves a new variant of ransomware.

Dubbed Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, 2017.

After witnessing cyber attacks of WannaCry and Petya (aka ExPetr), a new deadly ransomware dubbed Bad Rabbit is on the prowl affecting government, corporate and media houses of Russia, Ukraine, Bulgaria, Germany and some eastern European regions.

Bad Rabbit does not employ any exploits to gain execution or elevation of privilege. The Ukrainian computer emergency agency CERT-UA has issued an alert incident and mentioned that Odessa airport and Kiev subway were also affected. It is unsure whether this alert is regarding Bad Rabbit, but they suspect that it may be the start of a new wave of cyberattacks.

Affected victims are reporting that the Bad Rabbit creators are asking 0.05 Bitcoin (approx. $271/€231/Rs. 17,689) as ransom in return for encrypted PC data.

Symantec is currently investigating the collected samples and ensuring that proper coverage is in place.

Symantec Security Response is indeed aware of this threat (and other developments in the threat landscape.) 

Ransom.BadRabbit

https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99

BadRabbit: New strain of ransomware hits Russia and Ukraine

https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-h...

The following articles contains additional good tips:

1) Hardening Your Environment Against Ransomware

https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware

2) Ransomware removal and protection with Symantec Endpoint Protection

https://support.symantec.com/en_US/article.HOWTO124710.html

The threat belongs to a ransomware family and will encrypt data files and ask users to pay a ransom.
 

According to initial reports, the malware seems to be a variant similar to Petya.

Security Response is also looking into the distribution mechanisms of this threat, as some reports indicate that this variant might be using the SMB exploit to spread.

It is recommend to block the domain 1dnscontrol[.]com at the corporate firewall.

As ever, ensure that backups against all manner of disasters are in place and that end users are educated in how to react to threats and to emergencies. 

Indicators of Compromise (IoC):

URLs:

• 1dnscontrol[.]com/index.php - fake Flash download URI
• 1dnscontrol[.]com/flash_install.php - fake Flash download URI
• 185[.]149[.]120[.]3/scholargoogle/ - URI called out to from watering hole sites
• caforssztxqzf2nm.onion

Watering hole sites:

• Fontanka[.]ru - Referrer to 1dnscontrol[.]com
• Adblibri[.]ro - Referrer to 1dnscontrol[.]com
• Spbvoditel[.]ru - Referrer to 1dnscontrol[.]com
• Grupovo[.]bg - Referrer to 1dnscontrol[.]com
• sinematurk[.]com - Referrer to 1dnscontrol[.]com
• argumenti[.]ru - Referrer to 1dnscontrol[.]com

Hashes

• 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da - fake flash installer
• 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 - C:\Windows\dispci.exe associated with DiskCryptor
• 682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 - C:\Windows\cscc.dat (x32 diskcryptor drv) associated with DiskCryptor
• 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 - associated with DiskCryptor
• 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 - C:\Windows\infpub.dat [malicious DLL with some similarities to Nyetya]
• 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 - Mimikatz x86
• 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c - Mimikatz x64

Scheduled Tasks names

• viserion_
• rhaegal
• drogon

Spreading via SMB

Win32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does notuse the EternalBlue vulnerability like the Win32/Diskcoder.C (Not-Petya) outbreak. First, it scans internal network for open SMB shares. It looks for the following shares:

• admin
• atsvc
• browser
• eventlog
• lsarpc
• netlogon
• ntsvcs
• spoolss
• samr
• srvsvc
• scerpc
• svcctl
• wkssvc

List of compromised sites:

• hxxp://argumentiru[.]com
• hxxp://www.fontanka[.]ru
• hxxp://grupovo[.]bg
• hxxp://www.sinematurk[.]com
• hxxp://www.aica.co[.]jp
• hxxp://spbvoditel[.]ru
• hxxp://argumenti[.]ru
• hxxp://www.mediaport[.]ua
• hxxp://blog.fontanka[.]ru
• hxxp://an-crimea[.]ru
• hxxp://www.t.ks[.]ua
• hxxp://most-dnepr[.]info
• hxxp://osvitaportal.com[.]ua
• hxxp://www.otbrana[.]com
• hxxp://calendar.fontanka[.]ru
• hxxp://www.grupovo[.]bg
• hxxp://www.pensionhotel[.]cz
• hxxp://www.online812[.]ru
• hxxp://www.imer[.]ro
• hxxp://novayagazeta.spb[.]ru
• hxxp://i24.com[.]ua
• hxxp://bg.pensionhotel[.]com
• hxxp://ankerch-crimea[.]ru

The SEP Cloud client for Windows has been updated to version 22.11.0.41. In this release, we have improved usability and fixed issues reported by customers.

• Added support for the proxy settings that are required for self-enrollment of Windows 10 devices in a full proxy environment.

• Made it easier to distinguish Symantec Product Tamper Protection events from other threat events so that you don't miss any important threat detections.

In this release, we've improved device management and added new security features.

• Take action on multiple devices simultaneously

  Now you can select multiple devices and update or scan them all with a single command. For example, if several devices are at risk, you can multi-select them and then initiate a scan on all of them at once.

  See Performing actions on multiple devices

• Protect applications from exploits

  SEP Cloud protects you from zero-day exploits that take advantage of popular vulnerable applications through a Memory Exploit Mitigation feature. You can now apply Memory Exploit Mitigation (MEM) settings in a security policy.

  See Application protection settings

• Use predefined templates for reports

  To make it faster and easier to generate reports, templates for all predefined reports are now available on the Reports and Templates page.

  See Working with templates

Enhancements to alerts and events

• Support for custom outbreak alerts added

  To ensure that you know about a possible outbreak as soon as possible, you can now create a custom alert rule that is triggered if five or more devices are infected in a specified time frame.

  See Alert rules

• License capacity alert added

  To ensure that you don't run out of licenses, we've added an alert rule that is triggered when you reach 90% of your user license capacity.

  See Creating custom alert rules

• Event visibility increased

  To improve the level of detail that is available to you, the SEP Cloud portal now displays additional events that are relate to the following protection features:

  • File reputation assessment (Download Insight)

  • Device controls

  • Firewall block events

  • See Alert and event categories

Other enhancements in this release

• Streamlined sign-in to identity providers

  If your company uses a third-party identity provider, you can now simplify your authentication workflow by using a special SEP Cloud URL that redirects users to your provider, bypassing the Symantec native authentication.

  See Configuring an identity provider

• Streamlined Windows 10 enrollment

  We've enhanced the enrollment experience so that users can enroll a Windows 10 device as easily as other devices.

  See Enrolling Windows 10 devices

• Windows 10 Creators support

  Users can now enroll devices that run the Windows 10 Creators Update.

• Deactivated users shown by default

• On the Groups, Users, and Devices page, in the Users tab, deactivated users are now included by default in the list of all users.

  See Deactivating a user account

The SEP Cloud client for OS X has been updated to version 7.5.

• Added support for the new Mac High Sierra operating system (OS X 10.13) and fixed some defects.

  See Latest updates to the SEP Cloud client for OS X

Presentation given by Salah Nassar at the New York DLP/Security User Group meeting on November 2, 2017

Introduction to Cookie-Based OAuth:

Cookie based authentication means a record or session is kept on both server and client after successful authentication. The server needs to keep track of active sessions in a database, while on the front-end a cookie is created that holds a session identifier, thus the name cookie based authentication. Let's look at the flow of traditional cookie based authentication:

• User enters their login credentials
• Server verifies the credentials are correct and creates a session which is then stored in a database
• A cookie with the session ID is placed in the users browser
• On subsequent requests, the session ID is verified against the database and if valid the request processed
• Once a user logs out of the app, the session is destroyed both client and server side

An Example for a response Cookie after a successful authentication on login.yahoo.com; as you can see below, the cookie can used for all yahoo services :

Once I click on the Mail icon (mail.yahoo.com) for example, the following cookie is attached to my request , the same cookie I received in response to my authentication on login.yahoo.com 

How does this relate to Isolation?

Short Answer: You must configure the proxy forwarding policy to isolate both login.yahoo.com and mail.yahoo.com or Both Search Engines/Portals and Email if you match using URL categories, for the user to be able to open his Email account.

Long Answer:

If you have a use case where the proxy is configured to forward only Email Category to FG, and this Email service delegates authentication to OAuth Portal (Example; you request mail.yahoo.com, you are redirected to login.yahoo.com for authentication) , the user will fail to open his Email Account and redirection keeps happening even if the user is successfully authenticated, why? because login.yahoo.com (as an example for an OAuth portal) is not isolated, which means the response cookie is saved on the user machine , while the mail.yahoo.com is sent from the isolation VM which has no cookies!

Isolating both Search Engines/Portals (login.yahoo.com & accounts.google.com) and Email (mail.yahoo.com and mail.google.com) is required

The SEP Cloud client for Windows has been updated to version 22.10.1.10 to make it easier to understand the history of management actions that were taken on a Windows device.

• In the SEP Cloud client, in the History > Security History > Activity column, you can now view the actual action name instead of a technical command identifier. For example, you can view the activity as, Command 'FixNow', Command 'LiveUpdate', etc.

  See Latest updates to the SEP Cloud client for Windows

The SEP Cloud client for OS X has been updated to version 7.5.

• Added support for the new Mac High Sierra operating system (OS X 10.13) and fixed some defects.

  See Latest updates to the SEP Cloud client for OS X

In this release, we've improved device management and added new security features.

• Take action on multiple devices simultaneously

  Now you can select multiple devices and update or scan them all with a single command. For example, if several devices are at risk, you can multi-select them and then initiate a scan on all of them at once.

  See Performing actions on multiple devices

• Protect applications from exploits

  SEP Cloud protects you from zero-day exploits that take advantage of popular vulnerable applications through a Memory Exploit Mitigation feature. You can now apply Memory Exploit Mitigation (MEM) settings in a security policy.

  See Application protection settings

• Use predefined templates for reports

  To make it faster and easier to generate reports, templates for all predefined reports are now available on the Reports and Templates page.

  See Working with templates

• Support for custom outbreak alerts added

  To ensure that you know about a possible outbreak as soon as possible, you can now create a custom alert rule that is triggered if five or more devices are infected in a specified time frame.

  See Alert rules

• License capacity alert added

  To ensure that you don't run out of licenses, we've added an alert rule that is triggered when you reach 90% of your user license capacity.

  See Creating custom alert rules

• Event visibility increased

  To improve the level of detail that is available to you, the SEP Cloud portal now displays additional events that are relate to the following protection features:

  See Alert and event categories

  • File reputation assessment (Download Insight)

  • Device controls

  • Firewall block events

• Streamlined sign-in to identity providers

  If your company uses a third-party identity provider, you can now simplify your authentication workflow by using a special SEP Cloud URL that redirects users to your provider, bypassing the Symantec native authentication.

  See Configuring an identity provider

• Streamlined Windows 10 enrollment

  We've enhanced the enrollment experience so that users can enroll a Windows 10 device as easily as other devices.

  See Enrolling Windows 10 devices

• Windows 10 Creators support

  Users can now enroll devices that run the Windows 10 Creators Update.

• Deactivated users shown by default

  On the Groups, Users, and Devices page, in the Users tab, deactivated users are now included by default in the list of all users.

See Deactivating a user account