Review: Emotet Threat Defense With Sentinel One and Huntress

  • Published 12 Jun 2024
  • Related videos
    + MSP Tool: Why We Use Huntress Labs To Monitor For Threats
    + Hunting Malware, Cyber Security, and Understanding APT with Kyle Hanslovan of Huntress Labs
  • Science & Technology

Comments • 45

  • @SFP62 · 3 years ago · +6

    Great content as usual keep it up.
    As SentinelOne detected the attack, I'm sure that if you had the S1 policy set to "Protect" on Suspicious, it would have stopped the attack.

    • @Sentinelone-inc · 3 years ago · +4

      That's right, Steve. Our policy is setting the automated mitigation action, and we always detect the same.

  • @adambrown3918 · 3 years ago

    This was a great video! Very informative. Thank you very much for posting. You have a new subscriber. 😊

  • @esra_erimez · 3 years ago · +3

    There is no security "solution", security is a process

  • @lance9749 · 3 years ago · +6

    Sentinel One has the ability to have a SOC remediate any threats. My guess from the video is that you have the "Complete" version but not the SOC component add-on. I'm actually considering if I still need Huntress with Sentinel One in place with a SOC. Also I'm testing Zscaler as a possible solution to getting rid of the firewall altogether; you might want to check it out. Thank you ahead of time... from a fellow MSP in Northern California.

    • @JoaoSilva-gs5jb · 3 years ago

      what's SOC?

    • @lance9749 · 3 years ago · +2

      @@JoaoSilva-gs5jb Security Operations Center en.wikipedia.org/wiki/Security_operations_center

    • @JoaoSilva-gs5jb · 3 years ago

      @@lance9749 but if you already have Huntress as a SOC, why would you want a SOC team from SO? Redundancy, or just to have one less thing running on the system?

    • @lance9749 · 3 years ago

      So I'm trying to figure out why you would need Huntress if you have Sentinel One with a SOC. What I noticed is that I believe that Lawrence is not using a SOC with Sentinel One... so if they did have the Sentinel One SOC, it would have stopped this malware, thus eliminating the need for Huntress. Look, I like Huntress a lot and I have both these products... however this stuff starts adding up in cost real quick. Tough call... do you really need both? Of course it's easy to say yes you do, but then getting a client to pay for both is another story.

    • @breakingcustombc2925 · 3 years ago

      You're seeing more endpoint products have their own MTR offerings. Sophos for example bought two MTR companies and now offers it as an add-on to their software.

  • @colt1596 · 3 years ago · +5

    I'm always scared to comment now because I don't want it to seem like I have too much time on my hands lol.
    But good video.

  • @comutech · 3 years ago · +1

    Hi, what spam filter do you use?

  • @donaldduck6198 · 3 years ago

    With static analysis (oledump.py) it is easy to detect Emotet. Could you explain how they create this malformed zip file (docx with VBA)?
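
The static check the comment above is asking about, written here as an added example (not code from the video, from Lawrence Systems, or from oledump.py): a standard-library Python triage of an OOXML document that answers "does this .docx carry VBA, and does the container look tampered with". It covers only the zip-based OOXML case; legacy OLE2 .doc files, which is where oledump.py does its real work, are out of scope. The three sample documents are constructed inline and are not real Emotet samples, and the 30-byte truncation used to produce the malformed zip is an assumption chosen to defeat zipfile's end-of-central-directory lookup, not a reproduction of whatever malformation Emotet actually used.

```python
"""Static triage of OOXML (zip-container) Office files for embedded VBA.

Constructed example using only the standard library. Stages:
  1. open the file as a zip; a malformed archive (which Word may still open)
     is not a free pass: fall back to a raw byte scan for the VBA part name;
  2. list parts: word/, xl/ or ppt/ vbaProject.bin is the VBA container;
  3. read [Content_Types].xml for a macroEnabled main-part content type;
  4. flag a "macro-free" extension (.docx/.xlsx/.pptx) that carries VBA.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
MACRO_CT_RE = re.compile(
    r"application/vnd\.ms-(word|excel|powerpoint)\.[\w.-]*macroEnabled", re.IGNORECASE
)
MACRO_FREE_EXT = {"docx", "xlsx", "pptx"}


@dataclass
class Verdict:
    is_zip: bool
    vba_parts: list = field(default_factory=list)
    macro_content_type: bool = False
    ext_mismatch: bool = False
    notes: list = field(default_factory=list)

    @property
    def has_vba(self) -> bool:
        return bool(self.vba_parts) or self.macro_content_type


def triage(data: bytes, filename: str) -> Verdict:
    """Return a Verdict for the file bytes; never raises on bad input."""
    v = Verdict(is_zip=False)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            v.is_zip = True
            names = zf.namelist()
            v.vba_parts = [n for n in names if VBA_PART_RE.match(n)]
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                v.macro_content_type = bool(MACRO_CT_RE.search(ct))
    except zipfile.BadZipFile:
        # Office's zip reader is more forgiving than zipfile; entry names in
        # local file headers are stored uncompressed, so a raw scan still works.
        v.notes.append("malformed zip container; fell back to raw byte scan")
        if re.search(rb"vbaProject\.bin", data):
            v.vba_parts = ["<raw scan> vbaProject.bin"]
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MACRO_FREE_EXT and v.has_vba:
        v.ext_mismatch = True
    return v


# --- constructed sample documents (not real malware) ------------------------
def build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_CT_HEAD = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
BENIGN_DOCX = build_ooxml({
    "[Content_Types].xml": _CT_HEAD
    + '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCX = build_ooxml({
    "[Content_Types].xml": _CT_HEAD
    + '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    + '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-ole-stream",
})
# Chop the end-of-central-directory record off (assumed 30 bytes is enough):
# zipfile rejects it, but the local header still names word/vbaProject.bin.
TRUNCATED_DOCX = MACRO_DOCX[:-30]

if __name__ == "__main__":
    for label, blob, name in (("benign", BENIGN_DOCX, "memo.docx"),
                              ("macro", MACRO_DOCX, "invoice.docx"),
                              ("truncated", TRUNCATED_DOCX, "invoice.docx")):
        print(label, triage(blob, name))
```

The point of stage 4 is the one the comment hints at: a document whose extension promises "no macros" but whose container carries a VBA project is worth quarantining on that mismatch alone, before any emulation. A malformed container is treated the same way: a parser failure is a signal, not a reason to pass the file through.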

  • @besnico · 3 years ago

    Hi Tom, was this a targeted attack? Can you share any more info on what happened?

    • @LAWRENCESYSTEMS · 3 years ago

      Just a phishing email, not really that targeted but the end user thought it was click worthy

  • @JohnSmith-oj3uu · 3 years ago

    What do you think about the SentinelOne Vigilance service?

  • @Jussoparkours · 3 years ago · +1

    What about application whitelisting and/or EDR on the endpoint specifically?

    • @LAWRENCESYSTEMS · 3 years ago · +1

      I am not sold on it. Sounds great in theory but only allowing certain applications to run can be difficult to manage in practice.

    • @jgould30 · 3 years ago · +1

      I run Microsoft SRP and AppLocker when available (Windows 10 Enterprise). A whitelist is 100% the most useful thing I've EVER done. Big networks, lots of users, single IT person, and never had a virus to resolve. It's more useful than any heuristic reactionary method. Yes, you have to tune it correctly since a few apps like to run in users' AppData, but most don't. Those that do, you can use certificate or hash based rules in SRP to allow the end user to install. AppLocker has even better control, like allowing apps with certificates signed by certain orgs (like Microsoft). And always look if the app has an alternative all-user installer to deploy using SCCM, PDQ Deploy, etc. WebEx and other meeting tools were always a problem, but I've got them allowed specifically using certs or all-user installers (c:\program files). Microsoft Teams has been a problem but I've found a workaround for the desktop app until they resolve the issue in their installer. And finally, doing a whitelist lets me control who and what is installed on the PC and when things get patched with our patch management. I don't WANT end users installing whatever they want. Submit an IT ticket.
      I don't know why Lawrence has such an opinion on whitelisting but I strongly suggest to him to rethink it. I've dealt with huge complex Enterprise environments and small SMB. Everyone acts like it's going to be a problem but in reality it's not. People don't typically install software if they have corporate solutions already.

    • @jgould30 · 3 years ago

      @@LAWRENCESYSTEMS it's really not hard to manage. I've spent maybe 2 work days in a calendar year to manage an AppLocker whitelist across a 1000+ user base of Windows 10 Enterprise machines. Once you get the basics in place (WebEx and other meeting tools, MS Teams or equivalent, and have a patch management tool/solution) you basically never have to touch it. 99.999% of applications install to:
      c:\program files or program files (x86)
      If your users are just domain users and not admins then they can't write to those folders anyway by default. So you are already pushing most software to the computers that they need (Office, photos, Adobe Reader, Java, etc). And there is no real overhead there. The issue is the software that tries to install to the user's hidden AppData folder in Windows, which is extremely undesirable to begin with. It's what Cryptolocker and other viruses use to run applications under the user's context. A whitelist will shut that down, so instead of your end users going and installing Chrome instances per user account, you just push it to the PC so all users of the PC have it because it runs from Program Files. And now all you're left with is a few random apps to whitelist if you can't find an alternative installer made by the manufacturer for software distribution tools like SCCM, GPO, or PDQ Deploy. You whitelist a certificate or hash and let the user run that very specific software. Sometimes the certs will need to be replaced, usually once every 2 years I find. But with AppLocker you can be even less restrictive and allow users to run software based on the company signing the cert and name of application and even the version. It's incredibly slick. You should seriously set up a test environment and actually try it. It's not hard work at all.

    • @LacyMoore96 · 3 years ago

      @@LAWRENCESYSTEMS I've been "trying" to use ThreatLocker and to say it is difficult to manage in practice is a huge understatement. In a corporate environment, maybe not so much, but when you are dealing with multiple small businesses it definitely takes some time. Throw in a business or two with multiple legacy applications and a business that writes their own software that is constantly updated and you have a huge headache on your hands. I've had to start with AutoElevate because of those legacy applications needing admin privileges. Add to that trying to install software from your RMM scripts. It's just a nightmare.

    • @markalmada9662 · 2 years ago

      @@jgould30 probably just the sheer quantity of things you have to look after, the complexity of multiple sites, multiple requirements, lack of understanding by users. To identify and manage things under control is always wise. I don't disagree.

  • @JoaoSilva-gs5jb · 3 years ago

    amazing video Tom, gotta come up with a way to do user training, we've been targeted on a daily basis with malware via email

    • @noah9341 · 3 years ago

      Check out knowbe4

  • @markalmada9662 · 2 years ago

    Has anyone had issues using Sentinel One in the Solarwinds RMM dashboard?
    It doesn't seem to present the same way Tom has shown and/or show all options on how to delve into threats.
    I have raised this with Solarwinds but really negligible support. After the trial period we just couldn't get access to the Sentinel One dash.

    • @LAWRENCESYSTEMS · 2 years ago · +1

      You can no longer get the dashboard unless you buy directly from sentinel one.

    • @markalmada9662 · 2 years ago

      Thanks guys for the heads up. It sucks really. Took them a year to get our Sentinel One up and running. We paid for a year through lockdown and still no credit. Really poor from Solar Winds.

    • @markalmada9662 · 2 years ago

      @@LAWRENCESYSTEMS thank you. As always Tom, much appreciated.

    • @marc-andrerenaud1394 · 2 years ago · +1

      I've used S1 with the Solarwinds RMM and AutoTask PSA. It worked well however one thing I can't stress enough is to stay away from the Solarwinds integration. Keep the various panes of glass separate as managing Sentinel One via the SolarWinds panel is a painful process. Keeping them separate also increases your security posture as an attacker would have to break into separate platforms.

    • @marc-andrerenaud1394 · 2 years ago · +1

      @@LAWRENCESYSTEMS Buying through PAX8 gives access to the Sentinel 1 dashboard.

  • @JohnKirk · 3 years ago · +2

    I ❤️ S1

  • @BDBD16 · 3 years ago · +1

    If more people ran BeOS we wouldn't have these issues.

    • @garolstipock · 3 years ago

      lol.. I still have a copy on a zip disk somewhere in my pile. But alas, no PowerPC processor system to install it on.