Responding to security events
When a malicious operation occurs, or is suspected to have occurred, on your pool, SES Evolution can detect and/or block it while generating a security event. You can also respond to the event by performing a remediation on the affected workstations. Remediation is a set of operations that limit the impact of an attack and repair any damage it caused.
EXAMPLES
- An SES Evolution audit rule monitors certain trees in the registry to detect the addition or modification of any keys or values. This matters because some malicious programs use this method to persist after the workstation is restarted. If such an action is detected, an audit log is generated, and you can launch a remediation to automatically delete or modify the suspicious registry keys on the affected workstations.
- A ransomware program was able to encrypt several files before SES Evolution blocked it. Remediation makes it possible to automatically retrieve the unencrypted version of these files from a Windows shadow copy.
- A user unintentionally launched a malicious program. SES Evolution blocked it and prevented it from running, and the program can additionally be quarantined. It is then out of the user's reach, allowing the administrator to analyze it before deleting or restoring it.
- Agent logs report suspicious events on a user's workstation and you identify a threat. You can isolate that workstation from the network while you perform your analysis, which prevents an ongoing attack from spreading to the entire pool.
- After a ransomware attack blocked by SES Evolution, some programs can continue to run on the workstation and facilitate new attacks, for example a remote access Trojan (RAT). You can detect such programs with an IoC scan, then delete them automatically with remediation.
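To make the first example concrete, here is an added illustration (not SES Evolution code, nor a representation of its audit rule format) of the kind of check such a rule performs: it records a baseline of common autostart registry keys and, on later runs, reports values that were added or modified. The key list and the baseline file location are assumptions chosen for this example.

```powershell
# Added illustration (not SES Evolution code): baseline-and-compare check of
# common autostart registry keys, the kind of persistence location an audit
# rule would watch. Key list and baseline path are assumptions for this example.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BaselinePath = "$env:ProgramData\autostart-baseline.json"   # assumed location

function Get-AutostartSnapshot {
    # Returns a hashtable "key|valueName" -> value data for every autostart entry.
    $snapshot = @{}
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snapshot["$key|$name"] = [string]$item.GetValue($name)
        }
    }
    return $snapshot
}

function Compare-AutostartSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Reports entries that were added, or whose data changed, since the baseline.
    foreach ($entry in $Current.GetEnumerator()) {
        if (-not $Baseline.ContainsKey($entry.Key)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $entry.Key; Data = $entry.Value }
        } elseif ($Baseline[$entry.Key] -ne $entry.Value) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $entry.Key; Data = $entry.Value }
        }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state of the workstation.
    Get-AutostartSnapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} else {
    # Later runs: rebuild the baseline hashtable from JSON and diff it against the live registry.
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $findings = Compare-AutostartSnapshot -Baseline $baseline -Current (Get-AutostartSnapshot)
    if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No autostart changes' }
}
```

Each reported entry is a candidate for the review and remediation step described above; the script only reports and never modifies the registry itself.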