How to Remediate a macOS Security Incident

Jamf
18 Aug 2020 19:56

Summary

TL;DR: Kelly Conlon, a security solution specialist at Jamf, presents a comprehensive guide on remediating a security incident on a Mac. The presentation covers the Incident Response (IR) cycle, emphasizing the importance of preparation, detection, analysis, containment, eradication, and recovery. Conlon highlights the evolving threat landscape for Macs and the need for robust security solutions beyond built-in tools. She introduces Jamf Pro, an MDM solution, and Jamf Protect, an endpoint security tool for Mac, to monitor, enforce, and respond to threats. The talk includes detailed examples of remediation workflows using Jamf tools for various threat levels and concludes with post-incident activities to enhance defenses and resume the IR cycle, reinforcing continuous preparedness.

Takeaways

  • 🛡️ The importance of a security incident response plan is emphasized as it directly correlates to the damage, recovery time, and potential cost an organization may face in the event of a cyber attack or security breach.
  • 📈 As Mac adoption rises, so does the threat landscape, necessitating better methods to protect Macs and the organizational data they may contain beyond built-in security tools.
  • 🔍 The incident response (IR) cycle, as defined by the National Institute of Standards and Technology (NIST), consists of preparation, detection and analysis, containment, eradication, recovery or remediation, and post-incident activity.
  • 🧩 Incident response and remediation are used interchangeably in the script, with incident response being the process of handling a data breach or cyber attack, and remediation being the act of correcting something corrupted.
  • 🌐 To prepare for an IR plan, one must have a thorough understanding of the environment, infrastructure, and potential threats, developing situational awareness.
  • 🛠️ Jamf Pro, an MDM solution, is highlighted as a tool for monitoring and enforcing security measures on Mac devices, helping to identify devices not meeting security standards.
  • 🚨 Jamf Protect is introduced as an endpoint security solution for Macs that blocks known threats, gathers forensic data, and monitors for behavioral detections.
  • 🔎 The script stresses the importance of constant analysis and vigilance by security teams to identify unknown threats and to not become complacent while waiting for an attack.
  • 🛡 Remediation can be automated and immediate following an incident or threat, or it can be done after a threat has been identified to clean up the attack.
  • 👥 The script provides examples of how to set up automated responses using Jamf Pro and Jamf Protect, including quarantine and isolation of devices, and custom scripts for user notification and cleanup.
  • 🔄 The final step in the IR cycle, post-incident activity, involves readjusting and enhancing defenses, staying vigilant, and providing training and education to end users to increase overall security preparedness.

Q & A

  • What is the primary goal of Kelly Conlon's presentation?

    - The primary goal is to provide a better understanding of how to prepare and manage a security incident on a Mac, and to inspire the implementation of different workflows in one's environment.

  • What is the Incident Response (IR) cycle as defined by the National Institute of Standards and Technology (NIST)?

    - The IR cycle includes four components: preparation, detection and analysis, containment, eradication and recovery or remediation, and post-incident activity.

  • Why is it important for an organization to have a security incident response plan?

    - A security incident response plan is important because the speed and effectiveness of an organization's reaction to a cyber attack or security breach directly correlates to the amount of damage inflicted, the recovery time needed, and the potential cost lost.

  • What is the role of Jamf Pro in managing the security of Mac devices?

    - Jamf Pro is an MDM (Mobile Device Management) solution that provides monitoring and enforcement to help keep Mac devices up to date on security, identify devices not meeting standards, and automate security-related tasks.

  • How does Jamf Protect contribute to the security of Mac devices?

    - Jamf Protect is an endpoint security solution built for Mac that blocks known threats, gathers process and file information for forensic analysis, and monitors for specific behavioral detections.

  • What is the significance of situational awareness in the context of building an IR plan?

    - Situational awareness is crucial as it involves understanding the environment and infrastructure as well as being aware of the threats that could affect the organization, which is the foundation for building an effective IR plan.

  • What steps should an IT admin take to ensure devices are as secure as possible?

    - IT admins should manage, monitor, and configure devices for the best security posture, using tools like Jamf Pro for device management and Jamf Protect for additional security measures.

  • What is the importance of constant analysis of events by security teams?

    - Constant analysis of events is important to increase the chances of identifying unknown threats and to maintain focus and vigilance, even when no immediate attack is detected.

  • How do Jamf Pro and Jamf Protect work together to automate the response to a security incident?

    - Jamf Protect detects threats and communicates with Jamf Pro to trigger predefined actions such as isolating devices, running scripts, or notifying users, all based on the severity and nature of the threat.

  • What is the purpose of the 'threat prevention' feature in Jamf Protect?

    - The 'threat prevention' feature allows blocking and quarantining known Mac threats and creating custom lists to block processes at the binary level, providing a proactive defense against new and emerging threats.

  • How does the post-incident phase of the IR cycle enhance future security?

    - The post-incident phase involves readjusting to normal operations while enhancing defenses, increasing vigilance, and providing additional training and education to end users, which in turn improves preparation for future incidents.

Outlines

00:00

🛡️ Introduction to Mac Security Incident Response

Kelly Conlon, a security solution specialist at Jamf, introduces the topic of remediating a security incident on a Mac. The session aims to enhance understanding of incident preparation and management, and to inspire the implementation of different workflows. The focus is on the incident response (IR) cycle, which includes steps for building a remediation plan, preparing for security incidents, detecting and analyzing incidents, and responding with remediation. The importance of a rapid and effective reaction to cyber attacks is emphasized, as it can significantly reduce damage, recovery time, and potential costs. The discussion also highlights the changing threat landscape for Macs and the need for better protection methods beyond built-in security tools.

05:01

🔍 Building an Incident Response Plan and Detection Analysis

The speaker outlines the first step in building an IR plan, which is preparation. This involves understanding the environment, infrastructure, and potential threats to develop situational awareness. The importance of security as a top priority is discussed, especially with the shift to remote work. IT administrators are advised to ensure devices are secure through management, monitoring, and configuration. Jamf Pro, an MDM solution, is introduced as a tool for maintaining the security posture of Macs. The use of smart groups in Jamf Pro allows administrators to identify devices needing updates or reconfiguration. The second step, detection and analysis, is also covered, emphasizing the need for security and IT teams to stay alert and to continuously monitor and analyze events to identify threats, even when preventative measures are in place.

10:04

🛠️ Remediation and Response Strategies with Jamf Solutions

The third step of the IR cycle, remediation and response, is explored with a focus on how to handle threats once detected. Remediation can be automated immediately following an incident or done after a threat has been identified. The speaker provides examples of remediation using Jamf Pro and Jamf Protect, detailing the setup process in Jamf Protect and the creation of smart groups and scripts in Jamf Pro. Different threat levels are addressed, with workflows provided for low, medium, and high-level threats. These examples illustrate how to quarantine files, isolate devices, and inform end users of malicious activities, as well as how to automate responses for immediate threat containment.
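As an added example (not Jamf's template extension attribute and not any script shown in the talk), the shell below sketches the three pieces of the workflow this section describes: a Jamf Pro extension attribute that reports the smart-group value Jamf Protect writes to the device, a threat-level mapping for the low/medium/high examples, and the policy-side helpers (a jamfHelper notification and the "delete downloads from the last 24 hours" cleanup). The marker-file directory, the marker names and the level mapping are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Jamf's template script or anything shown in the talk).
# Models the workflow from the talk: Jamf Protect tags the device with a
# smart-group value, a Jamf Pro extension attribute (EA) reports that value,
# and a policy on the custom trigger "protect" runs a script that responds
# by threat level.
#
# ASSUMPTION (not stated on the page): Jamf Protect records each value as an
# empty marker file under this directory. Tests override it via the env var.
GROUPS_DIR="${JAMF_PROTECT_GROUPS_DIR:-/Library/Application Support/JamfProtect/groups}"
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Extension attribute: print every marker name, comma-separated, inside the
# <result></result> tags Jamf Pro expects from an EA script. An absent or
# empty directory yields an empty result, so the device leaves the group.
ea_result() {
    dir="${1:-$GROUPS_DIR}"
    names=""
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -e "$f" ] || continue            # glob matched nothing
            names="${names:+$names,}$(basename "$f")"
        done
    fi
    printf '<result>%s</result>\n' "$names"
}

# Map a marker value to the threat levels the talk uses. The marker names
# are constructed for this example; use whatever values you typed into the
# Jamf Protect "Add to Jamf Pro Smart Group" action.
threat_level() {
    case "$1" in
        dns_modification)   echo low ;;      # notify only
        gatekeeper_blocked) echo medium ;;   # notify + user-driven cleanup
        flash_installer)    echo high ;;     # notify; profile isolates device
        *)                  echo unknown ;;
    esac
}

# Medium-level cleanup: files in a Downloads folder modified in the last
# 24 hours, which is what the Self Service policy in the talk removes.
# Listing and deleting are separate so the user can review first.
recent_downloads() {
    dir="$1"; mode="${2:-list}"
    [ -d "$dir" ] || return 0
    if [ "$mode" = delete ]; then
        find "$dir" -type f -mtime -1 -exec rm -f {} +
    else
        find "$dir" -type f -mtime -1
    fi
}

# Tell the end user what happened via jamfHelper (a no-op where the binary
# is absent, so the decision logic can be exercised off a Mac).
notify_user() {
    [ -x "$JAMF_HELPER" ] || return 0
    "$JAMF_HELPER" -windowType utility -title "IT Security" \
        -heading "Suspicious activity detected" -description "$1" -button1 OK
}

# Policy script body: pick the highest level among the markers present,
# notify the user accordingly, and print the level for logging. Network
# isolation for "high" is left to the configuration profile scoped to the
# smart group, as described in the talk.
respond() {
    dir="${1:-$GROUPS_DIR}"
    level=unknown
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        l=$(threat_level "$(basename "$f")")
        case "$l" in
            high)   level=high ;;
            medium) if [ "$level" != high ]; then level=medium; fi ;;
            low)    if [ "$level" = unknown ]; then level=low; fi ;;
        esac
    done
    case "$level" in
        low)    notify_user "Unexpected DNS change detected. Contact IT if you did not make it." ;;
        medium) notify_user "A blocked download was detected. Open Self Service to remove recent downloads." ;;
        high)   notify_user "Malicious software was detected. This Mac is isolated until IT clears it." ;;
    esac
    echo "$level"
}

# Entry point. Jamf Pro passes mount point, computer name and username as
# $1-$3 to policy scripts, so the mode comes from parameter 4 there and
# from $1 when run by hand; with no mode nothing runs and the file can be
# sourced.
mode="${4:-${1:-}}"
case "$mode" in
    ea)      ea_result ;;
    respond) respond ;;
esac
```

In Jamf Pro, `ea_result` is the body of the extension attribute script the smart group's criterion matches on, and `respond` is the script attached to the policy with the custom trigger `protect`.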

15:04

🚨 Post-Incident Recovery and Continuous Improvement

The final step in the IR cycle, post-incident activity, is discussed, which the speaker refers to as 'century mode.' This phase involves readjusting and enhancing defenses after an attack has been addressed. The importance of maintaining vigilance and using tools like Jamf Protect for ongoing monitoring and reporting is highlighted. The speaker also suggests expanding security approaches to cover newly identified threats and ensuring that end users receive operational and information security training. This continuous improvement loop leads back to the beginning of the cycle, increasing overall preparedness for future incidents. The session concludes with a QR code for additional information on Mac OS security incident response.

Keywords

💡 Remediation

Remediation refers to the process of correcting or remedying a problem or issue that has occurred, particularly in the context of security incidents. In the video, remediation is a key aspect of the incident response cycle, where it involves actions taken to address and correct security breaches or cyber attacks. The script mentions remediation in the context of workflows with Jamf Protect, where it can be automated and immediate or follow identification and analysis of a threat.

💡 Incident Response (IR)

Incident response is the strategy and activities an organization undertakes to manage and mitigate the aftermath of a security breach or cyber attack. The video script defines incident response as the process by which an organization handles such events. It is closely tied to the theme of the video, as it outlines the steps involved in building a remediation plan and the cycle of incident response, which includes preparation, detection, analysis, containment, eradication, recovery, and post-incident activity.

💡 Security Incident

A security incident is any event that compromises the integrity, availability, or confidentiality of a system or network. The script discusses the importance of how fast and effectively an organization reacts to a security incident, as it directly correlates to the amount of damage inflicted and recovery time needed. The video aims to provide a better understanding of managing such incidents.

💡 Threat Landscape

The term 'threat landscape' describes the current state of threats that an organization or system faces, including potential attacks and vulnerabilities. In the script, it is mentioned that as Mac adoption rises, their threat landscape is changing, meaning Macs are becoming more of a target for potential attacks, thus requiring better protection methods.

💡 Mac Security

Mac security refers to the measures taken to protect Mac computers from security threats such as malware, viruses, and cyber attacks. The video script emphasizes that while Macs come with built-in security tools, they require additional methods to protect them and any organizational data as they become more prevalent in organizations.

💡 MDM (Mobile Device Management)

MDM is a type of software solution that allows administrators to manage, monitor, and configure devices, typically mobile devices, for security and functionality. In the script, Jamf Pro is mentioned as an MDM solution that helps keep Macs secure by providing monitoring and enforcement, ensuring devices are managed for the best security posture.

💡 Situational Awareness

Situational awareness is the understanding of what is happening around an individual or organization, which is crucial for making informed decisions. In the context of the video, developing situational awareness involves understanding the environment and infrastructure as well as the threats that could affect it, which is a key part of preparing for a security incident.

💡 Jamf Protect

Jamf Protect is an endpoint security solution specifically designed for Mac devices. The script discusses its role in enhancing Mac security by blocking known threats, gathering process and file information for forensic analysis, and monitoring for specific behavioral detections. It is highlighted as an additional security tool that works alongside MDM solutions like Jamf Pro.

💡 Threat Prevention

Threat prevention is the practice of blocking and mitigating potential threats before they can cause harm. The script mentions Jamf Protect's feature called 'threat prevention,' which allows for blocking and quarantining known Mac threats and creating custom lists to block processes from the binary level, enhancing the proactive security measures of an organization.

💡 Post-Incident

Post-incident refers to the activities and measures taken after a security incident has been addressed. The video script discusses the importance of the post-incident phase in the IR cycle, where organizations reassess and enhance their defenses, continue monitoring for any additional activity, and provide training to end users to better prepare for future incidents.

Highlights

Kelly Conlon, a security solution specialist at Jamf, presents on remediating a security incident on a Mac.

The importance of understanding and managing a security incident with inspiration for implementing workflows.

Incident response (IR) cycle and steps to build a remediation plan are discussed.

The correlation between an organization's reaction time to a cyber attack and the amount of damage inflicted.

Mac adoption rise leads to a changing threat landscape and the need for better protection methods.

Built-in security tools of Macs are suitable for individual consumers but not enough for organizational security.

Incident Response (IR) and Remediation are defined and their roles in a security plan are explained.

The National Institute of Standards and Technology (NIST) sets forth the four components of incident response.

Developing situational awareness is key to preparing for an incident response plan.

The necessity of secure devices managed, monitored, and configured for the best security posture.

Jamf Pro as an MDM solution for monitoring and enforcing Mac security.

Jamf Protect as an endpoint security solution for Mac to block known threats and monitor behavioral detections.

The importance of constant analysis of events on devices to identify unknown threats.

Automated and immediate remediation response to threats using tools like Jamf Protect.

Quarantining files or processes and isolating devices until they are clean as part of the remediation process.

Examples of remediation workflows using Jamf Pro and Jamf Protect for different threat levels.

Threat prevention feature of Jamf Protect to block and quarantine known Mac threats.

Customized response methods for unique remediation workflows.

Post-incident activities include readjusting, enhancing defenses, and increasing preparation.

QR code provided for additional information on Mac OS security incident response.

Transcripts

play00:00

today i'm going to cover remediating a

play00:02

security incident on a mac

play00:05

and my hopes is that you will take away

play00:07

a better understanding

play00:09

on how to prepare and manage an incident

play00:12

and some inspiration

play00:13

for how you could implement different

play00:15

workflows in your environment

play00:20

i am kelly conlon i will be your

play00:22

presenter and i am

play00:24

a security solution specialist here at

play00:26

jamf

play00:29

for today's call we are going to cover

play00:31

the incident response or

play00:33

ir cycle and identifying the steps to

play00:35

get started with building your own

play00:37

remediation plan

play00:39

preparation needed for a security

play00:41

incident or threat

play00:43

detection and analysis of an incident

play00:46

remediation and response and some

play00:49

example workflows with jamf protect

play00:52

and finally what does life look like

play00:54

post-incident

play00:55

and starting the ir cycle all over again

play01:01

when a cyber attack or security breach

play01:03

occurs

play01:04

how fast and effectively an organization

play01:06

reacts

play01:07

is directly correlated to the amount of

play01:10

damage that can be inflicted

play01:12

the recovery time needed and even

play01:14

potential cost lost

play01:16

this process and planning is referred to

play01:19

as a security incident response plan

play01:22

and is a key factor to a successful

play01:24

security program

play01:26

at jamf we are seeing that as mac

play01:28

adoption rises

play01:30

their threat landscape is changing and

play01:32

they are becoming

play01:33

more and more of a target for potential

play01:36

attacks

play01:37

so the mac has always come with built-in

play01:40

security tools

play01:41

and they're great baseline protection

play01:44

but really

play01:45

it's well suited for an individual

play01:47

consumer

play01:48

and with new modes of attack and a

play01:51

larger presence in organizations

play01:54

macs require better methods to protect

play01:56

them

play01:57

and any organizational data that may be

play02:00

on them

play02:01

so regardless of your choice of a mac

play02:04

security

play02:05

solution your approach to incident

play02:07

response

play02:08

should be well planned and practiced

play02:12

throughout today's call i will be

play02:13

covering incident response and

play02:15

remediation

play02:16

almost interchangeably and to define

play02:19

them quickly

play02:20

incident response or simply ir is

play02:23

actually pretty self-defined in its name

play02:26

it is most commonly described as the

play02:28

process by which an organization

play02:30

handles a data breach or cyber attack

play02:33

and remediation is simply the act

play02:36

of remedying or correcting something

play02:39

that has been corrupted

play02:40

so ultimately most of the time the

play02:44

action

play02:45

in your incident response plan is

play02:47

remediation

play02:49

the incident response cycle you see here

play02:51

was set forth by the national

play02:53

institute of standards and technology or

play02:55

simply nist

play02:57

this covers the four components of

play02:59

incident response as preparation

play03:02

detection and analysis containment

play03:05

eradication and recovery or remediation

play03:10

post incident activity and then simply

play03:14

starts at the beginning all over again

play03:18

so let's start with the first step of

play03:20

building an ir plan

play03:24

to begin you need to prepare and the

play03:26

best preparation

play03:27

is to have a thorough understanding of

play03:29

your environment

play03:30

and infrastructure as well as the

play03:33

threats that could affect you

play03:35

so essentially you need to develop

play03:37

situational awareness

play03:38

and be aware of what is around you or

play03:42

just simply your surroundings

play03:44

now security has always been a top

play03:46

priority for almost every organization

play03:49

this covers operational and physical

play03:51

security

play03:52

to the information security and

play03:54

protection of data

play03:56

and with the current situations creating

play03:58

a shift to a larger

play04:00

remote workforce it will be even more

play04:02

important to have these plans in place

play04:06

it admins need to first ensure their

play04:08

devices

play04:09

are as secure as possible by having

play04:11

those devices be managed

play04:13

monitored and configured for the best

play04:16

security posture

play04:18

think getting fitted for armor before

play04:20

battle and to do this

play04:22

starting with an mdm is the best place

play04:25

to fire up the forges

play04:27

so jamf pro is such an mdm and this

play04:30

provides

play04:31

monitoring and enforcement that will

play04:33

help to keep you

play04:35

up to date on the state of your max and

play04:37

identify any devices that are not

play04:39

meeting the standard

play04:42

using smart groups in jamf pro it admins

play04:45

can actually

play04:45

hunt for devices that need to be updated

play04:48

have some reconfiguration done

play04:50

or even have restrictions enforced

play04:53

all of this can be done remotely and

play04:55

even be automated without an

play04:57

administrator needing to physically

play04:59

touch the devices

play05:01

now to ensure we are keeping a pulse of

play05:03

the activity on the devices and start to

play05:05

harden the device's defenses

play05:08

an organization may look to implement

play05:10

some security software like

play05:12

jamf protect which is simply an in-point

play05:14

security solution that is purpose-built

play05:16

for the mac

play05:18

adding in an additional security tool

play05:21

will help to block known threats to the

play05:23

mac

play05:24

gather process and file information for

play05:26

forensic analysis

play05:27

as well as monitoring for specific

play05:30

behavioral detections

play05:32

so just by using an mdm like jamf pro

play05:35

and adding in an additional security

play05:36

tool like jamf protect

play05:38

we will help you understand your

play05:40

environment better and identify those

play05:42

threats as they arrive

play05:47

so now for the second step in the ir

play05:48

cycle detection and analysis

play05:54

now that our security and it teams are

play05:56

in a position

play05:57

and on alert in the event of any

play05:59

potential attack

play06:00

we need to make sure that over time they

play06:03

don't become complacent

play06:04

or stagnant while waiting for an attack

play06:07

and to do this they can continue to do

play06:10

monitoring of those detections as well

play06:12

as deeper analysis of events

play06:16

former fbi director james comey was once

play06:18

quoted stating

play06:20

there are two kinds of big companies

play06:22

those who've been hacked

play06:24

and those who don't know they've been

play06:25

hacked

play06:27

so essentially despite our preparation

play06:31

and even preventative mechanisms we have

play06:33

in place

play06:34

security and i.t teams should assume

play06:37

that an attack will get past

play06:39

their best defenses because you really

play06:41

can't protect against something you

play06:43

don't

play06:43

know entirely so to ensure we are

play06:47

staying focused

play06:48

security teams need to do constant

play06:50

analysis of events occurring on these

play06:52

devices

play06:53

to increase their chances of identifying

play06:55

an unknown threat

play06:57

but we still need to detect and analyze

play07:00

known threats as well

play07:02

so let's imagine an end user

play07:04

accidentally downloads a trojan

play07:06

application

play07:07

it's time for your endpoint security

play07:09

solution like jff protect

play07:11

to get to work alert you on this

play07:13

compromised

play07:14

process and when that security incident

play07:18

occurs

play07:18

you need to know what that malware may

play07:20

do and how impactful its attack is

play07:24

this is when you need to collect all

play07:26

relevant information

play07:27

and use that to analyze the threat

play07:31

so security teams always need to have as

play07:34

much visibility as possible

play07:36

during an incident so they can make

play07:38

informed decisions

play07:40

also they may need to collect activity

play07:42

logs in reports and send that data into

play07:45

a sim

play07:45

or a security incident and event

play07:48

management tool

play07:50

this will help them to visualize the

play07:52

data and perform deeper analysis

play07:55

so when an investigation of a threat is

play07:58

occurring

play07:59

or simply an audit is being done an

play08:02

organization needs to have a complete

play08:04

picture of what activities are happening

play08:06

on their max

play08:08

now to step three the action

play08:12

all right i'm going to be honest this is

play08:14

my favorite section of the cycle

play08:16

now the preparation you have is in place

play08:19

and the results of your detections are

play08:21

arming you to respond

play08:23

remediation can typically be handled two

play08:26

ways

play08:27

it can be automated and immediately

play08:29

following

play08:30

an incident or a threat or it can be

play08:33

done

play08:33

after a threat has been identified and

play08:35

used to clean up the attack

play08:39

to dive into remediation as an automated

play08:41

response to a threat

play08:43

let's again say we have an attack that's

play08:45

active on a network

play08:47

first the attack has to be stopped and

play08:49

prevented from spreading to other

play08:51

devices

play08:52

because of your preparation and planning

play08:54

the relevant process will be

play08:56

likely stopped and blocked by a tool

play08:59

like jamf protect or similar solution

play09:02

but that does not mean the attack is

play09:04

completely finished and it didn't leave

play09:06

anything behind

play09:07

so we can start by providing a response

play09:09

to your end user that there was

play09:11

malicious activity on their device

play09:13

and to refrain from any further actions

play09:15

we then can quarantine any associated

play09:18

files or processes

play09:20

and isolate the device on the network

play09:22

until the device is clean and set back

play09:24

to a known good state

play09:27

so instead of just talking about

play09:30

examples of remediation

play09:31

let me actually show you just to go over

play09:35

all of these examples are going to be

play09:36

using

play09:37

jamf pro and jamf protect

play09:41

first let's start with setting up

play09:43

everything

play09:44

in jamf protect we need to choose what

play09:48

detection we want to respond to

play09:52

here you can see we have a number of

play09:54

behaviors that jamf protect is

play09:56

monitoring for

play09:57

with our analytics for today i'm going

play10:00

to choose a dns modification

play10:03

once you've chosen the desired analytic

play10:06

simply click

play10:07

update actions and add to jamf pro

play10:10

smart group this is where you're going

play10:13

to type out a value

play10:14

that will later become an extension

play10:16

attribute

play10:18

written to the device

play10:25

now in jamf pro we need to add a script

play10:28

to find the extension attribute created

play10:30

by jamf protect

play10:33

all you need to do is go into the

play10:34

settings for your jamf pro server

play10:37

and get to computer management and then

play10:40

extension attributes so

play10:46

to make it easier at jamf we've added a

play10:48

template

play10:49

under the jamf section for jamf protect

play10:52

smart groups

play10:54

once you've added the template script

play10:56

all you need to do is simply hit save

play11:04

next we need to build a smart group

play11:08

so going in and clicking new

play11:11

we can give the smart group a name

play11:16

i recommend using the extension

play11:18

attribute value in the name to stay

play11:20

organized

play11:22

and now we need to add the criteria

play11:24

which is just the extension attribute

play11:26

we've added from that template looking

play11:29

for the value that is written by jamf

play11:33

protect

play11:39

now that smart group can be scoped to

play11:42

configuration profiles

play11:43

to exclude that device from company

play11:46

resources

play11:47

or be scoped to a policy for some

play11:49

customization

play11:51

and for policy jamf protect

play11:55

actually runs a custom event trigger as

play11:58

soon as that detection happens

play12:00

so when creating a policy you can simply

play12:02

add

play12:03

protect all lowercase

play12:07

within a custom event trigger to allow

play12:09

for near real-time response

play12:15

okay now we have everything set up

play12:17

between jamf pro and jamf protect

play12:20

let's go through some actual examples of

play12:22

remediation and response

play12:25

so again i like to organize by threat

play12:27

level so this is an example of a

play12:29

low-level threat

play12:30

something not truly malicious and almost

play12:33

no

play12:33

impact in jff protect we have those

play12:37

behavioral

play12:38

alerts within our analytics that are

play12:40

looking for a variety of activities that

play12:42

are largely mapped to the miter attack

play12:44

framework

play12:46

in this example an end user does a dns

play12:49

modification

play12:50

which jamf protect is monitoring for

play12:53

once chance protect has been alerted

play12:57

that this user has done this

play12:58

modification

play13:00

it then will tell the jamf pro agent

play13:03

managing managing the device to run a

play13:06

script

play13:07

to simply launch stamp helper and notify

play13:10

the end user

play13:11

that there may have been malicious

play13:12

activity occurring on their device

play13:15

and they may need a contact i.t so this

play13:18

response is not doing anything

play13:20

automated or deleting or stopping but

play13:23

just

play13:23

telling the end user on what activities

play13:26

are happening

play13:26

on their device

play13:32

next we're going to cover responding to

play13:34

a medium level threat

play13:36

so something that is definitely unwanted

play13:38

but has minimal impact

play13:41

in this workflow the end user tries to

play13:44

open

play13:45

a downloaded media player this specific

play13:48

version

play13:49

has been infected with known malware so

play13:52

when the end user tries to launch it

play13:54

gatekeeper will actually stop the

play13:56

application

play13:57

and jamf protect is monitoring for

play13:59

activity from gatekeeper

play14:01

and all of those other native security

play14:02

tools to keep you informed on their

play14:05

activity

play14:06

because we know gatekeeper has stopped

play14:08

something unwanted

play14:09

we can again use jamf helper to further

play14:12

inform the end user

play14:13

of what's happened on their device and

play14:16

actually prompt them to do some cleanup

play14:18

themselves

play14:19

so using self-service this can all be

play14:21

automatically opened

play14:24

this can all automatically open a policy

play14:27

to have the end user delete

play14:28

all files that have been downloaded in

play14:30

the last 24 hours

play14:32

hopefully removing that compromised

play14:35

application

play14:39

Now let's cover a high-level threat. This is where something malicious has definitely occurred but we have no idea what that impact may be. In this example a user is going to open up their browser and they're immediately prompted with a pop-up telling them their Adobe Flash Player is out of date. This is a very common delivery mechanism to get malware onto a Mac. So as soon as that installer has been downloaded, this triggers Jamf Protect, and this immediately pushes another Jamf Helper policy from Jamf Pro telling the end user what they've done and what actions have taken place. What we've done is we've isolated this device by cutting off its access to the network. This will hopefully limit the impact of any possible breach and keep the device quarantined and isolated until the threat can be analyzed.

Okay, for our last example I want to show you how using our methods of customized response can give you some really unique remediation workflows. Jamf Protect has a feature called Threat Prevention that allows you to block and quarantine known Mac threats, as well as allowing you to create custom lists to block processes at the binary level. So say there's a new zero-day for Mac malware: as soon as the hashes are identified, or even the developer Team ID, you can create a custom prevent list to protect your devices from this new threat as soon as that information is available.

So to go over this a little bit deeper: here we have a shared directory that IT or infosec would have access to on all your devices. I also want to show you the directory where Jamf Protect's Threat Prevention quarantines threats. Now the end user here is going to attempt to launch an executable that is in Jamf Protect's Threat Prevention list. On launch, Jamf Protect immediately blocks and removes the executable, and as you can see here it has now been quarantined. So now Jamf Pro is actually installing a response tool, DEPNotify, which is just an open source program that's typically used to onboard users, but what I've done is I've taken advantage of DEPNotify's full-screen feature to lock the end user out while additional scripts are being run that are going to zip up that malware, move it to that shared drive, as well as cleaning up that quarantined location, all while informing the end user of exactly what's happening and the progress. As soon as remediation has been completed, we can prompt the user again with some best practices and follow-up step recommendations. And as you can see, that malware has now been zipped and moved to that shared drive, and that directory for quarantine has been cleaned.

Okay, so now that we've gone over some examples of remediation, let's get back to the IR cycle and go over the final step. I like to call this step sentry mode: we've survived our attack and we've responded, now we're going to readjust to get back to normal, but we want to also enhance our defenses. So we have this heightened awareness of what's just happened and we need to make sure we stay hyper-vigilant. So you can use Jamf Protect to continue to monitor and report on any additional activity or incidents, or even monitor for indicators of a threat. You can also expand your security approach to cover additional targeted threats that you were able to identify. And lastly, we can ensure that all end users, and especially those affected by an attack, are aware of provided operational and information security trainings and education courses. And by doing this we actually send ourselves back to the start of the cycle by increasing our preparation.

Okay, let's quickly go over everything we've covered. So we went over the incident response, or IR, cycle and building your own remediation plan; the preparation needed for a security incident; detection and analysis of an incident; remediation and response, with some example workflows with Jamf Protect and Jamf Pro; and finally what life looks like post-incident and starting that IR cycle all over. If you'd like some more information, I've included a QR code to a guide by Jamf covering macOS security incident response.

Thanks again everyone for listening. We will share the recording as soon as it's ready, but if you're in a hurry you can scan this QR code to get in touch with someone at Jamf immediately.

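Worked example, added here and not code from the talk or from Jamf: a shell script for the last step of the Threat Prevention workflow described above (package the quarantined item, move it to the shared IT/infosec directory, clean the quarantine location). The quarantine path and the shared directory are assumptions passed in by the caller, since the talk does not name either location and these are not Jamf Protect's documented paths. The archive is tar+gzip rather than zip so the script runs unchanged on macOS and Linux, and it goes one step beyond the talk by recording SHA-256 hashes of every quarantined file before anything moves and by deleting the originals only after the archive is confirmed written, so an analyst can later verify what was collected.

```shell
#!/bin/sh
# Added example (not from the talk or from Jamf): evidence-preserving cleanup of a quarantine
# directory. Assumptions, labelled as such: QUARANTINE_DIR and EVIDENCE_DIR are supplied by the
# caller; neither is a documented Jamf Protect path. tar+gzip is used instead of zip so the same
# script works on macOS and Linux.
set -eu

# SHA-256 of one file: macOS ships shasum, most Linux hosts ship sha256sum.
hash_file() {
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    sha256sum "$1" | awk '{print $1}'
  fi
}

# collect_quarantine QUARANTINE_DIR EVIDENCE_DIR
#   1. write a manifest of SHA-256 hashes for every quarantined file (taken before anything moves),
#   2. archive the whole quarantine directory into EVIDENCE_DIR, named by host and UTC timestamp,
#   3. only once the archive exists and is non-empty, delete the originals from QUARANTINE_DIR.
# Prints the archive path on success. Return codes: 1 nothing to collect, 2 quarantine directory
# missing, 3 archive could not be written (the originals are left untouched in that case).
collect_quarantine() {
  qdir=$1
  edir=$2
  [ -d "$qdir" ] || { echo "quarantine directory $qdir does not exist" >&2; return 2; }
  [ -n "$(ls -A "$qdir")" ] || return 1

  mkdir -p "$edir"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$edir/quarantine-$(uname -n)-$stamp.tar.gz"
  manifest="$archive.sha256"

  # Manifest first, so analysts can verify the archive against hashes taken on the endpoint.
  # Paths are recorded relative to the quarantine directory. (File names containing newlines
  # are not handled by this simple loop.)
  : > "$manifest"
  find "$qdir" -type f -print | while IFS= read -r f; do
    printf '%s  %s\n' "$(hash_file "$f")" "${f#"$qdir"/}" >> "$manifest"
  done

  tar -czf "$archive" -C "$qdir" .
  [ -s "$archive" ] || { echo "failed to write $archive" >&2; return 3; }

  # Evidence should not be casually modified or executed: read-only, no exec bit.
  chmod 0440 "$archive" "$manifest"

  # Clean the quarantine location only after the evidence copy is safely on the shared drive.
  find "$qdir" -mindepth 1 -delete
  echo "$archive"
}

# When run directly with two arguments, perform the collection; with no arguments the
# functions are only defined (useful for sourcing or testing).
if [ "$#" -eq 2 ]; then
  collect_quarantine "$1" "$2"
fi
```

Run by hand as `sudo ./collect_quarantine.sh /path/to/quarantine /Volumes/InfoSec`. Jamf Pro passes its own three positional arguments (mount point, computer name, username) before any policy script parameters, so a policy version would call `collect_quarantine "$4" "$5"` rather than relying on `$1` and `$2`. The order of operations is the point: hash, archive, verify, and only then delete, so a failed copy never costs you the only sample of the malware.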

Related Tags: Incident Response, Mac Security, Threat Detection, Cyber Attack, Data Breach, Jamf Protect, Remediation Plan, Security Tools, MDM, Endpoint Security, IT Management, Workforce Security, Threat Landscape, Security Training, Cybersecurity