EEI and automation


Hello guys,

We're in the final stage with this customer and EEI. They like the software but have the following questions:

1) They want to know if it's possible to automatically block certain malicious actions like Filecoder behavior or any behavior that EEI considers critical (the rules that are marked as critical in red). The others not, because they can generate a lot of FPs. They ask this because if an attack occurs at night and nobody is looking at the alerts in the console or via email, no action will be taken at the right time. They prefer to have some FPs than an attack that was not stopped because at that time nobody realized it happened.

2) We know that we can kill a process and also add its MD5 to a blacklist in order to avoid the spread of the attack. Is it possible to do this automatically? For example, if a critical rule is triggered, the process is killed automatically and the MD5 blacklisted without user interaction.

If these features are not available, will those functions be implemented in future versions? When?

We appreciate all the arguments you can give us in order to close the deal with the customer.

Thank you.

Edited by Lockbits

1 hour ago, Lockbits said:

1) They want to know if it's possible to automatically block certain malicious actions like Filecoder behavior or any behavior that EEI considers critical (the rules that are marked as critical in red). The others not, because they can generate a lot of FPs. They ask this because if an attack occurs at night and nobody is looking at the alerts in the console or via email, no action will be taken at the right time. They prefer to have some FPs than an attack that was not stopped because at that time nobody realized it happened.

Based on what is posted in the online help, the answer is no, simply because EEI has no real-time interface as far as client-to-server communication goes:

Quote

Rules are matched on the server. They are matched asynchronously so there is some time interval when recent events are sent from client to server and then processed by rules. Therefore, a rule cannot block execution of a process or operation. A matched rule can only notify security engineers by raising an alarm. The alarm is displayed in Alarms view but it is also exported to ESMC (or SIEM) or an email can be automatically sent when the alarm is triggered.

https://help.eset.com/eei/1/en-US/?rules_only_in_pdf.html

Edited by itman

  • Administrators

I'd say that adding such automation would be risky at least at this point. Imagine that a backup was being performed by a freshly updated backup software and there were encrypted files being backed up. This could trigger an alarm and the backup process would be terminated automatically.

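The two points made above (rules are matched asynchronously on the server, so an alarm always arrives after the fact, and a naive "encrypted data written to many files" rule also fires on a legitimate backup job) can both be seen in a small simulation. The following is an added example written for this thread, not EEI code and not ESET's rule logic: the batching interval, the processing delay, the toy entropy rule and the sample events are all constructed assumptions chosen to make the timing and the false positive visible.

```python
"""Constructed toy model of an asynchronous, server-side detection pipeline.

Added illustration, not EEI code: events are generated on the endpoint,
uploaded in batches, and matched against a rule on the server, so an alarm
is always raised after the activity has already happened. The same toy rule
is also tripped by a backup job copying already-encrypted archives, which is
the false-positive risk of wiring an automatic process kill to such alarms.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    t: float        # seconds since the start of the simulation
    process: str    # image name of the writing process
    path: str       # file that was written
    entropy: float  # Shannon entropy of the written data, 0..8 bits/byte


@dataclass(frozen=True)
class Alarm:
    t: float        # time at which the server raised the alarm
    process: str
    rule: str


def client_batches(events: List[FileEvent], interval: float) -> List[Tuple[float, List[FileEvent]]]:
    """Group endpoint events into upload batches; a batch leaves the client
    at the end of the interval in which its events occurred (assumption)."""
    batches: Dict[float, List[FileEvent]] = {}
    for ev in events:
        upload_t = (int(ev.t // interval) + 1) * interval
        batches.setdefault(upload_t, []).append(ev)
    return sorted(batches.items())


def rule_mass_high_entropy_writes(received: List[FileEvent],
                                  threshold: float = 7.5, min_files: int = 5) -> List[str]:
    """Toy 'Filecoder-like' rule (constructed): a process that has written
    at least min_files distinct files with high-entropy data."""
    per_proc: Dict[str, set] = {}
    for ev in received:
        if ev.entropy >= threshold:
            per_proc.setdefault(ev.process, set()).add(ev.path)
    return sorted(p for p, paths in per_proc.items() if len(paths) >= min_files)


def server_match(batches: List[Tuple[float, List[FileEvent]]], processing_delay: float) -> List[Alarm]:
    """Run the rule over everything received so far, once per incoming batch."""
    received: List[FileEvent] = []
    alarmed = set()
    alarms: List[Alarm] = []
    for upload_t, batch in batches:
        received.extend(batch)
        for proc in rule_mass_high_entropy_writes(received):
            if proc not in alarmed:
                alarmed.add(proc)
                alarms.append(Alarm(upload_t + processing_delay, proc, "mass_high_entropy_writes"))
    return alarms


def simulate(events: List[FileEvent], interval: float = 30.0,
             processing_delay: float = 5.0) -> Dict[str, Dict[str, float]]:
    """Per alarmed process: when the alarm fired, how long after the process's
    first write that was, and how many files it had already touched by then."""
    first_seen: Dict[str, float] = {}
    for ev in sorted(events, key=lambda e: e.t):
        first_seen.setdefault(ev.process, ev.t)
    report: Dict[str, Dict[str, float]] = {}
    for a in server_match(client_batches(events, interval), processing_delay):
        touched = {ev.path for ev in events if ev.process == a.process and ev.t < a.t}
        report[a.process] = {
            "alarm_t": a.t,
            "latency": a.t - first_seen[a.process],
            "files_before_alarm": len(touched),
        }
    return report


# Constructed sample: a ransomware-like process, a backup job copying
# already-encrypted archives, and an ordinary document edit.
SAMPLE_EVENTS = (
    [FileEvent(float(i), "ransom.exe", f"C:/Users/u/doc{i}.docx", 7.9) for i in range(20)]
    + [FileEvent(2.0 + i, "backup.exe", f"D:/Backup/archive{i}.7z", 7.8) for i in range(10)]
    + [FileEvent(5.0, "winword.exe", "C:/Users/u/report.docx", 4.5),
       FileEvent(9.0, "winword.exe", "C:/Users/u/notes.docx", 4.7)]
)

if __name__ == "__main__":
    for proc, r in simulate(SAMPLE_EVENTS).items():
        print(f"{proc}: alarm at t={r['alarm_t']:.0f}s, {r['latency']:.0f}s after its first write, "
              f"{r['files_before_alarm']} files already written")
```

With a 30 s upload interval and 5 s of server processing, the alarm for ransom.exe is raised at t=35 s, by which time all 20 sample files have already been written; shrinking the interval reduces the latency but never to zero, which is the point of the help-text quote. The backup.exe job is alarmed by the same rule, so an automatic kill keyed to this alarm would have terminated the backup as well.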

Hello guys,

Thank you for the input. 

The last question I have is about the possibility of creating a new template for a Dynamic Group, assigning to it the computers that have some type of activity that triggered certain rules, and assigning a policy to block all traffic via ESET's firewall. Is this a viable approach?

I only found the possibility to sort and group computers that have some type of functionality error or issue in EEI's agent.

Thank you.


  • ESET Staff

As dynamic group evaluation happens on the client, whereas EEI rule evaluation happens on the EEI server, such automation is currently not possible. We are, however, tracking future improvements to address the issue and allow automated incident response workflows within the product.
