What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

Why it's Time to Move from On-Prem to Splunk Cloud

The cloud can be a scary thing, and can be uncomfortable, just like porcupines when held. But, unlike porcupines, you should embrace the cloud… it’s less painful.

…And Here’s Why

If you outsource your SOC, you should seriously consider outsourcing the environment it’s hosted in as well. Free up your teams to work on impactful and meaningful things, like protecting your brand and focusing on the most important security outcomes.

We’re a firm believer in the cloud at Deepwatch. Our tech stack was built out with a cloud approach, first and foremost, and we’ve never looked back. We’ve helped numerous customers make that scary move from on-prem to the cloud. Overwhelmingly the feedback we get is: “Thank you, that was less painful than we expected, and we’re excited to have a partner manage Splunk moving forward.”

We make it easy for a Splunk migration from on-prem to cloud. Our large team of Splunk engineers have the highest Splunk certifications and the experience and expertise to make this transition seamless and easy for your team. We’ve done this many times – for numerous Fortune 500 and mid-sized enterprises. You can read about the amazing results from our customers here.

Our standard approach: You get a Certified Project Manager, Certified Splunk Engineer and white glove handling from start to finish. We partner with our customers to plan and architect world class SIEM solutions. We then tailor each solution based on our intrinsic knowledge and experience with Splunk. And we do it quickly and efficiently due to a high degree of automation as well as our best practices for cloud migrations.

How Do We Do It?

It’s the core of our offering . . . so we’ve become very good at it.

We’ll start with our patent pending Maturity Model and help guide you through what logs and technologies will improve your security posture.

We’ve automated the deployment, spin up and configuration of Splunk in the cloud. With a few clicks we’re up and running in hours. The longest part of any accurate or worthy Splunk engagement is care, feeding and data collection. This is often the most overlooked part of Splunk. What you put in, is what you get out of Splunk. We’ve automated what should be automated, and hired the best talent to take care of the rest.

Deepwatch also takes care of data logging QA for you. The burden of analyzing log collection to confirm it’s parsed accurately, mapped to corresponding data models and Splunk Common Information Model (CIM) compliant will no longer fall on you and your team. As your partner, that’s on us – we want our customers to be successful so it’s a standard part of our offering.

We parallel process the entire ramp-up and deployment of Splunk and the SIEM. While your solution is getting built, we activate monitoring and alerting in tandem. This allows us to test, QA and deploy simultaneously in rapid time. You see the results in real-time and with full transparency.

Verify and Check

Trust but check and verify. We’re fully transparent in everything we do. We raise the bar by being completely open. Out of the box, you have dashboards to monitor logging health, Splunk, and data model mapping. We give you full visibility into Splunk and the alerts deployed in your environment. No blackbox or mystery in what we do, and we wouldn’t have it any other way. A partnership is built on trust, and it’s for us to earn through hard work and service excellence.

So What Does This Mean for You?

Deepwatch customers receive automated updates and 24/7 patching. This requires minimal infrastructure support and Deepwatch automatically pushes new security content and alerts to your environment.

We’ve turned common concerns into stress free solutions:

The latest emerging threat? Don’t sweat, that’s covered through an update.
New detection capability for the latest major cyber event? That’s taken care of.
Zerologon? Zero problem. In less than 24 hours, we have detection capabilities in place across our customer base. All due to automation in the cloud.
Need to scale CPU, memory or add processing power for Splunk? That’s a few clicks and done in no time.
Need to be GDPR compliant with data sovereignty? No problem. We’ve done that too and can host globally.

The burden of managing and trying to get the most out of Splunk is no longer yours to bear (or porcupine). You now have a best in class partner that supports you, knows Splunk cold, and has your best interests in mind. We love our customers and it shows in everything we do. That’s why we’re one of the Top MDR’s as identified by Forrester, CISO Choice Awards — MSSP Winner 2020 and the #1 MDR Splunk Managed SIEM by volume.

Ready to make the move from on-prem to Splunk cloud? We’ll prove ourselves to you and we promise it won’t hurt.

Learn why our customers choose Deepwatch

The Managed Security Platform For The Cyber Resilient Enterprise

Cultivating Cyber Resilience Experts

Get access to all the critical information you need to be successful

Deepwatch ATI Annual Threat Report 2024

Splunk

Why it’s Time to Move from On-Prem to Splunk Cloud

By Jason Thatcher

…And Here’s Why

How Do We Do It?

Verify and Check

So What Does This Mean for You?

Subscribe to the Deepwatch Insights Blog