DNS Intrusion Detection using Dnsflow

In the DNS Intrusion Detection in Office 365 post we introduced strategies implemented in Office 365 to detect anomalous DNS activity. Dnsflow is one of those strategies and involves aggregating DNS data processed by the DNS servers in Office 365. In this post, we discuss detailed benefits, challenges and implementation of Dnsflow. We also discuss how…


DNS Intrusion Detection in Office 365

In Office 365, we are committed to protecting our customer’s data. We implement and exercise industry leading security practices to ensure that customer’s data is safe. Intrusion detection is one such security practice which ensures that we are notified about any anomalous activity or behavior on our servers or in our network. We monitor and…

2

Hidden Treasure: Intrusion Detection with ETW (Part 1)

Today’s defenders face an increasing obstacle with information asymmetry. With the advent of in-memory attacks and targeted malware, defenders cannot simply rely on the default event logs provided by Windows. Attackers may make use of process hollowing to hide their code within a seemingly benign process as well as routing their Command & Control traffic…