El Jefe from Immunity

No replies
RaT's picture
SX High Council
Joined: 2008/03/12

Has anybody followed the news on El Jefe from Immunity? It looks pretty useful and it's will be released under the GPL.

Here is an excerpt from dailydave:

dave wrote:

There are two issues with modern security monitoring solutions, in my opinion. One is
that they have a low noise to signal ratio. There's just only so much information
about intrusions you can derive from raw network data or random application logs!

The other side of the story is anti-virus, which becomes very keyholed into looking
at activity on a host, when intrusions are typically multi-host events. Likewise,
Anti-Virus and Anti-Malware products tend to be essentially managed services, with no
way for an enterprise to customize use of the infrastructure for intrusion
suppression. (i.e. right now you just have to wait for your AV vendor to get
signatures out the door for Stuxnet variants, even if you've found one on your
systems yourself!)

Immunity El Jefe is a GPLv3 product that we think addresses some of these issues. It
has two parts - a privilege management portion (aka, an ActiveDirectory-managed
SUDO), and an intrusion suppression portion.

The intrusion suppression portion works as follows:
El Jefe hooks CreateProcess() - and every process that is created on your Windows
system then goes through the El Jefe Service. This allows it to log extensive data
about the process, for example, what the data near the entry point of the executable
looks like, the arguments sent to the process, and the SHA1 hash of the executable,
and who the parent and child binaries are. In other words, El Jefe centrally logs
(into an SQL database) everything interesting about a new process being executed.

Processes don't get executed very often - this is very high signal to noise. And you
can develop interesting data mining algorithms to find intrusions on your
enterprise's network. For example:

- - Why is that box in Production executing things that were never executed in QA?

- - What processes were executed out of Acrobat Reader or Internet Explorer across my

- - Are there any cases of processes that started off as a normal domain user, but
spawned a process as Local\SYSTEM?

- - Why on earth did that user suddenly start using "netstat" commands only an advanced
system administrator should know?

- - Are there any unknown instances of a trojan with a given SHA1 hash that ever have
executed across my network?

This is a key difference to El Jefe - it maintains an enterprise-wide view of your
security situation, and it does so with a signal stream that is highly relevant.

If you're curious what this looks like in practice, there's a Prezi with screenshots
here: http://prezi.com/r3otdekwttdi/el-jefe-introduction/ . If you would like to be a
beta tester for El Jefe please email Justin Seitz at justin at immunityinc.com .

Additional information: