Windows: type 'wf.msc' at cmd.
Linux Uncomplicated Firewall: 'ufw' or 'iptables'.
End users shouldn't be allowed to disable the firewall.
Monitor both incoming and outgoing network traffic.
Output depends on the FW applications and OS:
Windows Event Viewer
Linux logging: /var/log
Sensors on each host relay to a centralized management console.
Compiles data to identify distributed trends.
May be included with Host Firewall or AV solution.
False positives - legit traffic labelled as an attack.
False negatives - attacks labelled as legit traffic.
Matching traffic identified as an attack with the actual network traffic.
NIST SP 800-94 - Guide to Intrusion Detection and Prevention Systems (IDPS)
End-user pop-up warning.
Centralized management console warning.
Quarantine vs Removal.
AV not updated or has outdated signatures.
May be ignored or not seen.
Malware may still be present.
Auto-update (need network connectivity).
Detach system from the network.
Use multiple AV products.
Manual removal - hunting malware with SysInternals
Reimage the system.
Computers a cryptographic hash for all selected files and creates a database of the hashes.
Hashes are periodically recalculated and compared to the hashes in the database, to check for modification.
Output to a centralized server.
For alerts, determined what changed and why.
Organization approves software apps. All others are not allowed.
Example: Windows AppLocker
Based on conditions:
Publisher, for digitally signed files.
Path, which identifies an application by its location.
File hash, which uses a system-computed cryptographic hash.
Prevent sensitive info from physically or logically leaving corporate systems.
Designed to detect and prevent unauthorized use and transmission of confidential info.
Should include corporate data stored in the cloud.
Network: Content-filtering (proxy).
System: Application white-listing.
Hardware: USB blocking.
Detects or prevents the use of removable media.
Local or network.
Set by corporate policy.
Use only corporate owned / secured devices.
Scan removable media on each use.
Automate updates when possible.
Alerting on failed patches.
Patching all apps / systems.
Microsoft System Center Configuration Manager (SCCM) formerly Systems Management Server (SMS)
Linux RPM (Red Hat Package Manager)
Hardware or Software.
Prevents malware from executing in memory space that is reserved for operating system processes.
Both Advanced Micro Devices (AMD) and Intel platforms have DEP hardware capabilities.
Available on Windows 10.