Organizations still get hit with malware and ransomware in spite of the fact that antivirus and firewall solutions are in place. For this reason, a layered security approach is more effective at catching malware infections before they start running. We will show you how SureLog SIEM can effectively identify and stop malware on the network.
Use Case: Malware on the Network
- Unusual network traffic spikes to and from sources
- Endpoints with about 8 malware threats
- Significant network slowdown observed
- User complained Internet is too slow in hostels
For this use case, we will use:
- Firewall logs
- Endpoint security logs
- Threat Intelligence Feeds
With SureLog SIEM, security admins have two detection options.
- Log investigation.
Use Case steps:
- Collect endpoints with malware threats.
- Calculate the total traffic between devices.
- Check if one of those devices has eight malware threats within the last 24 hours.
The first part of the rule collects logs from endpoint security devices or Threat Intelligence Feeds and fills the “Malware Device List”.
The second part of the rule checks whether a device has more than 300 MB of upload and 8 malware threats.
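The two-part rule described above, sketched as an added Python example (it is not SureLog rule syntax and not code from this page). The event field names, the sample events, counting each endpoint event as one malware threat, and 1 MB = 1024 × 1024 bytes are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # "within the last 24 hours"
MIN_THREATS = 8                # eight malware threats
MB = 1024 * 1024               # assumption: binary megabytes
UPLOAD_LIMIT = 300 * MB        # "more than 300 MB upload"

def in_window(event, now):
    return timedelta(0) <= now - event["time"] <= WINDOW

def build_malware_device_list(endpoint_events, now):
    """Part 1: malware detections per device inside the window."""
    return Counter(e["device"] for e in endpoint_events if in_window(e, now))

def upload_per_device(firewall_events, now):
    """Total bytes each source sent inside the window."""
    totals = defaultdict(int)
    for e in firewall_events:
        if in_window(e, now):
            totals[e["src"]] += e["bytes_sent"]
    return totals

def evaluate_rule(endpoint_events, firewall_events, now):
    """Part 2: devices with >= 8 threats AND > 300 MB uploaded."""
    threats = build_malware_device_list(endpoint_events, now)
    uploads = upload_per_device(firewall_events, now)
    return sorted(d for d, n in threats.items()
                  if n >= MIN_THREATS and uploads.get(d, 0) > UPLOAD_LIMIT)

# Constructed sample events; field names are hypothetical, not a SureLog schema.
NOW = datetime(2024, 1, 2, 12, 0)

def ep(device, hours_ago):
    return {"time": NOW - timedelta(hours=hours_ago), "device": device}

def fw(src, hours_ago, mb):
    return {"time": NOW - timedelta(hours=hours_ago), "src": src, "bytes_sent": mb * MB}

ENDPOINT_EVENTS = (
    [ep("10.0.0.5", h) for h in range(1, 9)]        # 8 threats, heavy upload
    + [ep("10.0.0.6", h) for h in range(20, 28)]    # 8 threats, only 5 in window
    + [ep("10.0.0.7", h) for h in range(1, 9)]      # 8 threats, light upload
)
FIREWALL_EVENTS = (
    [fw("10.0.0.5", h, 100) for h in (2, 4, 6, 8)]  # 400 MB in total
    + [fw("10.0.0.6", 3, 500), fw("10.0.0.7", 3, 50)]
    + [fw("10.0.0.8", 3, 900)]                      # heavy upload, no malware
)
```

Calling `evaluate_rule(ENDPOINT_EVENTS, FIREWALL_EVENTS, NOW)` flags only the device that meets both conditions inside the same 24-hour window; a device with heavy upload but no malware, or with detections that have aged out, is not flagged.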
The first part of the investigation is to find traffic peaks.
Within firewall logs, look for peak traffic.