One Article Review

Home - The article:
Source AlienVault Blog
Identifier 967056
Publication date 2018-12-27 14:00:00 (viewed: 2018-12-27 16:00:50)
Title How Malware Sandboxes and SIEMs Work in Tandem to Effectively Detect Malware
Text Rohan Viegas of VMRay explains some of the key factors IT security teams should consider when evaluating a malware analysis sandbox and whether it’s a good fit for their existing SIEM environment. He then outlines how VMRay Analyzer complements and enhances the capabilities of AlienVault’s flagship platform, USM Anywhere.

For IT security organizations, malware threats and attacks continue to play a prominent role in the threat landscape. According to Verizon’s 2018 Data Breach Investigations Report:

Of the 2,216 data breaches that were studied by participating security vendors, 30% involved malware.
Six types of malware (ransomware, C2, RAM scraper, backdoor, etc.) were among the top 20 varieties of action used in the data breaches covered in the study.
Ransomware, used primarily to commit financial crimes, is now involved in more than 40% of malware attacks.

Malware attacks can be completed in minutes. However, due primarily to poor detection, an intrusion may not be discovered for weeks or months, potentially causing damage all the while.

“Full-featured SIEM, Looking for the Right Malware Sandbox”

When selecting an automated malware analysis sandbox to address these challenges, IT security teams should not only compare the side-by-side capabilities of different vendor products. They should also weigh how a particular sandbox will interact with their existing SIEM platform and the extent to which a product’s strengths (or its weaknesses) are utilized across the managed security ecosystem. Below are some key points to consider.

The sandbox’s detection efficacy. Malware today is designed to recognize when it is running inside an analysis environment and to stall or exit in the sandbox, thereby evading detection altogether or inhibiting the analysis by not fully revealing its behavior. This leaves blind spots in the analysis results, which can then be carried over to the SIEM. A key quality to look for in a sandbox is its ability to reliably conceal itself from the samples being analyzed so the malware can fully execute, giving you comprehensive visibility into the threat.

The quality of Threat Intelligence that can be shared. Another consideration is what types of threat information can be ingested by your SIEM and made available across your security environment. Important IOCs include severity scores, suspicious behaviors, network activity, dropped files, etc. You also need to consider how complete that information is. Full visibility into malware behavior is essential for generating quality threat intelligence. For instance, if you discover a malicious file, the analysis results should detail all the places it tried to reach out to, all the bad files it tried to create, and all the registry keys it tried to touch or modify.

How can the Threat Intelligence be used once your analysis results are handed off to your SIEM? Can the data be easily monitored? Correlated with other data sources? What actions can you take with this information? To build on the prior example, if your sandbox identifies a new malicious file that has reached out to an unfamiliar and presumably bad IP address, can you search your entire infrastructure for systems that have also accessed that address?

Rising to the Challenge

For organizations that have USM Anywhere or another comprehensive SIEM pla
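The question the article raises about what a SIEM can do with sandbox output, whether the indicators from one verdict can be searched against the rest of the infrastructure, is illustrated by the following added example. It is not code from the article, AlienVault or VMRay. It assumes a sandbox verdict in a simple dictionary layout of my own design (the hashes and addresses in it are constructed placeholders) and a handful of constructed CEF-over-syslog events of the kind a firewall, proxy or endpoint agent forwards to a SIEM. It pulls the IOCs the article lists (contacted IP, contacted domain, dropped-file hash) out of the verdict, parses the CEF extension fields, and reports which hosts also touched each indicator.

```python
"""Correlate IOCs from one sandbox verdict with SIEM-style events (constructed data)."""
import re
from collections import defaultdict

# Constructed sandbox verdict for a single analysed sample. Every value is a
# placeholder; this is not a real indicator and not VMRay's report format.
SANDBOX_REPORT = {
    "sample_sha256": "0" * 63 + "1",
    "severity": 90,
    "network": {
        "contacted_ips": ["203.0.113.45"],
        "contacted_domains": ["update-check.example"],
    },
    "dropped_files": [{"path": r"C:\Users\Public\svc.exe", "sha256": "f" * 64}],
    "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
}

# Constructed CEF-over-syslog lines, as a firewall, proxy and EDR agent might
# forward them. Vendor/product names are hypothetical.
SYSLOG_LINES = [
    "<134>Dec 27 14:01:02 fw01 CEF:0|ExampleFW|NGFW|1.0|100|Allowed connection|3|"
    "src=10.0.5.21 dst=203.0.113.45 dpt=443 shost=ws-finance-07",
    "<134>Dec 27 14:01:09 fw01 CEF:0|ExampleFW|NGFW|1.0|100|Allowed connection|3|"
    "src=10.0.5.33 dst=198.51.100.7 dpt=443 shost=ws-hr-02",
    "<134>Dec 27 14:03:40 proxy01 CEF:0|ExampleProxy|Web|2.1|200|URL request|2|"
    "src=10.0.7.12 dst=203.0.113.45 dpt=80 shost=ws-sales-11 "
    "request=http://update-check.example/a",
    "<134>Dec 27 14:05:55 edr01 CEF:0|ExampleEDR|Agent|4.2|300|File created|5|"
    "shost=ws-finance-07 fname=svc.exe fileHash=" + "f" * 64,
]

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# Extension is space-separated key=value pairs; values may themselves contain spaces,
# so a value runs until the next " key=" or the end of the line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Return a flat dict of header fields plus extension keys, or None if not CEF."""
    m = CEF_RE.search(line)
    if not m:
        return None
    event = {
        "vendor": m.group(2),
        "product": m.group(3),
        "name": m.group(6),
        "severity": m.group(7),
    }
    event.update({k: v for k, v in EXT_RE.findall(m.group(8))})
    return event


def extract_iocs(report):
    """Pull the searchable indicators out of the verdict, grouped by type."""
    return {
        "ip": set(report["network"]["contacted_ips"]),
        "domain": set(report["network"]["contacted_domains"]),
        "sha256": {f["sha256"].lower() for f in report["dropped_files"]},
    }


def correlate(report, lines):
    """Map each matched indicator to the sorted list of hosts that touched it."""
    iocs = extract_iocs(report)
    hits = defaultdict(set)
    for line in lines:
        ev = parse_cef(line)
        if ev is None:
            continue  # non-CEF noise is skipped, not an error
        host = ev.get("shost") or ev.get("src", "unknown")
        if ev.get("dst") in iocs["ip"]:
            hits[ev["dst"]].add(host)
        for domain in iocs["domain"]:
            if domain in ev.get("request", ""):
                hits[domain].add(host)
        if ev.get("fileHash", "").lower() in iocs["sha256"]:
            hits[ev["fileHash"].lower()].add(host)
    return {ioc: sorted(hosts) for ioc, hosts in hits.items()}


if __name__ == "__main__":
    for ioc, hosts in correlate(SANDBOX_REPORT, SYSLOG_LINES).items():
        print(f"{ioc}: {', '.join(hosts)}")
```

On the constructed data the contacted IP resolves to two hosts (one seen by the firewall, one by the proxy) and the dropped-file hash to one, which is exactly the "which other systems also accessed that address" answer the article asks a SIEM to provide; in a real deployment the same matching would run as a correlation rule over the SIEM's stored events rather than over a list in memory.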
Sent Yes
Tags Data Breach Malware Threat


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.