SIEM Use Cases

Detecting Lateral Movements

Network attacks are becoming more complex in today's security environment. To obtain an initial foothold, attackers use methods such as phishing or malware infection. Once inside the IT environment, they disguise themselves as a user with broad access rights while trying to escalate their privileges. Many organizations lack the staff, tools, or bandwidth to notice unusual activity. After the attacker has gained a foothold in the network, they may spend days or weeks discovering weaknesses in the systems, and the lateral movement during this period needs to be detected. Lateral movement refers to the gradual movement of attackers through the network and the techniques they use to locate the targeted data and assets.

How to Detect Lateral Movements

Lateral movement activities can be analyzed and detected by Logsign USO Platform via pre-defined correlations and its Cyber Threat Intelligence (TI) service. Audit logs, process creation logs, and Firewall, IDS/IPS, and EDR logs are used during detection. Lateral movements that Logsign USO Platform can detect with pre-defined rules:
- Unsuccessful log-in attempts on disabled accounts,
- Unusual activity based on the time of day or day of the week,
- Unusual access to servers, file shares, applications, or other resources,
- Unusually frequent access to certain resources,
- Abnormal application use and abnormal access to data storage.
1. Logsign USO Platform uses correlation to detect abnormal user behavior and identify users whose credentials have been compromised. For example, when a user is active during unusual hours or accesses uncommon data or systems, Logsign USO Platform generates alarms to alert the relevant IT administrators.

2. Through multiple correlation processes, behavior analysis is conducted, and users are labeled as Attacker, Victim, or Suspicious.

3. Detection of suspicious access privilege elevation is a top priority, with a focus on privileged user account access. Logsign USO Platform promptly identifies users elevating their privileges on critical systems.

4. It can correlate network traffic with the Cyber Intelligence Module to discover malicious software communicating with Command and Control (C&C) servers, which indicates a compromised user account.

5. Logsign uses correlation and the Cyber Threat Intelligence (TI) service to analyze seemingly unrelated events, such as the addition of a USB disk drive, process information, use of personal email or cloud storage services, or high data traffic over the Internet and the local network.

6. It collects and analyzes security events from sources such as security systems, intrusion detection systems, and endpoints. Advanced analytics and correlation techniques are used to identify potential security threats and generate real-time alerts. Security analysts can then investigate these threats and respond immediately, reducing the risk of data breaches and unauthorized access.

7. By centralizing and correlating security event data, it supports efficient incident response workflows. It integrates with ticketing systems and other incident response tools, enabling security teams to automate the incident response process. Logsign can trigger automated actions such as quarantining a compromised host or blocking a malicious IP address, username, URL, domain, or file hash, reducing response times and minimizing the impact of security incidents.
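The pre-defined detections listed under "How to Detect Lateral Movements" (failed log-ins on disabled accounts, off-hours activity, unusual access to servers, privilege elevation) and the correlation-based user labelling in items 1 to 3 can be illustrated with a small correlation engine. The following Python is an added example written for this page, not Logsign code: the events, the set of disabled accounts, the privileged group name, the business-hours window, and the rule that a user with hits from two or more distinct rules is labelled "Suspicious" are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication/audit events (ISO local timestamps); not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "host": "fs01", "action": "logon", "outcome": "success"},
    {"ts": "2024-03-04T09:40:00", "user": "alice", "host": "fs01", "action": "logon", "outcome": "success"},
    {"ts": "2024-03-05T10:05:00", "user": "bob", "host": "app02", "action": "logon", "outcome": "success"},
    {"ts": "2024-03-05T23:47:00", "user": "svc_legacy", "host": "dc01", "action": "logon", "outcome": "failure"},
    {"ts": "2024-03-06T02:15:00", "user": "alice", "host": "dc01", "action": "logon", "outcome": "success"},
    {"ts": "2024-03-06T02:16:00", "user": "alice", "host": "dc01", "action": "group_add",
     "outcome": "success", "group": "Domain Admins"},
    {"ts": "2024-03-06T11:00:00", "user": "bob", "host": "app02", "action": "logon", "outcome": "success"},
]

# Assumed environment context a SIEM would normally pull from the directory or CMDB.
DISABLED_ACCOUNTS = {"svc_legacy"}
PRIVILEGED_GROUPS = {"Domain Admins"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 is treated as normal working time


def rule_disabled_account_failure(ev, history):
    """Failed log-in against an account that should never authenticate."""
    return ev["outcome"] == "failure" and ev["user"] in DISABLED_ACCOUNTS


def rule_off_hours(ev, history):
    """Any activity outside the assumed business-hours window."""
    return datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS


def rule_new_host_access(ev, history):
    """An established user (with prior hosts) successfully reaching a host never seen for them."""
    seen = history[ev["user"]]
    return ev["outcome"] == "success" and bool(seen) and ev["host"] not in seen


def rule_privilege_elevation(ev, history):
    """Membership added to a privileged group."""
    return ev["action"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS


RULES = {
    "disabled_account_failure": rule_disabled_account_failure,
    "off_hours": rule_off_hours,
    "new_host_access": rule_new_host_access,
    "privilege_elevation": rule_privilege_elevation,
}


def correlate(events, suspicious_threshold=2):
    """Run every rule over the events in time order and label users.

    Returns (alerts, labels). The per-user baseline of previously seen hosts is
    built incrementally from successful events, so the first host a user is
    ever seen on becomes their baseline rather than an alert.
    """
    history = defaultdict(set)  # user -> hosts successfully accessed so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, rule in RULES.items():
            if rule(ev, history):
                alerts.append({"rule": name, "user": ev["user"], "host": ev["host"], "ts": ev["ts"]})
        if ev["outcome"] == "success":
            history[ev["user"]].add(ev["host"])

    # Assumed labelling policy: hits from >= suspicious_threshold distinct rules -> "Suspicious".
    rules_by_user = defaultdict(set)
    for a in alerts:
        rules_by_user[a["user"]].add(a["rule"])
    labels = {u: "Suspicious" for u, rs in rules_by_user.items() if len(rs) >= suspicious_threshold}
    return alerts, labels


if __name__ == "__main__":
    found, who = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["rule"]:<26} user={a["user"]} host={a["host"]}')
    print(who)
```

In the sample data, svc_legacy triggers the disabled-account and off-hours rules, and alice triggers off-hours, new-host and privilege-elevation hits within two minutes on the domain controller, so both are labelled Suspicious while bob, who only repeats his known daytime access, produces nothing. Real deployments replace the fixed sets and window with per-user and per-host baselines learned from historical logs; the structure of the rules stays the same.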

Other SIEM Use Cases