SIEM Use Cases

Identifying and Detecting Zero-Day Attacks

A zero-day exploit is an attack that takes advantage of a security flaw in a program or application. All threat detection models that depend on statistics and signatures share an inherent weakness: although these methods are appropriate for recognised threats, they are known to perform inadequately against zero-day attacks. Because traditional methods rely on databases of recognised threats, they have proven to have very limited ability to keep up with changes in attack methodology. In a zero-day attack, the attacker finds the weakness in the source code of the program or application and develops malicious code that exploits that security gap.

How to detect and prevent zero-day attacks

Detecting zero-day attacks is difficult and complex. Logsign SIEM analyses zero-day attack indicators and attack vectors by means of pre-defined correlation rules and cyber threat intelligence (TI), and shares the resulting data with IT managers through dashboards, alerts, and reports.

01

The detection process for zero-day attacks begins with Logsign SIEM correlation techniques applied to TI, web proxy, AD authentication, DNS server, IPS, process event, and endpoint protection platform (EPP) source logs.

02

Through correlation processes and behaviour analysis, the user is tagged as Attacker, Victim, or Suspicious.

03

After the attacker's first activity on the user's side, the logs are enriched through behaviour analysis of the logs arriving from these sources. The log activity generated by the attacker's actions, both inbound (external to internal) and outbound (internal to external), is correlated and shown on the relevant dashboard panels.

04

The results are shared with the relevant IT managers, and alert mechanisms such as e-mail and SMS are set up.

05

To stop the zero-day attack from reaching its C&C servers on the Internet and from completing the exploit process, Logsign SIEM writes the relevant deny rules to Palo Alto, Fortigate and Checkpoint firewalls via their APIs.
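The multi-source correlation, entity tagging and deny decision of steps 01 to 05, as an added illustration that is not Logsign's code or rule syntax: it correlates constructed DNS, web proxy, AD authentication and EPP events per host, tags a host Suspicious when one source matches, Victim when two or more corroborate, and Attacker when the Victim's account then logs on to other hosts, and returns the destinations a deny rule would block. The event schema, the placeholder TI indicators and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed threat-intelligence feed (placeholder indicators, not real IoCs).
TI_BAD_DOMAINS = {"update-check.bad.example"}
TI_BAD_IPS = {"203.0.113.45"}

# Constructed events from four source types, already normalised to one schema.
EVENTS = [
    {"src": "dns", "host": "WS-07", "user": "jdoe", "qname": "update-check.bad.example", "answer": "203.0.113.45"},
    {"src": "proxy", "host": "WS-07", "user": "jdoe", "dst": "203.0.113.45", "bytes_out": 5_400_000},
    {"src": "epp", "host": "WS-07", "user": "jdoe", "action": "quarantine_failed", "file": "svc.tmp"},
    {"src": "auth", "host": "FS-01", "user": "jdoe", "logon_type": 3, "result": "success"},
    {"src": "dns", "host": "WS-12", "user": "asmith", "qname": "cdn.good.example", "answer": "198.51.100.9"},
]

def correlate(events, ti_domains=TI_BAD_DOMAINS, ti_ips=TI_BAD_IPS):
    """Correlate events per host; return entity tags and firewall deny targets."""
    hits = defaultdict(set)      # host -> independent sources that corroborate
    lateral = defaultdict(set)   # user -> hosts reached by network (type 3) logon
    host_user = {}               # host -> first user seen on it
    deny = set()                 # destinations for the step-05 deny rule
    for e in events:
        h = e["host"]
        host_user.setdefault(h, e["user"])
        if e["src"] == "dns" and e["qname"] in ti_domains:
            hits[h].add("dns")
            deny.add(e["answer"])            # resolved C&C address
        elif e["src"] == "proxy" and e["dst"] in ti_ips:
            hits[h].add("proxy")
            deny.add(e["dst"])
        elif e["src"] == "epp" and e["action"] == "quarantine_failed":
            hits[h].add("epp")
        elif e["src"] == "auth" and e["logon_type"] == 3 and e["result"] == "success":
            lateral[e["user"]].add(h)
    # One corroborating source is only Suspicious; two or more mark a Victim.
    tags = {h: "Victim" if len(s) >= 2 else "Suspicious" for h, s in hits.items()}
    # A Victim whose account then logs on elsewhere becomes the internal Attacker,
    # and each host it reached is flagged Suspicious for the analyst.
    for h in [h for h, t in tags.items() if t == "Victim"]:
        reached = lateral.get(host_user[h], set()) - {h}
        if reached:
            tags[h] = "Attacker"
            for r in reached:
                tags.setdefault(r, "Suspicious")
    return {"tags": tags, "deny": sorted(deny)}

if __name__ == "__main__":
    print(correlate(EVENTS))
```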
