SECURITY SECURITY

Use Advanced Threat Detection to Find the Next Shamoon Attack Before It Finds You

Saudi Arabia was hit with a malware attack in 2012 that targeted business in the Kingdom and damaged more than 30,000 systems. Shamoon, as the attack came to be known, crippled computers by overwriting the master book record and making it so the systems could not boot up. Instead users were greeted with images of a burning US flag. The attack also resurfaced recently and Saudi Arabian authorities have warned that they expect the attacks to continue.

Former U.S. Defense Secretary Leon Panetta said the scale and speed of the attack was “unprecedented” and one of the most destructive on a private business.

So how did such a devastating attack take place? Experts believe Shamoon was initiated by accessing networks using stolen administrator credentials.

Then how can governments and companies defend themselves against malware attacks such as Shamoon and other advanced threats, targeted attacks and other constantly evolving IT security threats?

Security professionals need specialized tools to monitor, analyze and detect threats across the kill chain. Advanced threat detection give insights into what is happening across a network and how best to respond is vital.

These tools can live within an analytics-driven security information and event management (SIEM) solution. A SIEM solution that can adapt to new advanced threats by implementing network security monitoring, endpoint detection, using threat intelligence and behavior analytics in combination with each other to identify and help quarantine new potential threats. Most firewalls and intrusion protection systems can’t provide these capabilities on their own.

For organizations with a healthy security posture, the goal cannot be to only detect threats. They need to have the ability to determine the scope of those threats by identifying where a specific advanced threat may have moved to after being initially detected, how that threat should be contained, and how information should be shared. That type of advanced security analytics could have been a game-changer for the Saudi Arabian companies responding to the initial signs of the Shamoon attack.

Security practitioners can also use the power of data science and machine learning to make their organizations more secure. For example, machine learning can detect anomalies in data to optimize routine SIEM tasks, reduce complexity, speeding up the ability to detect, investigate and respond to real threats and attacks.

There are also threat indicators such as domain names, IPs and hashes that are derived from Facebook’s massive social platform. A modern SIEM should also be able to give organizations insights into the threat activities and threat indicators coming from Facebook.

An analytics-driven SIEM should be able to correlate across different styles of advanced persistent threat defenses.

Do you want to learn more about advanced threat detection and the other essential capabilites needed for a succesful analytics-driven SIEM? Read our white paper on the Six Essential Capabilities of an Analytics-Driven SIEM.

Thanks,

Girish

Girish Bhat
Posted by Girish Bhat

Girish Bhat is the director of security product marketing at Splunk with responsibility for key security solutions, the Splunk CISO customer advisory board and customer use cases.

Previously, Girish held various roles managing authentication, compliance, VPN, advanced threats, DLP, IDS/IPS, mobile, SaaS, IaaS, virtualization and network monitoring solutions.

With more than 15 years of experience with startups and global brands, Girish’s experience includes product marketing, business strategy, strategic analysis, solutions marketing, product management for security, mobile, networking, cloud and software products.

Join the Discussion