An expertise package has been loaded into MaxPatrol SIEM to detect suspicious activity on the network, which is especially important now that users work remotely. The package covers nine anomalies that require prompt investigation.
With companies moving to remote operation, attackers have gained new opportunities to penetrate the local network. To identify illegitimate connections through the company perimeter in good time, Positive Technologies experts have released an expertise package with a set of rules for quickly detecting signs of malicious activity.
Examples of anomalies that MaxPatrol SIEM now detects:
- Tunneled network connections
- Attempts to connect to critical network segments
- Duplicate remote sessions
- Repeated unsuccessful attempts to connect to a host running OpenVPN software
- Repeated unsuccessful attempts to connect to a Cisco ASA firewall
- Enabling an access rule on the local firewall that allows an RDP connection to be established
- An RDP connection from a network node running a Unix-family OS
- Adding a user account to Windows groups that are significant for information security
- A VPN reconnection to a Windows host
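The "repeated unsuccessful attempts" anomalies above (OpenVPN and Cisco ASA) are threshold rules: count failures per source inside a sliding time window and alert when the count crosses a limit. The following is an added illustration of that logic, not Positive Technologies' code or MaxPatrol SIEM rule syntax; the log lines are constructed, the OpenVPN-style message wording is an assumed format, and the threshold and window values are illustrative.

```python
"""Sliding-window detection of repeated failed remote-access logins (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed line layout: "<timestamp> <src_ip>:<port> <message>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ (?P<msg>.*)$"
)
# Substrings treated as a failed connection attempt (assumption, not an exact OpenVPN spec).
FAILURE_MARKERS = ("AUTH_FAILED", "TLS handshake failed")

# Constructed sample log: one source bursts five failures in about a minute,
# another fails twice almost half an hour apart and then connects normally.
SAMPLE_LOG = """\
2024-05-01 09:00:01 203.0.113.7:51000 TLS Error: TLS handshake failed
2024-05-01 09:00:12 203.0.113.7:51001 AUTH_FAILED user=alice
2024-05-01 09:00:25 203.0.113.7:51002 AUTH_FAILED user=alice
2024-05-01 09:00:40 203.0.113.7:51003 AUTH_FAILED user=bob
2024-05-01 09:01:05 203.0.113.7:51004 AUTH_FAILED user=bob
2024-05-01 09:02:00 198.51.100.4:40000 AUTH_FAILED user=carol
2024-05-01 09:30:00 198.51.100.4:40001 AUTH_FAILED user=carol
2024-05-01 09:31:00 198.51.100.4:40002 Peer Connection Initiated
"""


def detect_failed_bursts(log_text, threshold=5, window_seconds=300):
    """Return {src_ip: timestamp_of_first_alert} for every source that produced
    at least `threshold` failures within any `window_seconds` sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not any(marker in m["msg"] for marker in FAILURE_MARKERS):
            continue  # unparsable line or not a failure: ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = m["ts"]  # alert once per source, at the crossing event
    return alerts


if __name__ == "__main__":
    for src, when in detect_failed_bursts(SAMPLE_LOG).items():
        print(f"ALERT: repeated failed VPN logins from {src}, threshold crossed at {when}")
```

With the defaults only 203.0.113.7 is reported; widening the window to an hour and lowering the threshold to 2 also catches the slow second source, which is the tuning trade-off such a rule always carries.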
“Since threats related to the remote mode of operation are relevant for most companies, we decided to help them strengthen the security of the network with the help of our expertise,” comments Mikhail Pomzov, Director of Knowledge Technologies and Expertise Department, Positive Technologies. “An examination package to identify suspicious activity in the network related to the users’ remote work will be replenished weekly, covering more and more possible attacking techniques.”
To set priorities for developing threat detection methods, Positive Technologies runs a dedicated survey of IT and information security specialists. First of all, the experts will develop correlation rules for the most common remote access management systems.
17 expertise packages containing 370 attack detection rules are currently available in MaxPatrol SIEM. The delivery of expertise packages to MaxPatrol SIEM is a regular, automated transfer of knowledge about detecting information security incidents, in the form of algorithms that can detect even complex, atypical attacks. The corresponding sets of rules and recommendations are produced by Positive Technologies experts (R&D and PT Expert Security Center), who continuously analyze current threats, investigate the full attack cycle and develop ways to detect it. These sets are bundled and transferred to the Positive Technologies Knowledge Base (PT KB), which is part of MaxPatrol SIEM. The user can then select the packages of interest in the PT KB interface and apply them within their product installation.