By Oren Koren, Idan Sharabi, Shay Hibah and Dan Zada, Threat Prevention R&D
The analyst holy grail
Analyzing system logs and efficiently identifying top threats to investigate and remediate is a security analyst’s biggest challenges. Most organizations receive malicious files every day. Without advanced protection technology and analytics, the malware will likely breach the organization’s systems and spread through the corporate networks.
Check Point SandBlast Network uses the MITRE ATT&CK framework in multiple ways in the detection and prevention of malware. SandBlast Network shows the techniques used when a malicious file is discovered.
In addition, Check Point inspects each malicious file to determine the relationship between the malware family, its MITRE ATT&CK matrix, and known adversaries.
The figure above shows the three methods Check Point provides to investigate and respond to threats and attacks based on the MITRE ATT&CK framework.
Once the malicious file has been found, Check Point’s engines enrich the logs with details of the attack. Check Point exposes the tactic and techniques used. Customers are also able to search based on specific techniques or tactics.
Check Point SmartView provides a comprehensive view of events logs. In the MITRE ATT&CK dashboard, SmartView displays incidents based on the tactics and techniques used. This enables security analysts to better understand the most common techniques and tactics used to attack their organizations.
Check Point Log Exporter
Check Point Log Exporter provides an easy and secure method to export Check Point logs into SIEM applications. Check Point Log Exporter integrates with Splunk, providing full visibility to live attack statistics using the MITRE ATT&CK framework.
Maximizing your logs
Check Point’s advanced prevention technologies use the MITRE ATT&CK framework in the complete workflow of detection, prevention and response, from file inspection to SOC tools that expose the attack techniques.
Check Point’s soon-to-be-released solution for security operations centers will provide additional tools to enable customers to prevent zero-day attacks and understand the cyberthreat landscape.
We recommend all customers to take the following actions in order to take advantage of the latest Check Point technology:
- Ensure that you are using the latest versions of Check Point SmartLog and SmartView
- Verify that you are on the latest version of the Check Point Security Management suite
- Update your Check Point App for Splunk to receive the latest version and use the new dashboards
Stay tuned for Part 3 of this blog series, where we will discuss how Check Point prevents zero-day attacks using the MITRE ATT&CK framework.