There is a multitude of attack scenarios using malicious software, making it virtually impossible to completely protect any company network from malware.
For example, since the Spectre and Meltdown vulnerabilities became public, attackers have been spreading emails with malware attachments that appear as if they were sent by authorities. The senders claim that the email attachments contained security patches for Spectre and Meltdown. These emails look deceptively real. So no matter how much effort your company puts into educating its employees, someone will open the attachment.
Also, malware scanners or intrusion detection systems may fail to identify newly developed malware. In short, you cannot forever prevent infecting your system.
So what can you do to keep malware from spreading in your network and transmitting sensitive data to the outside?
Using the cognitix Threat Defender, you can implement several strategies to protect your network from harm when individual clients were infected.
Detecting and isolating infected clients
Using the inline real-time correlation of the Threat Defender, you can quickly and automatically detect infected clients, e.g. by counting the IPS hits for all clients in the network. When a certain value is exceeded, the Threat Defender can automatically isolate these clients from the network. Thereby containing the infection and preventing it from spreading to the entire network.
The Threat Defender can also detect other types of suspicious behavior in the network. For example, if a client suddenly starts initiating connections to too many other clients or servers, this may also indicate that this client is infected. In this case, the Threat Defender can also automatically quarantine the client.
Preventing infected clients from distributing spam
Infected clients will try to spread the malware further – in case of spam by sending emails. Using static and dynamic network objects, you can configure the network to only permit a certain group of devices in the network, such as mail servers and dedicated clients, to send emails via mail protocols like SMTP. If any client outside this group tries to spread spam by sending emails via SMTP, the Threat Defender can automatically block these client’s transmissions and isolate it from the remaining network.
Preventing mail servers from spamming
Using inline real-time correlation, you can monitor any mail servers in your network. If a mail server was hijacked to dispense spam, the Threat Defender is able to detect that it is creating too many outgoing SMTP connections in a short time. It automatically blocks this mail server to prevent it from sending any more spam.
While it is technically impossible to keep your network completely free from infections, you can dramatically decrease the time it takes to contain them if you deploy the cognitix Threat Defender. Using inline real-time correlation, it can be configured to automatically detect suspicious behavior. Any affected clients can then be isolated using context and behavior-based rules, preventing the infection from spreading in the network. This means infections are contained in real time without human intervention.