Fighting Cyber Threats With Open-Source Tools and Open Standards


Detecting cyber threats is usually the first critical step in mitigating cyber attacks. Common means to achieve this are rules or analytics that track network and system behavior and raise alerts when potentially malicious activity is identified. Once a potential threat is detected, the staff of the security operations center (SOC) investigates it and, if it is found to be a real risk, responds to, contains and mitigates it. Threat detection is a growing challenge, and one that demands constant attention, since attackers continuously gain expertise and sophistication and threats are ever-changing. Today's detection rules and analytics must therefore adapt dynamically to the threat landscape over time.


New attacks arise daily and most of their damage is achieved in the first few hours before organizations know they have been breached. Additionally, attackers are using sophisticated techniques to avoid existing detection mechanisms by altering their behaviors. With this challenging reality, pulling together the wisdom of the security community and sharing open-source tools, techniques and best practices is a powerful approach for protecting enterprises against cyber threats. This blog describes how IBM is contributing to this community effort.


We begin by describing the use of an event log rule format that’s an open-source standard and is applicable to any type of log file.


Sigma for Log Events Opens the Doorway


Sigma is a generic and open signature format for log events. It enables the development of shareable detection methods across various SIEMs. As stated on the project’s website: “Sigma is for log files what Snort is for network traffic and YARA ..
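To make the "generic signature format" concrete, here is an added example (not from the original post and not the Sigma project's own code) of a minimal matcher for the core of a Sigma rule: named selections, field modifiers such as `|contains` and `|endswith`, and a `condition` that combines them. The rule and the three log events are constructed for this illustration and written as Python dicts mirroring the YAML layout so no YAML library is needed.

```python
from fnmatch import fnmatchcase

# Constructed Sigma-style rule, laid out like the YAML of a real rule.
RULE = {
    "title": "PowerShell launched with an encoded command",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process-creation events (field names follow Sigma's conventions).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64-placeholder>",
     "ParentImage": "C:\\Windows\\explorer.exe"},   # excluded by the filter
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def _value_matches(actual, expected, modifier):
    """Sigma string matching is case-insensitive; plain values allow * and ? wildcards."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return fnmatchcase(a, e)

def _selection_matches(event, selection):
    """Every field in a selection must match; a list of values for one field is OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event.get(field), v, modifier) for v in values):
            return False
    return True

def rule_matches(rule, event):
    """Evaluate the rule's condition (space-separated tokens) against one event."""
    det = rule["detection"]
    results = {n: _selection_matches(event, s) for n, s in det.items() if n != "condition"}
    tokens = det["condition"].split()
    if any(t not in results and t not in {"and", "or", "not", "(", ")"} for t in tokens):
        raise ValueError("unsupported condition token")
    # Only True/False and boolean operators reach eval after the check above.
    return eval(" ".join(str(results[t]) if t in results else t for t in tokens))
```

Running `rule_matches(RULE, e)` over `EVENTS` flags only the first event: the second is suppressed by the `filter` selection and the third never satisfies `selection`.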
