Channel: Seculert Blog on Breach Detection » SWG

Compare Incidents, New Information in the API [Product Update]


Compare Incidents between Seculert and your SWG

Seculert has always been designed to detect malicious incidents triggered by malware that has bypassed the Secure Web Gateway (SWG) and/or firewall. Now you can learn more about these incidents by reviewing the SWG Action Value in the SWG Log, which shows what the SWG decided to do with each request. In the SWG log entry for an HTTP request you may find several different values that represent a decision to allow or to block; the exact values depend on which product you use, e.g. Blue Coat, Websense, Cisco WSA, and so on.

There are three types of incidents:

  1. Allowed: Incidents where the SWG has allowed callbacks from the infected device to a command and control host (C&C).
  2. Detected and Blocked: Incidents where the SWG detected and blocked all callbacks. Note: There is no label for these in the Grid View.
  3. Blocked after X days: Incidents that were blocked by the SWG only after malicious communication had already taken place.

Ultimately, this information allows you to compare what Seculert is reporting with what the SWG “knows” and is doing based on that information.
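As an added example (not Seculert's code or API), the three incident types can be derived from an SWG log by correlating the allow/block action values per reported C&C host; the action strings, log format, hosts and timestamps below are constructed assumptions, not any vendor's documented values:

```python
from collections import defaultdict
from datetime import datetime

# Constructed mapping from vendor-specific SWG action strings to allow/block. Real
# values differ per product (Blue Coat, Websense, Cisco WSA); these are assumptions.
ACTION_MAP = {
    "TCP_MISS": "allow", "TCP_HIT": "allow", "OBSERVED": "allow",
    "TCP_DENIED": "block", "BLOCK_WBRS": "block", "DENIED": "block",
}
# Constructed sample log: "<ISO timestamp> <source IP> <destination host> <action>".
SAMPLE_LOG = [
    "2013-05-01T09:00:00 10.0.0.5 cnc-a.example TCP_MISS",
    "2013-05-03T11:30:00 10.0.0.5 cnc-a.example TCP_MISS",
    "2013-05-04T09:30:00 10.0.0.5 cnc-a.example TCP_DENIED",  # blocked 3 days after first callback
    "2013-05-02T10:00:00 10.0.0.7 cnc-b.example TCP_DENIED",
    "2013-05-02T10:05:00 10.0.0.7 cnc-b.example BLOCK_WBRS",  # every callback blocked
    "2013-05-02T12:00:00 10.0.0.9 cnc-c.example OBSERVED",    # still allowed
    "2013-05-02T12:00:00 10.0.0.9 www.example TCP_MISS",      # not a C&C host, ignored
]
# Constructed set of C&C hosts, standing in for the hosts Seculert reported.
CNC_HOSTS = {"cnc-a.example", "cnc-b.example", "cnc-c.example"}

def parse_log(lines):
    """Parse log lines into (timestamp, source, host, verdict); reject unknown actions."""
    records = []
    for line in lines:
        ts, src, host, action = line.split()
        verdict = ACTION_MAP.get(action.upper())
        if verdict is None:
            raise ValueError(f"unknown SWG action value: {action}")
        records.append((datetime.fromisoformat(ts), src, host, verdict))
    return records

def classify_incidents(records, cnc_hosts):
    """Label each C&C host as Allowed, Detected and Blocked, or Blocked after X days."""
    events = defaultdict(list)
    for ts, _src, host, verdict in sorted(records):  # chronological order per host
        if host in cnc_hosts:
            events[host].append((ts, verdict))
    labels = {}
    for host, evs in events.items():
        allowed = [ts for ts, v in evs if v == "allow"]
        later_blocks = [ts for ts, v in evs if v == "block" and allowed and ts > allowed[0]]
        if not allowed:  # the SWG blocked every callback
            labels[host] = "Detected and Blocked"
        elif not later_blocks:  # callbacks are still getting through
            labels[host] = "Allowed"
        else:  # blocked only after malicious traffic had already occurred
            labels[host] = f"Blocked after {(later_blocks[0] - allowed[0]).days} days"
    return labels
```

A host that was blocked first and allowed later is labelled Allowed, since callbacks are currently reaching the C&C.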

Figure 1: Grid View of “Allowed” Incidents

In the Grid View, you can filter incidents by the type of breach using a drop-down menu. If you would like to filter the incidents by a specific value as reported in the SWG log action field, choose “Custom” in the “Type” drop-down menu.

The SWG action is also provided in the “Forensics” tab of Incident Details.

Figure 2: Incident Details View of “Allowed” Incident

New Information in the API

Seculert now adds information to the “ResultIncidents” and “ResultRecords” API methods to indicate the SWG Log Action.

Figure 3: New Fields in API

The post Compare Incidents, New Information in the API [Product Update] appeared first on Seculert Blog on Breach Detection.
