
SOC/CERT: which tool to deploy to automate malware detection?

With the recent boom in the digitalization of systems, cyber-attacks are becoming more and more common, much to the annoyance of organisations that need to protect themselves against them. Indeed, according to Cisco CEO John Chambers, there are two kinds of companies: those that have been hacked and those that don't know it yet. Fortunately, SOCs (Security Operations Centers) and CERTs (Computer Emergency Response Teams) work together to keep the information systems infrastructure under control 24/7.

Despite their efficiency, many SOCs face a large volume of data. Sometimes analysts are forced to pause all their other activities to handle a detected cyber-attack manually, which takes time. This is where technology can be highly beneficial: what are the most effective tools on the market to detect malware automatically?

SOC/CERT: complementary roles in malware detection

What is the role of a SOC/CERT in the company?

A Security Operations Centre, or SOC, ensures information security through technical risk prevention, monitoring and analysis. In other words, in the event of a system intrusion (or any other cybersecurity incident), the SOC assesses the level of risk, anticipates further incidents and works to eliminate the threat. Typically, a SOC consists of specialised analysts and engineers.

As a complement to a SOC, a CERT brings together a team of information security experts who intervene in the event of an IT emergency. The CERT thus ensures the protection, detection, and response to cybersecurity incidents to resolve them as quickly as possible. CERTs also conduct ongoing public awareness campaigns and research to improve security systems.

Therefore, the role of a SOC is to anticipate and identify the threat, and that of a CERT is to react. Both centres work together to prevent, detect, and react to cyber-attacks.

Malware detection: how do SOC/CERTs respond?

As a first step, organizations (companies or regional centres) need to assemble a competent team of experts adapted to their business and risk level and equip themselves with the adequate technological tools to identify, analyze, and understand threats and incidents.

Then, in the event of a detected anomaly or proven cyber-attack, the procedure is generally as follows. The SOC identifies an ongoing incident, whether by monitoring security-related events or by any other technical or organizational means, collects all the relevant data and forwards the information to the CERT. The CERT carries out an in-depth technical investigation to assess the nature, root cause and extent of the problem and draws up guidelines to resolve it. Internal or external forensics and incident response teams may then follow up the handling of the incident, while the SOC performs continued targeted monitoring.

In this context, systematic and continuous training of the teams on the use of tools and methodologies is essential to build and maintain an effective cybersecurity capability in the organization.

How to automatically detect malware in companies?

To prevent and detect cyber-attacks, various technological tools are available to organisations. Among the most used are:

  • Anti-virus software
  • Endpoint Detection and Response (EDR) software
  • Firewalls and application proxies
  • Security Information and Event Management (SIEM) systems
  • Threat Intelligence data feeds

Additionally, companies can have ad-hoc software and systems developed to address security threats specific to their business or market segment. These systems collect, analyze, and manage information in real-time. Intuitively, it is clear that the use of technological solutions can boost the data analysis capacity of a team. On the other hand, the following points should be kept in mind:

  • The processes must be tuned and the tools configured to analyze data for specific use cases. For example, the depth and comprehensiveness of analysis to apply will not be the same for high-volume email filtering as for in-depth malware hunting during a suspected targeted attack. Multiple trade-offs must be considered and re-evaluated periodically.
  • When processing large amounts of data, the rate of false positives and false negatives can have a significant impact on the overall effectiveness and efficiency of the security organization. Too many false positives (detecting a threat where there isn't one) erode the confidence of the team and overload it with meaningless work, while false negatives (not detecting a real threat) can escalate very quickly into data breaches and compromise the organization's assets. Finding the right balance of sensitivity and specificity for the organization's malware detection systems is key to success.


To limit the errors linked to the automation of malware detection, the SOC must be aware of the overall performance of the system and able to re-configure it and fine-tune individual components to meet its specific needs and operational environment. It could, for example, adapt the overall detection threshold according to the perceived level of risk or a quantitative performance indicator.
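As an added illustration of the sensitivity/specificity trade-off described above (example code, not from the article or from any vendor product), the following Python snippet takes constructed detector verdicts and picks a detection threshold either from a false-positive budget, suited to high-volume filtering, or from a miss budget, suited to targeted hunting. All scores and labels are constructed, and `evaluate` and `choose_threshold` are hypothetical helper names.

```python
"""Threshold tuning for an automated malware detector (added example)."""
from dataclasses import dataclass

# Constructed data: (detector score in [0, 1], ground truth is_malicious).
SAMPLES = [
    (0.05, False), (0.12, False), (0.20, False), (0.33, False), (0.41, False),
    (0.48, False), (0.55, False), (0.62, False), (0.71, False), (0.83, False),
    (0.38, True), (0.52, True), (0.66, True), (0.74, True), (0.81, True),
    (0.88, True), (0.93, True), (0.97, True),
]


@dataclass(frozen=True)
class Metrics:
    threshold: float
    sensitivity: float   # true positive rate: malware caught / all malware
    specificity: float   # true negative rate: benign passed / all benign
    false_positives: int
    false_negatives: int


def evaluate(samples, threshold):
    """Classify score >= threshold as malicious and count the four outcomes."""
    tp = sum(1 for s, mal in samples if mal and s >= threshold)
    fn = sum(1 for s, mal in samples if mal and s < threshold)
    fp = sum(1 for s, mal in samples if not mal and s >= threshold)
    tn = sum(1 for s, mal in samples if not mal and s < threshold)
    return Metrics(threshold, tp / (tp + fn), tn / (tn + fp), fp, fn)


def choose_threshold(samples, min_specificity=None, min_sensitivity=None):
    """Pick the operating threshold for one of two profiles.

    High-volume filtering (e.g. a mail gateway): cap false positives by
    requiring min_specificity, then take the LOWEST threshold that meets it,
    so as much malware as the FP budget allows is still caught.
    Targeted hunting: require min_sensitivity, then take the HIGHEST
    threshold that still meets it, so analyst noise is as low as the
    miss budget allows.
    """
    candidates = sorted({s for s, _ in samples})
    if min_specificity is not None:
        for t in candidates:            # ascending: first acceptable FP rate
            m = evaluate(samples, t)
            if m.specificity >= min_specificity:
                return m
    if min_sensitivity is not None:
        for t in reversed(candidates):  # descending: highest still catching enough
            m = evaluate(samples, t)
            if m.sensitivity >= min_sensitivity:
                return m
    raise ValueError("no threshold satisfies the requested profile")
```

With this data, a 90% specificity budget yields a threshold of 0.74 (one false positive, three misses), whereas demanding 100% sensitivity for hunting drops the threshold to 0.38 and flags six benign files for review.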

SOC/CERT: what criteria should you consider when choosing your malware detection system?

When selecting a tool for detecting malware and other threats, consider the following:

  1. Effectiveness: what level of performance is expected? It's essential to identify the level of risk that a cyber-attack poses to your business in order to determine the level of detection you need.
  2. Scalability: can the system grow with the company? Is a fixed or a scalable system needed? Answering this requires carrying out tests.
  3. Flexibility: is the solution on-premises or hosted in the cloud? Can it be accessed from multiple devices wherever the team is? For example, a cloud tool delivered in SaaS mode can be more flexible and more easily updated.

QFlow: a flexible and customizable malware detection solution

Using an efficient, scalable, and flexible solution is crucial to strengthen defense against malware and streamline the operations of a SOC/CERT. QFlow allows for in-depth analysis of each file to track down malware automatically. And in the event of a cyber-attack, it analyzes a substantial volume of suspicious data.

QFlow offers the following benefits:

  • Improved detection levels to identify any vulnerabilities and ease of analysis thanks to automation and pre-defined workflows;
  • Teams perform routine tasks efficiently and can focus on critical threats;
  • Diverse detection tools that can be further extended and customized by customers through an integrated repository;
  • Flexible deployment models, be it public or private cloud or an organization's internal data center.

QFlow enables your SOC/CERT teams to reprioritize threats and alerts, optimize the level of malware detection and protect against a wide range of cyber-attacks.

Webinar replay: Elevating Malware Detection: Key Use Cases for SOCs and CERTs