Cyber Attack View formal release for R80.10 & R80....

Oren_Koren · ‎2018-09-06

Hey,

Few months ago, we started to work the new dashboard for Threat Prevention Investigation methods.

You can find the first post in here: https://community.checkpoint.com/community/management/visibility-monitoring/blog/2018/04/04/threat-p...

I am happy to announce that we formally released the version for R80.10 & R80.20 under the following SK - sk134634

This dashboard is allowing you to locate the cyber threat you need to address to based on attack vector and in a very fast way. our EA customers were able to locate threats on/in their network in a very fast way and without the need to query on their logs as the first action.

we improved the queries also based on the community inputs and we are looking for more improvements and inputs from the community. if you have any inputs related to the dashboard please contact me directly - Orenkor@checkpoint.com

Thanks,

Oren

examples for all of the pages in the dashboard.

Main page

Infected Hosts

Reconnaissance action on your network

Different delivery methods

Host exploit

Malicious Websites

Evgeniy_Olkov · ‎2018-09-07

Hello. You did great job!

I have one suggestion. It will be really cool if you add one more widget - The Map of Attackers. Something like this^

It will help to create a Geo Pollicy.

Oren_Koren · ‎2018-09-07

created basic one - something like that?

what should be the order and data that needed to be presented from you POV?

if you have use-cases, it will be the best (something like 'as an admin, i want to find/someone called me with a problem or need and i want to ********** and based on that do *******'

jpuerta · ‎2020-07-31

Could you please send me the template?

Evgeniy_Olkov · ‎2018-09-07

Yes, this screenshot looks good. The main goal is to find what countries is attacking you. Maybe from this screen you will see a lot of attacks from Bangladesh or Kongo. After that you can create Geo pollicy and block all malicious traffic.

Oren_Koren · ‎2018-09-07

is that a view that related to threat prevention only? based on my work in SOC operations, they are working on top sources and destination and asking more questions:

Top sources for traffic usage
Top destinations (my organization) connection rate
Top source Attack countries (where the attacker is located)
Top attacked countries (where the customer is located)

based on your experience, we should connect it to Threat Prevention events or have a higher look on it? (access, Threat, VPN, etc...)?

Thanks,

Oren

Evgeniy_Olkov · ‎2018-09-07

I can't speak for everyone. But I think if we talk about 'cyber threat view', the only information we need is the map between security events and the country of its originate. After that we can start our investigation.
But it's only my opinion.

Oren_Koren · ‎2018-09-07

so something more like that?

focus on threat but also presents the amount of logs and bandwidth

Evgeniy_Olkov · ‎2018-09-07

I like more your first screenshot. It's about security events

Oren_Koren · ‎2018-09-07

o.k

i will see how we can integrate the GEO view.

Thanks for the feedback!

Oren

D_W · ‎2018-11-26

Very useful this new View!

One question about the "Hosts accessed malicious websites" that is stated in the field "Attacks Allowed By Policy".

I see there always our internal DNS servers that tries name resolutions for phishing/infected websites. The protection "DNS Reputation" successfully blocks this -> OK. Why is that in this field "Attacks Allowed By Policy" when the DNS Reputation blocks it?

Yonathan_Grunew · ‎2019-02-05

great job!

we've been using it for a long time and it's nice to see this becoming official GA!

keep up the good work!

Are you a member of CheckMates?

Cyber Attack View formal release for R80.10 & R80.20