
Harness the Power of SIEM

Harness the Power of SIEM (PDF, 2.59MB)
Published: 06 Oct, 2009
Created by: Dereck Haye

Having problems with the Conficker worm? The security community has witnessed firsthand a worm which, at the height of its reach, could have assimilated around 9 million or more hosts across the internet (F-Secure, 2009a). This is a staggering number which, when published, indicated the seriousness of the situation and prompted security teams to verify activity in their own environments. This whitepaper is designed as a guide through the process of defining the metrics needed to accurately detect the Conficker worm. In addition, this paper demonstrates how to use those metrics in a SIEM architecture for detection purposes. Security researchers and vendors have released guidelines and articles covering the Conficker worm and the various ways in which it infects machines. Here the goal is to show how it is possible to take those individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities. This provides a powerful tool for defending an environment against Conficker and other fast-spreading worms.