Threat hunting, suspicious activity monitoring, and malware family detection.
Qualys IOC expands the capabilities of the Qualys Cloud Platform to deliver threat hunting, detect suspicious activity, and confirm the presence of known and unknown malware on devices both on and off the network.
"Threat hunting relies on both advanced threat knowledge and deep knowledge of the organization's IT environment, which will also benefit the organization itself in learning more about its IT environment and finding the places where attackers can hide."
Anton Chuvakin, Research Vice President & Distinguished Analyst, Gartner
From Qualys IOC’s single console, you can monitor current and historical system activity for all on-premises servers, user endpoints, and cloud instances — even for assets that are currently offline or have been re-imaged by IT.
Qualys IOC uses the Cloud Agent to capture endpoint activity on files, processes, mutant handles (mutexes), registry keys, and network connections, and uploads the data to the Qualys Cloud Platform for storage, processing, and query. Specific event details include:
Cloud Agent delta processing sends only changed events from the asset to the Qualys platform for storage, processing, and searching. Performance tuning of CPU and network utilization allows IOC to run on resource-constrained systems such as fixed-function devices, user endpoints, cloud instances, and virtual machines.
Security analysts use the web interface for offline search, hunting, and investigations, and use the visual interfaces to easily find outliers, create dashboards, and perform ad hoc querying by pivot searching across billions of events.
Qualys IOC offers multiple pre-defined threat hunting widgets for critical Advanced Persistent Threats (APTs), CERT security advisories, and identifying suspicious process usage that can be indicative of non-malware attacks, including:
Easily verify threat intelligence reports by quickly determining whether file hashes, processes, mutexes, and registry keys exist in your network. Qualys IOC time-series data search results display indicators that are currently running as well as those that executed in the network previously but are no longer present.
Users can add their own indicators of compromise, including file hashes, process names, mutexes, IPs, and domain names, as well as define comprehensive search logic for suspicious behaviors. Examples include:
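The presence check described in the two passages above (user-defined indicators matched against time-series endpoint events, reported as currently present or previously present), as an added illustration written for this page and not Qualys code: the event schema, the indicator values and the two hosts are all constructed placeholders.

```python
"""Added example (not Qualys code): match user-defined indicators against a
constructed stream of delta endpoint events and report, per indicator, which
hosts currently show it and which hosts showed it earlier but no longer do."""
from collections import defaultdict

# Constructed sample indicators; the hash is a placeholder, not a real IoC.
INDICATORS = {
    "file_hash": {"0" * 64},              # hypothetical SHA-256 placeholder
    "process": {"badsvc.exe"},            # hypothetical process name
    "mutex": {"Global\\ExampleMutex"},    # hypothetical mutex name
    "domain": {"example-c2.invalid"},     # reserved TLD, never resolves
}

# Constructed delta events: one record per change, as a delta-only agent would send.
EVENTS = [
    {"ts": 1, "host": "host-a", "kind": "process", "value": "badsvc.exe", "action": "start"},
    {"ts": 2, "host": "host-a", "kind": "mutex", "value": "Global\\ExampleMutex", "action": "create"},
    {"ts": 3, "host": "host-a", "kind": "domain", "value": "example-c2.invalid", "action": "connect"},
    {"ts": 4, "host": "host-b", "kind": "file_hash", "value": "0" * 64, "action": "create"},
    {"ts": 5, "host": "host-b", "kind": "file_hash", "value": "0" * 64, "action": "delete"},
    {"ts": 6, "host": "host-a", "kind": "process", "value": "badsvc.exe", "action": "stop"},
]

# Actions that end an artifact's presence on a host (assumed vocabulary).
ENDING = {"stop", "delete", "close", "disconnect"}


def hunt(events, indicators):
    """Return {(kind, value): {"current": set(hosts), "historical": set(hosts)}}.

    Because only deltas arrive, the latest action per (indicator, host) decides
    whether the artifact is still present: a non-ending action means it is
    current; an ending action means it was seen before but is gone now.
    """
    latest = {}  # (kind, value, host) -> last action seen in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["value"] in indicators.get(ev["kind"], ()):
            latest[(ev["kind"], ev["value"], ev["host"])] = ev["action"]
    result = defaultdict(lambda: {"current": set(), "historical": set()})
    for (kind, value, host), action in latest.items():
        bucket = "historical" if action in ENDING else "current"
        result[(kind, value)][bucket].add(host)
    return dict(result)


if __name__ == "__main__":
    for (kind, value), hosts in hunt(EVENTS, INDICATORS).items():
        print(f"{kind}={value}: current={sorted(hosts['current'])} "
              f"historical={sorted(hosts['historical'])}")
```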
Qualys Malware Labs continuously publishes new behavior models in OpenIOC format to the platform; these are matched against new and previously collected events to find enterprise-targeted malware family variants without using signatures.
Most malware innovation focuses on creating new variants of existing malware families to evade detection by signature-based systems; detecting such variants is a standard capability of the Qualys IOC application.
Automatically detect new malware family variants as new behavior models are published to the Qualys platform by the Malware Labs team.
Augment existing endpoint security by detecting malware family variants that traditional approaches have missed.
Distinguish first-stage malware droppers that were prevented from executing from persistent, running malware that is actively communicating outside the network.
Pivot to display system events occurring just before the malware infection (process execution, new files, new registry keys) to identify new exploit vectors and new infection techniques.
Correlate malware infections with Qualys Threat Protection vulnerability exploit intelligence to determine whether targeted attacks against your enterprise are succeeding.