Zerotect observes various system events (such as segmentation faults, core dumps, application crashes, etc.) and interprets them in a structured format and emits them to ArcSight for analysis. ArcSight’s powerful data analysis capabilities then enable detection of a live zero-day attack by correlating elements of Zerotect events.
Memory-based fileless attacks usually take a few attempts to get right. When some of these attempts fail, they produce side-effects in the form of crashes and faults. These “faults” logs are not structured and are usually split across multiple entries in the kernel log buffer. Zerotect reinterprets these unstructured and separate events into one unified entry in the Common Event Format (CEF).
Once ArcSight consumes these events, they reveal interesting patterns that can confirm a live zero-day attack in progress. ArcSight provides the analytics, graphing and monitoring tool at scale so that security teams are able to further drill deeper into what processes were attacked, what pattern the attacker is following and so forth. ArcSight and Zerotect enable a new class of zero-day detection by enterprises and SOCs improving their security posture and situational awareness.
Linux (any distribution, any kernel version)
Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.
This guide provides information for configuring the Polyverse Zerotect integration for ArcSight ESM.
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox