Outbreak Monitoring Dashboard

Version 2

    Monitoring the Outbreak Dashboard

    pic1.png

    The Outbreak Monitoring dashboard provides a means to identify infected machines and viruses that are not being detected.  It is broken into two rows: threats along the top, systems along the bottom.  Both rows provide insight into outbreaks.  First, review the list of threats detected within the past 4 hours along the top row.  Then compare those threat names with the threats detected in the last 4-8 hours and 8-24 hours.  If the same threat name appears in all three categories, it can be identified as a threat your organization is currently facing.  The larger the detection counts, the larger the outbreak.

     

    In the following screenshot, Generic!atr needs to be investigated because the counts are over 300 and it is an ongoing detection.  Figure out what this threat is, how it spreads, and whether or not measures need to be taken to stop it.

    pic2.png

    However, we are still missing how many systems are affected and which ones.  This is where the bottom portion of the Outbreak Monitor comes into play.  First, review the list of infected systems detected within the past 4 hours.  Then compare those system names with the ones infected in the last 4-8 hours and 8-24 hours.  If the same system name appears in all three categories, it can be identified as a system that poses an ongoing threat to your organization.  Again, the larger the detection counts, the larger the threat.

     

    The following screenshot shows the same detections as above, but listed per system.  Here, we can see that four different systems are detecting Generic!atr and that the large detection counts are caused by one system in particular.  Based on this data, the threat is less severe than it first appeared, but it is not to be ignored.  Addressing this one system would be the best action.

    pic3.png
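The two comparisons described above (threat names across the three time windows, then the same threat broken down per system) can be expressed as a small triage script. This is an added example, not part of the dashboard or its vendor's code; the system names, the "Sample!xyz" threat name and the event timestamps are constructed sample data, and the 0-4h / 4-8h / 8-24h windows are taken from the text.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample data (not from a real console): fixed "now" and (timestamp, system, threat) events.
NOW = datetime(2024, 1, 1, 12, 0, 0)
def ago(hours): return NOW - timedelta(hours=hours)
EVENTS = (
    [(ago(1), "WS-017", "Generic!atr")] * 20      # one host keeps re-detecting the same threat
    + [(ago(6), "WS-017", "Generic!atr")] * 15
    + [(ago(12), "WS-017", "Generic!atr")] * 10
    + [(ago(2), "WS-003", "Generic!atr"),          # three other hosts, one hit each
       (ago(5), "WS-008", "Generic!atr"),
       (ago(20), "WS-011", "Generic!atr")]
    + [(ago(3), "WS-003", "Sample!xyz")] * 2       # placeholder threat name: a one-off detection
)
# The dashboard's three look-back windows, in hours before NOW.
WINDOWS = {"0-4h": (0, 4), "4-8h": (4, 8), "8-24h": (8, 24)}

def bucket(events, now=NOW):
    """Group (system, threat) pairs into the three windows; events older than 24h are dropped."""
    buckets = {name: [] for name in WINDOWS}
    for ts, system, threat in events:
        age_h = (now - ts).total_seconds() / 3600
        for name, (lo, hi) in WINDOWS.items():
            if lo <= age_h < hi:
                buckets[name].append((system, threat))
    return buckets

def ongoing(buckets, key):
    """The 'same name in all three columns' rule: names (key 'threat' or 'system')
    present in every window, with their total detection counts."""
    idx = 1 if key == "threat" else 0
    present = set.intersection(*(set(e[idx] for e in evs) for evs in buckets.values()))
    return dict(Counter(e[idx] for evs in buckets.values() for e in evs if e[idx] in present))

def per_system(buckets, threat):
    """Bottom-row view: how one threat's detections are spread across systems."""
    return dict(Counter(s for evs in buckets.values() for s, t in evs if t == threat))

def dominant_system(spread):
    """(system, share) for the host carrying most of a threat's detections, so an
    apparent outbreak that is really one noisy host can be recognised."""
    system, hits = max(spread.items(), key=lambda kv: kv[1])
    return system, hits / sum(spread.values())

if __name__ == "__main__":
    b = bucket(EVENTS)
    for threat in ongoing(b, "threat"):
        spread = per_system(b, threat)
        host, share = dominant_system(spread)
        print(f"{threat}: {len(spread)} systems, {host} accounts for {share:.0%}")
```

With the constructed events, Generic!atr is the only name present in all three windows, it is spread over four systems, and one host accounts for the bulk of the count, which is the situation the screenshots describe.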

    If threats keep being detected on the same system, it indicates that the system may be compromised or running an undetected threat, especially if the same threat is repeatedly cleaned.  These systems should be disconnected from the network and investigated.  They may need to be completely rebuilt.