Assessing Impact and Responding to IOCs

After obtaining properly formatted IOC files from a trusted external source (a security forum or other Deep Discovery Virtual Analyzer product), import the file to Control Manager to determine if the threat exists within your network and take mitigation steps to prevent the spread of the threat to other endpoints.

Important:
  • Impact assessment of external IOC data requires that Endpoint Sensor 1.5 (or later) is registered to Control Manager and installed on the target endpoints.

  • Endpoint isolation requires that you install OfficeScan 11.0 SP1 (or later) agents with the OfficeScan firewall enabled on the target endpoints.

  1. Go to Administration > Indicators of Compromise.

    The Indicators of Compromise (IOCs) screen appears.

  2. Click Add.
  3. Select the IOC file you want to use as the source of your investigation.
  4. Click Upload.

    A screen appears listing the supported indicators contained within the file.

  5. To start an investigation, select the IOC file from the list and click Assess Impact.

    The Investigate Now screen appears.

  6. From the Target endpoints drop-down, select All, or Specific and type the endpoint names or IP addresses to investigate.

    Use a new line to add multiple endpoint names or IP addresses.

  7. Click Investigate Now.
    Note:

    Performing an investigation may take some time to complete. Monitor the investigation progress in the Progress column.

  8. After the assessment completes, click the number in the At Risk column to view more details or take action on affected endpoints.
    Note:

    The Pending/With Issues column displays the number of endpoints on which the assessment has not yet completed. For example, the assessment cannot start on an endpoint until the endpoint reconnects to the network.

    The Indicators of Compromise > At Risk Endpoints screen appears.

  9. To prevent the spread of suspicious objects across your network, click Isolate in the Action column to stop network traffic on the affected endpoints.
    Important:

    Endpoint isolation requires that you install OfficeScan 11.0 SP1 (or later) agents with the OfficeScan firewall enabled on the target endpoints.

  10. Optionally, click Modify Allowed Traffic to configure the inbound and outbound traffic that remains allowed on all isolated endpoints.
    1. Select Control traffic on isolated endpoints.
    2. Expand the Inbound Traffic or Outbound Traffic sections.
    3. Define each allowed traffic entry by specifying the Protocol, IP Address, and Destination Port.

      Separate multiple destination ports using commas.

    4. Add further inbound and outbound entries by clicking the add control to the right of the Destination Port field.
    Note:

    After modifying the allowed traffic settings, all previously isolated endpoints and any endpoints isolated later apply the inbound and outbound traffic settings.
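The allowed-traffic settings in step 10 amount to an allow-list keyed on direction, protocol, remote address and destination port, enforced on every isolated endpoint, including endpoints isolated after the settings were changed. The Python model below is an added illustration of that behaviour and is not Control Manager's or OfficeScan's own code. It assumes that Protocol is TCP or UDP, that the IP Address field accepts a single address or a CIDR range, and that for inbound entries the Destination Port is the port on the isolated endpoint itself; the endpoint names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of one "allowed traffic" entry (Protocol, IP Address,
# Destination Port) in either the Inbound Traffic or Outbound Traffic section.
@dataclass(frozen=True)
class AllowedTrafficRule:
    direction: str                      # "inbound" or "outbound"
    protocol: str                       # "TCP" or "UDP" (assumed set)
    network: ipaddress.IPv4Network      # remote address or CIDR range (assumed)
    destination_ports: frozenset        # parsed from the comma-separated field


def parse_ports(text):
    """Parse the comma-separated Destination Port field into a port set."""
    ports = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        port = int(part)                # non-numeric input raises ValueError
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    if not ports:
        raise ValueError("at least one destination port is required")
    return frozenset(ports)


def is_valid_ports(text):
    """True if the Destination Port field would be accepted by parse_ports."""
    try:
        parse_ports(text)
        return True
    except ValueError:
        return False


def make_rule(direction, protocol, ip_address, ports_text):
    """Validate the three fields of one entry and build a rule from them."""
    direction = direction.lower()
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction}")
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol: {protocol}")
    # strict=False lets a bare host address through as a /32 network
    network = ipaddress.ip_network(ip_address, strict=False)
    return AllowedTrafficRule(direction, protocol, network, parse_ports(ports_text))


class IsolationPolicy:
    """Allow-list applied to every isolated endpoint, current and future."""

    def __init__(self, control_traffic=False):
        # "Control traffic on isolated endpoints" unchecked: isolation blocks all traffic
        self.control_traffic = control_traffic
        self.rules = []
        self.isolated = set()

    def add_rule(self, rule):
        self.rules.append(rule)

    def isolate(self, endpoint):
        # Endpoints isolated later inherit the same rules; nothing is copied per host
        self.isolated.add(endpoint)

    def is_allowed(self, endpoint, direction, protocol, remote_ip, dest_port):
        if endpoint not in self.isolated:
            return True                  # policy applies only to isolated endpoints
        if not self.control_traffic:
            return False                 # isolation without an allow-list: block all
        addr = ipaddress.ip_address(remote_ip)
        return any(
            r.direction == direction.lower()
            and r.protocol == protocol.upper()
            and addr in r.network
            and dest_port in r.destination_ports
            for r in self.rules
        )


def build_example_policy(control_traffic=True):
    """Constructed sample: keep the management server and an IR jump host reachable."""
    policy = IsolationPolicy(control_traffic=control_traffic)
    # outbound to the (constructed) management server on 443 and 8443
    policy.add_rule(make_rule("outbound", "tcp", "10.0.0.5", "443, 8443"))
    # inbound RDP from the (constructed) incident-response subnet
    policy.add_rule(make_rule("inbound", "tcp", "10.0.0.0/24", "3389"))
    policy.isolate("host-a")
    policy.isolate("host-b")
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    print("host-a -> 10.0.0.5:443/tcp allowed:",
          policy.is_allowed("host-a", "outbound", "tcp", "10.0.0.5", 443))
    print("host-a -> 10.0.0.5:80/tcp allowed:",
          policy.is_allowed("host-a", "outbound", "tcp", "10.0.0.5", 80))
```

The model makes two consequences of the settings explicit: an endpoint that is isolated after the rules were configured (`isolate("host-c")` on an existing policy) is evaluated against exactly the same allow-list, and with Control traffic on isolated endpoints left unselected every connection on an isolated endpoint is denied regardless of what the entries say.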