Fraunhofer-Gesellschaft
2014
Conference Paper
Title

Use of generic security event data for specific threat monitoring

Abstract
Interconnected networks face a broad variety of threats, some - especially when targeting valuable enterprise networks - highly specialized and sophisticated. To counter those threats, enterprise network operators rely on security equipment to monitor network traffic for anomalies that may indicate attacks or other security violations. However, as new kinds of threats emerge continuously, keeping the network's line of defense up to date requires increasing amounts of both technical and human resources, as these new threats often defy existing monitoring capabilities. In this paper, we present our approach for distributed and cooperative threat monitoring based on monitoring equipment available in corporate networks, with detection capabilities far beyond the scopes of the utilized monitoring equipment. We discuss the suitability of our approach even for the detection of fast-evolving threats and how the seamless integration into and a more efficient use of existing security infrastructures helps increase the protection level at low operational costs.
Author(s)
Elsner, T.
Meier, M.
Mainwork
9th Future Security 2014. Security Research Conference  
Conference
Security Research Conference "Future Security" 2014  
Language
English
Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie FKIE  