Positive Technologies: 100 percent of MaxPatrol SIEM pilot projects found actual security incidents

Positive Technologies (PT) analyzed data from 23 projects involving MaxPatrol SIEM¹, and detected security events that indicate potential cyberattacks, malware infections, violations of security policies, and anomalous user behavior.

The new report includes results from pilot projects in the second half of 2019 and early 2020 at industrial and energy companies (31%), government entities (26%), and financial institutions (18%)². The most frequently detected incidents were attempts to brute-force credentials (found in 61% of pilot projects), malware not deleted by other security software (26%), and authentication with a single account on multiple workstations (22%).

Positive Technologies frequently identifies traces of prior cyberattacks during penetration testing of client infrastructure. In these cases, one of two things is true: either the attack went unnoticed entirely, or the incident investigation did not detect all compromised hosts and fully remediate the consequences. PT was able to detect and stop a targeted attack on one company that had lasted at least eight years. Based on analysis of SIEM event logs, PT found traces of attacker actions on 195 infrastructure hosts. As the investigation showed, the intruders had been active for that entire time, using malware to communicate with the command and control (C2) server, execute commands remotely, probe the compromised infrastructure, extract credentials from hosts, compress data, and send and receive files to and from the C2 server. Soon after, the attackers' C2 servers were blocked and the attacker presence was eliminated. Positive Technologies investigators attributed the attack to the TaskMasters group.

According to the research, one fifth of incidents identified during the pilot projects involved the detection of malware. The vast majority of such incidents (approximately 85%) were the result of phishing emails. According to PT's report on APT threats to companies worldwide, 90% of groups start their attacks with such phishing. In one pilot project PT detected a large number of malicious messages, containing Trojan-Banker.RTM in particular, sent to company employees from 592 different IP addresses. Operators of this malware tend to be interested in corporate bank accounts and therefore target their mailings at accountants and financial staff. They imitate legitimate correspondence, with subject lines such as "Refund request," "Documents for last month," and "Employee passport details."

Violations of security policies (non-compliance with guidelines or corporate standards) were detected in pilot projects at half of the companies investigated. For instance, the use of remote administration software was detected in 39% of pilot projects. As noted by the experts, these events may be legitimate: for example, technical support staff may need to connect to a server remotely and configure it. But they may also indicate that attackers are using remote access software to reach internal resources while remaining unnoticed. Companies are advised to restrict which computers are allowed to run remote access software.
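The three incident types named above (credential brute-forcing, one account authenticating on many workstations, and remote administration tools running where policy does not allow them) are the kind of thing a SIEM correlation rule flags. The following is an added illustration written for this page, not MaxPatrol SIEM's rule language or any Positive Technologies code: three small correlation rules in plain Python run over a constructed set of normalized authentication and process events. The thresholds, the tool name list, the allow-listed jump host and every event below are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not data from the report). A real SIEM would
# normalize these from Windows Security / Sysmon / EDR records.
EVENTS = [
    {"ts": "2020-03-02T09:00:01", "type": "logon_failure", "user": "j.doe", "src": "10.0.5.17", "host": "DC01"},
    {"ts": "2020-03-02T09:00:03", "type": "logon_failure", "user": "j.doe", "src": "10.0.5.17", "host": "DC01"},
    {"ts": "2020-03-02T09:00:04", "type": "logon_failure", "user": "j.doe", "src": "10.0.5.17", "host": "DC01"},
    {"ts": "2020-03-02T09:00:06", "type": "logon_failure", "user": "j.doe", "src": "10.0.5.17", "host": "DC01"},
    {"ts": "2020-03-02T09:00:07", "type": "logon_failure", "user": "j.doe", "src": "10.0.5.17", "host": "DC01"},
    {"ts": "2020-03-02T09:00:09", "type": "logon_success", "user": "j.doe", "src": "10.0.5.17", "host": "DC01"},
    {"ts": "2020-03-02T10:15:00", "type": "logon_success", "user": "svc_backup", "src": "10.0.7.2", "host": "WS-ACC-01"},
    {"ts": "2020-03-02T10:16:30", "type": "logon_success", "user": "svc_backup", "src": "10.0.7.2", "host": "WS-ACC-02"},
    {"ts": "2020-03-02T10:17:10", "type": "logon_success", "user": "svc_backup", "src": "10.0.7.2", "host": "WS-FIN-05"},
    {"ts": "2020-03-02T11:02:00", "type": "process_start", "user": "a.smith", "host": "WS-FIN-05", "image": "C:\\Users\\a.smith\\Downloads\\AnyDesk.exe"},
    {"ts": "2020-03-02T11:05:00", "type": "process_start", "user": "it.admin", "host": "JUMP-01", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
    {"ts": "2020-03-02T11:30:00", "type": "logon_failure", "user": "m.lee", "src": "10.0.5.40", "host": "DC01"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Rule 1: >= threshold failed logons for one (account, source) inside a sliding window.
    Also records whether a success for the same pair followed the burst, which is the
    higher-priority variant an analyst wants surfaced first."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failure":
            failures[(e["user"], e["src"])].append(parse_ts(e["ts"]))
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = times[end]
                followed = any(e["type"] == "logon_success" and e["user"] == user
                               and e.get("src") == src and parse_ts(e["ts"]) > last_fail
                               for e in events)
                alerts.append({"rule": "bruteforce", "user": user, "src": src,
                               "failures": end - start + 1, "followed_by_success": followed})
                break  # one alert per (account, source) pair
    return alerts

def detect_shared_account(events, min_hosts=3, window=timedelta(hours=1)):
    """Rule 2: one account with successful logons on >= min_hosts distinct hosts within window."""
    alerts = []
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon_success":
            logons[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    for user, items in logons.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "shared_account", "user": user, "hosts": sorted(hosts)})
                break
    return alerts

# Assumed policy inputs: binaries treated as remote administration tools, and the
# hosts where running them is permitted. Both lists are constructed for this example.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "teamviewer.exe"}
ALLOWED_RAT_HOSTS = {"JUMP-01"}

def detect_remote_admin_tools(events, tools=REMOTE_ADMIN_TOOLS, allowed_hosts=ALLOWED_RAT_HOSTS):
    """Rule 3: a remote administration tool started on a host not on the allow list."""
    alerts = []
    for e in events:
        if e["type"] != "process_start":
            continue
        image_name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image_name in tools and e["host"] not in allowed_hosts:
            alerts.append({"rule": "remote_admin_tool", "user": e["user"],
                           "host": e["host"], "image": image_name})
    return alerts

def run_all(events):
    return detect_bruteforce(events) + detect_shared_account(events) + detect_remote_admin_tools(events)

if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

On the constructed events the rules produce one alert each: the j.doe burst from 10.0.5.17 (five failures in six seconds, followed by a success), svc_backup logging on to three workstations within an hour, and AnyDesk started on WS-FIN-05, while TeamViewer on the allow-listed JUMP-01 and the single m.lee failure stay silent. The allow-list in rule 3 is exactly the control the paragraph recommends: the rule does not need to decide whether a tool is legitimate, only whether it runs on a host that policy permits.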

Positive Technologies senior analyst Olga Zinenko said: "During pilot projects, we identified events that indicated potential cyberattacks. In particular, many of the events have to do with gathering information about a compromised system and the internal network. To catch an attack in the early stages, it's essential to know about everything going on within the corporate infrastructure. This requires collecting as much information as possible about security events. The sheer scale of data requires automated processing with a SIEM solution. The experience of the PT Expert Security Center shows that SIEM correlation rules are the starting point for detection of most cyberattacks³, including multistage APTs, and for incident investigation."

To obtain a copy of the report, please visit ptsecurity.com/ww-en/analytics/incidents-siem-2020/.


  1. The dataset consists of pilot deployments of MaxPatrol SIEM for which the designated project infrastructure and resulting data were sufficient for detecting actual incidents.
  2. Statistics do not include companies that declined to consent to use of anonymized results from the pilot project for research purposes.
  3. MaxPatrol SIEM uses built-in correlation rules to flag relevant tactics, techniques, and procedures (TTPs) without requiring additional configuration. The MITRE ATT&CK approach to TTP classification is supported for detecting attacks in the early stages.