In this section of the Lumu Portal, you have access to the dashboard and details on the activity and distribution of the Indicators of Compromise (IoC) that Lumu identified in your organization. IoCs are evidence that a system is compromised.
The Overview dashboard offers a general outline of the incidents (1) and two data visualizations: Activity (2) and Distribution (3). You can filter each view by predefined date ranges (4) or click to go to the report for more filtering options and details. The overview also shows the information on active Collectors, such as Virtual Appliances, Agents, and a summary of Lumu Email metadata collection (5).
In this area, Lumu provides comprehensive and detailed visibility into the various compromise activities (IoCs) detected in your network, along with all context information for in-depth analysis, which allows you to visualize how and when your network is being compromised.
Filter the threat activity by label (1) or by date. The default date range is the last 7 days. Click on each card (2) to remove or add that threat type from the graph. Hover over any point on the graph (3) to see the breakdown of the types of compromise detected during that day.
The Threat Summary shows the list of IoCs grouped by the adversary’s IoC. You can filter this dashboard by IoC or type (1). In this section, you find detailed adversary information such as their IoC and threat types (2), threat details (3), the last time Lumu found this threat in your network metadata (4), and the total contacts between the IoC and your infrastructure (5).
Compromise Context allows threat researchers and incident responders to enrich confirmed compromise information and understand how a particular compromise is spreading, so they can answer the most critical compromise questions and implement the proper response.
The Detail area of the Compromise Context includes links to external resources (1), threat triggers and related files (2), Compromise Radar (3), Attack Distribution (4), and Lumu correlation (5).
The Compromise Radar unveils the nature of attacks and their behavior by analyzing how your assets are communicating with adversarial infrastructure, allowing security analysts to differentiate occasional contact from persistent and automated compromises.
Around the Compromise Radar, you have the hour of the day from 0h to 23h (1). The numbers inside the circle represent the total contacts during each hour. The colors (2) represent the day of the week, which you can click to hide or show on the radar to check for patterns. You also have context information (3) regarding the affected timestamp, labels, and endpoints.
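The following script is an added example, not Lumu's code or algorithm. It shows what the Compromise Radar is computing: it builds the hour-of-day by day-of-week contact grid from a constructed list of contact records and then applies a simple, assumed heuristic (regularity of the inter-contact interval) to separate an automated beacon from occasional contact. The endpoint names, IoC domains and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_contacts():
    """Constructed sample of (endpoint, ioc, timestamp) contact records, shaped
    like what a collector might report. Not real Lumu data."""
    contacts = []
    base = datetime(2024, 3, 4, 0, 0)  # a Monday, chosen for the example

    # Automated beacon: one contact every 6 hours for a full week (28 contacts).
    t = base
    while t < base + timedelta(days=7):
        contacts.append(("workstation-17", "evil-c2.example", t))
        t += timedelta(hours=6)

    # Occasional contact: three visits at irregular times on different days.
    for offset in (timedelta(days=1, hours=10, minutes=12),
                   timedelta(days=3, hours=15, minutes=47),
                   timedelta(days=5, hours=9, minutes=3)):
        contacts.append(("laptop-04", "phish-landing.example", base + offset))
    return contacts


def radar(contacts, ioc):
    """Return {weekday: [24 hourly counts]} for one IoC: the grid the radar draws,
    where weekday 0 is Monday and each list index is the hour of day 0h-23h."""
    grid = defaultdict(lambda: [0] * 24)
    for _endpoint, contact_ioc, ts in contacts:
        if contact_ioc == ioc:
            grid[ts.weekday()][ts.hour] += 1
    return dict(grid)


def hourly_totals(grid):
    """Collapse the grid to the per-hour totals shown inside the radar circle."""
    totals = [0] * 24
    for row in grid.values():
        for hour, count in enumerate(row):
            totals[hour] += count
    return totals


def classify(contacts, ioc, max_cv=0.25, min_contacts=5):
    """Assumed heuristic (not Lumu's method): sort the contact timestamps and
    measure the coefficient of variation (CV) of the gaps between them. Many
    contacts with a low CV means evenly spaced traffic, which is what an
    automated, persistent compromise looks like on the radar."""
    stamps = sorted(ts for _e, contact_ioc, ts in contacts if contact_ioc == ioc)
    if len(stamps) < min_contacts:
        return "occasional"
    gaps = [(later - earlier).total_seconds()
            for earlier, later in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else 0.0
    return "persistent/automated" if cv <= max_cv else "occasional"


def render(grid):
    """Text rendering of the grid: one row per weekday, one column per hour."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    lines = ["     " + " ".join(f"{h:2d}" for h in range(24))]
    for day in range(7):
        row = grid.get(day, [0] * 24)
        lines.append(f"{names[day]}  " + " ".join(f"{n:2d}" for n in row))
    return "\n".join(lines)


if __name__ == "__main__":
    data = make_sample_contacts()
    for ioc in ("evil-c2.example", "phish-landing.example"):
        print(f"== {ioc}: {classify(data, ioc)}")
        print(render(radar(data, ioc)))
```

Run it and the beacon shows up as a full column at 0h, 6h, 12h and 18h on every day of the week, while the occasional contact is three isolated cells; clicking weekdays on and off in the portal is the manual version of reading rows of this grid. The CV threshold and minimum-contact count are tuning knobs for this example only, not values from the product.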
The Attack Distribution is a dynamic visualization tool that enables Lumu Insights and Lumu Defender customers to track and measure critical environments such as SWIFT, PCI-DSS, and IoT devices to take immediate action. You can click on the zoomable chart (1) to drill deeper into your labeled threat activity, revealing how a specific compromise has spread inside an organization’s network. Use the zoomable timeline (2) of the attack to drill down and check when the attack affected each labeled asset.
The Email Intelligence section can help you understand who adversaries are attempting to compromise in your organization and how they are being targeted.
Within the Context tab, you can learn more about why Lumu classified the event as a compromise by reviewing the Threat Triggers and Related Files (1) and downloading these resources (2) to facilitate the configuration of policies that address these compromises using your current cybersecurity strategy.
This section also offers actionable steps for responding to each incident, with integrated links (3) to related articles by leading security researchers covering a particular threat. We also provide Lumu Incident Response Playbooks (4) based on the National Institute of Standards and Technology (NIST) Framework, which include best practices for how to use Lumu to respond to specific attacks.
Lumu automates and operationalizes the MITRE ATT&CK® Matrix by presenting it for each compromise found on the portal, helping organizations spot gaps in defenses, identify priorities, and make more accurate decisions about impending risks. The automated ATT&CK Matrix is included with Lumu paid subscriptions.
This section gives a comprehensive view of your compromise level through the distribution of malicious activities detected in your organization according to the endpoints and assigned labels. Filter (1) the compromise information displayed by label or date and zoom (2) into the chart, which gives you visibility into how compromises spread among your assets, so you can focus efforts on what your organization considers critical for a successful cyberdefense strategy.
Distribution Summary shows details on the distribution of attacks grouped by endpoints. You can filter the compromise distribution by label and period (1) and by endpoint or threat type such as malware, spam, phishing, etc. (2). This section includes information such as the endpoints affected (3), the labels (4), and the collector that captured the metadata (5). You also have trend visualizations showing the IoCs’ distribution by each endpoint and threat type (6). Other information provided in this section includes the total contacts (7) between IoCs and your infrastructure.
Note that for Lumu Free customers, this distribution area will display limited information regarding the endpoints affected.
We recommend becoming familiar with Lumu’s Incident Response Playbooks, which are based on the National Institute of Standards and Technology (NIST) Framework and include best practices for how to use Lumu to respond to specific attacks.