
Detecting lateral movement by malicious applications


Abstract

A computer program product for detecting malicious lateral movement in a network that, when executed on a firewall for a plurality of endpoints, performs the steps of collecting notifications from each of the plurality of endpoints relating to activities, such as failed login attempts, with other ones of the plurality of endpoints in the network. The notifications are analysed to identify, based on a pattern in the notifications, a compromised endpoint among the plurality of endpoints. When the pattern indicates a presence of malware on the compromised endpoint engaging in attempts at malicious lateral movement from the compromised endpoint, the compromised endpoint is remediated by isolating it from other ones of the plurality of endpoints. Remediating the compromised endpoint may also include removing a malware component associated with the malware, killing a process associated with a malware component, or terminating a user session associated with a malware component.

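Bibliographic data

  • Publication number: GB2572471B
  • Patent type:
  • Publication date: 2020-10-21
  • Original format: PDF
  • Applicant/Patentee: SOPHOS LIMITED
  • Application number: GB20190001182
  • Inventors: ANDREW J THOMAS; DANIEL STUTZ
  • Filing date: 2016-06-30
  • Classification: G06F21/55; G06F21/44; G06F21/57
  • Country: GB
  • Database entry time: 2022-08-21 10:59:47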
