Everyday we hear news about cyber espionage, insider breaches, hackers sabotaging networks with denial of service attacks, malwares/viruses stealing personal information, hackers asking for ransoms to unlock systems and many more.
Companies, governments and individuals loose lot of money, reputation, face legal actions etc. Protection against cyber threats are no longer optional.
Most of the time cyber crimes are not detected because companies or governments haven't installed appropriate security solutions, which should detect and protect from these threats.
Insight Lake's Cyber Security Solution provides necessary solution to protect companies and governments from both internal and external threats.
Cyber security solution allows security admins to discover network and data assets easily. To perform network or host discovery it uses Nmap, which could be automated on weekly basis. For data discovery it does data profiling to identify sensitive data elements.
Any user or application flow goes through many network elements and generate security events like packet flows, login, database access etc. Cyber Security solution's SIEM enables security admins to collect security events at a central place and provide a holistic view of an enterprise's security. This holistic view allows admin to detect normal and anomalous patterns.
SIEM collects data from network elements in following forms:
SIEM feature allows easy modeling and handling of events in real time and storage of events in Big Data based store like Elastic Search/SOLR. Intuitive UI allows easy rule creation and exploration of events as well real time security operations dashboard. It also provides automated compliance reporting. Pre-packaged customizable machine learning models allow detection of anomalies and co-relation between various events from different sources.
Intrusion detection involves gathering network or host events to detect internal or external threats. There are three types of security agents used by Cyber Security solution.
Host intrusion detection agents are applications, which get installed on network hosts to detect threat activities like malware running and changing windows registry etc.
Cyber security solution integrates with OSSEC agents to easily deploy and manage HIDS agents. HIDS agent monitors Windows registry, performs rootkit (clandestine programs to provide privileged access like trojans, viruses etc) detection, integrity checking and alerting.
To detect threat from network network intrusion detection software is installed on firewalls, gateways etc. These agents monitor network traffic and detect threat.
Cyber security solution integrates with Snort, which is a very popular open source network based intrusion detection system. It does protocol analysis, packet capture, matching rules to perform triggers. It also detects port scans and probes.
netFlow is a network protocol which collects IP traffic information and monitors traffic.
sFlow, is short for sampled flow, which provides layer 2 packet information. Collectively these flows when captured provides holistic network view in real time.
Malware is a computer program like virus, Trojan, spyware or worm, which infects a user's computer to steal personal information, damage system, attack other computers etc.
Ransomware is a special type of malware, which blocks user's access to his own programs and files. Hacker demands ransom to provide password to unlock those.
DDoS is short for Distributed Denial of Service. DDoS is a type of denial attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack.
Cyber Security solution provides prebuilt models for threat detection and management. It provides simple models for black, white and watch lists. It also provides complex models, which use both supervised and un-supervised machine learning to do security event co-relation, scoring and classification of data. It also leverages scenario analysis to optimize threat models.
Threat actors like hackers or insiders profile is created and used in these threat models as well.
Cyber security solution leverages Spark MLib and integrated R or Python based models to do scoring. UI allows creation of custom scores based on event elements and management of parallel execution of multiple paths.
Using intuitive UI security admins can easily provision threat detection rules. They can simply select enriched event source or models and apply simple filter based rules or complex script/class driven rules. Threshold can be provisioned to allow alerting or invocation of remediation action for a group of similar events.
Cyber Security solution allow security admins to create remediation actions for provisioned threat types. Remediation rules are highly customizable and could be chained together as a workflow. Rules could be one or more of the following.
Cyber security solution allows security administrators to integrate and provision incidence management or case management solutions like Atlassian JIRA, Remedy, Appian etc.
Security admins can automate incidence creation from threat detection rules. Using interactive UI they can view created incidents with status. See incident dashboards like how many incidents created, daily, weekly distributions, type of incidents etc.
Enterprise assets should be protected from internal threats. Few examples of internal threats are:
To detect internal threats Cyber Security solution captures user events and activities and detect anomalies. User behavior analytics (UBA) feature does following:
1 Track AD activities like login attempts, time, duration etc
2 Track what systems users are accessing and what data they are exploring, including data volumes, what time and from where they are accessing.
3 Use machine learning models to detect anomalies.