Cyber Security

Everyday we hear news about cyber espionage, insider breaches, hackers sabotaging networks with denial of service attacks, malwares/viruses stealing personal information, hackers asking for ransoms to unlock systems and many more.

Companies, governments and individuals loose lot of money, reputation, face legal actions etc. Protection against cyber threats are no longer optional.

Most of the time cyber crimes are not detected because companies or governments haven't installed appropriate security solutions, which should detect and protect from these threats.

Insight Lake's Cyber Security Solution provides necessary solution to protect companies and governments from both internal and external threats.


  • Discovery of network and data assets

Integration with Intrusion Detection Systems/Agents

  • Integration with HIDS agents - Snort
  • Integration with NIDS agents


  • Monitoring of data assets and tracking access patterns

Incident Management

  • Creation of threat incidence/case and workflow management

User Behavior Analytics

  • Lets review topics in detail


  • SIEM - collect all security events at central repository for easier exploration and co-relation
  • Collection and enrichment of network flows like netflow, sflow etc
  • Collection of AD, Database change logs
  • Collection of Firewall logs, windows events etc.

Threat Detection & Exploration

  • Threat modeling & co-relation
  • Detection rules
  • Threat user profile
  • Threat remediation
  • Threat exploration


Cyber security solution allows security admins to discover network and data assets easily. To perform network or host discovery it uses Nmap, which could be automated on weekly basis. For data discovery it does data profiling to identify sensitive data elements.

SIEM - Security information and event management

Any user or application flow goes through many network elements and generate security events like packet flows, login, database access etc. Cyber Security solution's SIEM enables security admins to collect security events at a central place and provide a holistic view of an enterprise's security. This holistic view allows admin to detect normal and anomalous patterns.

SIEM collects data from network elements in following forms:

  • Firewall logs
  • Packet flows
  • Syslog
  • HIDS, NIDS and other security agent's events
  • AD events
  • Windows events
  • DB change logs
  • Audit logs from security manager

SIEM feature allows easy modeling and handling of events in real time and storage of events in Big Data based store like Elastic Search/SOLR. Intuitive UI allows easy rule creation and exploration of events as well real time security operations dashboard. It also provides automated compliance reporting. Pre-packaged customizable machine learning models allow detection of anomalies and co-relation between various events from different sources.

Intrusion Detection

Intrusion detection involves gathering network or host events to detect internal or external threats. There are three types of security agents used by Cyber Security solution.

  • HIDS - Host based intrusion detection
  • NIDS - Network based intrusion detection
  • Custom agent to collect security events

HIDS - Host Intrusion Detection System

Host intrusion detection agents are applications, which get installed on network hosts to detect threat activities like malware running and changing windows registry etc.

Cyber security solution integrates with OSSEC agents to easily deploy and manage HIDS agents. HIDS agent monitors Windows registry, performs rootkit (clandestine programs to provide privileged access like trojans, viruses etc) detection, integrity checking and alerting.

NIDS - Network Intrusion Detection System

To detect threat from network network intrusion detection software is installed on firewalls, gateways etc. These agents monitor network traffic and detect threat.

Cyber security solution integrates with Snort, which is a very popular open source network based intrusion detection system. It does protocol analysis, packet capture, matching rules to perform triggers. It also detects port scans and probes.

Packet Flows

netFlow is a network protocol which collects IP traffic information and monitors traffic.

sFlow, is short for sampled flow, which provides layer 2 packet information. Collectively these flows when captured provides holistic network view in real time.

Types of Threats


Malware is a computer program like virus, Trojan, spyware or worm, which infects a user's computer to steal personal information, damage system, attack other computers etc.


Ransomware is a special type of malware, which blocks user's access to his own programs and files. Hacker demands ransom to provide password to unlock those.


DDoS is short for Distributed Denial of Service. DDoS is a type of denial attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack.

Threat Models

Cyber Security solution provides prebuilt models for threat detection and management. It provides simple models for black, white and watch lists. It also provides complex models, which use both supervised and un-supervised machine learning to do security event co-relation, scoring and classification of data. It also leverages scenario analysis to optimize threat models.

Threat actors like hackers or insiders profile is created and used in these threat models as well.

Threat Scoring

Cyber security solution leverages Spark MLib and integrated R or Python based models to do scoring. UI allows creation of custom scores based on event elements and management of parallel execution of multiple paths.

Threat Triggers

Using intuitive UI security admins can easily provision threat detection rules. They can simply select enriched event source or models and apply simple filter based rules or complex script/class driven rules. Threshold can be provisioned to allow alerting or invocation of remediation action for a group of similar events.

Remediation Actions

Cyber Security solution allow security admins to create remediation actions for provisioned threat types. Remediation rules are highly customizable and could be chained together as a workflow. Rules could be one or more of the following.

  • Scripts - running scripts with commands on a remote host. This could be provisioning firewall rules etc.
  • Creating data access policies in Security Manager. This will block or deny data access, mask sensitive information etc.
  • Invocation of REST APIs to create case, trigger actions from external products in the network
  • Custom java script execution, which allows flexible logic to handle threat.

Incident Management

Cyber security solution allows security administrators to integrate and provision incidence management or case management solutions like Atlassian JIRA, Remedy, Appian etc.

Security admins can automate incidence creation from threat detection rules. Using interactive UI they can view created incidents with status. See incident dashboards like how many incidents created, daily, weekly distributions, type of incidents etc.

User Behavior Analytics

Enterprise assets should be protected from internal threats. Few examples of internal threats are:

  • Unauthorized system/data access
  • Unusual data access pattern like access from unknown location points to someone's username, password got stolen. Someone downloading lot of data could indicate unauthorized collection.
  • Login attempts and failures

To detect internal threats Cyber Security solution captures user events and activities and detect anomalies. User behavior analytics (UBA) feature does following:

1 Track AD activities like login attempts, time, duration etc
2 Track what systems users are accessing and what data they are exploring, including data volumes, what time and from where they are accessing.
3 Use machine learning models to detect anomalies.