Built-in functionality of CYBERQUEST

Transcription

1 CYBERQUEST Knows everything Built-in functionality of CYBERQUEST Summary Demonstration of CyberQuest functionality

2 Content Intro... 3 Built-in functionality of CYBERQUEST... 4 Correlations... 4 Create correlation and evidence lists with the following key-value pairs of information... 3 Use cases... 4 Irregular activities... 4 General network activity... 4 Attacks... 4 Database manipulation... 5 Compromised Users Detection... 5 Connections Details... 5 Abnormal Administrative Behavior... 5 Intrusion Detection and Infections... 5 Compliance... 5 Statistical Analysis... 5 System Change Activities... 5 Anti-Fraud... 6 Malicious Insider Identification... 6 Information Theft... 6 Malicious Intruders Identification... 6 IT Security... 6 Authentication Activities... 6 Sensitive Data Access Investigation... 6 Shared Accounts... 6 Security Events Verification... 6

3 3/6 Intro Nowadays, companies are fighting against a torrent of data from their own networks. In such a complex technology environment, they need to reduce the security risk while handling disparate data sources that generate huge volumes of data. Light comes along with the adoption of new security technologies that can manage the information overload and unify all existing data sources across the organization. CyberQuest is a Big Data Analytics Platform that gathers valuable data from multiple technology sources and empowers users to take actionable, critical decisions in real-time. It is a fast and efficient platform for IT security investigation, with advanced capabilities for monitoring and investigating IT incidents in a highly intuitive graphic environment, with run-time analytics and fast returning reports, essential in real-time combating of fraudulent activities on National Critical Infrastructure and enterprise environments, across industries varying from cyber defense to telecommunications, healthcare, banking or insurance. CyberQuest proves that breaking the data silo barrier of today s enterprise infrastructures is possible. AUTOMATION One single view over all events Data corellation OPERATIONAL INTELLIGENCE Powerful Analytics CQ MACHINE LEARNING Multiple Technology Data Collection Fast Deployment & Custom Development

4 4/6 Built-in functionality of CYBERQUEST Correlations Create correlation and evidence lists with the following key-value pairs of information: UserName - SrcIP - for all technologies and applications to know which user has what IP at the exact moment in time that an event is collected by CyberQuest Computer - SrcIP (for computer) - will create a list of what computer has what IP at the exact moment in time that an event is collected by CyberQuest Computer - UserName - will create a list with all the computers that send data to CyberQuest and last/currently logged on user on the specific workstation Unapproved web domains - the users can define domains that employees can access (are not blocked by firewall) but are not to be used during business hours: social, gabling, recruitment etc. Use Cases Irregular activities See what activities take place during non-business hours Alert on logins for critical machines with special permissions Creation and deletion of an user (usually done for illicit activities) in a short time period Change of permission and access rights General network activity General overview of visited websites per user Alert in case an individual user accesses a blacklisted domain or potentially harmful website Attacks Brute force - Alert on more than X failed logins on a machine in a 10 minutes time interval Ransom ware - Alert on more than X file modifications done by the same user in 1 minute time interval Integration with ProofPoint/MISP -> Crosscheck firewall/proxy logs to see if employees access domains/sites flagged as malicious by cybersecurity solutions.

5 5/6 Database manipulation Creation and deletion of an user (usually done for illicit activities) in a short time period Change of permission and access rights Database/table deletes Data manipulation through insert or update Compromised Users Detection Pinpointing all suspicious users accounts, based on its sophisticated Anomaly Analyzer self-learning mechanism, without the use of predefined rules or heuristics. Connections Details Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, a connection made to bad destinations etc., using data from firewalls, network devices or flow data. External sources can be further enriched to discover the domain name, country and geographical details. Abnormal Administrative Behavior Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities etc., using data from AD account management related activities. Intrusion Detection and Infections This can be done by using data from IDS/IPS, antivirus, anti-malware applications, firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc. Compliance Statistical Analysis Statistical analysis can be done to study the nature of data. Functions like average, median, quartile etc. can be used for this purpose. Numerical data from all kind of sources can be used to monitor relations like the ratio of inbound to outbound bandwidth usage, data usage per application, response time comparison etc. System Change Activities Using collected data for quickly identifying the changes in configurations, audit configuration changes, policy changes, policy violations and the like.

6 6/6 Anti-Fraud Malicious Insider Identification Edward Snowden is the most famous example of a legitimate contractor who accessed, collected and made use of highly sensitive data from the NSA, the company he was serving. This proves that no organization is immune to inside threats of this kind. CyberQuest is able to identify users and contractors having a high-risk activity or access sensitive data, by investigating their behavior history log by log, second after second. Information Theft Data exfiltration attempts, information leakage through s etc., using data from mail servers, file sharing applications etc. Malicious Intruders Identification There is a person within the company s structure who was monitored, investigated and recognized for security information leak/stealing. The company s security team would like to be alerted as soon as he sets foot in the building. The native integration with physical security module NEC NeoFace allows CyberQuest to alert security admins immediately when a blacklisted/whitelisted person passes in front of a registered camera within the CCTV network. The application automatically sends an /message alert in real time. IT Security Authentication Activities Abnormal authentication attempts, off-hour authentication attempts etc., using data from Windows, UNIX and any other business application that requires authentication. Sensitive Data Access Investigation The access of enterprise users to databases, file share systems and applications may have hidden, high-risk patterns. While some actions may be considered more suspicious than others, access becomes riskier when it s in the hands of certain high-risk users. CyberQuest uses its dedicated set of innovative modules to analyze users access to databases, file share systems, and applications, and to automatically pinpoint suspicious access activities. Shared Accounts Multiple sources (internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix etc. Security Events Verification Information Security needs second prioritization of events for monitoring, by enriching SIEM/FW/IDS/DLP systems with big data machine learning-based analytics on users. SIEM systems manage rule-based events that are correlated and prioritized in real-time. CyberQuest ensures a better prioritization of events, based on non-rule-based big data and historical data analysis.