Seceon's Open Threat Management software

Seceon's Open Threat Management software (OTM) is an advanced cyber-security threat management platform that visualizes, detects, and eliminates threats in real time. It provides a simple, comprehensive, fully automated approach to detecting and stopping the threats that matter, for both on-premise and cloud deployments, against internal and external attacks. Whatever security products you are currently using, OTM will most certainly increase the level of protection for your data and IP, and will easily integrate with other security technologies such as firewalls and SIEMs.

Seceon's OTM solution uses the power of artificial intelligence combined with machine learning and dynamic threat models to deliver real-time security, protecting your business against dangerous threats and defending it against costly cyber attacks. It provides a comprehensive cyber-security solution for the digital era. It uses the power of application, machine and user analytics to find and prevent attacks or attempted data theft from internal and external sources.

Real-time remediation is one of the key features of the Seceon OTM platform. Because it has a comprehensive view of the organization's assets, network infrastructure, Active Directory, LDAP, RADIUS or other AAA servers, and other important applications, it knows where to remediate the problem without causing a huge impact on the organization. Examples include disabling credentials, disabling a VLAN or a VPN connection, disabling a port interface, and pushing policies to block an external IP or isolate an internal IP/server.
Automation at Its Best: No rules or human intervention needed; the out-of-the-box solution starts working within seconds of installation.
Unparalleled Visibility: Advanced behavioral and machine learning technologies give our customers full visibility of both internal and external adversary activity.
Multi-Layer Detection: Detection of known as well as never-before-seen threats at the earliest phase of the attack chain.
Supplements SIEMs: Correlates threat indicators and reduces the operational expense of managing SIEM-generated threat logs.
Automated Response: Enables rapid, surgical responses at scale to eradicate threats.
Productivity Increase: Advanced analytics over multiple stages eliminate false positives, giving a 25x threat surface reduction.
Threat Impact Analysis: Comprehensive interactive visual interface to drill down into threats and the affected sources and targets.

Seceon OTM addresses the enterprise need for security operations that detect and stop threats in real time. Seceon OTM leverages an unmatched combination of behavioral analysis, machine learning and dynamic threat intelligence to detect and contain known as well as unknown cyber-security threats. The solution is completely agent-less, can work in any hybrid cloud architecture, and can scale to any enterprise size. Seceon OTM can be installed and up and running within 4 hours, with minimal to no provisioning. There are no rules to import and customize, no signatures to pull in, and no complicated filters that need optimization. It just works out of the box.
So what does the Seceon OTM solution deliver?

1. It provides central, gateway-level protection without the use of endpoint agents or any other tool.
2. It makes extensive use of machine intelligence and big data analytics to provide threat exposure, reporting and remediation options.
3. It works on servers, routers, switches, firewalls, and all kinds of endpoints such as laptops, desktops, tablets and phones that connect to the organization's network.
4. The solution has the capability to work in offline mode without using SPAN/mirror traffic. It does not use SPAN or mirror mode, as that increases network latency and also consumes network bandwidth. Instead, it uses a scalable approach of taking network flows in NetFlow and sFlow format to analyze all north-south as well as east-west traffic, in addition to the logs from all endpoints, servers, and firewalls.
5. It is not a single point of failure in the network, should the solution suffer an outage in any manner.
6. The solution can support multiple network segments, including LAN, WAN, DMZ, WiFi networks and MPLS links, simultaneously on a single instance.
7. It can automatically identify infections, reducing the manual effort of going through logs and alerts.
8. The solution shall integrate with firewalls, IPS, enterprise AV, mail gateways and web gateways.
9. Identification of infection by taking into account suspicious network traffic, behaviour, and source and destination analysis, without needing to interact directly with the affected device(s)/hosts.
10. Automated risk prioritization of infected device(s) on the basis of whether data was transferred, AV patching, type of malware, the user's importance to the organization, and whether the communication was successful.
11. The solution shall identify malicious activity and infections on devices that are outside the perimeter defense, such as split-tunnel VPN connections. The solution shall identify advanced threat infections irrespective of whether the infection vector is located inside or outside the network.
12. The solution shall be able to detect infection without the presence of any file analysis software.
13. The solution shall differentiate between a confirmed infection and a suspicious event.
14. It will not be a necessary condition to detect the infection vector first, if it occurs outside of the network, in order to determine subsequent or related infections.
15. The solution shall track all C&C communications negotiated by a threat, and not just the initial call-back of a dropper.
16. The solution shall monitor and detect all outbound and inbound command and control traffic.
17. The solution shall provide the ability to view file download activity associated with infected endpoints for the required duration, to qualify the endpoint to be declared as infected.
18. The solution shall determine infection regardless of the OS involved.
19. Determination of infection over HTTP/HTTPS/SSL/SFTP/FTP/custom ports, and the ability to identify communication coming from proxy-server-aware malware.
20. The solution shall identify infections using P2P malicious communication, such as ZeroAccess, TDL4, ZeuS v3 and Sality.
21. The solution shall identify Domain Generation Algorithm (DGA) based crimeware.
22. The solution shall detect TOR and DNS tunneling used to conceal communications.
23. The solution shall support DNS queries for malicious domains.
24. The solution should be capable of performing DNS redirection for malicious DNS queries, so as to prevent exposure of the infection to cyber criminals.
25. The solution shall be able to discover suspicious internet domains.
26. Machine intelligence and big data analytics capability to aggregate evidence and identify threats.
27. The solution shall have the capability of providing independent threat intelligence for local and external threats.
28. IPv4 and IPv6 discovery of threats.
29. Detect ransomware.
30. Detect botnets.
31. Detect compromised credentials or insider threats.
32. Detection of dormant threats.
33. Work with SMTP, POP3, and IMAP traffic.
34. Work with UDP traffic.
35. Work with non-standard TCP port traffic.
36. Capability to detect persistent threats that are communicated through executable files, PDF files, Flash files and RTF files, amongst other file formats.
37. Shall have the ability to identify suspicious embedded objects in files, such as OLE and macro extraction, shellcode and exploit matching.
38. The solution should be able to detect zero-day attacks based on behavioral analysis using machine intelligence and big data analytics.
39. The solution shall detect whether downloaded malware has actually been executed, without the use of endpoint agents.
40. The solution shall provide real-time intelligence updates.
41. The solution shall provide incident tracking along with ticketing and remediation.
42. Capability to track incident investigation at an asset/device level through notes and comments, with auto-expiration if no further evidence has been collected.
43. The solution shall track infection history for a device and provide forensic capability.
44. The solution shall provide details on the forensics so as to enable validation of findings and of security policy violations via connection attempt count, connection attempt success, bytes in, bytes out, and forensic metadata.
45. The solution should provide third-party integration by way of transferring forensic information to prevention systems such as IDS/IPS/web gateways.
46. The solution should facilitate conducting simple investigations to validate the findings.
47. The solution should allow whitelisting and blacklisting of devices.
48. Risk rating capability on the basis of the number of attempts made, data transferred and asset criticality, providing details on the recorded threat, threat intent, researcher notes, crimeware used and local communication activity.
49. Categorization of assets as HIGH, MEDIUM and LOW.
50. Intuitive and self-explanatory dashboards for incident tracking and management.
51. Manage and retain remediation history along with all evidence.
52. The solution shall have the feature to identify an asset using either NetBIOS lookup or reverse DNS.
53. Provide connection termination to protect against loss of data, through individual TCP RSTs for individual C&C connection sessions.
54. The solution shall integrate with Cisco, Palo Alto, SonicWALL and Check Point firewalls for the asset quarantine process, through the implementation of policies that look at (suspected or infected) status, and also prevent these assets from communicating with the internet or with critical assets in the network.
55. The solution shall have the ability to integrate with web proxies so that web access policies can be implemented taking into account (suspected or infected) status, and also prevent these assets from communicating with the internet or with critical assets in the network.
56. Shall integrate with AV.
57. Shall support logging using syslog.
58. Shall integrate with SIEM solutions.
59. Shall provide e-mail and text alert notifications.
60. Provide out-of-the-box reports: executive summary reports, infection lifecycle management, system health reports, incident response reports, and other custom reports through professional services engagement.
61. Supports 10 GB to 1 GB copper Gigabit Ethernet and 410 Gigabit fibre interfaces.
62. The platform is scalable and can handle large networks with throughputs of 10 Gbps.
63. The solution has RAID redundancy.
64. Secure communication for management access and inter-system communication.
65. Has the capability to assign role-based access.
66. Is an appliance-based and stand-alone server-based solution with a secure OS deployed.
67. The solution has an intuitive GUI.
68. Typical deployment times are 2 to 3 hours.
69. The solution becomes fully functional in less than 15 days from going live.
70. The solution improves productivity by highlighting only those incidents that have a risk impact and higher confidence.
71. The solution should filter out most of the white noise and false positives, and shouldn't ignore any negatives.
Sample Dashboards
Awards