Detect Cyber Threats with Securonix Proxy Traffic Analyzer

Introduction

Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100 GB to over 1 TB an hour. Legacy security information and event management (SIEM) solutions struggle to handle this flow of data and still identify high-fidelity threats. As part of its next-generation SIEM platform, Securonix uses several proprietary machine learning-based algorithms in its proxy analyzer to analyze billions of events daily and identify high-fidelity threat actors or compromised endpoints.

[Figure: proxy analyzer pipeline. Inputs: Proxy Logs; Alexa's 1 Million Safe Domains; Domain Rarity Scores; Threat Intelligence (malicious IP, domains, requests, user agents); Multi-Language Dictionary. Techniques: User Agent; Robotic Behavior Algorithm; Algorithmically Generated Domain; Entropy Estimation; Principal Component; Failed Redirected Requests; Request URL File Type; Logistic Regression. Detections: Malware Persistence; Beaconing; Exploit Kits (Angler); APT Detection. Output: Fewer High-Fidelity Results, Context Enriched Events.]

Security Analytics. Delivered.

Proxy Analyzer Techniques

Securonix proxy analyzer combines multiple behavior-based algorithms in real time to detect anomalies and highlight potential threat actors.

Securonix Domain Visit Score

The proxy analyzer detects the presence or ranking of a domain as seen in your organization's proxy behavior. The proxy analyzer assigns a score to a domain based on the following factors:

- the number of distinct users, IPs, and endpoints visiting the domain
- the amount of bytes transmitted to or received from the domain
- HTTP response codes associated with the domain
- the reputation of the top-level domain (TLD) of the domain

After taking all the above indicators into consideration, the proxy analyzer assigns a score between 0 and 1 for the domain. A score close to 1 indicates a rarer domain, while a score closer to 0 indicates a more common domain. The domain visit score (DVS) is used as a basis for all additional analysis.

Domain Generated Algorithm

The domain generated algorithm (DGA) attempts to detect domains that are created by malicious algorithms or actors in an attempt to communicate externally. The Securonix DGA is a proprietary algorithm developed to detect malicious domains in over 80 languages. The DGA utilizes principal component analysis and natural language processing to identify normal dictionary words and thereby detect domains that are algorithmically generated. The DGA also utilizes the DVS in order to ensure high-fidelity results and identify DGA domains that are rarely seen in the organization. Domains that are visited by a small population (using the DVS score) could indicate a possible outbreak of malware due to multiple infected endpoints contacting the same domain. This is also helpful in detecting targeted attacks.
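The two ideas above (a domain rarity score built from the organization's own proxy traffic, and an entropy-plus-dictionary test for generated-looking domains, combined so that only domains that are both rare and generated-looking surface) can be illustrated with a small detector. The code below is an added example written for this page; it is not Securonix's algorithm. The log format, the TLD reputation table, the word list and all weights are constructed assumptions, and the PCA/NLP step the brief mentions is replaced by a simpler entropy and greedy dictionary-match heuristic.

```python
import math
import re
from collections import defaultdict

# Constructed sample proxy log (not from the brief). Fields:
# timestamp user src_ip domain http_status bytes_out bytes_in
SAMPLE_PROXY_LOG = """\
2024-01-01T09:00:01 alice 10.0.0.11 www.example.com 200 512 40960
2024-01-01T09:00:05 bob   10.0.0.12 www.example.com 200 480 38000
2024-01-01T09:00:09 carol 10.0.0.13 www.example.com 200 500 41000
2024-01-01T09:01:00 alice 10.0.0.11 cdn.example.net 200 300 120000
2024-01-01T09:01:30 bob   10.0.0.12 cdn.example.net 200 310 118000
2024-01-01T09:02:00 dave  10.0.0.14 xk3j9qz7vb2.top 404 900 120
2024-01-01T09:03:00 dave  10.0.0.14 xk3j9qz7vb2.top 404 900 120
2024-01-01T09:02:30 erin  10.0.0.15 secure-login-update.info 200 700 2048
"""

# Assumed TLD reputation table (constructed for the example; higher = riskier).
TLD_RISK = {"com": 0.0, "net": 0.0, "org": 0.0, "info": 0.4, "top": 0.6, "xyz": 0.6}

# Tiny stand-in for the brief's multi-language dictionary.
WORD_LIST = {"www", "cdn", "example", "secure", "login", "update", "mail", "shop", "news"}


def parse_proxy_log(text):
    """Split whitespace-separated log lines into dicts; split() tolerates padded columns."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, domain, status, b_out, b_in = line.split()
        records.append({"ts": ts, "user": user, "ip": ip, "domain": domain.lower(),
                        "status": int(status), "bytes_out": int(b_out), "bytes_in": int(b_in)})
    return records


def domain_visit_scores(records, tld_risk=TLD_RISK):
    """Illustrative DVS: 0 = common in the org, 1 = rare. Weights are assumptions, not Securonix's."""
    stats = defaultdict(lambda: {"users": set(), "ips": set(), "bytes": 0, "requests": 0, "errors": 0})
    for r in records:
        s = stats[r["domain"]]
        s["users"].add(r["user"])
        s["ips"].add(r["ip"])
        s["bytes"] += r["bytes_out"] + r["bytes_in"]
        s["requests"] += 1
        if r["status"] >= 400:
            s["errors"] += 1
    total_users = len({r["user"] for r in records})
    total_ips = len({r["ip"] for r in records})
    max_bytes = max(s["bytes"] for s in stats.values()) or 1
    scores = {}
    for domain, s in stats.items():
        population_rarity = 1 - (len(s["users"]) / total_users + len(s["ips"]) / total_ips) / 2
        byte_rarity = 1 - s["bytes"] / max_bytes          # little traffic -> rarer
        error_ratio = s["errors"] / s["requests"]          # 4xx/5xx-heavy domains score up
        tld_score = tld_risk.get(domain.rsplit(".", 1)[-1], 0.3)
        dvs = 0.5 * population_rarity + 0.2 * byte_rarity + 0.15 * error_ratio + 0.15 * tld_score
        scores[domain] = round(min(max(dvs, 0.0), 1.0), 3)
    return scores


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_coverage(letters, words=WORD_LIST):
    """Fraction of letters covered by greedy longest-match dictionary words."""
    covered = i = 0
    while i < len(letters):
        best = max((len(w) for w in words if letters.startswith(w, i)), default=0)
        covered += best
        i += best or 1
    return covered / len(letters) if letters else 0.0


def dga_score(domain, words=WORD_LIST):
    """Heuristic [0, 1]: high entropy, many digits, few dictionary words -> looks generated."""
    labels = domain.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    alnum = re.sub(r"[^a-z0-9]", "", sld)
    if not alnum:
        return 0.0
    max_entropy = math.log2(len(alnum)) if len(alnum) > 1 else 1.0
    entropy = shannon_entropy(alnum) / max_entropy
    digit_ratio = sum(ch.isdigit() for ch in alnum) / len(alnum)
    coverage = dictionary_coverage(re.sub(r"[^a-z]", "", sld), words)
    score = 0.4 * entropy + 0.3 * digit_ratio + 0.3 * (1 - coverage)
    return round(min(max(score, 0.0), 1.0), 3)


def flag_dga_domains(text, dga_threshold=0.6, dvs_threshold=0.5):
    """Combine the two signals as the brief describes: generated-looking AND rare in the org."""
    records = parse_proxy_log(text)
    dvs = domain_visit_scores(records)
    return sorted(d for d in dvs if dga_score(d) >= dga_threshold and dvs[d] >= dvs_threshold)


if __name__ == "__main__":
    for domain, score in domain_visit_scores(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{domain:28s} DVS={score:.3f} DGA={dga_score(domain):.3f}")
    print("flagged:", flag_dga_domains(SAMPLE_PROXY_LOG))
```

On the constructed sample only `xk3j9qz7vb2.top` clears both thresholds: `secure-login-update.info` is just as rare but is made of dictionary words, and `www.example.com` is common and readable. The rarity gate is what keeps the entropy test from flagging every CDN hostname with a hashed label; the dictionary step is what keeps rarity alone from flagging every new legitimate SaaS domain.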

Robotic Beaconing Detection

Proxy analyzer detects persistent communication from a source to a destination, which could be an indicator of a compromised system communicating with a command and control (C&C) site. It analyzes the following characteristics to filter out false positives and bring out true threats:

- Detect the frequency of communication patterns between source and destination.
- Develop clusters based on the different harmonics of frequencies and the number of occurrences of each harmonic.
- Detect bytes transmitted and received between source and destination to detect robotic packets or instructions.
- Differentiate user browsing behavior such as streams, videos, tickers, etc. from malicious robotic beaconing by analyzing referrer URLs, HTTP responses, and destination IPs to determine the nature of the request transmitted.

Based on the above characteristics, combined with the DVS, the Securonix proxy analyzer can detect malicious robotic beaconing.

Angler EK Detection

Securonix proxy analyzer analyzes URLs to detect patterns that could be similar to domains known to host Angler root kits. It detects changes in the nature of requests, bytes transmitted, and URL referrers in order to detect Angler hosts containing Angler exploit kits.

URL: Proxy Avoidance

Securonix proxy analyzer analyzes URLs to detect possible proxy avoidance to malicious domains. This can include embedded URLs or domains within search engine queries, or a change in the URL request protocol, such as between TCP and FTP, in an attempt to avoid static blacklists. This is correlated with the DVS to highlight true threats.

User Agent

Securonix proxy analyzer analyzes user agents to detect the number of user agents utilized across the organization. It develops a user agent rating, again based on the number of users using a user agent, for the domain that is visited.
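The beaconing characteristics listed above (regular request intervals, near-constant request sizes, and the referrer/response context that separates a polling news ticker from a C&C check-in) map directly onto per-(source, destination) features. The block below is an added example written for this page, not Securonix's code: the log fields, the jitter values and the thresholds are constructed assumptions, and the brief's harmonic clustering is reduced to a coefficient-of-variation test on inter-request gaps.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed proxy lines: 'timestamp src_ip domain status referrer bytes_out bytes_in'."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # Beacon-like: roughly every 60 s with a few seconds of jitter, no referrer, fixed sizes.
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 0, 2]):
        ts = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{ts.isoformat()} 10.0.0.14 xk3j9qz7vb2.top 200 - 412 118")
    # Ticker-like: perfectly periodic too, but every request carries the polling page as referrer.
    for i in range(12):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.12 news.example.org 200 https://news.example.org/ 300 2400")
    # Human browsing: irregular gaps, referrers, varying response sizes.
    t = base
    for i, gap in enumerate([0, 7, 95, 12, 240, 3, 31, 410, 9, 66]):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.11 www.example.com 200 "
                     f"https://www.example.com/ {200 + 37 * i} {1000 + 900 * i}")
    return lines


def parse_line(line):
    ts, src, domain, status, referrer, b_out, b_in = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "domain": domain,
            "status": int(status), "referrer": referrer,
            "bytes_out": int(b_out), "bytes_in": int(b_in)}


def beacon_features(records, min_requests=8):
    """Per (src, domain) pair: interval regularity, size uniformity and referrer-less ratio."""
    pairs = defaultdict(list)
    for r in records:
        pairs[(r["src"], r["domain"])].append(r)
    feats = {}
    for key, rs in pairs.items():
        if len(rs) < min_requests:          # too few requests to call anything periodic
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation: ~0 for clockwork intervals, >1 for human browsing.
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        sizes = [r["bytes_out"] + r["bytes_in"] for r in rs]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        no_referrer = sum(r["referrer"] == "-" for r in rs) / len(rs)
        feats[key] = {"count": len(rs), "mean_gap": round(mean_gap, 1),
                      "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3),
                      "no_referrer_ratio": round(no_referrer, 3)}
    return feats


def detect_beacons(lines, max_gap_cv=0.15, max_size_cv=0.2, min_no_referrer=0.8):
    """Flag pairs that are periodic, uniform in size and not driven by a referring page."""
    records = [parse_line(line) for line in lines]
    hits = []
    for (src, domain), f in beacon_features(records).items():
        regular = f["gap_cv"] <= max_gap_cv and f["size_cv"] <= max_size_cv
        if regular and f["no_referrer_ratio"] >= min_no_referrer:
            hits.append({"src": src, "domain": domain, **f})
    return hits


if __name__ == "__main__":
    for key, f in beacon_features([parse_line(l) for l in build_sample_log()]).items():
        print(key, f)
    print("beacons:", detect_beacons(build_sample_log()))
```

The ticker pair scores a gap_cv of 0.0, exactly like the beacon, which is why a periodicity test alone would be a false positive generator; it is the referrer ratio (the page-side context the brief lists) that drops it. In a real deployment the DVS of the destination would be a further gate, so that a rare domain contacted on a schedule by a single host ranks above a popular one.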

User agent analysis is based on the following factors:

- user agent used
- domain visited (DVS score)
- known vulnerabilities based on the user agent string
- email client-based user agents, to detect domain visits based on email clicks

Other Indicators and Techniques

In addition to the above techniques, Securonix proxy analyzer also adds other enriched data segments during real-time analysis, including the following:

- detected content delivery networks (CDN) and other cloud-based providers
- detected ad tracking domains
- detected embedded files within GET requests
- detected threat intelligence collisions (only used as risk boosters)

Proxy Analyzer Threat Models

Once all the above algorithms kick in during real-time proxy ingestion, the resulting output consists of super-enriched high-fidelity threats. Using Securonix tiered analytics, the proxy analyzer maximizes the number of true positives and increases the yield-to-hit ratio. In most engagements, we notice that from billions of events and thousands of endpoints the analyzer picks out some 10-20 endpoints and a few hundred associated events that are all high-fidelity threats.

A sample threat model that is included as part of the analyzer is as follows:

Domain Anomalies
- Domain presence using DVS
- DGA detection
- Angler EK detection
- User agent analysis

Network Persistence
- Robotic beaconing

Abnormal Packet Downloads
- Detect suspiciously high byte levels associated with malicious domains. This is associated with a command and control server.

The above threat model is a sample that combines different layers of the proxy analyzer. When it detects anomalies from the above categories, it associates them with an endpoint or an entity in order to find high-fidelity threats.

ABOUT SECURONIX

Securonix is redefining the next generation of security monitoring using the power of machine learning and big data. Built on Hadoop, the Securonix solution provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and intelligent incident response on a single platform. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.

CONTACT SECURONIX

info@securonix.com
(310) 641-1000
1118