NetTrust
The fundamental limitation of traditional SIEM and big data analytics solutions, which must analyze many third-party event formats through grammar customization, is that detecting advanced threats without relying on well-known (published) signatures and (standards-based) expressions requires strenuous and repetitive effort to develop policies with precision. The rules are not intuitive and require manual interpretation and assessment to define the decision logic. SIEM was primarily designed to analyze logs for compliance-centric reports that had deterministic join attributes to index into large datasets. Big data analytics solutions aggregate unstructured datasets for normalization and analysis, and require the user to define the policy grammar based on specific use cases and disparate data formats.
These solutions import logs from multiple standalone data sources where a join attribute is not explicit, and event correlation is a disjointed process. Landed malware that successfully evades perimeter network security controls does not generate self-incriminating logs, so collecting log data alone is inadequate for effective analytics. What's more, high-volume data retention for long-tail forensic analysis (a months-long window of exposure) is a major cost-benefit trade-off for many enterprises in the cloud and blockchain era. In contrast, NetTrust's correlation and analytics engine maps rule-based network events to discrete stages in the life cycle of a threat and generates infection profiles in real time; over time these profiles are mapped to behavior-based threat patterns, an automated calculus that joins the dots and amplifies the signal as a precursor to deep-dive assessments. The NetTrust callback detection engine provides unique capabilities to assess signaling integrity and data exchange between systems for command and control beacons (dial-homes), attack preparation and data exfiltration.
How does NetTrust empower security professionals to spot an active risk, accelerate the threat investigation phase and reduce dwell time before remediation actions commence?

The challenge when dealing with big data is the low signal-to-noise ratio. High-profile publicized data breaches have clearly demonstrated that timely response is hindered until definitive conclusions are reached, the relevance of the threat is ascertained, and the degree of risk is determined in order to triage and prioritize remediation actions for countermeasures. Security stakeholders have to process events associated with thousands of systems; this becomes an overwhelming task without any early means of isolating at-risk systems before investigations commence. NetTrust's Active Risk Dashboard is a heads-up display that serves as a pivot (anchor) point for identifying at-risk systems, with drill-down views of the external risk indicators and forensic evidence that prime the analytics process. This empowers security professionals to ingest these system-level behavior assessments contextually within the calculus of expert systems developed in-house, leveraging third-party SIEM frameworks to apply countermeasures quickly.
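The two ideas in the preceding paragraphs, mapping rule-based network events to life-cycle stages to build a per-host infection profile and detecting command-and-control beacons from connection timing, can be shown together in a small correlation routine. The following is an added illustration written for this page; it is not NetTrust's code, and the rule names, stage weights, hosts, destination addresses and timestamps are all constructed for the example. The beacon check uses the coefficient of variation of inter-connection gaps, which is a generic periodicity test, not a description of how NetTrust's callback detection engine works.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed mapping from (hypothetical) rule names to life-cycle stages.
RULE_STAGE = {
    "exploit_landing_page": "delivery",
    "binary_download_no_referrer": "installation",
    "dns_txt_query_burst": "command_and_control",
    "large_outbound_upload": "exfiltration",
}
STAGE_ORDER = ["delivery", "installation", "command_and_control", "exfiltration"]
# Later stages weigh more: a confirmed exfiltration matters more than a page visit.
STAGE_WEIGHT = {"delivery": 1, "installation": 2, "command_and_control": 4, "exfiltration": 8}


def is_beacon(timestamps, min_hits=4, max_cv=0.2):
    """True when connections from one host to one destination look timer-driven.
    Human browsing produces irregular gaps; a dial-home fires on a schedule with
    small jitter, so the gaps' standard deviation is small relative to their mean."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return (pstdev(gaps) / avg) <= max_cv


def build_profiles(events):
    """events: dicts with host, dst, ts (seconds) and an optional rule that fired.
    Returns {host: {"stages": [...], "score": int, "beacon_dsts": [...]}}."""
    stages = defaultdict(set)
    conn_times = defaultdict(list)  # (host, dst) -> [ts, ...]
    for ev in events:
        stage = RULE_STAGE.get(ev.get("rule"))
        if stage:
            stages[ev["host"]].add(stage)
        conn_times[(ev["host"], ev["dst"])].append(ev["ts"])

    profiles = {}
    hosts = set(stages) | {h for h, _ in conn_times}
    for host in hosts:
        beacon_dsts = sorted(dst for (h, dst), ts in conn_times.items()
                             if h == host and is_beacon(ts))
        seen = set(stages.get(host, ()))
        if beacon_dsts:  # timing evidence counts as command-and-control even with no rule hit
            seen.add("command_and_control")
        ordered = [s for s in STAGE_ORDER if s in seen]
        score = sum(STAGE_WEIGHT[s] for s in ordered)
        # A chain of three or more stages on one host is far stronger evidence than
        # the same stages scattered across several hosts, so amplify it.
        if len(ordered) >= 3:
            score *= 2
        profiles[host] = {"stages": ordered, "score": score, "beacon_dsts": beacon_dsts}
    return profiles


def at_risk(profiles, threshold=4):
    """Hosts worth a dashboard entry, highest score first."""
    ranked = sorted(profiles.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(h, p["score"]) for h, p in ranked if p["score"] >= threshold]


# Constructed sample events (addresses from documentation ranges, not real hosts).
SAMPLE_EVENTS = [
    {"host": "10.0.1.5", "rule": "exploit_landing_page", "dst": "198.51.100.7", "ts": 0},
    {"host": "10.0.1.5", "rule": "binary_download_no_referrer", "dst": "198.51.100.7", "ts": 30},
    # No rule matched these posts; only their regular timing gives them away.
    *[{"host": "10.0.1.5", "rule": None, "dst": "203.0.113.9", "ts": t}
      for t in (100, 160, 221, 280, 341)],
    {"host": "10.0.1.5", "rule": "large_outbound_upload", "dst": "203.0.113.50", "ts": 900},
    # Ordinary browsing from another host: irregular gaps, no rule hits.
    *[{"host": "10.0.1.8", "rule": None, "dst": "93.184.216.34", "ts": t}
      for t in (5, 12, 300, 310, 900)],
    # A host that only reached the landing page.
    {"host": "10.0.1.9", "rule": "exploit_landing_page", "dst": "198.51.100.7", "ts": 40},
]

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_EVENTS)
    for host, score in at_risk(profiles):
        print(host, score, profiles[host]["stages"], profiles[host]["beacon_dsts"])
```

Run as a script it prints only the host that progressed through the whole chain; the single landing-page visit stays below the dashboard threshold, which is the signal-to-noise separation the paragraph above describes.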
How does NetTrust facilitate actionable threat intelligence sharing through APIs and grammar for interoperability?

Sharing of external threat information is a key component of any comprehensive and strategic defense against cyber threats. Daily threat intelligence, harvested through honeypots, technology partners, and security advisories published by standards-based organizations (e.g. NIST, MITRE, US-CERT), is available from many reliable sources. Equally critical is the sharing of internal security assessments pertaining to the vulnerability, compliance, and patch metrics of networked systems, harvested through periodic policy-based scans by security controls. However, combining an internal point-in-time snapshot of measured configuration with external threat intelligence requires a higher degree of real-time corroboration and attribution in the threat intelligence produced by security products deployed within the enterprise. NetTrust provides full interoperability with other vendors' products through connectors, inbound REST APIs, and industry-standard notation (grammar) for attribution-based threat information exchange within the security community. The threat grammar is transparent and extensible for customization. With just a few clicks, NetTrust provides capabilities to identify and define threat grammar for an episode, enabling timely sharing of threat intelligence across the community with full anonymization of private information for confidentiality.
How does NetTrust facilitate plugging internal pathways to continuously sustain the compliance posture for cyber insurance?

Continuous audit of field-accessed controls provides closed-loop monitoring to verify the effectiveness of input-centric controls at the hard edge (e.g. network firewalls, intrusion prevention systems) and within the soft core. Misconfiguration of systems, network elements and edge controls leads to "fire holes" that serve as conduits for malware to thrive. Internal network topology, implemented by use of VLANs and Layer 2 switch ACLs, also exposes pathways for internal threats to propagate between the web, application and database tiers. NetTrust provides the capability to annotate subnets granularly in rule grammar for early indicators of risk exposed between the user, network device and server silos, enhancing resiliency within your network. The granularity reduces false positives and provides privilege-based assessments to qualify network dialogs between silos.
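The silo model in the paragraph above, subnets annotated with a tier and only certain dialogs permitted between tiers, is easy to express as a small policy check over observed flows. The following is an added example for this page, not NetTrust's rule grammar or code; the subnets, tiers, permitted ports and sample flows are all constructed, and the three verdicts (tier skipped or reversed, intra-tier lateral traffic, wrong privilege for an otherwise permitted dialog) are this example's own classification.

```python
import ipaddress

# Constructed tier annotations: hypothetical subnets, not a real topology.
TIERS = {
    "user":   [ipaddress.ip_network("10.10.0.0/16")],
    "web":    [ipaddress.ip_network("10.20.1.0/24")],
    "app":    [ipaddress.ip_network("10.20.2.0/24")],
    "db":     [ipaddress.ip_network("10.20.3.0/24")],
    "netdev": [ipaddress.ip_network("10.0.0.0/24")],
}
SERVER_TIERS = {"web", "app", "db"}

# Permitted dialogs between silos and the ports (privilege) each may use.
# Anything not listed is a pathway that should not exist.
ALLOWED = {
    ("user", "web"): {443},
    ("web", "app"): {8443},
    ("app", "db"): {5432},
    ("netdev", "netdev"): {22, 161},
}


def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    for tier, nets in TIERS.items():
        if any(addr in net for net in nets):
            return tier
    return "unknown"


def assess_flow(src, dst, dport):
    """Return (verdict, reason). verdict is 'ok', 'lateral' or 'port'."""
    s, d = tier_of(src), tier_of(dst)
    if s == d and s in SERVER_TIERS:
        return "lateral", f"{s}->{d} peer-to-peer traffic inside a server tier"
    allowed = ALLOWED.get((s, d))
    if allowed is None:
        return "lateral", f"no permitted dialog {s}->{d}"
    if dport not in allowed:
        return "port", f"{s}->{d} on port {dport}; permitted ports {sorted(allowed)}"
    return "ok", f"{s}->{d}:{dport}"


def find_pathways(flows):
    """flows: iterable of (src, dst, dport). Returns the flows that violate the silo
    policy, each with its verdict and a human-readable reason."""
    findings = []
    for src, dst, dport in flows:
        verdict, reason = assess_flow(src, dst, dport)
        if verdict != "ok":
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "verdict": verdict, "reason": reason})
    return findings


# Constructed sample flows.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.1.10", 443),   # user -> web over HTTPS: expected
    ("10.20.1.10", "10.20.2.10", 8443),  # web -> app: expected
    ("10.10.4.21", "10.20.3.5", 5432),   # user straight to db: tier skipped
    ("10.20.3.5", "10.20.2.10", 445),    # db -> app: wrong direction
    ("10.20.1.10", "10.20.1.11", 22),    # web -> web SSH: intra-tier lateral
    ("10.20.2.10", "10.20.3.5", 22),     # app -> db, but SSH rather than the database port
]

if __name__ == "__main__":
    for f in find_pathways(SAMPLE_FLOWS):
        print(f["verdict"], f["src"], "->", f["dst"], f["dport"], "|", f["reason"])
```

Because the policy is keyed on tier rather than on individual addresses, a host moved within a subnet needs no rule change, and a single flow from the user silo to the database tier is flagged on its first occurrence rather than after a volume threshold, which is the false-positive reduction the paragraph attributes to granular annotation.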