One of the biggest challenges in cyber security is dealing with the staggering volume of information that comes from activity on systems and making sense of it in order to turn raw data into intelligence – to derive warning signs of attacks, understand the nature of faults or provide evidenced reports to stakeholders.
Back in 2005, Gartner coined the term ‘security information event management’ (SIEM). They used it to describe a traditional security monitoring system that meets audit and compliance needs. However, as information security has evolved so too have the demands of the SIEM. In addition to streamlining your compliance reporting, you need to have:
Behaviour Anomaly Detection, also known as User Entity Behaviour Analytics (UEBA), gives your organisation the ability to detect ‘never seen before’ activity; the widest range of misuse, breaches and anomalous behaviour across your network, systems, users and application environments.
This means your security team can investigate and take action on outliers, advanced persistent threats, insider attacks, and command and control activity that indicate a breach has occurred – while there is still time to make a difference.
Huntsman Security’s UEBA automatically creates a dynamic baseline of normal behaviour and activity that allows the monitoring of data sources for unusual events, trends and patterns. Next Gen SIEM monitors netflow data and traffic patterns (including DNS logs and external connections) to track normal patterns of traffic flow between systems. Most commonly this would be between user systems or clients and servers, so the presence of malware or an attacker that was moving/connecting between systems within the workstation address ranges would be a detectable anomaly – especially if combined with other indicators of compromise such as user account/privilege abuse activity, external “phone home” traffic from proxies etc.
Where malware detections have come from dedicated malware detection/sandbox systems, the solution will take details of the malware detonation directly from the gateway and examine target hosts for signs of suspicious or predicted activity/traffic as well as registry key and file system changes. This, along with proxy or gateway logs, is then used to detect the spread of malware or an active attack in the environment where the “patient zero” had connected or infected other hosts that exhibit similar host compromise modifications and/or other cases that were apparent through similar patterns of activity.
Security threat detection;
Timely alerting & reporting, and;
Incident response capabilities.
When it comes to reducing cyber threat monitoring risk, time is absolutely critical. The longer your business is exposed to threats the greater the potential for damage. Consequently the more information that can be processed quickly, the greater the context for threat validation and resolution.
Huntsman Security’s Nex Gen SIEM provides real-time collection, management, processing and analysis of log, system, transaction, network, intelligence and activity data at very high speed (100,000 EPS). It continually monitors security controls and enterprise environments, and flags incidents immediately so analysts can investigate and respond.
Where attacks or malware detections have come from dedicated security defences or detection/sandbox systems, the SIEM takes details of the attack or malware directly and examines target hosts for signs of suspicious or predicted activity/traffic and system changes.
Our technology automatically gathers diagnostic data to enable your security team to rapidly understand the surrounding context of an alert, allowing them to clear benign alerts and false positives with complete confidence. Along with proxy or gateway logs and network traffic captures this identifies the spread of an active attack or infection in the environment where a “patient zero” or vulnerable system leads to the infection of other hosts as the attacker moves laterally.