• ARPU – Average Revenue Per User
Bank managers face complex challenges in balancing security spending against evolving internet commerce risks. Criminals have managed to change the battlefield in the war on cyber-crime under the noses of the enterprise community. Highly intelligent exploit kits and trojans bypass layers of security with ease. To prepare for these new adversaries, new and advanced levels of protection are needed to facilitate current and future security objectives. Expert Security addresses the need to implement a more robust and cost effective level of expertise, and bridges the gap to Managed Security Services, which are based on a cloud-based model. It’s no longer about adding never-ending layers of protection that fit within a security budget – it’s ensuring that the layers that exist are clever enough to mitigate modern attacks. This is paramount in ensuring asset protection. Network Behavior Analysis is a new building block in Expert Security, and offers a viable solution for state-of-the-art cyber-attacks. This presentation outlines some of these threats and how companies are protecting their clients from modern and sophisticated attacks.
Cognitive Security offers a suite of solutions focused on protecting clients against network attacks. This is achieved through a range of products and services called Cognitive Analyst, using Network Behavior Analysis (NBA) and Anomaly Detection (AD). Our goal is to close the vulnerability gap of today’s security limitations, which concentrate only on identifying known threats. NBA can detect modern threats such as zero day attacks, advanced persistent threats, and polymorphic malware – none of which are traditionally detected by signature based solutions. Modern attack vectors require a higher level of security expertise to provide the information necessary to mitigate threats before damage is caused. Cognitive Analyst is not a replacement for existing security devices. Instead, it complements existing protection strategies by enhancing the intelligence necessary for detecting future hackers. Our platform serves to discover unique threats that breach a company’s perimeter. Artificial intelligence and game theory methods are used to “catch criminals in the act”.
Cognitive1 is ideal for enterprise clients looking for a robust and cost effective network behavior analysis platform. This includes any finance sector client who needs to protect their environment from fraud. Cognitive1 is also suitable for vertical markets that need to protect their sensitive data from intellectual property (IP) theft. The design goal of Cognitive1 is to ensure that clients have an easy to deploy platform that self-configures and auto-tunes to any network environment. The features of Cognitive1 include:
Cognitive10 targets clients with high speed networks and traffic volumes. This includes telecom providers, mobile operators, network service providers (NSPs or ISPs), or data hosting providers. Cognitive10 is specifically designed to handle high-throughput networks, while maintaining accuracy in detecting modern sophisticated attacks. The features of Cognitive10 include those of Cognitive1 and expand with these additional capabilities:
CognitiveExpert focuses on clients who have requirements for high resolution and data analysis sensitivity. CognitiveExpert is offered to a select group of clients who require bespoke security, such as government organizations, non-governmental organizations (NGO), and critical infrastructure providers. These clients may have smaller data throughput requirements, but need a highly accurate platform for detecting attacks. CognitiveExpert requires a mandatory hardware probe and user-based Deep Packet Inspection (DPI) module for data provisioning. Capabilities of CognitiveExpert include:
Cognitive Analyst is a Network Behavior Analysis platform designed to identify a wide range of threats inside a client’s network. It differentiates itself through a low rate of false positives, a low overhead installation, and a unique self-adapting feature that monitors and improves the system’s accuracy over time. Our competitive advantage is based on the use of advanced artificial intelligence and specialized anomaly detection technologies that ensure highly accurate detection. The intelligence collected by Cognitive Analyst results in an easy-to-integrate, reliable system with long-term stability.
The system processes standard NetFlow v5/9/IPFIX data, available from a wide range of network devices. NetFlow does not contain the contents (i.e., the payload) of a communication, therefore data privacy is maintained. Simplicity and efficiency enable the analysis of high-speed links. NetFlow and IPFIX are provided by widely available Cisco, HP, and Juniper switches, routers, and dedicated hardware or software probes.
Data received by Cognitive Analyst establishes a baseline for network behavior; the system then analyzes any deviations that occur against this baseline. Deviations may be potential security breaches. These anomalies are then processed in a self-organized, multi-stage process that is designed to reduce the number of false alarms while retaining a high level of threat sensitivity. Incidents discovered are categorized into a number of broad classes and are checked against established threat models and security policies. Any findings are reported to the user through a flexible array of data formats (such as web, email, syslog, or a Security Information and Event Management (SIEM) platform). Cognitive Analyst supports standard IDMEF reporting and a variety of other formats.
The initial stage of processing is with NetFlow or IPFIX data. This information goes through a “Core Processing” module, consisting of algorithms and agents. Individually these algorithms create a trustfulness score from the data, and output their results to ‘Knowledge Fusion’ to determine which score is the most accurate.
Then the “Self-Monitoring” module introduces various synthetic attacks back into the system to enhance the resiliency of the algorithms. The algorithms are not aware that this is simulated data. This is analogous to airport security staff who need to detect false representations of guns or knives that are periodically displayed on their monitors, to ensure the officer is paying attention.
The game-theoretical model provides an aspect of randomness to the system. It ensures that the attacker can never predict the behavior of Cognitive Analyst. The key to high performance is in the combined strengths of the individual detection algorithms, while at the same time eliminating any inherent weaknesses.
In addition, ‘Policies and Models’ are introduced into the platform to allow conformance to corporate security mandates, and to have the system focus on specific parameters, such as particular attacks, key assets, or custom challenges.
Finally, the ‘Reporting and Dashboard’ module collects results into a database and parses them into an easy-to-understand user dashboard. Users can navigate to various screens and select an appropriate level of detail to analyze and diagnose threats. Data can also be written into various formats such as syslog, email, and SMS, and can also be sent to SIEM or Managed Security Service (MSS) correlation engines for further examination.
Cognitive Security’s product range offers an unprecedented level of visibility into an intruder’s activities. It is analogous to ‘turning on the light, and surprising the cat burglar’. With the use of artificial intelligence, and game theory, this platform provides administrators and security practitioners the ability to quickly assess and mitigate attacks that have traversed their perimeter. These core competencies are offered through a range of products and services called Cognitive Analyst.
Cognitive Analyst provides a highly-interactive web interface that allows an administrator to continuously monitor the status of their network. By using artificial intelligence, Cognitive Security accelerates the identification of zero day exploits, botnets, or modern malware attacks that may be used to steal corporate assets or intellectual property, or to commit fraud. The user interface supports an in-depth investigation of individual security incidents or network anomalies, allowing appropriate actions against attackers. Cognitive Analyst is based on a state-of-the-art anomaly detection methodology, and utilizes the Cooperative Adaptive Mechanism for Network Protection (CAMNEP) algorithm. CAMNEP is based on the latest advances in the field of trust modeling and reputation handling. The platform utilizes standard NetFlow/IPFIX data, and does not require supplementary information (such as application data or user content). Data privacy and data protection are maintained throughout the security monitoring process.
Cognitive Analyst’s products and services utilize a multi-stage detection algorithm to generate a Cognitive Trust Score (CTS), which measures the overall ‘Trustfulness’ of the data. Eight algorithms are used to increase the accuracy of threat detection, and these collectively generate the CTS used for the subsequent mitigation of an attack. A selection of these algorithms is summarized as follows:
Cognitive Analyst implements seven agents, summarized into the following groups:
From the moment that Cognitive Analyst connects to the network, it begins to capture traffic. Within the first five minutes the self-initialization step begins: the system captures its first traffic samples and begins analyzing data using two agents. After ten minutes a third agent is live, and after thirty minutes all agents are active and processing their own trustfulness score. At the thirty minute mark the system begins self-configuration, and ‘agent replacement’ begins. This is where the Knowledge Fusion function decides which agent data will be utilized in determining the final Cognitive Trust Score (CTS). After one hour Cognitive Analyst is fully operational, and begins self-optimization with improved accuracy as time progresses. Threat discovery increases in accuracy as the system optimizes throughout its lifetime.
The main dashboard depicts an overview of the flows categorized by overall trustfulness (the Cognitive Trust Score, or CTS). Green indicates the lowest risk (i.e., highest trust). Red means high risk. Various grades of risk are displayed in between. The table also shows an overview of trustfulness based on a selected timeframe (this could span minutes, days, or even weeks, as specified by the administrator). An events overview tab summarizes all of the categorized traffic and provides details such as source and destination IP addresses, the type of events associated with the traffic, and the total bytes, flows, and events linked to each.
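The following is an added toy model, not Cognitive Security's code and not the CAMNEP algorithm, showing the shape of the pipeline described above: per-source trustfulness from independent anomaly agents over NetFlow-style records, a self-monitoring step that injects a constructed synthetic attack to weight the agents, weighted fusion into a CTS, and the green/amber/red grading of the dashboard. The two agents, the thresholds, the fusion weights, the colour cut-offs, and all flow records are assumptions for illustration.

```python
"""Toy multi-agent trust scoring over NetFlow-style records (illustrative model only)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-v5-style records: (src, dst, dst_port, bytes, packets)
BASELINE = [("10.0.0.5", f"10.0.1.{i}", 443, 50_000, 40) for i in (1, 2, 3)] \
         + [("10.0.0.6", "10.0.1.9", 80, 30_000, 25)] * 3
# Current window: baseline traffic plus one host touching 40 peers with tiny packets
CURRENT = BASELINE + [("10.0.0.7", f"10.0.1.{i}", 445, 120, 2) for i in range(1, 41)]
# Constructed synthetic attack injected by self-monitoring: a scanner with normal packet sizes
SYNTHETIC = [("192.0.2.99", f"10.0.1.{i}", 443, 50_000, 40) for i in range(1, 31)]

def _per_source(flows):
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    return by_src

def fanout_agent(flows, baseline):
    """Trust falls as a source's distinct-destination count exceeds baseline mean + 3 sigma."""
    counts = [len({f[1] for f in fs}) for fs in _per_source(baseline).values()]
    limit = mean(counts) + 3 * pstdev(counts)
    return {src: max(0.0, 1 - max(0.0, len({f[1] for f in fs}) - limit) / limit)
            for src, fs in _per_source(flows).items()}

def packet_size_agent(flows, baseline):
    """Trust falls with the z-score of a source's mean bytes-per-packet against baseline."""
    bpp = [f[3] / f[4] for f in baseline]
    mu, sigma = mean(bpp), pstdev(bpp) or 1.0
    return {src: max(0.0, 1 - abs(mean(f[3] / f[4] for f in fs) - mu) / sigma / 10)
            for src, fs in _per_source(flows).items()}

AGENTS = (fanout_agent, packet_size_agent)

def self_monitoring_weights(baseline):
    """Weight an agent 1.0 if it scores the synthetic attacker below 0.5, else 0.5 (assumed rule)."""
    return {a.__name__: 1.0 if a(baseline + SYNTHETIC, baseline)["192.0.2.99"] < 0.5 else 0.5
            for a in AGENTS}

def knowledge_fusion(flows, baseline):
    """CTS per source: weighted mean of the agents' trust scores."""
    weights = self_monitoring_weights(baseline)
    scores = {a.__name__: a(flows, baseline) for a in AGENTS}
    total = sum(weights.values())
    return {src: sum(weights[n] * scores[n][src] for n in scores) / total
            for src in scores[AGENTS[0].__name__]}

def grade(cts):
    """Dashboard colour: green = high trust, red = low trust, amber between (cut-offs assumed)."""
    return "green" if cts >= 0.7 else "amber" if cts >= 0.4 else "red"
```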
The main dashboard also allows the user to quickly select the top IP address of concern, or the top ten IP targets in the given timeframe. An events list provides further details into the top events that can be analyzed by the user.
An overview graph can be configured using filters selected by the user. This graphical representation of filtered events allows users to quickly retrieve detailed information, and to drill down to finer details associated with an attacker’s activities and their behavior.
The state of the Dashboard screen has now been integrated into the URL itself. This allows users to modify the URL in their browser to customize the dashboard and save this in their browser favorites for future access. Or it could be shared with another security administrator. The URL can be edited to include pre-set filters, displayed tab, and time period.
Cognitive Security offers the Analyst platform in the following configurations:
Cognitive Analyst can be deployed as an appliance, or in combination with a monitoring service. As a service offering, Cognitive Security’s expert analysts provide security monitoring to supplement a client’s security team. Several service levels are offered to address the mosaic of needs of vertical and horizontal markets. Our analysts provide the needed flexibility to an existing security department, and help them to regulate the fine balance between budgets and the need for new security layers.
Deployment options for Cognitive Analyst enjoy a high level of flexibility, in order to enhance a client’s threat detection capabilities:
Government, CERT, and educational institutions can benefit from specific terms and pricing. Contact us for details.
Cognitive Analyst detects modern attacks against corporations through intelligent, self-learning analysis of network traffic:
Cognitive Analyst has been actively developed with the support of the Department of Defense, in the USA.
The Cognitive Analyst is not only used to complement an existing intrusion detection deployment, but to also add a critical new layer in a security ecosystem. Below are some key differentiators of the Cognitive Analyst series:
Virtually every corporate, non-profit institution, or government organization in the world is dependent on network access and information services. Securing these networks and systems against automated and hacker-driven attacks is becoming critically important with the growing number of information and asset misuse. Current security solutions are surprisingly fragile when facing today’s sophisticated adversaries. Cognitive Security differentiates itself by providing clients with an advanced platform built on artificial intelligence, and sophisticated modules for auto-configuration and self-tuning.
Cognitive Security specializes in Network Behavior Analysis, allowing businesses to identify and protect themselves against sophisticated network attacks. Cognitive Security offers solutions designed to fill the security gaps left by the current generation of network security tools. Our expertise in Network Behavior Analysis allows us to accurately expose both known and unknown attacks. Our solution is ideally suited for the detection, prioritization and handling of modern-day attack patterns that would typically bypass or evade a client’s defenses.
Gabriel Dusil oversees the global sales & marketing strategies of Cognitive Security, with a mandate to expand the company’s presence across Europe, the USA, and beyond.
Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA). Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles.
Over nearly two decades, Gabriel’s experience has encompassed the development and management of international partner programs, EMEA marketing & sales, and business development. Gabriel has also lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums.
Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.
Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis, Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident Response, Security as a Service, SaaS, Managed Security Services, MSS, Monitoring & Management, Advanced Persistent Threats, APT, Zero-Day attacks, Zero Day attacks, polymorphic malware, Modern Sophisticated Attacks, MSA, Non-Signature Detection, Artificial Intelligence, A.I., AI, Security Innovation, Mobile security, Cognitive Security, Cognitive Analyst, Forensics analysis, Gabriel Dusil
“Advanced Persistent Threats”, or APTs, involve low-level reconnaissance and exploitation of security perimeters in order to collectively launch a targeted and prolonged attack. The goal is to gain maximum control over the target organization. APTs pose serious concerns to a security management team, especially as APT tool-kits become commercially and globally available. Today’s threats involve polymorphic malware and other techniques that are designed to evade traditional security measures. Best-in-class security solutions now require controls that do not rely on signature-based detection, since APTs are “signature-aware” and designed to bypass traditional security layers. New methods, such as Behavioral Analysis, are needed to combat these new threats. Network Behavior Analysis proactively detects and blocks suspicious behavior before significant damage can be done by the perpetrator. This presentation provides some valuable statistics on the growing threat of APTs.