Tag: polymorphic malware

Cognitive Security – Positioning Network Behavior Analysis in the Security Ecosystem


Cognitive Positioning

Modern Internet security practice has traditionally been formed by building security layers. These layers are analogous to multiple concentric walls, each additional wall providing a further layer of protection. Individually each wall has its limitations, but collectively they create a strong defensive perimeter. The challenge CTOs and CISOs face is in balancing security spending against the level of protection needed to facilitate corporate objectives. This balance is formed by establishing a corporate strategy and mapping security spending to protect those goals.

The first layer of defense, Baseline Security (as shown in the figure), is considered ubiquitous and necessary for even the smallest of enterprises. Namely, the installation of:

  • Firewalls to reduce the number of accessible ports, and provide basic packet filtering functionality
  • Anti-virus solutions to protect desktops and servers from known malware, viruses, and Trojans
  • Email security to prevent malicious code from infiltrating the perimeter hidden in the communication stream, and
  • VPN solutions (such as SSL, IPsec, or point-to-point tunnels) to impede man-in-the-middle attacks, and encrypt sensitive traffic.

Until recently these devices have enjoyed an install-and-forget approach, based on the notion that they can protect through technology alone. Through tried and true product updates, Baseline Security devices have been relatively successful in keeping up with new malware instances such as worms, Trojans or viruses. But this security layer struggles with its own limitations: the timeliness of signature updates, the speed with which vendors write them, and the reliance on end-users to deploy software patches immediately.

Figure i – The Security Eco-System


As threats have become more complex, Advanced Security has evolved to meet these growing needs. Devices at this security layer focus on a cross-device, multi-layer, and multi-department view of security. Criminals are well aware of the latency that software vendors face in writing a signature. This delay allows perpetrators to maximize the damage that their malware can do during their window of opportunity. Ultimately this opportunity closes when the end user finally deploys the associated patch. Attack detection is further complicated by viruses that can morph to avert detection, referred to as ‘polymorphic malware’. Signature databases for known viruses are typically not up-to-date with the latest variants. For these reasons it has become increasingly challenging for Baseline Security devices to keep up with criminals that are continually evolving their craft to circumvent detection. Automatic signature updates and patching still rely on administrators to deploy them. But patching does not always happen, because it may lead to application instability and compatibility issues for mission critical applications. As a result, this opens additional opportunities for criminal hackers to breach the perimeter of a company.

  • An Intrusion Detection and Prevention system (IDS and IPS respectively) greatly enhances the administrator’s visibility into complex threats to their environment, and overcomes some of the detection limitations of Baseline Security devices. For example, an IDS in stealth mode extends its visibility to all traffic on a LAN segment, or on a SPAN (mirror) port, thus increasing its security monitoring capabilities across multiple devices, compared to firewalls that only see what passes through them.
  • Likewise, Vulnerability Management and Scanning Services (VMS) provide visibility into the exposed ‘holes’ that criminals could exploit to compromise the enterprise. VMS solutions are initially deployed to detect vulnerabilities of critical web-facing applications such as online banking, and are also very effective in identifying enterprise-wide weaknesses. Once identified, these vulnerabilities require prioritization due to human resource constraints and the cost of patching every single vulnerability. As a result, prioritization is required so that only the gaping holes are filled. Most of the remaining vulnerabilities, classified as ‘low risk’, are left exposed.
  • A further layer of defense in this category is the implementation of Web Security, which provides the necessary protection of content filtering. Since many firewalls only have port 80 (HTTP) and 443 (HTTPS) open, most threats have been redirected through these ports. Web Security mitigates some of these attacks by filtering browser-level communications, as well as significantly reducing spam traffic.
  • Web Application Firewalls, on the other hand, provide a different level of protection at the application level, by mitigating attacks undetectable by network security appliances, such as SQL injection or cross-site scripting (XSS).
  • Identity and Access Management (IAM) further diverts focus from the device level over to one of the most vulnerable corporate resources: employees. By extending security to include people, the mantra becomes “Let the good guys in”, not “Keep the bad guys out”, and encompasses fairly complex deployments of Authentication, Authorization, & Accounting (AAA) solutions. These solutions have their own challenges in modifying the corporate culture and providing security awareness education.
Figure ii – Modern Threats Require Higher Walls

Implementing some or all of these security layers results in escalating complexity. Advanced Security requires a level of security expertise that does not exist in a typical SME (Small to Medium sized Enterprise). SMEs don’t have the in-house expertise to configure, tune and efficiently operate these platforms, and outsourcing options are also considered cost-prohibitive.

Even though Advanced Security devices answer the need to protect against an exponential increase in attack complexity, is it enough? Even Advanced Security devices have their limits since they focus on known attack patterns. Current and future attacks now focus on unknown attack patterns.

Ideally, an operating system (OS) vendor, software company, or device manufacturer would like to discover their own vulnerabilities and patch them at their leisure. Currently most patches are available in days, but some patches take weeks or months to write. Regardless, 37% of vulnerabilities are never patched[1]. At the very least, vendors would prefer to be informed by security researchers that a vulnerability exists in their product before it is made public, allowing them time to create a patch. The hope is that a patch will precede any exploit before the criminal eMarketplace can take advantage of it (shown in the figure as “Ideal”). Unfortunately, in some cases the criminals win the race and deploy an exploit before a patch is available, as shown in the figure as a “Threat”. What has become common practice today for modern cyber-threats, however, are exploits that are deployed before the underlying vulnerability is even known, labeled as “zero-day” attacks. Once such an exploit is deployed in cyberspace, the industry is caught unaware of the source vulnerability. In this scenario, since the vulnerability isn’t known, the industry must scramble to reverse engineer the exploit, using sophisticated forensics and reverse engineering techniques to determine what the source vulnerability is. Once a reverse engineer identifies the vulnerability they can create a patch to protect against the attack. To minimize exposure, some vendors focus on creating signatures against the exploit itself (of which there may be thousands). In other words, they want to be able to detect when a zero-day attack is occurring even if they don’t yet know the vulnerability. It’s similar to monitoring a thief entering your home before you have installed a lock on the door: at least you can catch them in the act. The next phase in this reverse engineering process is to replace the exploit signatures with the vulnerability signature.
Zero-day exploit criminals enjoy looting identities, committing fraud, or stealing corporate secrets. They also avert detection by morphing their attack. The company must increase resources to thwart the attack and defend against each variant. Modern sophisticated attacks require a combination of intelligence, self-learning, and the ability to analyze a longer timeline of data in order to distinguish between normal and anomalous network behavior.

Expert Security evolves defense strategies to the next level, and offers a cost effective approach to solving complex security threats. As mentioned above, zero-day attacks do not have signatures or “blueprints”. This is intentional from the criminal’s perspective, because their vulnerability database is a valuable asset in the lucrative acquisition of corporate secrets, leading to a huge pay-cheque. Therefore it’s beneficial for the criminal to keep their portfolio of vulnerabilities secret, so that they can spend an unhindered timeframe writing their exploits. Enter Network Behavior Analysis and Anomaly Detection (NBA & AD), which uses a series of algorithms and artificial intelligence (A.I.) to learn the normal behavior of a network and separate the bad traffic from the good. NBA & AD identifies attacks that have no known signature or pattern, and provides the necessary protection against state-of-the-art attacks. This approach effectively builds a higher wall against cyber criminals, making it even more difficult for them to compromise valuable client resources. Ideally the goal is to create a scenario where it is financially impractical for the criminal to deploy their attack, and where they conclude that there is a poor return on investment (ROI) in their efforts. NBA increases the operational costs for a criminal, deterring their interest in the corporate asset.

Figure iii – Vulnerability vs. Exploit vs. Patch


Although some enterprises view Security as a Service as a costly alternative in their security spending, and have perceived concerns about losing control of their critical assets to the cloud, this solution is often a necessary evil to keep up with the battle being fought in cyberspace. Expert Security addresses the need to implement more robust and cost effective levels of expertise, and also helps to bridge the gap to higher, and more expensive, enterprise security solutions such as Security as a Service. As companies grow, their need for additional layers of protection is paramount to ensure asset protection. Network Behavior Analysis and Anomaly Detection are the building blocks of Expert Security. Security as a Service supplied by Managed Security Service Providers (MSSP) is currently the definitive layer in the security eco-system. This layer adds assets such as people, process and expertise, to provide 24×7 security monitoring and address the need to protect companies during off-hours, a time when employees are asleep but the criminals are not. Expert Security helps to ease the transition for companies considering Security as a Service, and provides a cost effective approach to such a transition. Network Behavior Analysis solutions utilize a sophisticated product based approach which assists in the diagnosis of modern attack vectors, and provides a new level of visibility in MSSP diagnostics.

Synopsis

Corporate leaders face complex challenges in balancing security spending against the evolving risks that internet commerce presents. This has resulted in new and advanced levels of protection. Expert Security addresses the need to implement more robust and cost effective levels of expertise, and helps to bridge the gap to higher, culturally adverse, outsourced solutions. As companies expand, their need for additional layers of protection is paramount to ensure asset protection. Network Behavior Analysis is the building block of Expert Security, and offers a viable solution to modern sophisticated cyber-attacks.

About Cognitive Security

Cognitive Security specializes in Network Behavior Analysis, allowing businesses to identify and protect themselves against sophisticated network attacks.

Cognitive Security offers solutions designed to fill the security gaps left by the current generation of network security tools. Our expertise in Network Behavior Analysis allows us the ability to accurately expose both known and unknown attacks. Our solution is ideally suited for the detection, prioritization and handling of modern-day attack patterns that would typically evade a client’s defenses.

Please contact us at www.Cognitive-Security.com, or info@cognitive-security.com for more details.

About the Author

Gabriel Dusil oversees the global sales & marketing strategies of Cognitive Security, with a mandate to expand the company’s presence across Europe, the USA, and beyond.

Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA).  Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles.

Over nearly two decades, Gabriel’s experience has encompassed the development and management of international partner programs, EMEA marketing & sales, and business development.  Gabriel has also lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums.

Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.

Tags

Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis, Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident Response, Security as a Service, SaaS, Managed Security Services, MSS, Monitoring & Management, Advanced Persistent Threats, APT, Zero-Day attacks, Zero Day attacks, polymorphic malware, Modern Sophisticated Attacks, MSA, Non-Signature Detection, Artificial Intelligence, A.I., AI, Security Innovation, Mobile security, Cognitive Security, Cognitive Analyst, Forensics analysis, Gabriel Dusil


[1] IBM X-Force® 2011 Mid-year Trend and Risk Report, Figure. 33: Vendor Patch Timeline 11.H1

Cognitive Security • Corporate Introduction


Synopsis

Corporate leaders face complex challenges in balancing security spending against evolving Internet risks. This has resulted in advanced levels of protection needed to facilitate future strategic objectives. Expert Security addresses the need to implement a more robust and cost-effective level of expertise, and helps bridge the gap to culturally adverse corporate solutions such as Managed Security Services (MSS). As companies expand, their need for additional layers of protection is paramount to ensure asset protection. Network Behavior Analysis (NBA) offers a new building block for Expert Security. NBA offers a viable solution to modern sophisticated cyber-attacks. This presentation outlines our corporate overview and market positioning for Network Behaviour Analysis and their products and services.

Download the Original Presentation here:

Portfolio – Cognitive Security, Corporate Introduction (’12).pptx.


Cognitive Security • Telco & Mobile Security


Synopsis

As mobile data is expected to grow 16 fold over the next four years*, mobile providers are facing new challenges in balancing subscriber ease-of-use and cyber-protection. The explosion in cellular usage and mobile commerce will require advanced levels of protection for mobile users, as hackers continue to find new vulnerabilities. A dual strategy including end-point and infrastructure security will provide robust and cost-effective levels of protection. It will expand provider revenue streams to enhanced services, and increase their ARPU through value-added security. Network Behavior Analysis is a viable building block of infrastructure security, and helps protect a collective subscriber base against sophisticated mobile cyber-attacks.
•  *Cisco – Visual Networking Index Global Mobile Data ’11
•  ARPU – Average Revenue Per User


Download the Original Presentation here:

 Portfolio – Cognitive Security, Telco & Mobile Security (’12).pptx


Cognitive Security • Finance & Banking Security


Synopsis

Bank managers face complex challenges in balancing security spending against evolving internet commerce risks. Criminals have managed to change the battlefield in the war on cyber-crime under the noses of the enterprise community. Highly intelligent exploit kits and trojans bypass layers of security with ease. To prepare for these new adversaries, new and advanced levels of protection are needed to facilitate current and future security objectives. Expert Security addresses the need to implement a more robust and cost effective level of expertise, and bridges the gap to Managed Security Services, which are based on a cloud model. It’s no longer about adding never-ending layers of protection that fit within a security budget; it’s about ensuring that the layers that exist are clever enough to mitigate modern attacks. This is paramount in ensuring asset protection. Network Behavior Analysis is a new building block in Expert Security, and offers a viable solution for state-of-the-art cyber-attacks. This presentation outlines some of these threats and how companies are protecting their clients from modern and sophisticated attacks.

Download the Original Presentation here:

Portfolio – Cognitive Security, Finance & Banking Security (’12).pptx


Cognitive Security – Introducing Cognitive Analyst


Introduction

Cognitive Security offers a suite of solutions focused on protecting clients against network attacks. This is achieved through a range of products and services called Cognitive Analyst, using Network Behavior Analysis (NBA) and Anomaly Detection (AD). Our goal is to close the vulnerability gap left by today’s security tools, which concentrate only on identifying known threats. NBA can detect modern threats such as zero-day attacks, advanced persistent threats, and polymorphic malware, none of which are traditionally detected by signature based solutions. Modern attack vectors require a higher level of security expertise to provide the information that mitigates threats before damage is caused. Cognitive Analyst is not a replacement for existing security devices. Instead, it complements existing protection strategies by adding the intelligence necessary for detecting future attackers. Our platform serves to discover unique threats that breach a company’s perimeter. Artificial intelligence and game theory methods are used to “catch criminals in the act”.

Figure i. Introducing the Cognitive Analyst Platform

Cognitive1 is ideal for enterprise clients looking for a robust and cost effective network behavior analysis platform. This includes any finance sector client who needs to protect their environment from fraud. Cognitive1 is also suitable for vertical markets that need to protect their sensitive data from intellectual property (IP) theft.  The design goal of Cognitive1 is to ensure that clients have an easy to deploy platform that self-configures and auto-tunes to any network environment. The features of Cognitive1 include:

  • Software Support & Maintenance – The Cognitive Security support team is proactive in helping clients receive the maximum benefit from Cognitive Analyst.
  • Regular Software Updates – Cognitive Security provides clients with software development expertise, with updates issued quarterly. Cognitive Analyst updates maintain a much higher level of protection from threats, and over a longer timeframe, compared to signature based solutions like antivirus or firewalls. Our mission is to stay ahead of threats, whereas signature based solutions continually play catch-up with attackers.
  • Cognitive1 is designed for Networks up to 2.5 Gbps

Cognitive10 targets clients with high speed networks and traffic volumes. This includes telecom providers, mobile operators, network service providers (NSPs or ISPs), or data hosting providers. Cognitive10 is specifically designed to handle high-throughput networks, while maintaining accuracy in detecting modern sophisticated attacks.  The features of Cognitive10 include those of Cognitive1 and expand with these additional capabilities:

  • Cognitive10 is designed for networks up to 10 Gbps – This ensures compatibility with clients that have a higher demand in data throughput.
  • Adaptive sampling for high-speed networks – This feature ensures that data classification remains accurate as higher volumes of data are processed and analyzed.
  • Adaptive sensitivity – Cognitive10 has the ability to adapt the severity of data classification over a longer period of time, based on the type and volume of data flow. This provides administrators with higher accuracy in threat classification across their client base.

CognitiveExpert focuses on clients who have requirements for high resolution and data analysis sensitivity.  CognitiveExpert is offered to a select group of clients who require bespoke security, such as government organizations, non-governmental organizations (NGO), and critical infrastructure providers. These clients may have smaller data throughput requirements, but need a highly accurate platform for detecting attacks.  CognitiveExpert requires a mandatory hardware probe and user-based Deep Packet Inspection (DPI) module for data provisioning. Capabilities of CognitiveExpert include:

  • User Data analysis – Using deep packet inspection (DPI), user data greatly enhances accuracy in threat detection and in understanding the attacker’s methods.
  • MAC address analysis – By analyzing details at OSI layer 2, further levels of granularity can be analyzed in specific attack vectors that utilize these methods to penetrate a company’s network.
  • Dedicated Account Management – As an option for CognitiveExpert clients, Cognitive Security offers expertise and analyst resources to help clients understand the severity of events at a granular level.

Experts in Network Behavior Analysis

Cognitive Analyst is a Network Behavior Analysis platform designed to identify a wide range of threats inside a client’s network. It differentiates itself through a low rate of false positives, a low-overhead installation, and a unique self-adapting feature that monitors and improves the system’s accuracy over time. Our competitive advantage is based on the use of advanced artificial intelligence and specialized anomaly detection technologies that ensure highly accurate detection. The intelligence collected by Cognitive Analyst results in an easy-to-integrate, reliable system with long-term stability.

The system processes standard NetFlow v5/v9 and IPFIX data, available from a wide range of network devices. NetFlow does not contain the contents (i.e. payload) of a communication, therefore data privacy is maintained. Its simplicity and efficiency enable the analysis of high-speed links. NetFlow and IPFIX are provided by widely available Cisco, HP, and Juniper switches, routers, and dedicated hardware or software probes.

Cognitive Technology

Figure ii. Cognitive Analyst Architecture

Data received by Cognitive Analyst establishes a baseline for network behavior; the system then analyzes any deviations that occur against this baseline. Deviations may be potential security breaches. These anomalies are then processed in a self-organized, multi-stage process that is designed to reduce the number of false alarms while retaining a high level of threat sensitivity. Incidents discovered are categorized into a number of broad classes and are checked against established threat models and security policies. Any findings are reported to the user through a flexible array of channels and data formats (such as web, email, syslog, or a Security Information and Event Management platform; Cognitive Analyst supports standard IDMEF reporting and a variety of other formats).

The initial stage of processing is with NetFlow or IPFIX data[1].  This information goes through a “Core Processing” module, consisting of algorithms and agents. Individually these algorithms create a trustfulness score from the data, and output their results to ‘Knowledge Fusion’ to determine which score is the most accurate.

Then the “Self-Monitoring” module introduces various synthetic attacks back into the system to enhance the resiliency of the algorithms. The algorithms are not aware that this is simulated data. This is analogous to airport security staff who need to detect false images of guns or knives that are periodically displayed on their monitors, to ensure the officer is paying attention.

The game-theoretical model provides an aspect of randomness to the system. It ensures that the attacker can never predict the behavior of Cognitive Analyst. The key to high performance is in the combined strengths of the individual detection algorithms, while at the same time eliminating any inherent weaknesses.

In addition ‘Policies and Models’ are introduced into the platform, to allow conformance to corporate security mandates, and to have the system focus on specific parameters, such as particular attacks, key assets, or custom challenges.

Finally, the ‘Reporting and Dashboard’ module collects results into a database and is parsed into an easy-to-understand user dashboard.  Users can navigate to various screens and select an appropriate level of detail to analyze and diagnose threats. Data can also be written into various formats such as syslog, email, sms, and can also be sent to SIEM or Managed Security Service (MSS) correlation engines for further examination.

Cognitive Architecture

Cognitive Security’s product range offers an unprecedented level of visibility into an intruder’s activities. It is analogous to ‘turning on the light, and surprising the cat burglar’.  With the use of artificial intelligence, and game theory, this platform provides administrators and security practitioners the ability to quickly assess and mitigate attacks that have traversed their perimeter. These core competencies are offered through a range of products and services called Cognitive Analyst.

Cognitive Analyst provides a highly interactive web interface that allows an administrator to continuously monitor the status of their network. By using artificial intelligence, Cognitive Security accelerates the identification of zero-day exploits, botnets, or modern malware attacks that may be used to steal corporate assets or intellectual property, or to commit fraud. The user interface supports an in-depth investigation of individual security incidents or network anomalies, allowing appropriate actions against attackers. Cognitive Analyst is based on a state-of-the-art anomaly detection methodology, and utilizes the Cooperative Adaptive Mechanism for Network Protection (CAMNEP) algorithm. CAMNEP is based on the latest advances in the field of trust modeling and reputation handling. The platform utilizes standard NetFlow/IPFIX data, and does not require supplementary information (such as application data or user content). Data privacy and data protection are maintained throughout the security monitoring process.

Cognitive Analyst’s products and services utilize a multi-stage detection algorithm to generate a Cognitive Trust Score (CTS) that measures the overall ‘trustfulness’ of the data. Eight algorithms are used to increase the accuracy of threat detection, and these collectively generate the CTS used for the subsequent mitigation of an attack. A selection of these algorithms is summarized as follows:

  • MINDS algorithm [Ertoz et al, 2004] The Minnesota Intrusion Detection System (MINDS) processes data from a number of flows: 1. Data from a single source IP to multiple destinations, 2. Flows from multiple sources to a single destination, or 3. A series of flows between a single source to a single destination.
  • Xu et al. algorithm [Xu, Zhang et al, 2005] This algorithm serves to classify traffic sources. A normalized entropy is assessed (i.e. establishing meaning to the apparent randomness of the data), determined by applying static classification rules to the established normalized states.
  • Volume prediction algorithm [Lakhina et al, 2004] This uses a methodology called Principal Components Analysis (PCA). It is a mathematical procedure used to formulate predictive models. In order to build a model of traffic volumes from individual sources, values are determined based on the number of flows, bytes, and packets generated from each source. The PCA method then identifies the complex relationships between traffic originating from distinct sources.
  • Entropy prediction algorithm [Lakhina et al, 2005]  This algorithm is similar to the PCA model, but uses different features than just predicting volume. Entropy prediction aggregates traffic from source IPs, but instead of processing traffic volume, it predicts the entropy of source and destination ports, and destination IPs.
  • TAPS algorithm [Sridharan et al, 2006] This targets a specific class of attacks by classifying a subset of suspicious sources and characterizing them by three features: 1. The number of destination IP addresses, 2. The number of ports in the set of flows from the source, and 3. The entropy of the flow size. The anomaly of the source is based on the ratio between these values.

Cognitive Analyst implements seven agents, summarized into the following groups:

  • Detection agents encapsulate the above listed detection algorithms by processing all flows from the local probe and using all of the anomaly and trust models to assign a trustfulness score to every flow. This score establishes flow legitimacy from a given agent’s point of view.
  • These scores are then processed by Aggregation Agents that integrate the opinions of all local detection agents, thus building a consolidated trustfulness value. Each aggregation agent embodies one or more averaging functions (such as the arithmetic average or an ordered weighted average). The Reporting and Interface Agents export the CTS in external industry-standard alert formats (IETF IDMEF/TEXT) via channels such as email, ticket reporting, file logs, or syslog.
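The pipeline described in the two lists above and in the architecture section (per-source features extracted from flow records, several independent detectors each emitting a trustfulness opinion, then an aggregation agent combining them into one score that the dashboard maps to a risk colour) is illustrated below as an added example. It is not Cognitive Security’s CAMNEP code nor the published MINDS, Xu et al. or TAPS implementations; the flow record layout, the three toy detectors, their thresholds, the ordered-weighted-average weights and the green/amber/red cut-offs are all constructed assumptions, and the sample flows are made up for the example.

```python
"""Added example: flow-feature extraction, per-detector trust opinions and
score aggregation in the style described on the page. Not Cognitive Security's
code; all thresholds, weights and sample data are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from math import log2
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    """Simplified NetFlow-like record (assumption: only these four fields)."""
    src: str
    dst: str
    dport: int
    bytes: int


# Constructed sample: one ordinary client talking to two servers, plus a
# constructed source that fans out to twenty hosts on twenty ports with
# identical tiny flows (the shape a horizontal probe leaves in flow data).
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "10.0.1.10", 443, 12000),
    Flow("10.0.0.5", "10.0.1.10", 443, 8000),
    Flow("10.0.0.5", "10.0.1.11", 80, 5000),
    Flow("10.0.0.5", "10.0.1.10", 443, 9500),
] + [Flow("10.0.0.99", f"10.0.2.{i}", 1000 + i, 60) for i in range(1, 21)]


def normalized_entropy(counts: Dict, n_total: int) -> float:
    """Shannon entropy of a histogram divided by log2(#symbols), so 0..1.
    One symbol gives 0; a uniform spread over k symbols gives 1."""
    k = len(counts)
    if k <= 1:
        return 0.0
    h = -sum((c / n_total) * log2(c / n_total) for c in counts.values())
    return h / log2(k)


def per_source_features(flows: List[Flow]) -> Dict[str, Dict[str, float]]:
    """MINDS/TAPS-style per-source features: flow count, distinct destinations,
    distinct destination ports, normalized port entropy (Xu-style) and
    normalized entropy of flow size (bucketed to kilobytes)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    feats = {}
    for src, fl in by_src.items():
        dsts, ports, sizes = defaultdict(int), defaultdict(int), defaultdict(int)
        for f in fl:
            dsts[f.dst] += 1
            ports[f.dport] += 1
            sizes[f.bytes // 1000] += 1
        n = len(fl)
        feats[src] = {
            "n_flows": n, "n_dst": len(dsts), "n_ports": len(ports),
            "port_entropy": normalized_entropy(ports, n),
            "size_entropy": normalized_entropy(sizes, n),
        }
    return feats


# Each detector returns a trust opinion in [0, 1]; 1.0 = fully trusted.
# Thresholds (10 destinations / 10 ports) are illustrative assumptions.
def fanout_detector(f: Dict[str, float]) -> float:
    return max(0.0, 1.0 - f["n_dst"] / 10.0)          # MINDS-like: one src, many dsts

def port_spread_detector(f: Dict[str, float]) -> float:
    return 1.0 - f["port_entropy"] * min(1.0, f["n_ports"] / 10.0)   # Xu-like

def probe_shape_detector(f: Dict[str, float]) -> float:
    # TAPS-like: many destinations combined with near-identical flow sizes
    return 1.0 - (1.0 - f["size_entropy"]) * min(1.0, f["n_dst"] / 10.0)

DETECTORS: Dict[str, Callable[[Dict[str, float]], float]] = {
    "fanout": fanout_detector,
    "port_spread": port_spread_detector,
    "probe_shape": probe_shape_detector,
}

OWA_WEIGHTS = (0.5, 0.3, 0.2)   # assumption: weight the least-trusting opinion most


def aggregate(opinions: List[float]) -> Dict[str, float]:
    """Two aggregation functions: arithmetic mean, and an ordered weighted
    average applied to the opinions sorted from most to least suspicious."""
    ordered = sorted(opinions)
    return {"mean": sum(opinions) / len(opinions),
            "owa": sum(w * s for w, s in zip(OWA_WEIGHTS, ordered))}


def trust_scores(flows: List[Flow]) -> Dict[str, Dict]:
    """Per source: features, each detector's opinion, and the aggregated scores."""
    out = {}
    for src, f in per_source_features(flows).items():
        opinions = {name: det(f) for name, det in DETECTORS.items()}
        out[src] = {"features": f, "opinions": opinions, **aggregate(list(opinions.values()))}
    return out


def risk_grade(trust: float) -> str:
    """Map a trust score onto dashboard-style bands (cut-offs are assumptions)."""
    return "green" if trust >= 0.7 else "amber" if trust >= 0.4 else "red"


if __name__ == "__main__":
    for src, r in trust_scores(SAMPLE_FLOWS).items():
        print(f"{src:<10} mean={r['mean']:.2f} owa={r['owa']:.2f} grade={risk_grade(r['owa'])}")
```

Run stand-alone it prints one line per source. The point worth noticing is in the aggregation: the ordinary client’s weakest single opinion (the fan-out detector, because it talks to two hosts) would look mildly suspicious on its own, but the consolidated score stays green, while the probing source is scored untrusted by every detector and lands in red regardless of which averaging function is used.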

Cognitive Features

Figure iii. The First Hour of Operation

Self-Adaptive & Self-Tuning

From the moment that Cognitive Analyst connects to the network, it begins to capture traffic. Within the first five minutes the self-initialization step begins: the system captures its first traffic samples and begins analyzing data using two agents. After ten minutes a third agent is live, and after thirty minutes all agents are active and processing their own trustfulness scores. At the thirty minute mark the system begins self-configuration, and ‘agent replacement’ begins. This is where the Knowledge Fusion function decides which agent data will be used in determining the final Cognitive Trust Score (CTS). After one hour Cognitive Analyst is fully operational, and begins self-optimization with improved accuracy as time progresses. Threat discovery increases in accuracy as the system optimizes throughout its lifetime.

Management Dashboard

Figure iv. Cognitive Analyst – Main Dashboard

The main dashboard depicts an overview of the flows categorized by overall trustfulness (the Cognitive Trust Score, or CTS). Green indicates the lowest risk (i.e. highest trust); red means high risk; various grades of risk are displayed in between. The table also shows an overview of trustfulness over a selected timeframe (this could span minutes, days or even weeks, as specified by the administrator). An events overview tab summarizes all of the categorized traffic and provides details such as source and destination IP addresses, the type of events associated with the traffic, and the total bytes, flows and events associated with them.

The main dashboard also allows the user to quickly select the top IP address of concern, or the top ten IP targets in the given timeframe. An events list provides further details on the top events for the user to analyze.

Figure v – Cognitive Analyst – Filters

Applying Filters

An overview graph can be configured using filters selected by the user. This graphical representation of filtered events allows users to quickly retrieve detailed information, and to drill down to finer details associated with an attacker’s activities and their behavior.

URL Customization

The state of the Dashboard screen has now been integrated into the URL itself. This allows users to modify the URL in their browser to customize the dashboard, save it in their browser favorites for future access, or share it with another security administrator. The URL can be edited to include pre-set filters, the displayed tab, and the time period.

Cognitive Deployment

Cognitive Security offers the Analyst platform in the following configurations:

  • Delivered as a pre-installed virtual appliance
  • Corporate appliance with traffic capture and analysis including a NetFlow probe
  • OEM software module – Our development capabilities offer custom solutions for OEM or third-party product vendors.

Cognitive Analyst can be deployed as an appliance, or in combination with a monitoring service. As a service offering, Cognitive Security’s expert analysts provide security monitoring to supplement a client’s security team. Several service levels are offered to address the mosaic of needs of vertical and horizontal markets. Our analysts provide the needed flexibility to an existing security department, and help it to regulate the fine balance between budgets and the need for new security layers.

Deployment options for the Cognitive Analyst enjoy a high level of flexibility, in order to enhance a client’s threat detection capabilities:

  • Corporate Extranet – To detect firewall breaches, polymorphic malware, custom attacks, botnet command & control, or unauthorized access.
  • Corporate Intranet – To monitor malicious behavior such as malware that is trying to circumvent the perimeter or insider attacks, and to protect against disgruntled employees who are misusing assets or violating security or corporate policies.
  • Critical Assets – Advanced persistent threats, sophisticated multi-stage attacks, & unauthorized access.

Government, CERT and educational institutions can benefit from specific terms and pricing. Contact us for details.

Figure vi. Cognitive Analyst – Installation Options

Cognitive Differentiation

Cognitive Analyst detects modern attacks against corporations through intelligent, self-learning analysis of network traffic:

Figure vii. Cognitive Dashboard - Top Targets

  • Strength of Eight Anomaly Detection Algorithms – This achieves a high sensitivity rate in detecting attacks at the granular level, and low false alarms, by using artificial intelligence in the core processing engine.
  • Peer-Reviewed Detection Algorithms – Cognitive Analyst is based on tried-and-tested algorithms that have been continually recognized and researched by the scientific community.
  • Self-Monitoring & Self-Adaptation – Cognitive Analyst automatically configures itself without human intervention, and is able to begin detecting attacks in less than an hour once it has been turned on.
  • Low integration and management cost – Cognitive Analyst complements an existing security infrastructure and provides the necessary intelligence to address the growing complexity of future threats.
  • Seamless Integration – To minimize client overhead for integration and deployment, Cognitive Analyst has been architected as a passive, self-monitoring and self-adaptive system.
  • Resistance to Hacker Circumvention – Cognitive Analyst uses solid Game Theory principles to ensure that hackers cannot predict or manipulate the system’s outcome.
  • Long-Duration Trust Modeling – Cognitive Analyst compares current data with past assessments (called trust models) to maintain a high level of sensitivity.

Cognitive Analyst has been actively developed with the support of the Department of Defense, in the USA.

Cognitive Highlights

The Cognitive Analyst is not only used to complement an existing intrusion detection deployment, but to also add a critical new layer in a security ecosystem.  Below are some key differentiators of the Cognitive Analyst series:

Figure viii. Cognitive Dashboard – Netflow Categorized by Threat Severity

  • Artificial intelligence – Cognitive Analyst is a self-learning and self-adapting platform, built to ensure that the normal behavior of a network can be distinguished from attacks. Our solution overcomes the challenge of detecting these anomalies amongst the chaos of network traffic. A.I. also frees the administrator from manually managing network security on a 24×7 basis and from relying on human resources to find ‘needles in the haystack’. The moment that Cognitive Analyst is installed it begins a continuous tuning process, resulting in increased accuracy of threat detection as time progresses.
  • Cognitive Analyst does not use signatures! Our product uses a dynamically created set of adaptive anomaly detection models to provide the best performance in a client’s network environment. It is not subject to the limitations and timeliness of signature updates that may negatively affect other security devices. Namely, hackers will exploit a company’s delay in implementing signature updates. They will “sneak in under the radar” before a system is patched with new signatures. For this very reason, Zero Day attacks have continued to proliferate in modern exploits. When taken from the perspective of criminal logic – why tell a supplier that they discovered a vulnerability and give them time to patch it, when the criminal could spend that time creating an exploit and enjoy a window to deploy their attack? Such criminality can result in the theft of millions of dollars. Suppliers then panic and try to patch their vulnerabilities in the midst of an attack.
  • Eight independent anomaly detection algorithms are used for optimal coverage of the full threat spectrum. Key algorithms have been peer reviewed and independently validated.
  • Multiple levels of decision-making agents are deployed to ensure that the system can automatically adapt to the dynamics of a deployed network, and its organically changing environment. This reduces operational and integration costs.
  • Game Theory methods – As some of the implemented algorithms are available to public research communities and are peer-reviewed, the game theory approach is necessary to ensure that the system always stays one step ahead of the attackers, and never allows them to predict the behavior of Cognitive Analyst.
  • Low-Cost Integration – Cognitive Analyst uses readily available NetFlow data and does not require integration with any other data sources, or neighboring security products. The Cognitive Analyst allows for easy system integration, and management through an easy-to-use dashboard.
  • Maintaining Privacy – Since only NetFlow data is used, a client’s private data traversing the network is protected. Cognitive Analyst does not perform content analysis, thus addressing client concerns regarding data protection or privacy, corporate policy, or regulatory compliance.
  • Data availability – The NetFlow data specification is a de facto standard and has been extended and codified as IPFIX in RFC 5101. NetFlow is available from a wide range of network appliances from all major vendors. It is provided by most enterprise-grade Cisco routers, network switches (Enterasys, HP ProCurve) and by dedicated hardware and software probes provided by independent vendors. NetFlow is aggregated over a period of several minutes before being transferred to the Cognitive Analyst system for investigation.
  • Mode of operation – The Cognitive Analyst processes NetFlow data in an on-line mode, with a small delay due to the network flow aggregation process. Each batch of data is processed immediately, and suspected malicious activity is then discovered and reported to the network administrators via e-mail or alert reporting protocols, written to logs, and/or displayed in the web interface. Alerts are available in the standard IDMEF format, a text format, or a rich web format for easy analysis and quick mitigation.
  • Self-management – Cognitive Analyst minimizes operational costs by using a self-managing paradigm. This allows the system to perform run-time estimates of its expected sensitivity and false positive rate and to optimize its configuration to ensure peak performance. This process can optionally be coupled with network security policies and threat models, in order to maximize system effectiveness against the latest attack methodologies.
  • Development Expertise & Flexibility – Cognitive Security’s team of developers is now in its fourth generation of Cognitive Analyst. This is the culmination of four years of product advancement and solidity. We have built a self-repair mechanism that transparently restores individual components in case of any failure, protecting the rest of the system from degradation. Our relative size allows us to be flexible to client needs, and to quickly turn around tailored software features.

Synopsis

Virtually every corporate, non-profit institution, or government organization in the world is dependent on network access and information services. Securing these networks and systems against automated and hacker-driven attacks is becoming critically important with the growing number of information and asset misuse. Current security solutions are surprisingly fragile when facing today’s sophisticated adversaries.  Cognitive Security differentiates itself by providing clients with an advanced platform built on artificial intelligence, and sophisticated modules for auto-configuration and self-tuning.

About Cognitive Security

Cognitive Security specializes in Network Behavior Analysis, allowing businesses to identify and protect themselves against sophisticated network attacks. Cognitive Security offers solutions designed to fill the security gaps left by the current generation of network security tools. Our expertise in Network Behavior Analysis allows us to accurately expose both known and unknown attacks. Our solution is ideally suited for the detection, prioritization and handling of modern-day attack patterns that would typically bypass or evade a client’s defenses.

Contact us at www.Cognitive-Security.com, or info@cognitive-security.com for more details.

About the co-Author

Gabriel Dusil oversees the global sales & marketing strategies of Cognitive Security, with a mandate to expand the company’s presence across Europe, the USA, and beyond.

Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA).  Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles.

Over nearly two decades, Gabriel’s experience has encompassed the development and management of international partner programs, EMEA marketing & sales, and business development.  Gabriel has also lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums.

Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.

Tags

Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis, Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident Response, Security as a Service, SaaS, Managed Security Services, MSS, Monitoring & Management, Advanced Persistent Threats, APT, Zero-Day attacks, Zero Day attacks, polymorphic malware, Modern Sophisticated Attacks, MSA, Non-Signature Detection, Artificial Intelligence, A.I., AI, Security Innovation, Mobile security, Cognitive Security, Cognitive Analyst, Forensics analysis, Gabriel Dusil

[1] Internet Protocol Flow Information Export (IPFIX), RFC 5101 and RFC 5102, is derived from the NetFlow version 9 RFC and was created out of the need for a universal standard for exporting IP flow information from routers and other network-connected devices.

Cognitive Security – Anatomy of Advanced Persistent Threats

Graphic - Cognitive Security, Anatomy of Advanced Persistent Threats (title)

Synopsis

“Advanced Persistent Threats”, or APTs, involve low-level reconnaissance and exploitation of security perimeters in order to collectively launch a targeted & prolonged attack. The goal is to gain maximum control within the target organization. APTs pose serious concerns to a security management team, especially as APT tool-kits become commercially and globally available. Today’s threats involve polymorphic malware and other techniques that are designed to evade traditional security measures. Best-in-class security solutions now require controls that do not rely on signature-based detection, since APTs are “signature-aware” and designed to bypass traditional security layers. New methods, such as Behavioral Analysis, are needed to combat these new threats. Network Behavior Analysis proactively detects and blocks suspicious behavior before significant damage can be done by the perpetrator. This presentation provides some valuable statistics on the growing threat of APTs.

Download the Original Presentation here:

Portfolio – Cognitive Security, Anatomy of Advanced Persistent Threats (’12).pptx
