Features

FlowControl XNS

Threat Intelligence module in FlowControl XNS

DETECTION OF ATTACKS, TACTICS AND TECHNIQUES

The use of the MITRE ATT&CK methodology enables both the detection of incidents and the analysis of event sequences and tactics used by cybercriminals. The XNS module contains 65 proprietary rules which detect, among others:

  • Attacks that intend to circumvent security features.
  • Credential-based attacks, e.g. brute-force attacks and attacks based on LLMNR/NetBIOS communication.
  • Forbidden network activities, including port scanning, attempts to gain unauthorized access to specified services, and anomalies in network traffic.
  • Remote access-based attacks, e.g. through Remote Desktop Protocol.
  • Activities which indicate C&C attacks, including, among others:
    • Activity on suspicious ports (based on blacklists and whitelists).
    • Unencrypted connections to critical servers and services.
    • Connections to suspicious IP addresses, e.g. those associated with botnets, malware, C2 servers or ransomware.
    • Security policy breaches such as the use of Tor, open DNS or open proxy services, and prohibited P2P activity.
    • Potential data leaks.

SECURITY OPERATIONS CENTER

The XNS module is equipped with diagrams, indicators and tables adapted to the way SOC teams work, enabling, on the basis of NetFlow protocol analysis:

  • Rapid detection of threats at the organisation level, broken down by alert category.
  • Minute-by-minute analysis of how the number and type of suspicious events change over time.
  • Analysis by attack type, suspected source and target hosts, and applications.
  • Detailed analysis of the source and cause of a given security alert through detailed NetFlow statistics, available with a single click.
[Image: xns-security-operating-center.png] Key weekly indicators make it possible to assess security-related trends.

RISK ANALYSIS

Key indicators referring to the risk level are presented in weekly summaries and make it possible to track trends and assess the effectiveness of the preventive actions undertaken. Separate, dedicated dashboards present:

  • Information about the number of attacks, broken down by the techniques and tactics used by cybercriminals.
  • Risk assessment indicators that take into account the severity of alerts and the hosts affected by the anomalies and threats.
  • Key Performance Indicators (KPIs) prepared for managers, supporting management-level analysis.
  • Data which enable assessment of the degree to which regulatory requirements, standards and rules (such as UoKSC, CIS) are met.

MINIMIZATION OF THE NUMBER OF FALSE POSITIVE ALERTS

The XNS module is equipped with multiple mechanisms for configuring alerts and adapting them to the specifics and needs of the organisation and its adopted security policy. They include, among others:

  • A configurator which enables the rapid activation and deactivation of individual security rules and of the alerts they trigger.
  • A clear editor with a graphical interface, which enables rapid and convenient changes to the parameters used in the rules.
  • Editable whitelists containing sets of trusted IP addresses, which may be used directly in the rules.
  • Ready-made interfaces which enable the connection of external feed databases and additional verification of the risk related to a detected incident.
[Image: xns-access-to-the-knowledge-database.png] Ability to predefine the data displayed in FlowControl XNS
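As an added illustration (this is not code from Sycope or from the XNS product), the following Python sketch shows the kind of NetFlow rule evaluation that the detection section and the false-positive section above describe: a threat-feed IP match, a suspicious-port blacklist, an unencrypted-connection check against critical servers, a port-scan threshold, and an editable trusted-IP whitelist that suppresses alerts from an authorized scanner. Every address, port, threshold, feed entry and ATT&CK label here is assumed or constructed for the example; the rule names are hypothetical.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields the rules below need."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Hypothetical rule configuration (constructed for this example, not XNS settings).
THREAT_FEED = {"203.0.113.45": "C2", "198.51.100.7": "Botnet"}          # external IP feed
SUSPICIOUS_PORTS = {4444: "common reverse-shell listener", 6667: "IRC"}  # port blacklist
CRITICAL_SERVERS = {"10.0.0.10"}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
TRUSTED = [ip_network("10.0.0.5/32")]   # editable whitelist: an authorized vulnerability scanner
SCAN_THRESHOLD = 20                     # distinct destination ports per (src, dst) pair


def is_trusted(ip, trusted=TRUSTED):
    """Whitelist check: any source inside a trusted network is exempt from the rules."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def evaluate(flows, trusted=TRUSTED):
    """Run the rules over a batch of flows and return the alerts raised.

    The 'technique' field carries an ATT&CK label chosen here as an assumed mapping
    (T1046 Network Service Discovery, T1571 Non-Standard Port, TA0011 Command and Control).
    """
    alerts = []
    ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports
    for f in flows:
        if is_trusted(f.src, trusted):
            continue                # suppress alerts from whitelisted sources
        if f.dst in THREAT_FEED:
            alerts.append({"rule": "threat-feed-match", "technique": "TA0011",
                           "src": f.src, "dst": f.dst, "detail": THREAT_FEED[f.dst]})
        if f.dport in SUSPICIOUS_PORTS:
            alerts.append({"rule": "suspicious-port", "technique": "T1571",
                           "src": f.src, "dst": f.dst,
                           "detail": f"{f.dport}: {SUSPICIOUS_PORTS[f.dport]}"})
        if f.dst in CRITICAL_SERVERS and f.dport in CLEARTEXT_PORTS:
            alerts.append({"rule": "cleartext-to-critical", "technique": None,
                           "src": f.src, "dst": f.dst, "detail": CLEARTEXT_PORTS[f.dport]})
        ports_seen[(f.src, f.dst)].add(f.dport)
    # Port-scan rule is evaluated once per batch, after all flows have been counted.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append({"rule": "port-scan", "technique": "T1046",
                           "src": src, "dst": dst, "detail": f"{len(ports)} distinct ports"})
    return alerts


def summarize(alerts):
    """Per-rule counts, the kind of breakdown a SOC dashboard would chart."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = (
    [Flow("10.0.0.21", "203.0.113.45", 443),   # beacon to an IP on the threat feed
     Flow("10.0.0.22", "192.0.2.10", 4444),    # blacklisted port
     Flow("10.0.0.23", "10.0.0.10", 23),       # telnet to a critical server
     Flow("10.0.0.24", "10.0.0.10", 443)]      # benign HTTPS
    + [Flow("10.0.0.5", "10.0.0.10", p) for p in range(1000, 1025)]    # whitelisted scanner
    + [Flow("192.0.2.77", "10.0.0.10", p) for p in range(1000, 1025)]  # unauthorized scan
)

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
    print(summarize(evaluate(SAMPLE_FLOWS)))
```

Running the block raises four alerts, one per rule; the scan from the whitelisted host 10.0.0.5 is suppressed, and passing `trusted=[]` to `evaluate` shows the second port-scan alert that the whitelist removes. In a real deployment the thresholds and lists are the tunable parameters that the editor and whitelists described above expose.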

ACCESS TO THE KNOWLEDGE DATABASE DIRECTLY FROM THE APPLICATION

The interpretation of detected events is aided both by a built-in knowledge database and by links to specialised websites, available with a right-click.

  • An accessible description of a security alert, supplemented with additional information and a link to the full description of the tactic or technique in question on the MITRE ATT&CK website, facilitates analysis of the given event in a wider context.
  • Suspected IP addresses may be verified on external sites (e.g. VirusTotal) directly from the XNS module.

READY-MADE ANALYTICAL SCENARIOS

The scenarios implemented in the module facilitate the analysis of, and the drawing of conclusions about, the most important security-related aspects.

  • A threat analysis scenario enables the identification of the most suspicious IP addresses, followed by analysis of their correlations with other IP addresses or other network artifacts.
  • Scenarios for the analysis of internal or external attacks enable multi-dimensional analysis of the suspected IP address (or group of addresses):
    • Presentation of the tactics and techniques used during an attack and the alerts generated.
    • Analysis of the direction of attack and participating hosts, taking into account source and destination addresses.

INTEGRATION WITH OTHER SYSTEMS

The XNS module is fully integrated with the XN and XND modules and enables the export of data to SIEM-class systems.

  • Transferring filters defined in the XNS module to the XN module facilitates detailed analysis of the incident or source of the alert.
  • Export of alerts, together with their call parameters, to SIEM systems including, among others, QRadar, ArcSight and Splunk.

Poland Office:
Goraszewska 19
02-910 Warsaw
Poland


contact@sycope.com

Ireland Office:
Alexandra House
The Sweepstakes
Ballsbridge, Dublin
D04 C7H2

Copyright 2021 Sycope Ltd. All rights reserved.