Sycope is a network monitoring system designed to detect network anomalies and security threats based on Netflow and pcaps
Each NDR class system should encompass functionalities that facilitate the incident handling process - from detection to mitigation and collection of evidence. Sycope was designed to cover all stages of security incident handling process.
Sycope's network anomaly analysis can be done in a number of ways:
• Analysis based on defined dashboards (power of dashboards)
• Analysis based on a threat’s category (ATT&CK MITRE)
• Data context analysis
• Alert table analysis.
This type of analysis begins by focusing on the standout indicators (spikes, high values, high deviations, unusual combinations, etc.)
Based on the Threats Analysis dashboard, we are able to analyse correlations among IP addresses related to detected anomalies or threats.
This allows us to focus on hosts that are the source or target of many anomalies, so the analytical triggers in this case revolve around deviations of the data in the charts.
Another example are dashboards that highlight correlations among IP addresses, groups, or countries, where we can focus on unusual traffic characteristics in the context of these parameters.
Quick and effective analysis is possible due to the capability for quick navigation between dashboards (1), the ability to filter based on critical fields (2) or jumping to the table with events (3).
The most expressive case of top-down analysis are dashboards dedicated to managers, e.g. SOC & KPIs. Within these views it is possible to perform drill down analysis after clicking on specific values, which facilitates data analysis.
Sycope’s alerts are matched with the ATT&CK (knowledge base of tactics and techniques), which makes the wide range of threats detected in Sycope consistent with the nomenclature of the most popular threat dictionary, and reduces the risk of a misinterpretation of threats.
This type of analysis allows you to focus on specific tactics or techniques, e.g. exfiltration. By doing so, analysts can filter out all other threats, resulting in a more comprehensible data analysis
Data context analysis is possible thanks to the data filtering functions, including favourite filters and tags.
Favourites filters allows you to quickly analyse threats by context, but also helps in the threat hunting process. For example, among many threats, external or internal threats may be prioritized.
.png)
Another example of contextual analysis can be searching for threats tagged as CTI (Cyber Threat Intelligence). These types of events correlate with threats detected using the IoCs (Indicators of Compromises), such as IPs, Hostnames or Hashes from Malware, Spam, Scanner, Phishng, TOR, Proxy and Cryptomining categories.
Threat Intelligence is a very important element of the architecture of threat detection mechanism in Sycope’s security monitoring system.
.png)
Filtering alerts by tags empowers security analysts and threat hunters to quickly locate specific events.
The analysis of events in the alert table, in addition to handling alerts through the ACK or False Positive flags, allows you to view all original data (raw) that triggered a particular alert.
The ability to track suspected activity using flexible dashboards with a multitude of data analytics supporting functions, makes working with the system effective, fast, and pleasant for every system user, regardless of whether they are an experienced security engineer or a novice SOC analyst.
Thanks to the well-thought-out architecture of the Sycope system, incident handling is simple, yet the possibilities of deep analysis are extensive, which makes it a key system for every SOC.
.jpg)
