Continuously tracking threats

Being in the crosshairs of an attacker whose modus operandi is unknown increases our vulnerability.

Being in the crosshairs of an attacker whose modus operandi is unknown increases our vulnerability.

In cyberspace, there are more and more attackers. They show ingenuity to deploy sophisticated attacks that often escape conventional defense strategies. Prevention, awareness and the application of computer hygiene rules are no longer enough. Protecting oneself now requires perpetual intelligence around threats in order to follow their technical, tactical and strategic developments as closely as possible.

 

Treat yourself to a highly structured Rosetta stone to check threats before they arrive at your doorstep

 

Within our SOC platform, cyber threat hunting is one of the basic elements of our approach. It takes shape through a feature called “Operations center”. You will find a catalog of more than 560 rules specialized in the detection of cyber threats.

First, this catalog of rules (directly actionable for your defense strategy) is entirely produced and maintained daily by our CTI team (composed of cybersecurity researchers and analysts). Each threat detection rule is systematically associated with context. This can be both emerging threats and so-called advanced ones, names of malware, groups of attackers, operating modes or even attack techniques (carried out using the MITRE ATT@CK framework).

Then, this catalog applies to your entire information system, from your e-mails, network, endpoints… Whatever the control point, our detection engines will be able to leverage it.

To strengthen our ability to detect threats and above all to record an almost zero false-positive rate, we subject our detection engines to a strict evaluation process. Every rule is qualified with four levels of complexity required for its proper implementation. This classification is established based on the effort required to activate the rule (for example, the configuration of the log source) and the risk of false positives associated with the detection rule.

Depending on your needs, you can also customize the detection rules, apply exclusion cases, restrict their scope of use, or even create new ones adapted to your operational security strategy.

From your unified security console

 

Protect your organization in real time from attacks, intrusions and compromises

Unlike traditional approaches that carry out detection intermittently (every 15 minutes, for example), our SOC platform helps you apply detection within your IS in “ streaming”, i.e. continuous detection.
This is made possible thanks to the combined presence of our three detection engines:

• The Correlation engine is focused on the detection of malicious behavior, associated with bad IT practices. Here, it is a question of taking advantage of the SIGMA language to express the expected properties around the collected events. These rules can also be combined using temporal, statistical operators to perform multi-event detection (for example, the detection of five authentication failures on the same user name in five minutes).

• The CTI pattern engine is able to identify, thanks to an actionable knowledge base, the tracks of malicious activities on your Information System. This operational knowledge base is made up of more than 2,000,000 technical indicators fully contextualized and maintained by our teams. To extend your detection capabilities, you can add other CTI feeds of your choice, or your own (your intelligence, the one your team produces from A to Z).

• The Anomaly Detection engine can identify attacks carried out using techniques and tools legitimate enough to fly under the radars of the behavioral detection engine and unknown to the CTI knowledge base. To search for unusual and deviant behaviors, this anomaly detection engine relies on the continuous learning of behaviors and practices.

In the event of malicious activities, unexpected behavior, violation of standardized IT practices or malicious use of legitimate means, a contextualized alert is raised. At the same time, you can automate and through playbooks integrated directly into your console, adequate responses, in order to neutralize the threat before impact on your information system.

Graph Investigation

Improve the analyst experience of your SOC team

The 560 cyber threat detection rules, natively integrated into the SOC platform, are directly actionable, ready to use and customizable in a few clicks. Depending on operational needs, your analysts can readjust them to increase their efficiency or create new rules deemed closer to your realities.

All alerts produced within the SOC platform are fully contextualized based on the knowledge base produced and maintained by SEKOIA.IO. This is a real time saver for your analysts. Thanks to this contextual information, they can, in fact, assess the urgency to assign to the treatment of each alert. From these contextual elements, they can also take advantage of the knowledge associated with them, in this case: the operating modes and malware identified, the groups of threats and their campaigns but also their attack techniques…

According to their needs for investigations around alerts, your analysts can centralize (jointly) their observations, their analyses, comments and results within a functionality of the SOC platform, called “Case”. The information shared by collaborators in this feature can be used to reconcile, for example, certain alerts between them.

In addition, your SOC teams can – depending on the log retention period, i.e. 90 days – search the past for suspicions of compromise. They can combine one or more terms to narrow their searches. The results are displayed in the form of a table (whose columns can be modified) and a graph representing the volume of events over the chosen duration.