Continuously tracking threats
Being in the crosshairs of an attacker whose modus operandi is unknown increases our vulnerability.
Attackers in cyberspace are growing in number, and they show real ingenuity in deploying sophisticated attacks that often escape conventional defense strategies. Prevention, awareness and the application of IT hygiene rules are no longer enough. Protecting yourself now requires perpetual intelligence on threats, so that their technical, tactical and strategic developments can be followed as closely as possible.
Protect your organization in real time from attacks, intrusions and compromises
Unlike traditional approaches that run detection intermittently (every 15 minutes, for example), our SOC platform lets you apply detection within your IS in “streaming” mode, i.e. continuous detection.
This is made possible thanks to the combined presence of our three detection engines:
• The Correlation engine focuses on detecting malicious behavior and behavior associated with bad IT practices. Here, the SIGMA language is used to express the expected properties of the collected events. These rules can also be combined using temporal and statistical operators to perform multi-event detection (for example, detecting five authentication failures on the same user name within five minutes).
• The CTI pattern engine identifies, thanks to an actionable knowledge base, the traces of malicious activity on your Information System. This operational knowledge base is made up of more than 2,000,000 technical indicators, fully contextualized and maintained by our teams. To extend your detection capabilities, you can add other CTI feeds of your choice, or your own (intelligence your team produces end to end).
• The Anomaly Detection engine identifies attacks carried out with techniques and tools legitimate enough to fly under the radar of the behavioral detection engine and unknown to the CTI knowledge base. To search for unusual and deviant behavior, this engine relies on continuous learning of behaviors and practices.
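The multi-event rule quoted above (five authentication failures on the same user name within five minutes) as an added example, not code from the SOC platform: a sliding-window correlator evaluated event by event, plus a helper showing when the same rule would surface if it only ran as a periodic 15-minute job. The event list is constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-parsed authentication events: (timestamp, user name, outcome).
EVENTS = [
    ("2024-01-01T10:00:05", "alice", "failure"),
    ("2024-01-01T10:00:40", "bob", "failure"),
    ("2024-01-01T10:01:10", "alice", "failure"),
    ("2024-01-01T10:02:00", "alice", "failure"),
    ("2024-01-01T10:02:30", "alice", "success"),   # successes do not count toward the rule
    ("2024-01-01T10:03:15", "alice", "failure"),
    ("2024-01-01T10:04:00", "alice", "failure"),   # fifth failure 3m55s after the first
    ("2024-01-01T10:09:00", "bob", "failure"),     # bob: only 2 failures, 8m20s apart
]

WINDOW = timedelta(minutes=5)
THRESHOLD = 5


def streaming_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Evaluate the rule on every event as it arrives (streaming detection).

    Keeps, per user, the timestamps of failures still inside the window.
    Returns [(user, timestamp_of_the_event_that_completed_the_window), ...].
    """
    recent = defaultdict(deque)
    alerts = []
    for ts_text, user, outcome in events:
        if outcome != "failure":
            continue
        ts = datetime.fromisoformat(ts_text)
        window_for_user = recent[user]
        window_for_user.append(ts)
        # Drop failures older than the window relative to the newest event.
        while window_for_user and ts - window_for_user[0] > window:
            window_for_user.popleft()
        if len(window_for_user) >= threshold:
            alerts.append((user, ts_text))
            window_for_user.clear()  # one alert per threshold crossing, not per extra failure
    return alerts


def batch_detection_time(alert_ts_text, interval=timedelta(minutes=15)):
    """Time at which the same alert would surface if the rule only ran every `interval`.

    Batch runs are assumed to start on the hour; the alert is only seen at the next run.
    """
    ts = datetime.fromisoformat(alert_ts_text)
    day_start = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    runs = -(-(ts - day_start) // interval)  # ceiling division of timedeltas
    return day_start + runs * interval
```

Running `streaming_alerts(EVENTS)` flags alice at 10:04:00, the moment the fifth failure lands; `batch_detection_time` shows the same alert would not appear before the 10:15:00 run.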
In the event of malicious activity, unexpected behavior, violation of standard IT practices or malicious use of legitimate means, a contextualized alert is raised. At the same time, through playbooks integrated directly into your console, you can automate appropriate responses in order to neutralize the threat before it impacts your information system.
Improve the analyst experience of your SOC team
The 560 cyber threat detection rules natively integrated into the SOC platform are directly actionable, ready to use and customizable in a few clicks. Depending on operational needs, your analysts can adjust them to increase their effectiveness, or create new rules that better match your own environment.
All alerts produced within the SOC platform are fully contextualized based on the knowledge base produced and maintained by SEKOIA.IO. This is a real time saver for your analysts. Thanks to this contextual information, they can assess how urgently each alert needs to be handled. From these contextual elements, they can also draw on the associated knowledge, namely the identified modus operandi and malware, the threat groups and their campaigns, and their attack techniques…
According to their investigation needs around alerts, your analysts can jointly centralize their observations, analyses, comments and results within a feature of the SOC platform called “Case”. The information shared by collaborators in this feature can be used, for example, to link certain alerts to one another.
In addition, your SOC teams can search the past for suspicions of compromise, within the log retention period of 90 days. They can combine one or more terms to narrow their searches. The results are displayed as a table (whose columns can be modified) and a graph representing the volume of events over the chosen duration.