Seceon.com · 2018-04-01

“Most companies miss the mark when defending against the ‘insider’ threat, which in many cases is not a rogue employee seeking personal gain, but a case of compromised credentials. In fact, 25 percent of all data breaches are caused by compromised credentials (Verizon Data Breach Report 2017) and 65 percent of companies expect to suffer a breach due to compromised credentials in the future, according to a survey conducted by the Cloud Security Alliance and sponsored by Centrify.”


Solving today’s Threat Challenges with a fully Automated Threat Detection and Real-Time Remediation Solution

The threats faced in today’s organizations come from all angles. In the past a strong perimeter was thought to be enough; however, that is not the case today. Today’s threats are coming from insiders, even though they are often unintentional. It has become one of the most pressing cyber security concerns. In 2016, the Insider Threat Report Spotlight found 74 percent of organizations feel vulnerable to insider threats: “Privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (60 percent). This is followed by contractors and consultants (57 percent), and regular employees (51 percent).”


Ever-growing Threats: Origin and Growth/Propagation

In many cases, the threats are coming in from BYOD and other devices that bypass perimeter defenses but have been infected with malware, crimeware such as ransomware, or compromised by other means that let an outside entity take control of such devices and go undetected as they connect east-west to devices within the organization.

According to the Insider Threat Report Spotlight, 27 percent of organizations feel they can detect a threat within hours, and only 24 percent can remediate the problem within hours of detection. The small percentages of organizations that do feel capable are often too late. According to Verizon’s 2016 Data Breach Investigation Report, 81.9 percent of organizations surveyed reported that a compromise took only minutes to infiltrate company systems, with a majority of respondents showing that associated data was exfiltrated within hours of the initial compromise. If a breach were to occur at an organization relying on its current threat prevention techniques, there is minimal chance it could stop the data loss.

In the end, the cost of such threats is greater than all others.

“The Insider Threat Report goes on to say that more than 75 percent of enterprise organizations estimate breach remediation costs reach $500,000. Twenty-five percent believe the cost exceeds $500,000 and can reach into the millions. The challenge with today’s threats is to detect and stop the threat before data is accessed, altered or stolen.”

Organizations are slow to identify threats because they are unable to see them. The risk builds when combined with a lack of technologies, policies and staff. What’s needed is a better approach, one that detects and remediates in minutes, not hours and days. Recently, there’s been a lot of buzz about using behavioral analytics to help detect the threat. Can technologies in behavioral analytics and machine learning detect threats quickly? Will this help to address staff and policy limitations?

Let’s take a look at the problem more closely. For example, it is difficult for traditional security tools to discern and detect the use of an insider’s own lost credentials, or the use of new ones created with elevated privileges by a knowledgeable insider. The use of “legitimate” credentials does not trigger a threat response from the system. Consider the case where an insider loses his/her credentials to the outside world through phishing or other means: current defenses don’t detect that it’s an imposter accessing assets. The same can happen when an employee or contractor is given the opportunity and decides to use his own or some other created credentials to steal data. In both cases, a behavioral approach lends itself to clearer detection.

A behavioral approach: Is it enough?

A behavioral approach alone is not enough to ensure defense against attackers. User and Entity Behavior Analytics (UEBA) behavioral threat detection models attempted during the course of the last 24 months tend to only flag behavioral indicators that may be dangerous. This can raise hundreds of false positives on a weekly basis, which require the review of well-trained analysts. This process is cumbersome because the analysts have to wade through alerts and logs in order to correlate and analyze the information. Then they have to decide if the behavior translates into a meaningful threat; if it does, the analysts determine what action to take next. However, this approach is not feasible for 95% of organizations because they don’t have the analysts.

Analysts at 451 Research estimate that less than 4 percent of enterprises and government organizations have dedicated security staff in a security operations center (SoC) to monitor all these products for possible breaches. The small percentage of organizations that do have trained analysts are too overwhelmed with the volume of alerts and are unable to act in a timely manner.


“Today’s conditions demand a behavioral system that automates the analysis for teams responsible for security and detects and prioritizes legitimate threats as they are happening. They also demand immediate response to stop the threat once detected rather than accepting best practice in response to be ‘less than one day.’”

“Most companies miss the mark when defending against the ‘insider’ threat, which in many cases is not a rogue employee seeking personal gain, but a case of compromised credentials. In fact, 22 percent of all data breaches are caused by compromised credentials and 65 percent of companies expect to suffer a breach due to compromised credentials in the future, according to a survey conducted by the Cloud Security Alliance and sponsored by Centrify.”

A March 2016 report by Enterprise Strategy Group stated that, despite having invested significantly in information security solutions, 75% of the 125 security professionals surveyed ignore security incidents and alerts because they cannot keep up with the suffocating volumes. A better approach is to correlate lots of data sources and analyze those filtered outputs. Modern SIEM solutions attempt to do this. However, most if not all of these solutions have not been properly architected to deal with real-time threat detection when there can be many (thousands to millions) sources of data that must be analyzed in real time. Taking a look at traditional SIEM architectures reveals why:

Figure 1: Traditional Linear processing architecture

Figure 1 shows a lengthy process that must correlate enough data to detect a threat before data is compromised. And in the end, it still relies on a human to do the analysis to determine if it is an actual threat.


“Seceon is the first company to design an advanced solution that leverages advanced technologies such as user behavioral analytics, machine learning and in-memory processing for this type of data collection, analysis and automated remediation in real-time.”


Machine learning demands context

Some organizations have tried to use approaches solely dependent on machine learning to accomplish behavioral protection. Initially, machine learning provided a good way to identify patterns and relationships, but in practical terms machine learning generates a great deal of false positives, creating the same problem behavioral approaches do: the demand for a human analyst.

A better approach would be to use an intelligent system with rule sets and thresholds, which are aided by machine learning. The known threat behaviors can be tailored to appropriate behavior for the system. Correlating this allows the system to maintain a high degree of confidence in the results before presenting a threat, allowing analysts to see all sources of correlation before enacting steps to remediation.

Combine behavioral analytics and machine learning with real-time remediation

We solved the problem by architecting the platform with a patented process to break the serial data collection and analysis-processing logjam.

Seceon’s Open Threat Management platform (OTM) is based on an advanced microservices architecture. Data is ingested and reduced down to only the information required to identify the type and scope of a threat. This information is then passed to a second application known as the Analytics and Policy Engine (APE).


APE uses a fast parallel-processing architecture: it ingests the information and runs it through thousands of threat detection processes in parallel. This allows a variety of threat detection techniques to be applied. Output analytics generated by each process can be correlated together in many different ways. This approach allows user, entity or organization-wide threats such as DDoS to be detected. The advanced correlation techniques also allow threats to be validated by multiple techniques.

Figure 2: SECEON OTM Scalable Fast Processing Architecture

This minimizes the odds of generating false positives while providing the full scope of an attack or threat. Best of all, this entire set of actions happens in seconds.

Utilizing another patented process, the threats are evaluated by level of risk, and the system can also determine the progression of an attack. This process also makes recommendations – depending on the type and progress of an attack – on how to stop the threat. The system then allows the user to perform that action by pushing a button, or opting to have the system remediate such threats automatically, which is useful for assuring 24x7x365 protection.


It’s like having a SoC Virtual Analyst Assistant in the box!

Benefits of Seceon’s OTM as a Fully Automated Threat Detection and Remediation System

Easy to understand, prioritized alerts:

By automatically connecting multiple threat indicators and correlating them in context to surface genuine threats, the OTM can help security teams address attacks as they happen with plain English alerts. A single-line threat alert with drill-down context enables security teams to understand the severity of the threat easily and quickly and take action to fix it automatically.

Fully automated threat detection for all forms of attacks:

The need for automated threat detection applies to organizations of any size or cyber security skill level. For the Fortune 500 with significant resources and staff already in place, automation of threat detection can eliminate threat alert overload and enable greater efficiency for security teams addressing attacks as they occur and ensuring the correct remediation and reporting of the threat. For small to medium-sized businesses with limited and/or no security analyst staff, automated technology enables the equivalent of a virtual SoC team, giving skill- and resource-constrained teams a chance to protect against these threats.

Automatic threat remediation in real-time:

With faster detection must also come faster remediation! Analysts must react quickly to stop the threat actor in his tracks. Once the threat is revealed, the system must be intuitive and provide immediate recommended actions to stop the threat. The OTM will allow such actions to be taken directly from the same screen that detected the threat, allowing for “push button” or, if desired, fully automated threat remediation. This minimizes the effort and can easily cut the amount of time for human response, literally down to seconds of elapsed time from the moment the threat was detected and verified. The OTM enables a single analyst to recognize a threat and immediately disable user credentials or, if the attack has progressed further, isolate a user from the network before data is exfiltrated from the organization. For many large organizations this will require changes in current procedures. The reality is modern organizations are rapidly adapting their policies and procedures to react faster, leveraging the OTM to automatically halt the use of compromised credentials and allow new ones to be reissued to minimize the risk of data loss and business disruption.

Policy driven:

Security and policy go hand in hand. Seceon’s OTM not only detects threats, but can also be used to set policies, for example, providing only certain people or groups with access to certain assets within the organization – such as those with the most valuable data. A good system should also recognize who accesses these resources and the typical patterns of what they do with them, and then allow staff members to determine what policies should be created: in essence, a white list that defines protected groups and provides alerts if anyone outside the group tries to access protected data. The Seceon OTM does this and makes suggestions on white lists based on what it learns. In this way the OTM can address vexing challenges: determining the right course of action to protect information without causing undue side effects by blocking the productivity of users that regularly use these data sources.
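As an added illustration (not Seceon’s code and not a description of the OTM’s internals), here is a small Python model of the learned white-list policy described above, combined with the rule-and-threshold correlation discussed under “Machine learning demands context”: the groups that use each protected asset and a per-asset volume threshold are learned from a constructed window of access events, then live events are checked against both indicators and the resulting single-line alerts are prioritized by how many indicators fire. The user, group and asset names, byte counts and the factor-of-five threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample access events (user, group, asset, bytes_read); not real data.
LEARNING_WINDOW = [
    ("alice", "finance", "payroll_db", 120), ("bob", "finance", "payroll_db", 90),
    ("alice", "finance", "payroll_db", 150), ("carol", "eng", "source_repo", 400),
    ("dave", "eng", "source_repo", 380),
]
LIVE_EVENTS = [
    ("bob", "finance", "payroll_db", 110),     # in-group, normal volume: no alert
    ("dave", "eng", "payroll_db", 100),        # outside the learned group
    ("alice", "finance", "payroll_db", 9000),  # in-group, but far above normal volume
    ("dave", "eng", "payroll_db", 9500),       # both indicators fire at once
]

def learn_whitelist(events):
    """Suggest a white list: the groups observed using each asset during learning."""
    whitelist = defaultdict(set)
    for _user, group, asset, _nbytes in events:
        whitelist[asset].add(group)
    return dict(whitelist)

def learn_thresholds(events, factor=5):
    """Volume rule per asset: alert above `factor` times the peak seen during learning (assumed factor)."""
    peak = defaultdict(int)
    for _user, _group, asset, nbytes in events:
        peak[asset] = max(peak[asset], nbytes)
    return {asset: p * factor for asset, p in peak.items()}

def evaluate(events, whitelist, thresholds):
    """Correlate both indicators per event; severity rises with the number that fire."""
    alerts = []
    for user, group, asset, nbytes in events:
        indicators = []
        # Assets absent from the white list are not protected, so the group rule is skipped.
        if asset in whitelist and group not in whitelist[asset]:
            indicators.append("outside whitelisted groups %s" % sorted(whitelist[asset]))
        if nbytes > thresholds.get(asset, float("inf")):
            indicators.append("read %d bytes, above threshold %d" % (nbytes, thresholds[asset]))
        if not indicators:
            continue
        severity = "high" if len(indicators) > 1 else "medium"
        alerts.append({"severity": severity, "user": user, "asset": asset,
                       "summary": "%s: %s (%s) accessed %s; %s"
                                  % (severity.upper(), user, group, asset, "; ".join(indicators))})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(LIVE_EVENTS, learn_whitelist(LEARNING_WINDOW), learn_thresholds(LEARNING_WINDOW)):
        print(alert["summary"])
```

The suggested white list is only a starting point; as the text says, staff decide which policies to adopt, and a learned group can be edited before it is enforced.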

Look to Seceon for the most effective solution on the market – that fits any budget

Seceon’s OTM, with its innovative approach, architecture and techniques to detect threats and automate remediation, is one of the industry’s most award-winning platforms. Seceon’s solution is not only effective; it provides most organizations an immediate ROI. The solution costs no more than a good enterprise-class antivirus application, deploys in a few hours by any IT staff member, and can detect, remediate and report threats 24x7x365 without requiring any dedicated security analysts. The solution typically pays for itself by reducing the number of security tools within an organization, or upon the first threat being detected … and stopped.

Find out more at www.seceon.com