CYBER SECURITY NETWORK SITUATIONAL AWARENESS

CYBER SECURITY - Vehere · external sources of threats. The system leverages Machine Learning and human knowledge to detect cyber risks. Accelerated results: PacketWorker provides



• The global median dwell time from compromise to discovery in 2018 was 78 days.

• 38% of the organisations surveyed were not aware that they had been compromised.

• >50% of breaches are carried out by well-funded and organised crime groups.

• Insider threats increased from 20% in 2014 to ~30% in 2018.

• Motives are not just financial in nature; they include espionage, grudges, fun and shaming.

Sources: Industry analysts and market data, March 2019

Buyers want better threat detection: cutting hacker dwell time once an attacker gets inside. Data science techniques such as Machine Learning allow the use of predictive models for network and application traffic analysis, enabling prompt threat detection and improving business confidence.

Every connected asset is a potential target.


Vehere PacketWorker is an effective cyber threat detection and response solution that helps organisations minimise risk by accurately detecting cyber threats and enabling swift response. It facilitates efficient resolution of identified security incidents with relevant context, concrete evidence, actionable intelligence and response work-flow integrations.

PacketWorker for Network Situational Awareness offers meaningful insights from comprehensive monitoring of networks, enabling security practitioners to implement efficient, cost-effective and predictive threat-detection technologies, besides permitting ‘time-travel’ over retained traffic to respond effectively to security incidents.

We are able to give organisations an advanced threat detection solution that removes many of the shortcomings that make ‘air-gapped’ environments vulnerable and inefficient for teams to manage.


Who we are
We are a young product company developing strategic and tactical solutions for law enforcement and national security (LENS) agencies and Network Situational Awareness for cyber security and risk managers.

What we do
Our products and services enable organisations to detect threatening abnormalities emerging across the network in real time, including insider threats and ‘unknown unknowns’, enabling the security team to disrupt attacks before they can cause any harm.

What sets us apart
PacketWorker technology can identify an attack early enough to ensure that an incident doesn’t escalate and become a problem. So, it helps defend your most critical assets.

Where we are present
We are present on three continents with offices in the United States, South Africa, Singapore and India.


Working off full packet capture or flow-records, PacketWorker’s self-learning starts from day one, detecting anomalous and suspicious behaviours on the network.

PacketWorker for Network Situational Awareness


Increased risk of exposure
It may come as a surprise to some, but the fact is that <10% of all known vulnerabilities have actually been exploited so far. This leaves security and risk practitioners with the daunting task of ensuring that the assets under their watch stay protected. With a dearth of security skills, the adoption of advanced strategies and expensive technology is beyond the means of most organisations.

For all practical purposes, the network is a perpetual source of data for proactive and predictive analytics that can enable monitoring of almost all possible attack vectors.

Security and risk practitioners are well aware that cyber-security has a significant impact on accomplishment of business goals. To better defend their organisation, it’s imperative that they start automating analytics tasks on network data to identify threats and risks.

Improved Network Situational Awareness
It is well known that advanced malicious actors test and validate the effectiveness of their craft against the same set of tools that enterprises use to defend their assets. Besides, advanced automation techniques are actively employed by malware factories to improve code quality and evasion techniques, resulting in repeated success against well-fortified targets.

Organisations looking at improving their defenses can benefit by employing automation techniques to anticipate and respond to security risks.

Vehere PacketWorker is an effective cyber threat detection and response solution that helps organisations minimise risk by accurately detecting and enabling swift response to cyber threats. It facilitates efficient resolution of identified security incidents using concrete evidence, actionable intelligence and response work-flow integrations.

PacketWorker enables security practitioners to monitor the current state of the network in aid of their security posture assessment. Retention of raw packets and metadata enables historical analysis to probe into root-cause or past trends that find use in predictive analysis.

PacketWorker reduces dwell time from days to hours when it comes to investigating security issues. It enables security managers to free up human resources quickly to attend to important business imperatives. PacketWorker’s user interface offers an easy-to-use, customisable dashboard for gaining situational awareness, with data enrichment that eliminates the need to refer to third-party correlation and lookup sources.

Key features

• Comprehensive rules, frameworks and Machine Learning algorithms automate detection of security risks in real time.

• A powerful visualisation platform enables threats to be analysed and investigated intuitively, helping to reduce mean-time-to-detect and mean-time-to-respond.

• Deep packet and payload inspection detects thousands of protocols and applications to provide precise context.

• Session replays and reconstructions facilitate better assessment of security risks using third-party tools or human analysis.

• Detects IPv4 and IPv6 traffic in VLAN, MPLS encapsulation and tunnelled traffic to support deployment in most environments.


[Architecture diagram: PacketWorker pipeline stages Provisioning, Acquisition, Context, Automation and integration, and Action. Components shown: packet broker, network tap, port mirror, flow configuration, flow record, rules framework, advanced automation, data enrichment, data store, forensics, northbound integrations, unified interface (user interface) and response actions.]


About PacketWorker

Network Situational Awareness
Full packet capture: Integration with network packet brokers and taps to support non-disruptive setup in any network.

One box and one hour to install: Everything is contained in a single appliance. Setup is easy with built-in configuration wizards.

Bundled DPI and ML algorithms: This ensures that the system is up and running in any environment (including air-gapped networks) without the need to look up external sources of threats. The system leverages Machine Learning and human knowledge to detect cyber risks.

Accelerated results: PacketWorker provides useful results from the very first day. Quality insights into cyber activities and proactive threat detection enable improved assessment and effective responsiveness in the face of security risks.

Capabilities

• Capture, classify and index all communications on the wire at line speed.

• Detect, analyse and dissect traffic across all ports and protocols.

• Use mathematical modelling to classify encrypted communication.

• Detect threats, policy and compliance violations using out-of-the-box automation.

• Integrate with existing security ecosystem tools such as SIEM, sandboxes and trouble-ticketing systems.

• Available as ISO image and purpose-built appliance.

• User interface accessible using a web browser.

• Installed, configured and deployed in less than an hour.

• ‘Standard’ and ‘Extended’ support options to suit different service-level agreements.

• Incident response and professional services to assist with product use optimisation.


Case study #1

Banking


Industry/Organisation: Banking

Solution: PacketWorker 10G (combined with professional services)

Challenges

• Comply with regulatory and audit requirements

• Attain comprehensive visibility

• Secure the organisation from breaches, data theft and malware/zero-day attacks

• Reduce complexity with security analytics adoption

Benefits

• >50% improvement in detection efficiency

• >60% time optimisation for investigations

• >30% reduction in risks associated with data breaches

• >90% reduction in compliance efforts

Summary

PacketWorker’s innovation has turned it into an essential device for security teams attempting to comprehend the scale of their network, observe activity levels and detect potential shortcomings. Machine Learning plays a key role in defending assets from cyber-criminals and malicious insiders.


“Insider threat is one of the most serious threats a company can face. We knew we needed to prioritise, reduce, and manage cyber security risks to address the needs of our business.” - Name withheld, R1


Background
The contemporary world is witnessing customer expectations, technological capabilities and regulatory requirements join forces with demographic and economic factors to bring about radical changes. This has caused banking institutions to look for ways to adapt to these changes and adopt a proactive approach towards security. Financial institutions will always be prime targets for cyber-criminals, making their security requirements extremely complex.

This case study focuses on a large global bank, referred to as R1 for the sake of anonymity. The bank’s intelligence data was facing significant cyber threats from multiple sources. However, despite implementing multiple security protocols, R1 continued to suffer security lapses, and the bank’s business operations were impacted each time such an incident occurred.

Business challenges
Due to growth in its customer base and burgeoning data usage, R1’s ability to respond to increased risks from malicious insiders and unknown vectors/exposures had been severely hampered. R1 needed to manage this ever-growing, ever-changing array of risks from across the globe while ensuring adherence to stringent regulatory requirements. The challenges included:

• Preserving customer trust by protecting data privacy.

• Maintaining strong security without impeding business operations.

• Ensuring compliance with regulatory requirements.

• Adding new devices and introducing services to networks devoid of security monitoring or any understanding of exposure.

• Accommodating bring-your-own-devices and guest end-points without compromising on security.

• Combining existing security tools into cohesive solutions that accelerate incident-response times and reduce vulnerabilities.

Regulations regarding technology and information security are far-reaching and include areas such as e-mail, SWIFT-coded payments, cipher suite strength, domain name systems, core banking solutions and back-office applications. R1 recognised a need to proactively defend its sensitive information across the technological value chain. Therefore, R1 undertook a decisive initiative to implement technologies that could help it make sense of the ‘unknowns’ and provide tangible answers during investigations.

If there was a targeted attack and R1’s computers were to become affected, it would have resulted in business disruption and potentially lead to privileged information getting leaked. R1 needed to urgently respond to incidents that required sourcing specialists from external agencies to assist it with time-consuming and risky processes. Thus, the impact of any incident could have amplified. R1 needed an integrated solution that would allow it to maintain staff productivity, ensure threat detection and facilitate rapid response and recovery.


“PacketWorker’s technology gave us visibility into potential implementation differences and policy discrepancies. Leveraging its technology, we were able to identify and remedy these differences before connecting the two networks, mitigating potential integration risks.” - Name withheld, R1


Solution – PacketWorker 10G
Traditional tools that are programmed to spot known threats are no longer sufficient. Modern network border defences, such as firewalls, perform an important function. However, insiders often escape the restrictions imposed by these perimeter security controls.

Limitations posed by legacy approaches

• Perimeter controls are dependent on signatures, rules and heuristics and, hence, are likely to miss attacks at points of entry.

• End-point security controls rely on signatures and fall short when it comes to detecting rogue behaviours or unknown attacks.

• Sandboxes are side-stepped by modern attacks, which recognise when they are in a fake space and delay the execution of malicious activities.

• Log tools and security information and event management databases require inordinate amounts of manual effort to ensure data is consistently collected across the entire organisation and matched against the security team’s predictions of threats. Besides, not every actor needs to target the assets holding the ‘crown jewels’; they may simply exploit the chain of trust.

To combat these challenges, R1 deployed PacketWorker 10G at the core and peripheries of its network. After a prompt installation and using the deep packet inspection and analytics capabilities of PacketWorker 10G, R1 gained complete visibility of its entire infrastructure, including IoT and non-sanctioned devices. Using PacketWorker 10G, the security team was able to identify anomalous activities and disrupt them early, before any damage was done.

PacketWorker 10G’s innovation has turned it into an essential device for security teams attempting to comprehend the scale of their network, observe activity levels and detect potential shortcomings. Machine Learning plays a key role in defending assets from modern cyber-criminals and malicious insiders. The technology detects threats and abnormalities emerging across the network on a real-time basis, including insider threats and ‘unknown unknowns’, enabling the security team to disrupt attacks before they can cause much harm.

Whenever anomalous behavioural changes occur within the environment, PacketWorker identifies them and alerts the organisation. Changes that are not real threats are fused into PacketWorker’s evolving understanding of normality. The mathematics inside PacketWorker makes it uniquely equipped to surface noteworthy potential threats without burying them beneath numerous unimportant or repetitive alerts. Going beyond simple rules applied to network traffic, it can correlate numerous inconspicuous trends, isolated by type or time, to sniff out real emerging threats and ensure that security analysts are not burdened with false positives.
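The self-learning behaviour described above (learn what is normal per host, flag deviations, correlate them by type or time before alerting, and fold analyst-dismissed changes back into the baseline) can be illustrated with a small detector over flow records. This is an added example written for this page; it is not Vehere's code and does not describe PacketWorker's internals, and the window size, thresholds, protocol labels and traffic volumes are all constructed assumptions.

```python
# Added example (not Vehere's code, not PacketWorker internals): a minimal
# self-learning traffic baseline over constructed flow records. Window size,
# thresholds, protocol labels and volumes below are all assumptions.
from collections import defaultdict
from dataclasses import dataclass
import math

WINDOW = 60          # seconds per aggregation window
MIN_SAMPLES = 5      # windows of history needed before a baseline is trusted
Z_THRESHOLD = 4.0    # deviation score that counts as suspicious
MIN_CORRELATED = 2   # distinct protocol types (or consecutive windows) needed to alert
MAX_AGE = 3          # windows after which an uncorrelated deviation is forgotten


@dataclass
class Flow:
    ts: int       # epoch seconds
    src: str      # internal host the flow originates from
    proto: str    # application protocol label from DPI, e.g. "dns", "smb"
    nbytes: int


class Baseline:
    """Welford running mean/variance of bytes per window for one (host, proto)."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        if self.n < MIN_SAMPLES:
            return 0.0                          # still learning: never alert
        sd = math.sqrt(self.m2 / (self.n - 1))
        sd = max(sd, 0.1 * self.mean, 1.0)      # floor so constant traffic is not an "infinite" deviation
        return (x - self.mean) / sd


class Detector:
    def __init__(self):
        self.baselines = defaultdict(Baseline)  # (host, proto) -> Baseline
        self.pending = defaultdict(list)        # host -> [(window, proto, volume)] awaiting correlation

    def process_window(self, flows):
        """Feed all flows of one WINDOW; return alerts raised for it as (window, host, [(proto, z)])."""
        if not flows:
            return []
        window = flows[0].ts // WINDOW
        volume = defaultdict(int)
        for f in flows:
            volume[(f.src, f.proto)] += f.nbytes
        deviations = defaultdict(list)
        for (host, proto), v in volume.items():
            z = self.baselines[(host, proto)].zscore(v)
            if z > Z_THRESHOLD:
                # Held out of the baseline until an analyst decides, so that an
                # intrusion cannot train itself into "normal".
                deviations[host].append((proto, round(z, 2)))
                self.pending[host].append((window, proto, v))
            else:
                self.baselines[(host, proto)].update(v)   # normal: keep learning
        raised = []
        for host, devs in deviations.items():
            recent = [e for e in self.pending[host] if window - e[0] <= MAX_AGE]
            self.pending[host] = recent
            types = {p for _, p, _ in recent}
            windows = sorted({w for w, _, _ in recent})
            consecutive = any(b - a == 1 for a, b in zip(windows, windows[1:]))
            if len(types) >= MIN_CORRELATED or consecutive:   # correlate by type or by time
                raised.append((window, host, devs))
        return raised

    def dismiss(self, host):
        """Analyst marks the host's pending deviations as benign: absorb them into its baseline."""
        for _, proto, v in self.pending.pop(host, []):
            self.baselines[(host, proto)].update(v)


def make_window(w, host, dns_bytes, smb_bytes):
    """Constructed flows for one window: one DNS and one SMB flow from `host`."""
    return [Flow(w * WINDOW + 1, host, "dns", dns_bytes),
            Flow(w * WINDOW + 30, host, "smb", smb_bytes)]


def run_demo():
    """Constructed scenario: 8 quiet windows, one isolated SMB spike (no alert),
    a correlated SMB+DNS spike (alert), then analyst dismissal (no further alert)."""
    det, host = Detector(), "10.0.0.5"
    dns = [2000, 2100, 1900, 2050, 1950, 2000, 2100, 1900]
    smb = [50000, 51000, 49000, 50500, 49500, 50000, 51000, 49000]
    raised = [det.process_window(make_window(w, host, dns[w], smb[w])) for w in range(8)]
    raised.append(det.process_window(make_window(8, host, 2000, 80000)))  # one type, one window
    raised.append(det.process_window(make_window(9, host, 3000, 80000)))  # two types, consecutive
    det.dismiss(host)   # e.g. a sanctioned migration: the new level becomes part of "normal"
    after = det.process_window(make_window(10, host, 3000, 80000))
    return raised, after
```

Note that a deviation which is never correlated and never dismissed simply ages out of the pending list without ever entering the baseline; a real product would also record it for later forensic search.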

Benefits – visibility and answers
Equipped with Vehere PacketWorker, R1 can autonomously defend itself against pernicious cyber-criminals and insider threats. Since it does not rely upon any prior assumptions of what ‘bad’ entails, the self-learning solution is also uniquely capable of identifying hitherto unseen threats.

PacketWorker empowered R1 to deal with cyber threats on a real-time basis. It allowed the security and risk management teams to proactively assess cybersecurity postures and lay down rules to detect malicious behaviour besides using advanced predictive analytics to spot ‘unknown unknowns’ without disrupting ongoing business processes.


“R1 has been able to maintain stringent compliance with industry regulations since PacketWorker was implemented. The platform provides real-time anomaly detection capabilities and unprecedented visibility that is simply unmatched by any other vendor in the industry.” - Name withheld, R1


Results

• Faster detection of internal breaches and compromised customers.

• Reduction in incident response times.

• Fewer resources required to manage and act on risk assessments.

• Seamless detection of unknown and insider threats.

With PacketWorker 10G, R1 managed to speed up triage from an average of five days to less than six hours. By simplifying the analyst’s interaction with network data and using an easy point-and-click interface to lay down complex behaviour-based rules, the security operations team was able to deliver predictable and repeatable outcomes (irrespective of the skill set of the user), maximising efficiency and significantly reducing dwell times.

Over time, R1 was able to identify and alleviate threats with greater productivity compared to the same period during the previous year.

PacketWorker simplified the implementation of big-data-led security analytics in security operations by leveraging readily available structured data from the source of truth – packets on the network.

[Diagram: Vehere PacketWorker fed by packet capture and flow data, providing data enrichment, search, automation, Machine Learning, custom analytics and integration.]

“We no longer live in an era where cyber-attacks are limited to the desktops or servers. PacketWorker’s Machine Learning fights the battle before it has begun.” - Name withheld, R1


Case study #2

Manufacturing


Industry/Organisation: Manufacturing

Solution: PacketWorker 1G

Challenges

• Lack of consistency and accuracy in cybersecurity monitoring of organisational assets

• Inability to detect anomalous events

• Inadequate context when it came to analysing security events

• Absence of monitoring of IT-OT integration for real-time risk detection and response

Benefits

• 100% visibility into cyber activities of organisational assets

• 70% improvement in network/security issue triages

• Real-time detection of anomalous events and activities

Summary


“Many manufacturing powerhouse companies fear disruptive attacks the most, regardless of whether it is done by internal or external attackers.” - Name withheld, Client


Background
Cyber attacks against industrial control systems (ICS) were not widely noticed until recently and were purportedly less frequent than IT attacks, because numerous ICS attacks do not get revealed. However, ICS are presently among the top targets of cyber threats and attacks worldwide. Malware infection, ransomware and other attacks on ICS assets can have serious ramifications. With IT-OT integration, the risks of cyber-attack on ICS endpoints are expanding.

Interconnections between control systems and public networks deliver important business benefits. However, without appropriate security measures, they can compromise control system availability and cause service disruptions.

A 2017 industry report found that attacks targeting ICSs had increased by >110% compared to the previous year, while a 2018 SANS study found that 69% of ICS security practitioners believe threats to ICS systems are high or severe/critical.

Business challenges
Traditional solutions don’t work in ICS/SCADA environments. The customer needed technology to monitor their enterprise IT and SCADA networks as coherent entities of the enterprise network. Given the mission-critical nature of assets deployed in the ICS environment, enhancing or upgrading these systems with preventive security controls was deemed unacceptable.

ICS and SCADA
ICS is an umbrella term covering many historically different types of control systems such as SCADA (supervisory control and data acquisition) and DCS (distributed control systems). Also known as IACS (industrial automation and control systems), they are a form of operational technology. In practice, media publications often use ‘SCADA’ interchangeably with ‘ICS’.


“The energy sector has become a major focus for targeted attacks and is among the top-five most targeted sectors, worldwide.” - Name withheld, Client

The threat to the energy/manufacturing sector is serious and it’s becoming increasingly difficult to guard against lateral movements as a result of integration of IT with operational technology (OT) systems. This integration offers attack vectors the chance to seep into OT networks, which were unmonitored and unprotected, leaving the company with little technological help to effectively respond to such risks.

The client’s in-use tools offered little or no visibility into network traffic and the security operations were found to be inadequately prepared to manage never-before-seen threats in SCADA environment. The client required a solution that would give comprehensive visibility into the network, and also lower some of the burden their security team was carrying.


Solution – PacketWorker 1G
Following a tightly guarded security event, the remnants of which were detected by PacketWorker during a later proof-of-concept trial, and a subsequent pragmatic policy review cycle, the company decided to adopt PacketWorker 1G for their IT and OT networks.

PacketWorker demonstrated the inherent value of its self-learning threat detection abilities, which are uniquely capable of forming an understanding of normal and abnormal behaviours without any prior knowledge.

ICSs confront various cybersecurity threat vectors with varying degrees of loss potential, ranging from non-compliance to disruption of operations, and beyond.

Cost of post-event mitigation is significantly higher, not to mention the financial loss. Hence, it is a prudent strategy to ‘efficiently detect and respond swiftly’ to security threats in ICS networks to keep costs low.

PacketWorker is a fundamental innovation that views data from an ICS network in real time and sets up a developing pattern for what is normal for operators, workstations and automated systems within that environment. With PacketWorker’s Machine Learning, organisations can distinguish and react to emerging threats in real time. Advanced behavioural analysis can detect even previously unseen novel or custom-fitted attacks, regardless of whether they originate in the corporate IT or OT domains or navigate between them.

Total prevention of all cyber compromises is not a realistic goal, but, if identified early enough, threats can be alleviated before they become full-blown crises. PacketWorker’s technology can be deployed across both IT and OT environments to provide full coverage to an organisation.

Benefits
PacketWorker has rapidly become an essential part of the client’s cyber security strategy because of its one-of-a-kind methodology and capacity to detect emerging threats before they have the potential to cause significant damage.

On deploying PacketWorker, the organisation was immediately alerted to potential intrusions inside its systems that had already bypassed its other security tools. Following an easy implementation process, it now uses PacketWorker to persistently analyse the overall health of its systems and to spot sporadic activities that have a high likelihood of being pernicious, hazardous or non-compliant.

The advanced cyber defense technology allows clients to secure themselves from the most deceptive attacks that endanger critical infrastructure systems, regardless of whether those threats originate from within or outside the organisation.

“PacketWorker has added another dimension of refinement to our defense systems and productively identified threats with the potential to disrupt our networks.” - Name withheld, Client


Case study #3

Telecommunications


Industry/Organisation: Telecommunications

Solution: PacketWorker 10G

Challenges

• Gain visibility into what’s happening on the network

• Speed up triage – reduce time to respond to security incidents

• Comply with regulatory mandates

• Protect the system from constantly evolving threats

Benefits

• Real-time insights into applications, actors and actions

• Prompt incident response and discovery by leveraging comprehensive indexing and searching capabilities

• Improved performance of application monitoring and network behaviour analytics for non-standard management-plane traffic

• Reduction in total cost of ownership for security implementation

Summary


“We needed to ensure compliance with regulatory requirements and enhance visibility with respect to management-plane applications.” - Name withheld, Client


Background
The security leadership of a leading telecommunications company was looking to curtail costs and improve the efficiency of the cyber threat detection solution deployed for their management-plane networks. The incumbent vendor’s solution was at its end-of-life stage and the cost of refreshing the technology was proving to be higher than budgeted.

Gaining visibility into the network
Burgeoning growth in customer base and data usage had meant that the company’s network had become more complex and the throughput had exceeded 10 gigabytes per second across the majority of their router interfaces. Adding to their woes was the fact that the solutions at their disposal did not have much to offer in terms of detection for management-plane applications. Consequently, the company began to look for a technology that could help them make sense of the ‘unknowns’ and answer the questions raised by the security incidents they were encountering. The company was found to be lacking the ability their sectoral peers had in discovering and triaging a security incident. Not only did this indicate the waning power of the company’s risk management framework but also its potential inability to deal with a material attack, if and when it happened. There was a strong likelihood that the company was on the verge of inviting customer ire because of these failings.

“Vehere’s PacketWorker is extremely powerful when it comes to detecting abnormal activities that can threaten our cybersecurity framework.” - Name withheld, Client



“We have ensured stringent compliance with established sectoral regulations ever since PacketWorker was installed.” - Name withheld, Client



Solution – PacketWorker 10G

By leveraging the deep packet inspection and analytics capabilities of PacketWorker, the company gained incisive insights into their management-plane traffic, and by utilising signature-less techniques they were able to detect security risks and shield the network from sophisticated cyber threats. PacketWorker is an effective cyber threat detection and response solution that helps organisations minimise the risk of expensive breaches by accurately detecting cyber threats and enabling swift responses to thwart them. PacketWorker facilitates the efficient resolution of identified security incidents using concrete evidence, actionable intelligence and response workflow integrations. The solution is a true big data architecture built around a search engine to speed up retrieval of information and execute complex analytical tasks such as identifying instances of spikes and low-and-slow traffic, correlating them across multiple activities and finding similar patterns to tell normal and malicious behaviour apart.

Visibility and answers

PacketWorker empowered the company to get cyber threat alerts on a real-time basis. PacketWorker’s unique ability allowed the company’s security and risk management teams to proactively assess security postures, formulate detection rules and use advanced predictive analytics to detect unknowns. Capitalising on powerful deep packet and payload inspection, PacketWorker offered full visibility into network traffic along with the ability to analyse encrypted communications using mathematical models. Security analysts leveraged the visual play-book and time-travel capabilities to determine the root causes of incidents and retrieve actionable intelligence – from session correlations and graphic analyses – to improve the organisational security posture. Furthermore, all this was done without disrupting ongoing business processes.

Accelerated resolutions

With PacketWorker, the company managed to trim their incident resolution time from days to hours and simplified an analyst’s interaction with network data. An easy point-and-click interface was used to lay down complex behaviour-based rules, which enabled the security operations team to deliver predictable and repeatable outcomes, irrespective of the skill set of the user. The result: maximised efficiency and reduced dwell-time. PacketWorker used big data analytics to eliminate considerations pertaining to event or log rates and obviate the need for deploying collectors for different applications and processes. The platform ran on readily-available structured data that it gathered from the source of truth – packets on the network.



Case study #4

Critical infrastructure/Government



Industry/Organisation: Critical infrastructure/Government

Solution: PacketWorker 10G and professional services

Challenges

• Concerns about the prevalence of fast-moving, automated attacks

• Adopt a proactive approach to cyber defense

• Attain comprehensive visibility into critical infrastructure stations

• Secure itself from breaches, data thefts, malware/zero-day attacks

• Too many false positives

• Insider threats

• Surfeit of reactive and lack of proactive measures

Benefits

• 100% network visibility, including ICS protocols

• Improved response time by >100%

• Reduction in cybersecurity risks, data losses and subsequent costs of restoration

• Compliance with contractual and regulatory obligations

• Detection of automated attacks in real time

• Increased efficiency with proactive alerts

Summary



“A wide range of risks are now being played out in the cyber domain and pose a real and growing threat to the energy and utilities industry.” - Name withheld, Client

Critical infrastructure owners need more resilience, with fewer siloes and the competency to detect, scrutinise and respond to issues in real-time – as they occur.



Background

As an integral part of national critical infrastructure, cyber security has been a priority for the client (a public sector enterprise) for some years. However, recent high-profile attacks on operational technology uncovered significant gaps in its security posture. With the threat landscape rapidly advancing and the mounting cost of mitigating security breaches, a new approach to cyber defense for Industrial Control Systems became an urgent requirement. As attacks continue to increase in volume and sophistication, the critical infrastructure owner had to evolve.

The client acquired significant cyber threat and risk intelligence data from multiple sources. However, despite applying the available intelligence to various security controls, the client continued to experience security incidents.

Business challenges

In the context of an increasingly sophisticated threat landscape, the client was essentially worried about the impact of an attack on its rather infrequently-updated and under-protected SCADA network. Specifically, it was concerned about fast-moving and automated threats, like ransomware/cryptoware, that have the potential to jeopardise operations at the earliest opportunity. With a security stack that primarily depended on border defense based on rules and signatures, the client was unable to take a proactive approach to cyber defense.

In addition to confronting evolving cyber threats, the client was affected by tight budgets and a lack of resources, complex processes, and a need to stay up-to-date with the latest regulatory mandates, attack methods and technologies.

Additionally, the client felt it lacked visibility into its internal network. It wanted a solution that could provide insights into the behaviours of users, devices and the network as a whole. Keeping resource constraints and training and integration needs in mind, the client set out to identify an easy-to-deploy solution to combat next-generation threats, including zero-day and advanced persistent threats, to supplement legacy security defenses across the corporate infrastructure.

“Disruption of critical infrastructure has tremendous psychological impact as large-scale disruption to civilian facilities leaves a profound impact.” - Name withheld, Client



“PacketWorker’s Machine Learning technology has proven instrumental in terms of providing visibility of devices we didn’t even know we had on our network.” - Name withheld, Client



Solution – PacketWorker 10G

Following a quick installation, security analysts were able to identify abnormal activities and disrupt exploitative actions in the early stages, before any damage was done. The solution also provided the client with total network visibility. From day one, PacketWorker started to analyse user, device and network behaviours in real time, detecting anomalies pertaining to cyber risks.

PacketWorker demonstrated the inherent value of its self-learning threat detection abilities, uniquely capable of forming an understanding of normal and abnormal behaviours without any prior knowledge.

PacketWorker proved to be an effective cyber threat detection and response solution that helped the client respond swiftly to cyber threats. It facilitated efficient resolution of identified security incidents with concrete evidence, actionable intelligence and response workflow integrations.

Machine Learning is a principal ally in defending assets from cyber-criminals and malicious insiders. The technology detects the slightest abnormal behaviours across the network in real time, including ‘unknown unknowns’, enabling the security team to detect and respond to attacks before any harm is done.

Benefits

With PacketWorker’s Machine Learning abilities, the client re-established trust in its security operations to defend itself from evolving and increasingly automated attacks. Since the solution prioritises detection outcomes by potential gravity, it enables security professionals to optimise their resources for increased effectiveness.

PacketWorker allows the security and risk management teams to proactively assess security postures and then set up detection rules to maintain their edge over malicious behaviours, besides using advanced predictive analytics to detect unknowns. All this is done without any disruption to ongoing business processes.

Exemplary performance and detailed contextual availability enabled the cyber security team to focus on responding to threats quickly, minimising operational and business impact.

Over time, the client was able to identify and alleviate threats more efficiently compared to the previous year.



Case study #5

Energy and Utilities

“We have a lot of suspicious communication that we don’t necessarily get time to analyse, but PacketWorker helps focus our efforts just on the riskiest ones and enables us to safely investigate their true nature and intent.” - Name withheld, Client



Industry/Organisation: Energy and Utilities

Solution: PacketWorker 10G and professional services

Challenges

• Need to improve detection rates without impacting business continuity or taking excessive measures to lock down machines

• Enhanced compliance posture

• Long and tedious operations and security investigations lacked visibility

• Concern about prevalence of fast-moving, automated attacks

Benefits

• Gained real-time operational visibility

• Reduced operational disruption and remediation costs

• Consolidated intelligence and reporting

• Ensured immediate and significant drop in attacks

Summary

Background

Cyber security and compliance continue to be a challenge for many energy sector organisations. Hackers, including both state and non-state actors, are getting progressively more advanced in their attacks, making it increasingly hard to keep up with the latest threats.

Analysts noted an increase of >60% in hacktivism targeting the energy sector. A 2018 survey of IT professionals across the oil, gas, utility and energy sectors found that fewer than half believed their organisations could immediately detect a cyber-attack, although ~65% believed that they were a target. Furthermore, 81% believed that attacks could do ‘serious damage’. All the statistics pointed to a clear state of uncertainty with the prevalent style of risk management and adoption of security controls.



Business challenges

Although there has been an increased focus on cyber security in recent years, threats against the energy sector continue to go undetected for an average of six months.

A key reason behind this is alert overload. Standard cyber security deployments generate thousands of alerts per week, but the client organisation only had the resources to investigate ~5-6% of them. With a 20% reliability rate, the client believed they were wasting precious time and money each year chasing false positives or performing investigations with inadequate insights.

The main hindrance was that users could not get context or insights from multiple security solutions quickly enough, and in one place, to perform an efficient investigation. This is precisely why adopting Machine Learning can help improve versatility, cyber hygiene and compliance.

The client’s previous tool set had led to a number of challenges, including:

• Slower threat detection and response due to too many disparate tools, too much information and the need for a lot of manual correlation to find the right data.

• Limited data retention capabilities.

• No compatibility with other technologies.

To protect its digital infrastructure, the client required situational awareness of its security posture, context and relevant insights for its departments and stakeholders.



Key facts and figures

• Energy attacks went up by 20% between 2017 and 2018. This trend is expected to continue as governments pour more resources into cyber warfare.

• 75% of companies in the oil, gas and electricity sectors reported a cyber attack in 2018. Intruders were able to bypass the protections that were in place.

• Cyber-attacks against energy companies usually take months to discover.

• 48% of energy and utility CEOs think a cybersecurity attack is inevitable, sooner or later.

Benefits

PacketWorker empowered the client to detect and neutralise cyber threats in real time. PacketWorker immediately affirmed that the bulk of the client’s infrastructure was clean, but did detect the presence of a certain malware in their network and allowed them to zero in on a specific workstation for remediation.

From the first day of deployment, clients have seldom had issues with false positives from the rule engine. This has given them the certainty to resolve security incidents.

With large volumes of data transfer going on daily, the client was unable to analyse everything.

Exemplary performance and high detail availability enabled the cyber security team to respond to threats quickly, minimising operational and business impact.

PacketWorker simplified the implementation of big data-led security analytics in a secops environment by eliminating the considerations around event rate and the need for collectors for different applications/processes. It is a platform for readily-available structured data lifted from the source – packets on the network.

Solution – PacketWorker 10G

Deployed in promiscuous mode to monitor networks, PacketWorker proved to be an effective detection and response solution that helped respond swiftly to cyber threats. It facilitated efficient resolution of identified security incidents using concrete evidence, actionable intelligence and response workflow integrations.

The client had an account that was the target of an email-based attack. PacketWorker put the right protection in place and stopped the ransomware from deploying.

PacketWorker was immediately able to identify a lot of malware that had been entering the client’s environment. The client saw the cost savings generated by preventing the attacks and the gains in efficiency resulting from PacketWorker.

PacketWorker does not require weeks and weeks of consulting to implement and the speed at which it can operate and mitigate risk is a key differentiator.

Clients often need easy access to real-time data and actionable information to understand where they need to focus.

“No business in the energy industry is immune to security issues and fear of disruptive attacks, regardless of whether it is done by internal or external attackers.” - Name withheld, Client



PacketWorker can provide meaningful insights from comprehensive monitoring of enterprise networks for cloud and shadow-IT, social media and recreational access, remote access, trusted-to-trusted communication, IoT, and encrypted communication, enabling security practitioners to take proactive remedial measures, faster.

PacketWorker Appliances



PacketWorker Appliances – Data sheet

Key features

• Comprehensive rules framework and Machine Learning algorithms automate detection of security risks in real time.

• Deep packet and payload inspection helps detect thousands of protocols and applications to provide precise context.

• Powerful visualisation platform enables threats to be analysed and investigated intuitively to help reduce mean-time-to-detect and mean-time-to-respond.

• Session replays and reconstructions to facilitate better assessment of security risks using third-party tools or human analysis.

• Detects IPv4 and IPv6 traffic in VLAN, MPLS encapsulation and tunneled traffic to support deployment for most environments.



PacketWorker 300 – ideal for throughput up to 300 Mbps

• 1 x gigabit-ethernet copper OOB interface

• 2 x 1 gigabit-ethernet copper interfaces

PacketWorker 1K – ideal for throughput up to 1 Gbps

• 1 x gigabit-ethernet copper OOB interface

• 4 x 1 gigabit-ethernet copper interfaces

PacketWorker 10K – ideal for throughput up to 10 Gbps

• 1 x gigabit-ethernet copper OOB interface

• 2 x 1 gigabit-ethernet copper interfaces

• 2 x 10 gigabit-ethernet SFP+ LR/SR options

Services

Support

• Standard – 8/5 e-mail and telephonic support

• Extended – 12/5 e-mail and telephonic support

• Appliances – next business day hardware replacement

• Web and knowledge base – 24x7 access

Implementation and consulting

• Site survey, preparation/readiness assessment, consulting and deployment

• Custom-sizing and design for large-scale deployment

Incident assurance

• Affirmation – confirm an incident/suspicion

• Assistance – provide operational assistance for PacketWorker while your key human capital undertakes critical incident response tasks

• Response – incident response execution assistance



Vehere’s PacketWorker is a Network Situational Awareness solution that enables comprehensive network monitoring using either line-rate full packet capture or flow monitoring technology. It enables security practitioners at leadership, risk management and operational hierarchies to find answers to the six most compelling questions – ‘What?’, ‘Why?’, ‘When?’, ‘How?’, ‘Where?’ and ‘Who?’

White paper



“I keep six honest serving men; they taught me all I knew. Their names are ‘What’ and ‘Why’ and ‘When’ and ‘How’ and ‘Where’ and ‘Who’.” - Rudyard Kipling

New-age secops



In defence of secops

Security operations are expected to be proactive in response. However, the architectural complexity of layered defenses, demanding service level agreements for availability and uptime, and the performance penalties imposed on in-line tools while performing deep inspection and executing complex policy enforcement are complicated further by complex compliance and security monitoring setups. This has forced security operations to adopt a reactive stance in the better interest of the businesses they support.

Security operations can benefit by deploying security analytics that use full-packet capture technology. These are considerably easier to deploy, require minimal effort to configure and manage, and do not require middleware to work with different data sources, resulting in considerably faster data analysis. Pairing this with a customisable user interface ensures predictable outcomes of assessments and investigations and eliminates the need for expensive training and associated manpower costs.

Such technologies can provide businesses with the confidence to deliver timely responses in the face of eventualities and to offer positive outcomes even in trying situations, such as serious security breaches. Response is no longer hostage to person or device availability. Instead, actionable intelligence is attained without disrupting business processes and activities, boosting customer and investor confidence.



Business impact analysis

Left to itself, technology would do no harm. It is the human factor that introduces and amplifies risk in any ecosystem.

Safeguarding an enterprise’s digital ‘crown jewels’ is a priority. However, business is a social activity and several organisations have actually lowered their guards to improve productivity, increase customer engagement and identify new revenue sources.

The result is a manifold jump in security risks and a serious impact on the business.

Additionally, security teams find it difficult to enforce policies on applications being used by business teams. Risk managers cannot determine the security posture of personal devices or tools used for customer engagement. Newer digital initiatives by enterprises for business benefit have put pressure on risk managers and security operators to keep pace without enforcing the stringent policies of the past, while at the same time assuring the senior leadership team that they can accurately determine business impacts and respond to eventualities.

Figure: capability map spanning Reactive to Proactive – Cloud/Shadow IT, Comprehensive visibility, Encrypted traffic analysis, Incident response and network forensics, Threat detection, Network anomaly detector, Security orchestration, Adaptable interpretive monitor.

Businesses are increasingly focusing on being able to ‘find more for less’, i.e., better quality insights but with less skilled and fewer staff.

Source: Gartner Analysis Viewpoint, July 2018



To observe and respond is human nature. Let’s just apply this to the cyber world. Deploy a simple monitoring capability that enables secops to be proactive and fall back to retrospective analysis mode, on demand.

Gain visibility into every session on the network. Monitor cloud usage and encrypted communications. Leverage Machine Learning to identify suspicious behaviour, watch out for non-compliance and travel back in time to determine root causes. Pick up evidence to build actionable intelligence, and uncomplicate critical monitoring tasks in a cost- and resource-efficient manner to streamline security operations. Integrate output and intelligence to prevent perpetrators – on the inside or from the outside – from causing significant damage to enterprise assets. Free up cycles to focus on the future readiness of security operations. Hone the capabilities of network managers to troubleshoot performance or availability issues and assist with capacity planning along with risk assessment.

Doing it right

“The concept of surveillance is ingrained in our beings. God was the original surveillance camera.” - Hasan M. Elahi



Services – Affirmation, Assistance, Response


Uncomplicate secops

Security and risk practitioners need an upper hand over their adversaries. This can be achieved using technologies that permit them to capture their learnings as templates and apply them to discover threats or risks in corporate environments. These silently monitor multiple network segments and easily integrate with current solutions in the security ecosystem to provide visibility and control.

Vehere’s PacketWorker is a Network Situational Awareness solution that enables comprehensive network monitoring using either line-rate full packet capture or flow monitoring technology. It enables security practitioners at leadership, risk management and operational hierarchies to find answers to the six most compelling questions – ‘What?’, ‘Why?’, ‘When?’, ‘How?’, ‘Where?’ and ‘Who?’

A powerful deep packet and payload inspection offers incisive insights into network traffic, analyses encrypted communications without resorting to decryption, detects network anomalies and compliance violations, provides visibility into cloud and software-as-a-service applications, goes back in time to perform forensics and root-cause analyses and retrieves actionable intelligence via session correlations, graph analyses, full-fidelity user-session reconstructions for evidence retrieval and attribution. This ensures operational efficiency and bolsters the organisational security foundation without disrupting ongoing business processes.

With a simple and easy-to-use, web-based interface and an adaptable interpretive monitor, it offers secops the ability to deliver predictable and replicable outcomes irrespective of the skill-set of the user, maximising efficiency and significantly reducing dwell-times.

The solution is based on true big data architecture built around a search engine to speed up information retrieval and execute complex analytical tasks such as identifying spikes and instances of low and slow-flying traffic, correlate these across multiple activities and find similar patterns to tell normal and malicious behaviours apart.

PacketWorker gels well with the secops ecosystem by integrating with the existing security monitoring and orchestration layers and using standardised interfaces – with security information and event management for security monitoring and preventive controls for delivering immediate responses.

PacketWorker facilitates seamless implementation of big data security analytics in security operations by eliminating concerns pertaining to event or log rates and the need for collectors for different applications or processes. It is a platform for readily-available structured data, lifted directly from the source – packets on the network.

Vehere backs PacketWorker’s deployment with a set of services aimed at assisting enterprises in various phases of risk management.



Machine Learning as employed by Vehere PacketWorker


During Machine Learning analysis, the system infers a probabilistic behavioural model of each network node using ‘topic modeling’.

Topic modeling is a natural language processing technique whose design principle offers a response to one question – what is the probability that an observed session adheres to a behaviour?

The observed session is the network activity as it happens, and the ‘probability’ is a score between 0 (zero) and 1 (one). Lower scores imply suspicious activity, and these are delivered as alerts in human-readable form.

PacketWorker uses the Latent Dirichlet Allocation (LDA) model.
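As an added illustration (not Vehere’s code, and not the inference step PacketWorker performs), the Python below scores a session against a per-node behaviour profile the way an LDA-style model does once its parameters are known: each behaviour is a topic (a distribution over discretised session ‘words’), each node has a mixture over behaviours, and a session’s score is the geometric mean of its word probabilities, so it lands between 0 and 1 with low values flagged. The behaviour-word distributions, node mixtures, protocol/port tokens and the 0.05 alert threshold are all constructed assumptions; in a real deployment the model would be inferred from captured traffic rather than written by hand.

```python
"""Score a network session against a per-node topic-model behaviour profile.

Each session is reduced to a bag of discretised 'words' (here protocol/port
tokens).  In LDA terms every behaviour is a topic phi[k] (a distribution over
words) and every node has a mixture theta[node] over behaviours.  Then
P(word | node) = sum_k theta[node][k] * phi[k][word], and a session is scored
by the geometric mean of its word probabilities, a value in (0, 1].  Low scores
mean the session does not fit the behaviours learned for that node.
"""
import math

# Constructed behaviour (topic) word distributions.  A real deployment infers
# these from captured traffic; they are hand-written here only for illustration.
BEHAVIOURS = {
    "web-browsing": {"tcp/443": 0.55, "tcp/80": 0.30, "udp/53": 0.15},
    "mail":         {"tcp/25": 0.50, "tcp/993": 0.40, "udp/53": 0.10},
    "admin":        {"tcp/22": 0.70, "tcp/3389": 0.25, "udp/53": 0.05},
}
VOCAB = sorted({w for dist in BEHAVIOURS.values() for w in dist})

# Constructed per-node behaviour mixtures (theta), likewise inferred in practice.
NODE_PROFILES = {
    "10.0.0.5": {"web-browsing": 0.85, "mail": 0.15, "admin": 0.00},  # a workstation
    "10.0.0.9": {"web-browsing": 0.10, "mail": 0.10, "admin": 0.80},  # a jump host
}

SMOOTHING = 1e-4  # keeps an unseen word from driving the whole product to zero


def word_probability(node: str, word: str) -> float:
    """P(word | node) under the node's behaviour mixture, additively smoothed.

    Every vocabulary word plus one out-of-vocabulary bucket receives SMOOTHING
    extra mass, so the smoothed values still sum to 1 over that extended set.
    """
    theta = NODE_PROFILES[node]
    p = sum(theta[k] * BEHAVIOURS[k].get(word, 0.0) for k in theta)
    return (p + SMOOTHING) / (1.0 + SMOOTHING * (len(VOCAB) + 1))


def session_score(node: str, words: list[str]) -> float:
    """Geometric mean of the per-word probabilities: a score in (0, 1]."""
    if not words:
        raise ValueError("a session needs at least one observed word")
    log_p = sum(math.log(word_probability(node, w)) for w in words)
    return math.exp(log_p / len(words))


def assess_session(node: str, words: list[str], threshold: float = 0.05) -> dict:
    """Return a human-readable verdict; sessions scoring below threshold are alerted."""
    score = session_score(node, words)
    suspicious = score < threshold
    message = f"{node}: session {words} scored {score:.4f} against its behaviour profile"
    if suspicious:
        message += " -> ALERT: does not fit the node's learned behaviours"
    return {"node": node, "score": score, "suspicious": suspicious, "message": message}


if __name__ == "__main__":
    # Constructed sessions: one that fits the workstation's profile, one that does not.
    print(assess_session("10.0.0.5", ["tcp/443", "tcp/80", "udp/53"])["message"])
    print(assess_session("10.0.0.5", ["tcp/22", "tcp/3389", "tcp/22"])["message"])
```

The geometric mean is what makes the score comparable across sessions of different lengths (a long session of perfectly ordinary words is not penalised for having many factors), and the additive smoothing is what lets a never-before-seen token lower the score sharply without collapsing it to an uninformative zero.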


Rule engine

PacketWorker enables security analysts to define and specify various rules in the rule engine to help them discover compliance or policy violation issues, look for risky communications or discover attacks, and identify network or security-related issues proactively. Security analysts need to set rules in the application after analysing their environments. Rules run through the flow records captured in the system and generate an alert or execute an action upon a rule hit.

Rule types with common monitoring paradigms include:

• Match where there are X events in Y time (frequency type)

• Match when the rate of events increases or decreases (spike type)

• Match when there are fewer than X events in Y time (flatline type)

• Match when a certain field matches a blacklist or whitelist (blacklist and whitelist type)

• Match on any event matching a given filter (any type)

• Match when a field has two different values within some time (change type)
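To make the six paradigms concrete, here is an added Python example (not PacketWorker’s rule engine, whose flow-record schema the brochure does not show) that evaluates one rule of each type over a handful of constructed flow records. The Flow fields, rule names, thresholds, windows and sample addresses are all assumptions chosen for the illustration.

```python
"""One rule of each type (frequency, spike, flatline, blacklist/whitelist, any,
change) evaluated over constructed flow records.  Record layout is assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the capture window
    src: str
    dst: str
    dport: int
    user: str    # account tied to the session (constructed field)


# Constructed sample records; external hosts use RFC 5737 documentation ranges.
FLOWS = [
    Flow(0, "10.0.0.5", "10.0.0.20", 445, "alice"),
    Flow(1, "10.0.0.5", "10.0.0.21", 445, "alice"),
    Flow(2, "10.0.0.5", "10.0.0.22", 445, "alice"),
    Flow(3, "10.0.0.5", "10.0.0.23", 445, "alice"),
    Flow(4, "10.0.0.5", "10.0.0.24", 445, "alice"),
    Flow(5, "10.0.0.7", "203.0.113.9", 443, "bob"),
    Flow(70, "10.0.0.7", "198.51.100.4", 6667, "bob"),
    Flow(80, "10.0.0.7", "203.0.113.9", 443, "carol"),
    Flow(130, "10.0.0.8", "10.0.0.20", 3389, "dave"),
]


def frequency_rule(flows, key, threshold, window):
    """Frequency type: keys with at least `threshold` flows in any `window`-second span."""
    times = defaultdict(list)
    for f in flows:
        times[key(f)].append(f.ts)
    hits = set()
    for k, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(k)
                break
    return hits


def _bucket_counts(flows, window):
    """Number of flows per fixed `window`-second bucket."""
    counts = defaultdict(int)
    for f in flows:
        counts[f.ts // window] += 1
    return counts


def spike_rule(flows, window, factor):
    """Spike type: buckets whose count rose to >= factor x, or fell to <= 1/factor x, the previous bucket."""
    counts = _bucket_counts(flows, window)
    hits = []
    for b in sorted(counts):
        prev = counts.get(b - 1, 0)
        if prev and (counts[b] >= factor * prev or counts[b] * factor <= prev):
            hits.append(b)
    return hits


def flatline_rule(flows, window, minimum):
    """Flatline type: buckets (up to the last observed one) with fewer than `minimum` flows."""
    counts = _bucket_counts(flows, window)
    last = max(f.ts for f in flows) // window
    return [b for b in range(last + 1) if counts.get(b, 0) < minimum]


def list_rule(flows, field, values, mode="blacklist"):
    """Blacklist type: field value is on the list; whitelist type: field value is not on it."""
    values = set(values)
    return [f for f in flows if (getattr(f, field) in values) == (mode == "blacklist")]


def any_rule(flows, predicate):
    """Any type: every flow that satisfies an arbitrary filter."""
    return [f for f in flows if predicate(f)]


def change_rule(flows, key, field, window):
    """Change type: for one key, `field` takes two different values within `window` seconds."""
    last, hits = {}, []
    for f in sorted(flows, key=lambda f: f.ts):
        k, v = key(f), getattr(f, field)
        if k in last and last[k][1] != v and f.ts - last[k][0] <= window:
            hits.append((k, last[k][1], v))
        last[k] = (f.ts, v)
    return hits


def run_rules(flows):
    """Evaluate one constructed rule of each type; returns alerts keyed by rule name."""
    return {
        "smb-fanout (frequency)": frequency_rule(flows, lambda f: f.src, 5, 10),
        "rate-change (spike)": spike_rule(flows, 60, 3),
        "quiet-minute (flatline)": flatline_rule(flows, 60, 2),
        "irc-port (blacklist)": [f.ts for f in list_rule(flows, "dport", {6667})],
        "non-approved-port (whitelist)": [f.ts for f in list_rule(flows, "dport", {443, 445}, "whitelist")],
        "internal-rdp (any)": [f.ts for f in any_rule(flows, lambda f: f.dst.startswith("10.0.0.") and f.dport == 3389)],
        "user-switch (change)": change_rule(flows, lambda f: f.src, "user", 60),
    }


if __name__ == "__main__":
    for name, alerts in run_rules(FLOWS).items():
        print(f"{name}: {alerts}")
```

Two design choices matter when turning these paradigms into production rules. The frequency rule uses a sliding window, so a burst that straddles a minute boundary is still caught, whereas the spike and flatline rules count fixed buckets, which is cheaper on a 10 Gbps feed but can miss a burst split across two buckets. The whitelist mode returns what is not on the list, so it needs a complete list of approved values or it will page on every legitimate but unlisted port.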


Vehere

1629 K Street NW, Suite 300, Washington DC 20006-1631, USA P +1-202-355-6371

7500A Beach Road, #04-327, The Plaza, Singapore 199591 P +65 9299 0905

232 DLF South Court, Saket District Centre New Delhi 110017, India P +91 33 4004 6349

#1603, PS Srijan Corporate Park, Block GP, Sector V, Salt Lake, Kolkata 700091, India P +91-33-4054-5454

E [email protected] W www.vehere.com

V-1.4.2