Security On-Demand just launched their latest exceptional service – ThreatWatch Hunt. This service provides customers an additional layer of security through a pro-active automated hunt across the network seeking to identify threats – both active and dormant – that may have made it through the network defenses. It does this through an agentless scan of all (or specified) devices on the network and performing an automated forensic analysis. Reviewing nearly every facet of an operating system looking for processes, DLL’s, files and more that are not supposed to be there or are anomalous.
Post-Event Analysis
No matter how secure your environment is, hackers are ever evolving their techniques and approaches. You may have a fully compliant, well secured enterprise complete with perimeter defenses such as firewalls, IDS/IPS, DMZ, proxy servers and more. You may have your network segmented to isolate your crown jewels and protect the loss of critical data. You may have robust email security, the latest end-point protection program, and many other exceptional security tools and you could still get hacked.
ThreatWatch Hunt is designed to be a fail-safe after all the prevention measures have been exhausted. It is Post-Event Detection. It assumes that an event or breach has already occurred and is actively hunting for it across your network.
How is this different from ThreatWatch?
ThreatWatch is a wonderful and valuable security monitoring and detection platform that performs security and behavioral analytics. As is appropriate for such a platform, it is constantly looking for threats, attacks, events, or incidents in real or near-real time. It performs log management, employs analytics to correlate threats as they occur, and does a modicum of historical analysis over the previous hours. However, generally it is reactive in nature. While organizations with ThreatWatch already have great visibility into their environments and the service does come with a measure of manual threat hunting, it is not advanced, automated hunting.
ThreatWatch Hunt provides in-depth, automated threat hunting. It is a pro-active approach to threat detection that takes the opposite approach from traditional security operations. Whereas security operations is generally reactive and passive, ThreatWatch Hunt scans the entire network (or segment thereof) looking for indications that a breach that already occurred. As it scans each device is does an in-depth review of all files, processes, DLL’s, and even volatile memory. It evaluates each element and determines whether or not it is legitimate and supposed to be there. It rates each artifact as either clean, suspicious, or bad. Bad are those that the system believes are most likely to be malicious and suspicious is just as it suggests, it may be bad or it may be clean.
It is an agentless scan that is exceptionally light weight on the network. No software is installed on individual workstations and it does not affect network performance.
ThreatWatch Hunt is an add-on the ThreatWatch platform. It is a natural addition to our monitoring system as the results from the scan are both manually analyzed by cybersecurity analysts and they are sent to ThreatWatch for correlation with alerts from other sources. This allows us to provide the customer with a more accurate picture of what happened and increase the fidelity and validity of our alerting.
What value does it provide?
ThreatWatch Hunt is one of the few tools that performs post-event detection. By assuming a breach already occurred it naturally distrusts all system artifacts. This approach provides the most value in decreasing the dwell time – or time-to-detection – that a hacker or malware has access to the enterprise. A recent study carried out by Crowd Research Partners revealed that the average amount of time breaches go undetected on a network is around six months. The cost associated with such a breach can be enormous and it only gets more expensive the longer the breach goes undetected. A Ponemon Institute study found that breaches detected in the first 30 days usually cost companies more than $1 million less than longer breaches.
Additionally, there is more than just a monetary value at stake. In most breaches, the initial devices that are infected are usually not the devices that the hacker really wants. It can take some time for the hacker to infiltrate the network, gain persistence, and ultimately compromise the system that has the data that is most valuable to them. For example, in the Target breach in 2013, Target’s vendor management system was compromised. That system did not have any data that the hacker wanted, but they pivoted their way through network until they found databases and systems storing and processing credit card information. The longer the hacker has access to the network, the more systems can be compromised and data stolen. Certainly these things have monetary value, but they also often contain intellectual property that your company relies on and sets them apart in the industry.
Through decreasing the hacker dwell time using ThreatWatch Hunt, you not only save yourself considerable money but you keep protected the information that is most critical to the success and future of your company.
How can you learn more?
We at Security On-Demand are very excited to launch this new offering. To learn more please visit our ThreatWatch Hunt web page or contact us at sales@securityondemand.com.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.
Sources:
