SOC THREAT2ALERT PLATFORM
Nettitude has developed a unique product called Threat2Alert (T2A) that is used to generate rich data from your environment, from which Indicators of Compromise (IoCs) can be detected. Each component of T2A works together with the others to provide a detailed picture of the systems you need protected.
The Threat2Alert platform provides the means for the Nettitude 24×7 SOC Monitor Analysts to investigate and respond to alerts generated from the events captured. It is built of the following components:
- Log data capture, analysis and event management (LogRhythm)
- A.I. Engine, behavioural analysis and alarms (LogRhythm)
- Network Appliance for traffic capture and analysis
- Managed endpoint detection and response (CarbonBlack Response)
- Threat intelligence data from a wide variety of sources
- ThreatReceivers (HoneyTraps) deception and decoy devices
- Host based agents for File Integrity Monitoring (FIM)
THE FIVE ELEMENTS OF THREAT2ALERT
The Nettitude SOC combines Threat2Alert data with many other sources of data to provide a rich base source of information. Intelligence is derived to ensure the actions and events you are provided with are real and credible.
The data is created from your business intelligence needs and the areas of impact for your organisation are highlighted. Data that is not relevant is removed.
Nettitude’s SOC Personnel
The SOC is made up of the following key personnel and expertise:
1: Threat2Alert – Taking control of your log data
- LogRhythm SIEM tool, Cyber Threat Intelligence (CTI), honey traps, host based agents, network appliance (coming soon)
2: The Nettitude Computing Emergency Response Team (NCERT)
- Investigations, analysis and forensics
- Incident management
- Alerting and reporting
3: SOC Analyst
- Certified and trained ‘Eyes on Screen’
- Proactive actions, giving you peace of mind when events occur
- Guidance, advice and help on hand when you need to respond or investigate
4: Incident Response (IR) Consultants
- Escalation and in-depth investigations with advanced IR tools
- Malware reverse engineering, host-based analysis, network packet inspection, deep-dive investigations
- On- and off-site forensic capabilities
SIEM – Log Sources through LogRhythm
As part of the on-boarding stage, we work closely with you to ensure the right log sources are captured, the logs are set to the correct level and are reporting back from your environment.
- Best of breed, Gartner Magic Quadrant SIEM provider – LogRhythm – provides a mechanism to collect and correlate a wide set of log data
- Collects packets and logs for in depth analysis and correlation
- Extensively tuned to reflect your infrastructure, as well as your people, processes and technology
- Generates alerts and events 24 x 7 x 365
- Forensically recorded for 3 years
- The right log sources must be plugged in to your centralised logging and reporting system (no black holes within your environment)
- The logging volume must be set at the right level so that your security events are not missed. Are you seeing all the event types and the follow-on actions required?
- The correct events from each log source must be reported (often too much log data is collected, but because it is the wrong data)
“Threat2Alert’s security managed service is a vital part of our IT security operations, and has helped to strengthen our organization’s overall security posture. Thanks to the deployment of Threat2Alert we have 100% greater visibility of any threats and potential threats within our environment.” – IT Director (Financial Services Client)
Cyber Threat Intelligence
Our system ingests data from a variety of sources, confirms through active analysis if the data is valid and gathers context around the data. Our global honeypot network has over 200 nodes and is growing all the time collecting data on breaches, malware samples, malicious users, servers and payloads. Our in house tools mine this data for IoCs and patterns that can be used on the hunt within your networks.
All of this gives a powerful set of information that can be used in the context of your business, to give true intelligence to the actions and guidance being provided. We can provide information from commercial sources and operational threat intelligence, as well as from well-known in-house and open source feeds.
This gives you the confidence that any value being derived from this data warehouse will be incorporated into the service Nettitude provides for your business.
How does the service work?
- Our big data platforms gather intelligence relevant to your business
- Commercial OSINT and TECHINT intelligence feeds
- Open Source TECHINT intelligence feeds
- Proprietary honeypot collectors harvest real time TECHINT intelligence
- Intelligence is normalised, weighted and integrated into the Threat2Alert SIEM services
Threat2Alert Honey traps
Honey traps provide you with an early warning system that attackers are moving around in your network. They can be deployed in multiple locations and with multiple appearances.
Nettitude has built custom devices that are either virtual machines or deployed onto Raspberry Pis that can act as flypaper for malicious users should they get into your environment. These are built to mimic servers within your environment and present a vulnerability that a malicious user can find and be tempted to exploit. The system monitors all traffic to itself and will alert you on not only any actions to scan/find itself, but also indicate if any attempt to exploit the simulated vulnerability takes place.
How does the service work?
- Custom honeypots are deployed in your internal network
- They mimic normal servers in your environment
- Configured with a tempting vulnerability
- All actions are logged and monitored
- They give the ability to detect compromised systems as they happen
- Provide detailed analysis of the sophistication of any attacker
Host Based Agents
Detecting changes on local hosts is critical, as this is often where the first signs of a zero day or a high level phishing type attack will emerge.
Our agents provide FIM and can be used to detect changes on each of your end points to ensure that these can be captured. They can provide forensic level details in an investigation about what has happened and can be used to protect your sensitive sources. Your configuration files, registry and data can be actively monitored for rootkits, changes and unauthorised access.
- Our agents provide on-box File Integrity Monitoring (FIM)
- These detect changes to local system resources
- Provide compliance checks
- Give forensic level details about the actions taken
- Help protect your sensitive resources
Network Traffic Analysis
Network traffic provides the final piece of the jigsaw in the data collection toolset of Threat2Alert.
- Traffic that passes between the Internet and the corporate LAN is categorised
- Packet metadata around Source<>Destination<>Protocol packet pairs is captured
- Detection and alerting on beaconing, C2 traffic and data exfiltration is configured
- Malicious file types transported over HTTP and SMTP have triggers to detect them
- Full launch scheduled for early 2016
As well as ingesting netflow data and IPS/IDS alerts, we are working on a network appliance that will be able to provide us with deep dive analysis of your traffic within your environment. This will mean that sensitive data will not leave your environment but any malicious activity, malware beaconing, or weaponised files can be examined and actioned appropriately.
Deep packet inspection will be used with machine learning techniques to detect malicious activity at the network layer. Files and malware will be examined, and sandboxed if required for further analysis.
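One way to implement the beaconing detection listed among the network checks above, as an added example that is not the Threat2Alert appliance's own logic: flows are grouped by source, destination and port, and a pair whose connection intervals are both frequent and regular (low coefficient of variation) is flagged. The flow records are constructed; the thresholds `min_conns` and `max_cv` are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict

# Constructed flow records, not real data: (epoch seconds, src, dst, dst_port)
FLOWS = [
    # Host A reaches the same external address every ~60 s with small jitter.
    *[(1_700_000_000 + i * 60 + j, "10.0.0.5", "203.0.113.9", 443)
      for i, j in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 2])],
    # Host B shows ordinary, irregular browsing gaps to one site.
    *[(1_700_000_000 + t, "10.0.0.7", "198.51.100.4", 443)
      for t in (0, 5, 9, 140, 141, 600, 2400, 2410, 2600, 3100)],
]


def beacon_score(timestamps):
    """Return (mean gap, coefficient of variation) or None if too few samples.

    A scheduled beacon produces near-constant gaps, so its CV is close to 0;
    human-driven traffic produces bursty gaps with a CV well above 1.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(flows, min_conns=8, max_cv=0.2):
    """Group flows per (src, dst, dport) and flag regular, repeated contacts."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    alerts = []
    for (src, dst, dport), ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "interval": round(score[0], 1),
                           "cv": round(score[1], 3)})
    return alerts
```

Real C2 implants often add deliberate jitter or sleep for hours, so a production rule would also score by destination reputation and by the share of the day the pattern covers rather than by regularity alone.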