Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Transcription

1 Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments Overview In an era of increasingly sophisticated threats and huge alert volumes, enterprises need an intelligent monitoring and response solution that reveals rather than clutters. Niara s security analytics platform automates the detection of attacks through cutting-edge machine learning. Niara uses advanced analytics, including entity and user behavior analytics (UBA), which leverage machine learning to deliver comprehensive high-fidelity Entity360 risk profiles for users and hosts; network and security data for unmatched visibility; integrated forensics that provide the supporting evidence security analysts need to pinpoint real issues; and a big data-based architecture to scale easily. By combining machine learning with big data technologies, Niara ensures that attacks that have evaded real-time defense systems are surfaced and responded to before they inflict damage. Copyright 2015 Niara, Inc. All rights reserved. 1

2 The Approach Niara surfaces sophisticated attacks, discoverable only by detecting and stitching together weak signals in the context of an entity over a period of time. Reveal Intelligence via Data Fusion and Analytics Niara s innovative proprietary data fusion and machine learning-based analytics techniques, continually happening behind the scenes, are the underpinnings of the Niara solution and help in incident investigation and unearthing threats that bypass traditional detection and prevention systems. Data Fusion In Niara, data fusion is the process of converting raw data from both network and security data sources (i.e., packets, flows, logs, files, alerts, threat feeds) into meaningful information while simultaneously reducing it in size. During data fusion, raw data is correlated to make it more meaningful (e.g., associating IP addresses with users) and distilled into summaries that provide rich context (e.g., authentication and device usage histories, port-protocol relationships, etc.). The process of data fusion is further complicated because of varying velocities in the arrival of voluminous data from different sources. However, since Niara is built on a robust big data architecture, data fusion can occurs at scale. Copyright 2015 Niara, Inc. All rights reserved. 2

3 Advanced Analytics Niara s analytics use proprietary machine learning models both supervised and unsupervised to aid in in attack detection and incident response. These analytics separately contribute to an entity s (i.e., user or host) overall risk score, which is tracked over time, and identify the relationship between disparate events. Discrete Analytics Here analytics are applied on each datum (e.g., a domain name, a file, a HTTP header, an SSL certificate, etc.) in isolation. For example, Niara has created a supervised machine learning model to detect HTTP header anomalies that are often indicative of malware activity. Discrete analytics are stateless as each data element is examined in isolation. If a discrete analytics module triggers, the result can either be escalated directly as an alert if deemed to be severe (e.g., a malicious file) or used to annotate that datum (e.g., a suspicious file) to facilitate further processing at a later stage. Behavioral Analytics In this phase of Niara s analytics, unique unsupervised machine learning models operate on fused data to profile entity behavior on a variety of dimensions (e.g., time of day, duration of access, bytes transferred, etc.) and build up a baseline. Baselines are established in a number of ways including historical activity or membership in a group. New activity is then compared against that baseline to unearth anomalous behavior. Comprehensive Risk Profiling Entity360s are comprehensive risk profiles that are generated for entities, i.e., users and hosts. Entity360s provide a coherent, visual representation of all the enriched security information that is associated with an entity, along with the ability to conduct remedial actions (e.g., flag event for review by a higher-level analyst). Entity360s provide one-click access to information that security Copyright 2015 Niara, Inc. All rights reserved. 3

4 analysts would otherwise spend hours or days searching for across multiple data silos and assembling as part of any investigation and response effort. Entity360 profiles are very accurate. The machine learning models used in discrete and behavioral analytics enable weak signals to be threaded together and tracked across disparate data sources and multiple attack stages. Use of both supervised and unsupervised machine learning models enable Niara to provide immediate value, identifying attacks as they evolve, without the need for human help. Because Niara s analytics are also using network data (i.e., packets and flows), it surfaces attacks and risky behaviors that are unattainable with log data alone. For example, entropy mismatch and suspicious PDF analysis are only possible with deep packet analysis, not with log analysis alone. As Niara is not solely dependent on logs, what logging levels are turned on does not impact the insights provided by Niara. Forensics Niara integrates analytics with a complete forensic trail to support different stages of investigations. The depth of forensics from raw packet data to events contributing to an entity s risk score to a timeline view of an entity s profile, and more, and more is unavailable with other in-market solutions. Analysts get one-click access to forensics from within the Niara solution, giving them perspective on why something was flagged. No more having to find, search, and analyze across isolated data stores. The richness of and easy access to forensics is invaluable. It provides context that s often needed during investigations. It provides evidence needed for testing hypothesis when threat hunting. Niara, by converging analytics and forensics, enhances the capabilities of analysts at all levels, enabling them to efficiently separate the real from the innocuous and discover the sophisticated attacks happening within corporate networks. Copyright 2015 Niara, Inc. All rights reserved. 4

5 The Benefits of Converged Analytics and Forensics Machine learning-based analytics and forensics enable automatic detection of attacks on the inside and serve as a force multiplier for security analysts Niara is the only security analytics platform that natively collects, analyzes and incorporates network packet and flow data, in addition to logs, files, alerts, and threat feeds. Coupled with the fact that Entity360s are generated at the entity level, not just at the user level, Niara provides unparalleled attack detection capabilities (e.g., discovering a compromised headless server). Entity360 profiles help bring order to the alert chaos, fundamentally changing the way security teams interact with threat information generated by existing systems such as SIEMs, sandboxes, IDS systems, etc. Converged Security Intelligence Automatically Detect Attacks on the Inside Niara uses machine learning for automated detection of attacks that have bypassed perimeter defenses and are now on the inside. These attacks can only be discovered by intelligently correlating weak signals, often over an extended period of time. Niara does so by building up comprehensive Entity360 risk profiles for users and hosts, using machine learning models that do not require pre-configured rules. Copyright 2015 Niara, Inc. All rights reserved. 5

6 The output of this analysis is reflected continuously in an aggregated score that reflects the risk associated with tracked behaviors as well as other signals, including alerts generated by 3rd party systems. By examining changes and/or anomalies associated with each Entity360 profile, Niara flags security events that require attention. All data is also automatically correlated, making it easy to find all activities attributed to a user. Both are key to the rapid discovery of compromised users and malicious insiders. And because context is often needed, Niara also provides analysts with one-click access to rich forensic evidence, enabling in-depth investigations that can go back months or more. From a single place, analysts can answer questions such as: what rights did the employee have? Were any deviations noticed in the user s behavior? What did the employee download? What was the risk to the organization from these activities? Supercharge the Capabilities of Security Analysts Niara combines machine intelligence, visualization, and forensics into a single solution that acts as a force multiplier for security analysts, elevating the capabilities of the less experienced and amplifying the threat hunting skills of advanced security professionals. Niara simplifies incident investigation and response. Entity360 risk scores provide analysts with an easy way to prioritize and investigate alerts from other systems. All data is correlated to entities, providing attribution and tracking of event timelines (pre- and postalert). Analysts can easily search for Indicators of Compromise (IOC) on a single system or across the entire enterprise. Niara provides the capability to automatically analyze historical event data using recent threat intelligence to look for impacted systems, or manually initiate analysis with a particular thread of evidence. Analysts can perform efficient impact assessment by identifying all entities that may have been affected by an attack. Niara also enables security analysts to quickly test out hypotheses and hunt for threats within the organization, going back months. Analysts can tap into the rich and diverse data from the disparate Copyright 2015 Niara, Inc. All rights reserved. 6

7 sources that have already been distilled and correlated. Niara combines the results of its analytics modules with powerful search and visualization capabilities to empower hunting explorations intended to spot advanced threats. Conclusion The increasing sophistication of cyber threats has brought to light the all too real limitations of traditional security monitoring and response technologies. Organizations must be able to discover compromised users, gain insight into malicious insiders, support advanced threat hunting efforts, and efficiently investigate incidents. Failing to do so allows for a level of uncertainly and risk that most organizations find unacceptable. Niara s security analytics provides a single solution for complete visibility and context into all the entities in a network. By fusing network and security data sources, Niara provide a deep and contextually relevant foundation for analytics. Entity360 profiles deliver a comprehensive view across the organization over time. Machine learning supports automatic and rapid detection of attacks that have evaded real-time defense systems and reduce the time for investigation and response. Rich forensics support every level of an investigation. And included open APIs enable the Niara solution to easily plug into existing security workflows, extending the value and efficacy of security infrastructure investments. About Niara Niara s security analytics platform delivers contextually relevant security analytics by fusing network and security data to discover compromised users and malicious insiders, perform advanced threat hunting and conduct incident investigations. Headquartered in Sunnyvale, Calif., the company is backed by NEA, Index Ventures, and Venrock. For more information, visit Copyright 2015 Niara, Inc. All rights reserved. NIARA, NIARA INC., the NIARA logo and PETASECURE are trademarks of Niara Incorporated. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Niara s technology and products are protected by issued and pending U.S. and foreign patents