Taking a Crack at Locky

Since mid-February, security researchers have been encountering Locky, the latest ransomware tool in the adversary’s arsenal. The engineers at MetaFlows observe Locky primarily in email attachments that are processed using the MetaFlows sandbox. On networks being monitored by MetaFlows sensors, the engineers are able to take samples of inbound .zip email attachments and send them to a Cuckoo Sandbox to be processed. The sandbox runs the sample in a virtual machine and is able to detect malicious behavior. Often malware tries to evade detection, but since Locky is trying to get noticed by the user anyway, it is not subtle. Locky typically triggers over a dozen indicators of compromise and IDS signatures on the sandbox and therefore, is almost impossible to miss.

MetaFlows has seen consistent spam campaigns over the last month that deliver zipped JavaScript (.js) files. Windows associates .js with its native Windows Script Host (wscript.exe), so a double-click runs the script. When executed by the user, the files appear to do nothing at first. This is a bad sign: within moments a secondary payload is fetched, encryption has begun, and command and control beaconing has been performed in the background. Once it is done, the user is greeted with the typical ransomware demands as a web page, an image, and a new desktop wallpaper.
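As an added example (not MetaFlows code and not part of the original post), here is a small Python triage script that does the first thing a mail gateway or sandbox feeder should do with such an attachment: open the zip and check whether any member would be handed to Windows Script Host on double-click. The extension list, the sample lure message and the hypothetical filenames are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that Windows Script Host (wscript.exe) runs when double-clicked.
# Assumption: this list is ours, not a vendor rule set.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def risky_members(zip_bytes):
    """Return the names inside a zip archive that WSH would execute if the user opened them."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            # Windows acts on the last extension, so "invoice.pdf.js" is still a script.
            dot = basename.rfind(".")
            ext = basename[dot:].lower() if dot != -1 else ""
            if ext in WSH_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def triage_message(raw_eml):
    """For each zip attachment in an RFC 822 message, return (attachment name, risky member names)."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Decide by magic bytes, not by the declared filename or MIME type.
        if payload[:2] != b"PK":
            continue
        try:
            risky = risky_members(payload)
        except zipfile.BadZipFile:
            continue  # not a usable archive; the user could not open it either
        results.append((part.get_filename() or "<unnamed>", risky))
    return results


def make_zip(members):
    """Constructed helper: build an in-memory zip from a {name: text} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_sample_message():
    """Constructed lure in the style described above; the script body is an inert stand-in."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: invoice"
    msg.set_content("Please review the attached invoice and respond.")
    msg.add_attachment(
        make_zip({"invoice_0012.pdf.js": "WScript.Echo('placeholder');\n"}),
        maintype="application", subtype="zip", filename="invoice.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for name, risky in triage_message(build_sample_message()):
        print(f"{name}: {'BLOCK' if risky else 'ok'} {risky}")
```

The check deliberately keys on the last extension and on the zip magic bytes rather than on the MIME type, because both the outer filename and the Content-Type header are under the sender's control.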


The spam campaigns use short, simple subject lines, or they include only “Re:” or “Fw:”. They are often appeals to business or tax related concerns, and the body is usually curt with a reasonable request to review the attachment and respond. These emails frequently include a legitimate appearing signature and use appropriate spelling and grammar. It is easy to see that people who are not constantly on guard about these issues could easily be tricked into opening the file. In the example below, the target could be concerned that they or their business missed a legitimate payment, or knowing that they have no business with “China Information Technology, Inc.,” they may open it to investigate why they have been billed.


The engineers at MetaFlows also collect statistics on the email subjects used to lure victims into opening the attachments; these are published on the Weekly Statistics page. The subjects range from scare tactics to simple curiosity hooks to near gibberish, but they are rarely as outlandish or over-the-top as spam often is. Not all of these are Locky, but the vast majority of those that appeared this week are.

Enterprises can make themselves less of a target by employing a two-layer approach. The first layer is an IDS such as MetaFlows that detects the inbound file and recognizes the infection behavior of a compromised system. Given the way these spam campaigns distribute ransomware, the most effective complement is user education. Staff should be reminded of this problem regularly and ideally possess some healthy paranoia about opening email attachments unless they are certain of the sender. Although .doc and other common file types can be infection vectors as well, most users have no reason ever to open a .js file with an unfamiliar icon.

The next layer consists of getting user files out of the path of Locky and other ransomware. While the campaigns we are seeing are spam based, ransomware has been previously documented coming from drive-by sites and browser exploits, so even a user savvy to email attachments could still get hit. Users should make secondary backups of important files part of the daily work-flow. Options for this can be summed up with three “C”s.

  • Copy files to a remote device. This is probably the best option, as long as that remote device is not permanently connected to the user's machine. Network shares that are mounted when Locky executes will also be encrypted. Copying files to an ftp server manually (or as a scripted job for the advanced users out there) is probably the best bet; an authenticated, encrypted transfer such as SFTP is preferable to plain FTP, which sends credentials in the clear.
  • Create a local backup directory. During experiments in which our engineers repeatedly re-infected virtual machines (for science), they found that Locky ignores the C:\Windows directory. Do not bank on this working forever, but for now users can create a local backup directory such as C:\Windows\JustInCase, and if Locky strikes it will skip the files stored there. This is the riskiest option, since the malware may change its behavior at any time, but it is a clever one for the short term. It also requires administrator privileges to create the directory.
  • Consider using USB storage. This is a fantastic solution, except that people forget to unplug the device once they are done backing up files. Users can plug in an external drive or USB stick, back up all necessary files, then unplug it again, and Locky cannot touch it. If it is left plugged in, however, these backups will be encrypted just like a mounted network share.

In conclusion, Locky, like all ransomware, is a peril for all users.  However, like all problems, there are solutions.  Employing the MetaFlows IDS, maintaining backups, and investing in education are three of the most important tools one can use to prevent adversaries from succeeding.

The Skinny on CVE-2015-7547

Although CVE-2015-7547 was disclosed only a week ago, the code containing the flaw has been shipping since May 2008. The bug, found independently by Red Hat and Google, is a stack-based buffer overflow in the DNS resolver of the GNU C Library (glibc): getaddrinfo() can be made to overrun a fixed-size stack buffer by a crafted response to an A/AAAA lookup, and a malicious or man-in-the-middle DNS server can use this to execute arbitrary code on any system that resolves names through glibc. All glibc versions from 2.9 onward are affected.

We have seven signatures for it; the first was released the day after the vulnerability was disclosed. We pushed the beta version of the rule to our research partners immediately, and to all sensors in the normal daily signature update.

2022531 || ET EXPLOIT Possible 2015-7547 Malformed Server response || cve,2015-7547

2022542 || ET EXPLOIT Possible 2015-7547 PoC Server Response || cve,2015-7547

2022543 || ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup || cve,2015-7547

2022544 || ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup || cve,2015-7547

2022545 || ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA || cve,2015-7547

2022546 || ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set) || cve,2015-7547

2022547 || ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query || cve,2015-7547

Signature 2022547 is currently triggering on multiple customer sites, though for now in low volume. According to Dan Kaminsky, however, this is a threat that could escalate swiftly as adversaries refine their techniques for turning CVE-2015-7547 into reliable exploitation. Patching this bug is paramount, as is continued monitoring of your network for exploitation attempts.
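The condition the signatures above look for can be expressed directly. Public descriptions of CVE-2015-7547 put the trigger in getaddrinfo()'s handling of A/AAAA answers that exceed its 2048-byte stack buffer, so a response to an A or AAAA query larger than 2048 bytes is the shape to flag. The following Python detector is an added example, not an Emerging Threats rule or MetaFlows code; the constructed response packets, the transaction ID and the hostname are assumptions for the demonstration.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
GLIBC_STACK_BUFFER = 2048   # size of the stack buffer getaddrinfo() uses for A/AAAA answers


def encode_name(name):
    """Encode a dotted hostname in DNS label form."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(data, offset):
    """Return the offset just past a DNS name starting at `offset` (labels or a compression pointer)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def inspect_response(payload, tcp=False):
    """Describe a DNS response and say whether it has the shape that triggers CVE-2015-7547.

    Returns None if the payload is not a parseable response. With tcp=True the
    2-byte length prefix used by DNS-over-TCP is stripped first.
    """
    if tcp:
        payload = payload[2:]
    if len(payload) < 12:
        return None
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000 or qdcount < 1:   # QR bit clear means a query, not a response
        return None
    try:
        offset = skip_name(payload, 12)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    except (IndexError, struct.error):
        return None
    return {
        "txid": txid,
        "qtype": qtype,
        "answers": ancount,
        "length": len(payload),
        # The bug needs an A/AAAA answer larger than the fixed stack buffer.
        "suspicious": qtype in (QTYPE_A, QTYPE_AAAA) and len(payload) > GLIBC_STACK_BUFFER,
    }


def build_response(qname, qtype, answer_count, txid=0xBEEF):
    """Constructed sample: a syntactically valid response carrying `answer_count` records."""
    header = struct.pack("!6H", txid, 0x8180, 1, answer_count, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if qtype == QTYPE_AAAA:
        rdata = bytes.fromhex("20010db8") + b"\x00" * 12
    elif qtype == QTYPE_A:
        rdata = bytes([198, 51, 100, 7])
    else:
        rdata = b"\x05hello"   # opaque filler for other record types
    # Each answer points back at the question name with a compression pointer (0xC00C).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + rr * answer_count


if __name__ == "__main__":
    for label, pkt in [
        ("normal A answer", build_response("www.example.com", QTYPE_A, 2)),
        ("oversized A answer", build_response("www.example.com", QTYPE_A, 126)),
        ("oversized TXT answer", build_response("www.example.com", 16, 200)),
    ]:
        info = inspect_response(pkt)
        print(f"{label:22s} len={info['length']:5d} qtype={info['qtype']:3d} suspicious={info['suspicious']}")
```

Over UDP a response this large normally needs EDNS0; over TCP it is routine, so a sensor has to reassemble the stream and strip the length prefix before applying the check, which is what the tcp flag stands in for here.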


Taking Care of Business: Information Retention & Responsibility


Every business accrues data about its current patrons and prospective clients. What information do you collect about your customers? Do you collect only what is relevant, or do you pursue all of the data you can possibly accumulate? Whatever your approach to data collection, and the reasons behind it, the FTC thinks it is time you reviewed those policies. The Federal Trade Commission (FTC) recently released a document entitled “Start with Security: A Guide for Business.” This may initially seem both dry and somewhat irrelevant. However, choosing to ignore or dismiss these guidelines out of hand will ultimately prove expensive. On Monday the United States Court of Appeals for the Third Circuit ruled that the FTC has the authority to take action on behalf of consumers against companies that fail to follow reasonable data security practices. The document lays out “10 practical lessons businesses can learn from the FTC’s 50+ data security settlements,” and in this post we look at the first five.

The first lesson asks that you start with security in mind. Until security is breached, companies are often quite confident in their in-house or SaaS security solutions. The problem, of course, is that this is a reactive approach to security, not a proactive one. If an in-house security team is not given the tools it needs to do the job properly, expecting it to stay ahead of cyber threats is more than a bit unrealistic; it is irresponsible.

The FTC also advocates that companies not collect personal data they do not need or retain data longer than necessary. In other words, you decide exactly what and how much data you acquire from your customer base and how long you hang on to it. Keep in mind that whatever you choose to collect and store, you are responsible for. The more data you have, the stronger the security you will need, so as not to be found liable should that data be compromised.

When considering stored data, one must also consider who within the company has access to what, and how much. The FTC recommends provisioning employee accounts on a need-to-know basis. (This covers paper records and copies stored on removable media such as external drives and disks, not just databases.) Companies should not only restrict access to sensitive data but also limit the administrative rights of each user. Most intrusions combine technical exploitation with social engineering: if an employee is tricked into opening a compromised document or visiting a hijacked web page, they may unleash any number of terrors upon your network. Every business should invest in backups, but beyond that, controlling employee access also limits the damage any one employee’s account can do.

The third point the FTC makes concerns passwords. It is the responsibility of every business to safeguard its data so that only the right people can access only the information they need. The FTC recommends that businesses “insist on complex and unique passwords,” “store passwords securely,” “guard against brute force attacks,” and “protect against authentication bypass.” Creating and enforcing password policies is an absolute necessity. Criminals should not be able to guess their way into your systems through weak passwords, read sensitive information out of password stores kept in plaintext, lock out or overwhelm your services with automated password-guessing tools, or find back doors that skip authentication altogether.

Information travels, and transferring sensitive data is an unavoidable requirement. It can be done safely with cryptography, through Transport Layer Security/Secure Sockets Layer (TLS/SSL) and similar methods. If data is not stored securely, or is not transferred securely, at any point in its life within a business, that business can be held liable should predators acquire it. By using “industry-tested and accepted methods,” business owners take advantage of all the security research that has come before and has been confirmed as sound. Of course, without proper configuration of these elements, businesses become vulnerable to the man-in-the-middle attacks that are infamous in the world of information security, and priceless data slips out through the business’s poor execution of the standards it put in place.

The fifth and final point we will cover is the requirement to “segment your network and monitor who’s trying to get in and out.” This is by far one of the most vital items on the list. Firewalls are a very effective tool for regulating access to information by segmenting your network. While it is tempting to connect everything, doing so puts your data and your reputation at risk. You are also expected to monitor the activity on your network. This may seem a daunting task, with all of those attackers trying to get into your systems so they can get out with sensitive material. However, there are products available to help you perform this necessary task.

The best way to address the first five points is to use a multi-part IDS such as MetaFlows MSS. Providing your security team with the best software on the market is the surest way to stay in compliance with the most vital of the FTC’s requirements. If a business’s network is compromised because it did not follow these guidelines to the best of its ability, the FTC can and will take action. In just the first five lessons of the guide, businesses such as Twitter, DSW, Fandango, and Credit Karma are cited as companies that settled with the FTC over insecure systems and networks. It should never be anyone’s goal to join them.

Common Threads in Black Hat 2015

When discussing the need for tighter and better cyber-security, one of the common themes at Black Hat centered on the lack of research and preparation on the part of software developers. Katie Moussouris, speaking at the special event “Beyond the Gender Gap: Empowering Women in Security,” mentioned that her career has revolved around encouraging software developers in major corporations to address security at the design stage, or as early as possible in development. The difficulty, of course, is that when a potential exploit is discovered, the individual who found it receives no credit, and the fix exists only as an afterthought, which encourages the habit of sitting still, waiting for the problem to become evident, and then shipping a patch. When internal efforts fail, it would behoove developers to seek outside assistance. However, this solution is not readily accepted. In the panel, Moussouris cited Microsoft’s initial refusal to pay individuals to hack its products, and the challenges she faces in encouraging software developers to create bug bounty programs on platforms such as HackerOne, where she works.

Where companies like Adobe do institute bug bounty programs, the programs vary in effectiveness, since participants may be rewarded with anything from cash to a high-five for their efforts. When one considers how many vulnerabilities continue to crop up in Adobe’s software, a high-five may not be enough. Given the compromises that flaws in Flash have enabled, it is clear that Adobe’s approach is failing. The gravity of this issue is especially evident in Cisco’s most recent Midyear Security Report and the accompanying blog entry, which call upon companies: “To reduce the occurrence of these common code errors, software developers should participate in regular security training to build awareness of current vulnerabilities, trends, and threats.” Although the responsibility for creating, publishing, and updating secure software lies with software developers, only a naïve or irresponsible user would sit back and wait for the developers to handle it.

The proactive approach, on the user’s end, is to assume that every software system is inherently flawed and to have a security solution already in place that can detect when deploying a new system has unintended and quite possibly disastrous consequences. Defensive security systems must be flexible and powerful enough to meet evolving threats coming from an onslaught of flawed software and bug-ridden web interfaces, threats that can catch users unaware but, ideally, not unprepared.

As the Internet of Everything becomes more of a reality, the onus is on users to make sure they are meeting the challenges that come with it. Conferences like Black Hat open up the dialogue by asking important questions, the most resounding being, “What do you plan to do to keep your information secure?” In a room full of options, this question may seem both overwhelming and considerably difficult. No one can afford to spend money on services that are not comprehensive, that will not work with others, that accidentally duplicate coverage, or that simply do not meet the demands of a connected world.

Finding solutions and making connections are why security professionals attend Black Hat. At the MetaFlows kiosk, our engineers were able to explain to professional after professional why the SaaS model works and how the MetaFlows MSS is a cooperative solution that pulls from a variety of sources, partnering with Emerging Threats, Cyber-TA, and VirusTotal, to name a few. As Microsoft prepares to release Windows 10 and Adobe continues to update its products, it is imperative that every user have a security plan in place to protect the integrity of their data.

Adobe, Angler, and CryptoWall

Adobe Flash is a severe exposure when it comes to CryptoLocker/CryptoWall: it seems that every time Adobe ships a new patch, the ransomware crews quickly find a way around it. The latest CryptoWall bonanza was a security vulnerability in Flash Player connected with the Adobe update released on May 18th. This is not a one-off, but part of a larger trend of exploiting security holes in Adobe software.

Just this week, Adobe’s latest round of Flash Player updates has again proven problematic. These new vulnerabilities are being used by the Angler exploit kit, a kit that has been around for some time and has now found fresh ground. The exploits are used to distribute CryptoWall as well as other forms of malware. The intent is to encrypt (hold data hostage), take over (rootkits or remote access tools), or recruit (make the machine part of a botnet).

MetaFlows catches fresh exploits of this kind better than any other security tool, according to many of our customers. Several analysts using our system have told us that while they run several other security products, MetaFlows was the only one to identify these threats. We were able to identify the behavior patterns that were triggered when this exploit was seen on a live network.

The IDS events identify the individual behaviors, and our correlation engine recognizes the use of the Angler kit to infect the target with the intended payload. In this case it is CryptoWall, ransomware estimated to have cost U.S. victims alone more than $18 million. In other cases, odd behavior left undetected can cost a brand its reputation and cause irreparable loss of intellectual property.

Criminals are swift to take advantage of any emerging opportunity to penetrate the perimeter (it has become BIG money). You need to start monitoring the behavior of your internal hosts, not only the perimeter. Our behavioral analysis and correlation engine can identify these threats even when they unfold across multiple sessions and employ zero-day techniques that make it through your perimeter defenses.

Our security professionals have identified the issue and are working to keep our subscriber’s networks and systems safe while Adobe has updated their Security Bulletin site with the appropriate information.  Users are advised to download the newest Adobe Flash update immediately.  As evidenced by our findings, criminals are swift to take advantage of any opportunity and so employing new advanced detection technologies like the one offered by MetaFlows is key to preventing expensive and sometimes irreparable IT disasters.

MetaFlows: SC Magazine Innovators Hall of Fame

Our friends at SC Magazine have inducted us into the SC Magazine Innovators Hall of Fame. It is nice to be recognized for our innovations. Importantly, this is purely based on their journalistic curiosity; we give them props for performing their reviews based on sound technical knowledge. We refuse to pay money for recognition. You might think we are old-fashioned but this is how we roll at MetaFlows.

Their article also points out the importance of monitoring beyond the network perimeter using multi-session correlation. If you are not sure what multi-session correlation can do for you, the best thing is to put it to the test. You will be amazed at what you can find out about your network.

Read the article at SC Magazine’s Website

What’s Wrong with NG Firewalls?

Next generation (NG) firewalls allow administrators to enforce network use policies efficiently in order to prevent infections. These firewalls (Palo Alto Networks is the most notable example) secure your enterprise by blocking everything that is not explicitly allowed by your network administrator. They clamp down on anything unknown: unknown users, unknown applications, unknown ports, and so on. NG firewalls also provide some traditional IPS features that can be used to filter traffic coming into the network.


So what is wrong with locking everything down as a primary defense mechanism? This approach has 2 major drawbacks.

Problem 1: It’s Not Scalable

NG firewalls are essentially an allow-list approach to security: someone has to anticipate every legitimate use of the network and encode it as policy. Some networks and some operators might be a good fit for this, but many are not. The approach works in small, simple networks where the operator has complete control over, and visibility into, how the network is used. Unfortunately, most networks are not simple and most operators do not have that visibility.

As new uses for the network evolve and new applications appear, these policies need to be constantly updated as well. After a few months of complaints from their users, operators start relaxing the policies and leave the network as exposed as it once was behind a traditional firewall.


Problem 2: It Can’t Actually Stop Active Intrusions

Once something bad makes it inside the network, NG firewalls are no better than a traditional IDS. They flood network operators with thousands of alerts, which are useful as audit trails but otherwise useless for detecting active intrusions. This poses a significant risk: most data breaches today happen through legitimate network channels (browser drive-bys, spear-phishing, social engineering, and so on). Think about your house: you can put bars on the windows, but if your teenager invites a thief inside, the bars and the locks are useless.


Don’t Put All Your Eggs In One Basket

There is a saying in security: “Hard on the outside and soft and chewy on the inside.” If you are serious about security, you need to lock the gate. But you also need a way to look for anomalies on the inside. That is what MetaFlows does well: we complement your firewall, traditional or next generation. We don’t claim to replace everything with one magical box like most of our competitors, and you shouldn’t put all of your eggs in one basket. Your firewall should do what it does best: lock your door. But firewalls must be complemented by a security solution that can actively detect and respond to network intrusions. Twenty years of cyber-security research helped us create a product that detects threats no matter how they got in. Try MetaFlows today to see what your firewall is missing!

What’s Wrong with Sandboxing?

How Sand-Boxing Works

The latest and hottest trend in cyber-security is sand-boxing. Sand-boxing is virus detection on steroids. Instead of relying on prior knowledge about particular viruses, this technique emulates a user’s workstation with a sandbox and tracks anything that attempts to go out of the box or attempts to infect other machines. The process is straightforward:

  1. Get all potentially infectious content coming into your organization, and
  2. Emulate each piece of content as if it was executing on your hosts.

Limitations of Sand-Boxing

Sand-boxing has low false positive rates, but causes a lot of false negatives. In other words, when it tells you that something is bad, it is almost certainly bad. But it has the potential to miss a lot of bad things.

Architectural Limitations

This limitation has to do with step 1 above (get all dangerous content coming into your organization). Your defense perimeter is dissolving because of new network trends and applications:

  1. Mobile devices continuously come into and go out from your network.
  2. Peer-to-peer protocols (which go right through sand-boxing and firewall appliances) are becoming mainstream (Skype, BitTorrent, B2B applications).
  3. Services are being pushed to the cloud, out of the grasp of your sandbox.
  4. Virtual machines move around at the speed of light from one host to another.
  5. IPv6 and other emerging trends are facilitating end-to-end encrypted tunneling right through your perimeter.

So, if you do not have a perimeter, how do you know what is coming in? Well, you don’t! That is why sand-boxing (or pure virus detection) is limited in scope and cannot survive the evolution of malware.

Another architectural limitation has to do with cost. If you run a large network, executing and/or opening every piece of content before it is delivered requires a lot of CPU and will slow down your network. Sand-boxing can only scale to a certain size; beyond that it becomes unrealistic and expensive.

Algorithmic Limitations

This limitation has to do with step 2 above (emulate each piece of content as if it were executing on your hosts). Evasion is an information security term that refers to the ability of the bad guys to:

  1. Know how you are detecting them and
  2. Add subterfuges to defeat your specific security measures.

A sandbox can be detected. Once malware realizes that it is in a sandbox, it switches to its best behavior so that the sandbox is satisfied. Only when the malware gets out of the sandbox and onto the actual target device does it do its damage.

A second algorithmic limitation is that not every system is the same. Sandboxing a particular version of Microsoft Windows (which is what commercial sandbox solutions do) leaves all your other devices (Linux, Apple, Android, etc.) completely open to attack.

How is MetaFlows Better?

MetaFlows is not an antivirus. We detect the attempts to introduce a virus in your network AND/OR detect the presence of a virus. Think of it as a network-level sandbox that not only inspects individual pieces of content, but also keeps track of the behavior of all your devices over time. There is one thing a malicious host cannot evade: being malicious!

If it looks like a duck, swims like a duck, and quacks like a duck… it is a duck.

How does it work?

MetaFlows looks for classes of odd behavior from hosts on your network:

  1. Scanning behavior
  2. Being attacked on vulnerable ports
  3. Downloading dangerous content
  4. Communication with questionable sites or sites that are already known to be bad
  5. Scanning outward or doing a lot of DNS lookups

If we detect behavior from multiple event classes over a time period (ranging from minutes to hours), MetaFlows triggers an alert.

Here is a simple example:

  1. External host B performs a brute force attack to guess a password on port 22 of your server A.
  2. One hour later there is a large transfer of data from server A to another server C (on your network).

Bang! That’s a hit for us. But a sandbox has no clue! By itself, a sandbox would not detect this behavior. The malware could “play nice” once it realizes that it is in a sandbox. The sandbox would then allow the malware to leave and get inside your network, where it could do substantial damage. But MetaFlows can keep an eye on software even after it leaves the sandbox.
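As an added example, not MetaFlows’ correlation engine, the following Python sketch shows the multi-session logic described above run over a constructed sensor log: each event is attributed to the internal host it implicates, and an alert fires when two or more distinct event classes hit the same host inside a time window. The class names, the two-hour window, the address ranges and the log lines are assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: our monitored address space
WINDOW_MINUTES = 120                             # assumption: correlation window
MIN_CLASSES = 2                                  # distinct event classes needed for an alert

# Event classes loosely following the post's list; the names are ours.
# For "attacked" events the internal host is the destination; for the rest it is the source.
VICTIM_IS_DST = {"attacked_vulnerable_port"}

# Constructed sample sensor log: (timestamp, src, dst, dport, event_class, detail)
EVENTS = [
    ("2016-05-19 09:00:10", "203.0.113.7", "10.0.0.5", 22, "attacked_vulnerable_port", "300 failed SSH logins"),
    ("2016-05-19 09:05:00", "10.0.0.9", "10.0.0.5", 445, "internal_scan", "SMB sweep from another host"),
    ("2016-05-19 10:02:30", "10.0.0.5", "10.0.0.42", 445, "large_transfer", "1.8 GB pushed to internal host"),
    ("2016-05-19 13:00:00", "10.0.0.5", "198.51.100.3", 53, "dns_burst", "4000 lookups/min"),
]


def subject_host(src, dst, event_class):
    """Pick the internal host an event says something about, or None if neither end is internal."""
    candidate = dst if event_class in VICTIM_IS_DST else src
    if ipaddress.ip_address(candidate) in INTERNAL:
        return candidate
    return None


def correlate(events, window_minutes=WINDOW_MINUTES, min_classes=MIN_CLASSES):
    """Return one alert per (host, set of classes) whose events fall within the window of each other."""
    window = timedelta(minutes=window_minutes)
    per_host = {}
    for ts, src, dst, _dport, cls, detail in events:
        host = subject_host(src, dst, cls)
        if host is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_host.setdefault(host, []).append((when, cls, detail))

    alerts, reported = [], set()
    for host, items in per_host.items():
        items.sort()
        for i, (when, _cls, _detail) in enumerate(items):
            # Look back over this host's events that fall inside the window ending at `when`.
            in_window = [(t, c, d) for (t, c, d) in items[:i + 1] if when - t <= window]
            classes = frozenset(c for _, c, _ in in_window)
            if len(classes) >= min_classes and (host, classes) not in reported:
                reported.add((host, classes))
                alerts.append({
                    "host": host,
                    "classes": sorted(classes),
                    "first": in_window[0][0],
                    "last": when,
                    "evidence": [d for _, _, d in in_window],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"ALERT {alert['host']}: {alert['classes']} between {alert['first']} and {alert['last']}")
        for line in alert["evidence"]:
            print("   -", line)
```

On the constructed log only server 10.0.0.5 trips the rule: the SSH brute force at 09:00 and the large outbound transfer at 10:02 are two classes inside the window, while the DNS burst at 13:00 falls outside it and the unrelated scan from 10.0.0.9 is a single class on a different host. Shrinking the window to 30 minutes makes the alert disappear, which is the knob a real engine tunes against its false-positive budget.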

The main advantage of a network-level sandbox is that it does NOT rely solely on inspecting content (like an antivirus) but instead detects malware in the act of being bad. So, if someone walks in through your front gate with an infected laptop, as soon as that laptop misbehaves, it will be flagged.


The best part is that MetaFlows works regardless of what devices are on your network – it solves the algorithmic limitations of sandboxes. Our behavioral event classes do not depend on the type of system: if an internal host is performing outbound scanning, we do not care if it is a Microsoft device or an Apple device. All we need to know is that it has engaged in malicious behavior.


Finally, our approach is much more scalable than a content sandbox. MetaFlows mitigates the architectural limitations of sandboxes by scaling to 10 Gbps links with standard off-the-shelf quad-CPU systems. The cost and power consumption are orders of magnitude lower.

Predictive Correlation — The Future of Cyber Security?

What is Predictive Correlation?

Research funded by the National Science Foundation has led to the development of a proprietary inter-domain correlation algorithm that is mathematically similar to Google’s PageRank algorithm. Event scores are obtained autonomously from a global network of honeypot sensors monitored by the MetaFlows Security System (MSS). The honeypots are virtual machines that masquerade as victims: they open up dangerous ports and applications and/or browse dangerous websites. As the honeypots are repeatedly infected, the MSS records both successful and unsuccessful attacker URLs, files, bad ports, and bad services. When a honeypot has a security event that turns out to be a false positive, the alerts for that event are ranked negatively, providing insight into events that should be routinely ignored or turned off. Security events that are true positives are ranked positively, improving their visibility. This information is then propagated in real time to each subscriber’s sensors to augment traditional correlation techniques. This additional inter-domain correlation is important because it adds operational awareness based on real-time intelligence.

How does it work?

As shown in the figure below, honeypots work behind the scenes, continuously mining global relevance data and flow intelligence (IP reputation) for threats that penetrate differing degrees of cyber-defenses on different types of systems. After this step, annotated data from all network sensors (whether the sensors are honeypots or not) are compared and events are correlated with an algorithm similar to Google’s PageRank algorithm: (X = bs + aW*X).

Diagram of MetaFlows event correlation system
Figure 1: Predictive Global Correlation

This process is designed to provide subscribers with intelligence data that takes into account the similarities and differences between the sources of the data. For reasons of space we cannot explain the math and why it makes sense; however, our system builds on the work described in “Highly Predictive Blacklisting” by Jian Zhang, Phillip Porras, and Johannes Ullrich (SRI International and the SANS Institute), USENIX Security, August 2008 (we highly recommend that you read this paper).

So What?

As a result of the algorithm, once a piece of intelligence reaches our system it is not equally distributed to all customers. Instead, it is mathematically weighted and routed to where it is most relevant, just as the first few web pages of a Google search yield the most relevant information for a particular search.

In addition to real-time intelligence on true positive security events (positive ranking), our system also provides information on security alerts that are irrelevant by demoting them and reducing false positive clutter. In other words, this system can propagate known false positives and known true positives among sensors using a mathematical model that maximizes prediction.

Graph of prediction power for MetaFlows ranking algorithm

The graph above quantifies the prediction power of the ranking algorithm. The experiment was carried out on the Snort event relevance data gathered between February 7th, 2010 and February 22nd, 2010. At the start of each day we performed the ranking operation over the previous day’s Snort event data and compared the predicted ranking values with the actual events gathered during that day from the sensors and honeypots. The simple prediction (blue line) is based on predicting that, for each sensor, the same event ranking is carried over from the previous day without running the algorithm (this is what people normally do today).

The Y axis is the hit ratio. The “hit ratio” is defined as the number of times the prediction matches the outcome in terms of the sign (positive or negative), divided by the number of non-zero rankings predicted.

  • We increment the hit counter if the prediction and the outcome have both positive rankings.
  • We increment the hit counter if the prediction and the outcome have both negative rankings.
  • We decrement the hit counter if the prediction and the outcome have opposite signs.

The figure shows that the ranking prediction (orange line) is strictly superior to simple prediction by 141% to 350% (depending on the day). This might not seem too impressive on the surface but if you dig a little deeper this is what it means:

  • Assuming 5 minutes of human analysis time per incident, a system with no ranking gives a hit rate that finds 1 actionable item for every 20-30 incident investigations (roughly 0.4 per analyst hour).
  • A system with predictive ranking lets you find 1 actionable item every 6-7 incident investigations (roughly 2 per analyst hour).

You can do the math in terms of cost savings: it’s huge! Most of the cost of network security systems is not the appliance or the software, but rather wasted analyst time!
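To make the ranking step (X = bs + aW*X, from the “How does it work?” section) and the hit ratio (as defined under the graph above) concrete, here is an added Python illustration. It is not the proprietary MetaFlows algorithm: it solves the fixed-point equation by iteration for one event across four sensors and then scores the resulting sign predictions with the hit-ratio rule. The similarity matrix W, the raw scores s, the weighting constants a and b, and the “next day” outcomes are all constructed for the example.

```python
def sign(x):
    """Sign of a score: +1, -1 or 0."""
    return (x > 0) - (x < 0)


# Constructed sensor similarity matrix W (rows sum to 1): sensor 3 mostly resembles sensor 0,
# sensor 2 mostly resembles sensor 1. In practice W would be derived from shared attack
# sources and other overlap between sensors.
W = [
    [0.0, 0.1, 0.1, 0.8],
    [0.1, 0.0, 0.8, 0.1],
    [0.1, 0.8, 0.0, 0.1],
    [0.8, 0.1, 0.1, 0.0],
]
# Raw scores s for one signature: sensor 0 (a honeypot) confirmed it as a true positive (+1),
# sensor 1 marked it a false positive (-1), sensors 2 and 3 have not seen it yet (0).
S = [1.0, -1.0, 0.0, 0.0]
# Constructed outcome on the following day, used to score the predictions.
ACTUAL_NEXT_DAY = [1.0, -1.0, -1.0, 1.0]


def rank(W, s, a=0.85, b=0.15, max_iter=1000, tol=1e-10):
    """Solve X = b*s + a*W*X by fixed-point iteration (the PageRank-style update).

    With rows of W summing to 1 and a < 1 the update is a contraction, so it converges.
    """
    n = len(s)
    X = list(s)
    for _ in range(max_iter):
        X_next = [b * s[i] + a * sum(W[i][j] * X[j] for j in range(n)) for i in range(n)]
        if max(abs(p - q) for p, q in zip(X_next, X)) < tol:
            return X_next
        X = X_next
    return X


def hit_ratio(predicted, actual):
    """Hit ratio as defined above: (matching signs - opposite signs) / non-zero predictions.

    Returns (ratio, number of non-zero predictions) so coverage is visible as well.
    """
    hits, predicted_count = 0, 0
    for p, o in zip(predicted, actual):
        sp, so = sign(p), sign(o)
        if sp == 0:
            continue                 # only non-zero predictions are counted
        predicted_count += 1
        if so == 0:
            continue                 # no outcome to compare against
        hits += 1 if sp == so else -1
    return (hits / predicted_count if predicted_count else 0.0, predicted_count)


if __name__ == "__main__":
    X = rank(W, S)
    print("ranked scores :", [round(x, 3) for x in X])
    print("ranked hit    :", hit_ratio(X, ACTUAL_NEXT_DAY))
    print("carry-over hit:", hit_ratio(S, ACTUAL_NEXT_DAY))
```

The point the iteration makes is in sensors 2 and 3: neither has observed the event, so the carry-over prediction (yesterday’s scores unchanged) says nothing about them, while the ranked scores inherit a negative value for sensor 2 from the sensor it resembles and a positive one for sensor 3. On the constructed outcomes both methods score a hit ratio of 1.0, but the ranked version makes four non-zero predictions to the carry-over’s two.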

You Should Not Just Take our Word for it!

The cyber-security arena is packed with technologies that claim they have the best solutions. That is why we encourage users to take the time to evaluate our predictive correlation and run it side-by-side with existing solutions. The outcome is always surprisingly good.

Collaborate with An Audit Log

Audit Log

The MetaFlows Security System allows organizations to grant access to multiple users for online collaboration in sharing sensor data and intelligence. This is a big advantage because it helps distribute workloads across departments and at different levels of the incident response process. One issue customers brought up was the lack of ability to know who took what action, and at what time they did the action. This is why we added the Account Audit Log feature. You can find this feature under Account -> Account Audit Log. With this new Audit Log, you can track most account actions, including:

  • Changes to contact information and subscription
  • All account access
  • Sensor restarts
  • Creating, changing, or deleting:
    • Sensors
    • Classifications
    • Snort Rules
    • Report Specifications

For every logged action, we track the user, time, and IP address from which these actions originated. We also provide extra details if available.