When it comes to detecting potential breaches, visibility into the network and everything that runs on it is critically important. Simply having visibility into what is happening in real time, though, isn't always enough, since many advanced attacks can take weeks or months to get into a system. Security vendor SS8 is now advancing its BreachDetect platform with a new timeline view to make it easier for organizations to discover threats. SS8's core technology is something the company refers to as a Protocol Extraction Engine (PXE), which is a deep packet inspection engine that can understand everything that is crossing a network. The PXE technology helps to enable SS8's cloud delivered Software-as-a-Service (SaaS) BreachDetect Platform.
"BreachDetect has a sensor that sits at a customer site, that sees traffic and extracts intelligence from the data traffic it sees," Faizel Lakhani, president and COO of SS8, told eWEEK.
The data from the BreachDetect sensor is sent to the SS8 cloud service, where it is correlated and analyzed in an effort to discover communications that might be suspicious.
With the new release of BreachDetect, Lakhani said the goal is to make it easier to find issues by providing an improved interface and tools to help organizations without the need to have forensic specialists on staff. Among the enhanced capabilities in the BreachDetect update is a timeline view of all the correlated network events that are likely part of a single security incident.
Lakhani explained that the BreachDetect platform watches all the network communications over time so an organization can look back months in time at everything potentially suspicious that was coming from a specific endpoint. Any one individual item on any one given day might not be enough to definitely identify a real security problem, but looking at timeline view has the potential to expose a breach that otherwise might have stayed hidden.
"The timeline view provides a very quick graphical interface to expose event history in a way that easily understood," Lakhani said.
Simply identifying a potential security alert or risk isn't enough to expose a breach in the modern security climate where organizations often receive more security alerts than they can remediate. Cisco's 2017 Annual Security Report, for example, found that 54 percent of security alerts were not remediated by organizations in 2016.
What SS8 has done with the BreachDetect update is visually represent the chain of events that might have otherwise been lost as individual alerts that together might be an indicator of a compromise.
"A network behavior that is logged could sometimes be just a Dropbox connection and sometimes those connections are totally normal business practices, and then sometimes they are not,' Lakhani said. "When they're not, they tend to be accompanied by obfuscation and methods to hide the communications."
The BreachDetect system assigns a risk score to the event chains it monitors to further narrow down alerts and help organizations to focus on the most impactful issues.
"We're a system that is used to detect, respond and predict where security risks occur in an organization," Lakhani said. "The risk is not just a vulnerability like a buffer overflow, the risk is a specific system or device that is doing something that it shouldn't."