Threat Detection

Zartek Global Unified Security Management™: Better Threat Detection for Effective Response

Over the years, hacking techniques have become more sophisticated and they continue to evolve every day, making them very difficult to detect and respond to. To combat this trend and make security a possibility for organizations with limited resources, Zartek Global Unified Security Management (USM) delivers real-time threat intelligence and threat prioritization by leveraging the kill chain taxonomy. This makes it easier to spot attackers, their victims, their methods and their intents.


We research global threats & vulnerabilities every day so that you don’t have to

Your USM platform receives updated threat intelligence every 30 minutes under the direction of the Zartek Global Labs threat research team. This dedicated team spends countless hours analyzing the different types of attacks, emerging threats, suspicious behavior, vulnerabilities and exploits they uncover across the entire threat landscape. They also leverage the power of the Zartek Global Open Threat Exchange™ (OTX), the world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat intelligence. With over 47,000 participants from over 140 countries providing global insight into the latest attack trends and bad actors, USM users are assured they’ve got the most up-to-date, comprehensive threat intelligence in their USM deployment, on day one.


Advanced Threat Detection for an Ever-evolving Landscape

Here are a few of our collection and analysis techniques:

Security Artifact Analysis

Using a wide range of collection techniques, including advanced sandboxing to quarantine malware samples, the Zartek Global Threat Research team analyzes over 1 million unique security artifacts every day. This analysis provides key insights into the latest attacker tools and techniques.


Attacker Profile Analysis

We’re constantly monitoring hacker forums and underground networks for in-depth profiling of the common traits of cyber criminals. This information gives us unparalleled access for understanding the “attack horizon” and has resulted in major discoveries such as the evolution of Sykipot, Red October, and other malware outbreaks.


Honeypot Deployment and Analysis

Our global honeypots are essentially “virtual Venus flytraps” set up to detect, capture, and analyze the latest attacker techniques and tools. Leveraging honeypots placed in high-traffic networks, our USM platform customers are armed with the latest defensive strategies in the form of updated event correlation rules, IDS and vulnerability signatures, and more.


Open Collaboration with State Agencies, Academia, and Other Security Research Firms

Thanks to the broad reach of our threat intelligence sharing community, we’ve been able to establish strong connections with state agencies around the world, academic researchers and other security vendors. These relationships enable us access to pre-published vulnerability and malware updates as well as enhanced verification of our own research. By gathering threat intelligence from a diverse install base, spread across many industries and countries, and composed of organizations of all sizes, we’re able to shrink an attacker’s ability to isolate targets by industry or organization size.


The Unified Security Management™ Difference

5 Essential Security Capabilities in a Single Console

The Zartek Global Unified Security Management (USM) platform provides five essential security capabilities in a single console, giving you everything you need to manage both compliance and threats. Understanding the sensitive nature of IT environments, we include active, passive and host-based technologies so that you can match the requirements of your particular environment.


Asset Discovery

Find all assets on your network before a bad actor does

  • Active Network Scanning
  • Passive Network Monitoring
  • Asset Inventory


Vulnerability Assessment

Identify systems on your network that are vulnerable to exploits

  • Network Vulnerability Testing
  • Continuous Vulnerability Monitoring


Intrusion Detection

Detect malicious traffic on your network

  • Network IDS
  • Host IDS
  • File Integrity Monitoring (FIM)


Behavioral Monitoring

Identify suspicious behavior and potentially compromised systems

  • Netflow Analysis
  • Service Availability Monitoring
  • Packet capture


SIEM

Correlate and analyze security event data from across your network

  • Log Management
  • Event Correlation
  • Incident Response
  • Reporting and Alarms

Detect and Minimize Threats from Within

In the wake of high-profile breaches where trusted employees were involved, enterprises are increasingly concerned about the threats those employees pose, such as:

  • Disgruntled employees looking to damage systems or steal data
  • Users engaged in corporate or state-sponsored espionage
  • Unsuspecting users clicking on phishing e-mails
  • Users illegally downloading torrents

Insider threat detection can be challenging because it often spans across a multitude of systems. Even with security tools deployed, you still need to establish a baseline of normal activity. For example, HR users connecting to an employee database is probably a normal part of operations. But, if a user in marketing suddenly starts accessing a vast number of records within the employee database, something is likely very wrong.
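The HR-versus-marketing scenario above is a baseline-then-outlier check. The following Python is an added example, not part of the original page or of the USM product: it learns, from a constructed access log, how many records each department normally reads from each database, then flags events on a later day that either come from a department with no history on that resource or exceed the learned volume by more than three standard deviations. The log format, department names and the z-score threshold are all assumptions made for the illustration.

```python
"""Baseline-then-outlier detection of unusual database access (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access log, one record per user per day:
# "date user department resource records_read"
BASELINE_LOG = """\
2024-03-01 alice hr employee_db 42
2024-03-01 bob hr employee_db 37
2024-03-02 alice hr employee_db 51
2024-03-02 bob hr employee_db 40
2024-03-03 alice hr employee_db 45
2024-03-03 carol hr employee_db 39
2024-03-01 dave marketing crm_db 120
2024-03-02 dave marketing crm_db 133
2024-03-03 erin marketing crm_db 128
"""

# Constructed events from the day under review
NEW_LOG = """\
2024-03-04 alice hr employee_db 48
2024-03-04 dave marketing crm_db 125
2024-03-04 erin marketing employee_db 5000
2024-03-04 bob hr employee_db 900
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, dept, resource, records = line.split()
        events.append({"date": date, "user": user, "dept": dept,
                       "resource": resource, "records": int(records)})
    return events


def build_baseline(events):
    """Per (department, resource) pair, summarise how many records a user
    normally reads in a day during the learning period."""
    samples = defaultdict(list)
    for e in events:
        samples[(e["dept"], e["resource"])].append(e["records"])
    return {key: {"mean": mean(v), "stdev": pstdev(v), "n": len(v)}
            for key, v in samples.items()}


def detect_outliers(events, baseline, z=3.0):
    """Flag events that fall outside the learned baseline.

    Two conditions are checked: the department has never touched the
    resource at all (no baseline exists), or the read volume is more than
    z standard deviations above the department's normal daily volume."""
    findings = []
    for e in events:
        key = (e["dept"], e["resource"])
        stats = baseline.get(key)
        if stats is None:
            findings.append((e, "department has no history of accessing this resource"))
            continue
        # Floor the spread at 1 so a perfectly uniform baseline cannot alert on noise
        threshold = stats["mean"] + z * max(stats["stdev"], 1.0)
        if e["records"] > threshold:
            findings.append((e, f"{e['records']} records read, baseline threshold is {threshold:.0f}"))
    return findings


def run():
    """Learn from the baseline period, then review the new day's events."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_outliers(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for event, reason in run():
        print(f"ALERT {event['date']} {event['user']} ({event['dept']}) -> {event['resource']}: {reason}")
```

On the constructed data this raises two alerts: the marketing user reading the employee database (no baseline at all) and the HR user whose 900-record day is far above the department's norm, while the ordinary HR and marketing activity stays silent. In practice the baseline would be keyed on more than department (hour of day, source host) and re-learned on a rolling window so that legitimate growth does not become a permanent alert.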

Zartek Global USM™ delivers essential Insider Threat Detection and Management capabilities, including:


Behavioral Monitoring

  • Network Intrusion Detection System (NIDS)
  • Network flow analysis
  • Network protocol analysis & packet capture


Privilege Escalation Detection

  • Host Intrusion Detection System (HIDS)
  • File Integrity Monitoring (FIM)
  • Detect unauthorized user access attempts


Event Correlation

  • Security Information and Event Management (SIEM)
  • Detect communications with malicious hosts
  • Centralized dashboard that prioritizes threats the way you want to see them


Behavioral Monitoring

Insider threat detection techniques lie in monitoring user activity as opposed to system activity. As such, you need to first establish what constitutes normal user behavior within your environment. Once you have obtained a baseline of normal activity, detecting outliers becomes easier.

Zartek Global USM helps you understand normal activity in your network by building up a picture from the moment you install USM. You’ll also get better visibility into the threats that come from legitimate users, helping you detect malicious insiders.

Zartek Global USM’s Network Intrusion Detection System (NIDS) inspects traffic between your internal devices and critical systems, giving you visibility into what’s happening inside your perimeter. In addition, network flow analysis provides the high-level trends related to what protocols are being used, which hosts are using the protocols, and the relevant bandwidth usage.

Furthermore, network protocol analysis and packet capture allow you to fully replay events that occur so that you can be sure of exactly what a malicious insider has done.


Privilege Escalation

Most companies will track the activities of privileged users as an essential security practice. In order to bypass this, insiders will seek to escalate privileges in order to gain access to information, subvert controls, damage systems or facilitate exfiltration of sensitive data, all while flying under the radar.

Zartek Global USM’s host intrusion detection system (HIDS) capabilities can detect and alert on privilege escalation that doesn’t have a corresponding change request. In addition, USM correlates suspicious events to detect when a user’s access to critical systems and applications may be malicious. This allows you to detect, respond and neutralize the insider threat posed by employees trying to bypass security controls by escalating their rights, or by employees hijacking user credentials for malicious purposes.


Event Correlation

Humans, unlike computers, are often unpredictable in nature. As such, identifying an insider threat usually requires the ability to correlate seemingly benign events to detect insider threats that take place across various systems. Insiders will often account for existing security controls and attempt to keep their activity ‘low and slow’ to avoid triggering any alarms.

Zartek Global USM can link disparate events across your network and correlate events related to malicious insiders. USM’s strong correlation engine uses built-in correlation rules to detect relationships between different types of events occurring in one or more monitored assets to identify suspicious activity. This eliminates the need for IT teams to create their own correlation rules, so they can spend their time mitigating threats rather than researching them.

That’s where the Threat Intelligence produced by Zartek Global Labs steps in to assist. Think of it as an extension to your IT team: they are constantly performing advanced research on current threats and developing updates to Zartek Global USM’s threat intelligence. In addition to the vulnerability signatures, you receive updates to SIEM correlation rules, IDS signatures, knowledgebase articles, and more.

Updating the Zartek Global USM platform is extremely easy, designed to minimize downtime, and requires just a couple of mouse clicks. This ensures that Zartek Global USM is continuously conducting network vulnerability scans for the latest threats without requiring in-house research or development of vulnerability data. This allows you to allocate your time and resources to other responsibilities and do more with a smaller team.

Kill Chain Taxonomy categories

  • System Compromise
  • Exploitation & Installation
  • Delivery & Attack
  • Reconnaissance & Probing
  • Environmental Awareness

Minimize Damage from Advanced Persistent Threats

Data breaches attributed to Advanced Persistent Threats (APTs) continue to make headlines when they involve large, well-known entities (large corporations, governments, etc.) and/or result in the exfiltration of sensitive data. However, APTs also frequently target the valuable data found in smaller networks. Often this is because smaller organizations tend to lack the technologies and security expertise to detect these types of attacks.

You Can’t Prevent a Breach

It’s impossible to prevent a dedicated, patient attacker from breaching your network, regardless of the amount you invest in preventive technologies like UTM, Next Gen Firewalls or Sandboxing technologies.

You can, however, arm yourself with the best-in-breed technologies of Zartek Global Unified Security Management™ (USM) to detect APTs at every stage of the attack. This, coupled with an intuitive platform, provides you with the security expertise needed to minimize the damage to your environment.

Zartek Global USM™ gives you essential APT detection capabilities for each stage of an APT attack:


Identify Vulnerable Systems Being Targeted by APTs

  • Asset discovery will identify all systems on your network
  • Vulnerability assessment will prioritize the vulnerabilities that APTs exploit
  • Network IDS detects malicious traffic targeting vulnerable systems for initial compromise


Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes

  • OTX data alerts on inbound or outbound communication used for initial compromise of systems in your network, expansion to other systems, and exfiltration of data
  • Host IDS will detect privilege escalation on systems
  • Close monitoring will identify any malicious processes that are running or any critical services that have been disabled
  • File Integrity Monitoring (FIM) will detect changes to critical files


Get Alerted to Compromised Systems Before Exfiltration of Data

  • SIEM correlates alerts from all data sources to tell you who, what, where, when, and how you’re being attacked
  • Threat Intelligence from Zartek Global Labs presents alarms in Kill Chain Taxonomy to tell you of the highest priority threats
  • Integrated response guidance tells you how to respond to APTs before data harvesting and exfiltration


Identify Vulnerable Systems Being Targeted by APTs

A patient, determined attacker can compromise any network. The first step in any defense against APTs is to know what systems are on your network, and what vulnerabilities exist on those systems. Attackers target unpatched and misconfigured systems to gain the foothold necessary to eventually exfiltrate regulated or confidential data.

Zartek Global USM scans your network for devices and determines what vulnerabilities exist through both passive and active scanning techniques, depending on your policies and preferences. It then prioritizes the vulnerability data, telling you which vulnerabilities are the highest priority to address.

Zartek Global USM’s built-in network IDS technology also detects malicious traffic attempting to exploit vulnerabilities on the targeted systems. Common malware delivery methods include email attachments disguised as everyday documents (Word files, pictures, PDFs), links to websites hosting malware, or code designed to exploit common vulnerabilities.

Preventive tools like antimalware, antispam, and web content filters can’t keep up with every new malware variant associated with today’s APT campaigns. This means that you need the ability to detect the attacker’s initial compromise of your network. Zartek Global USM provides this level of insight with cross-correlation of contextual data, driven by Zartek Global Labs Threat Intelligence.


Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes

During an advanced persistent threat attack, a common first move is to compromise one of your systems to use as a base of operations for deeper infiltration into your network. Following that, increased access to additional systems will be attempted by gaining root or administrative privileges through exploits, social engineering, or brute-force password cracking.

With threat data from OTX (Open Threat Exchange) integrated into Zartek Global USM, you’ll get alerted to a wide range of Indicators of Compromise (IoCs) in any inbound or outbound communication. Due to their previous association with known threats, these IoCs are evidence of potentially malicious activity in your network (ranging from initial compromise to expansion to other systems, and ultimately exfiltration of your sensitive data).

In addition, Host IDS agents deployed on critical systems that store valuable data will detect the privilege escalation attempts as the attacker attempts to gain root or admin privileges. Once the attacker has admin access, they will stop security-related services running on the compromised systems, or start unwanted services in order to facilitate their malicious activities.

Zartek Global USM’s built-in File Integrity Monitoring (FIM) capability will monitor essential files to detect changes to critical application configurations, or data files. It will also detect the modification of log files, which is a common technique attackers use to cover their tracks and evade detection.
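The two FIM behaviours just described (change to a critical configuration or data file, and tampering with a log file) need different rules, because a log file is expected to change constantly. The Python below is an added example, not the product's own FIM implementation: it snapshots SHA-256 and size for a watched set of files, reports any change to an ordinary file as a modification, and for files declared append-only (logs) reports only shrinking or rewriting of earlier content, treating a clean append as normal. The file names and the changes applied are constructed for the illustration.

```python
"""File integrity monitoring with an append-only rule for logs (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root, watched):
    """Record the SHA-256 and size of each watched file; None if it is absent."""
    snap = {}
    for rel in watched:
        path = Path(root) / rel
        if not path.is_file():
            snap[rel] = None
            continue
        data = path.read_bytes()
        snap[rel] = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    return snap


def compare(root, before, after, append_only=()):
    """Diff two snapshots and return (path, finding) pairs.

    Files listed in append_only (log files) are allowed to grow; any change
    that shrinks them or rewrites earlier content is reported as tampering."""
    findings = []
    for rel, old in before.items():
        new = after.get(rel)
        if old is None and new is None:
            continue
        if old is not None and new is None:
            findings.append((rel, "deleted"))
            continue
        if old is None:
            findings.append((rel, "created"))
            continue
        if old["sha256"] == new["sha256"]:
            continue
        if rel not in append_only:
            findings.append((rel, "modified"))
            continue
        if new["size"] < old["size"]:
            findings.append((rel, "log truncated"))
            continue
        # The log grew: it is a clean append only if the old bytes are still
        # an untouched prefix of the new content.
        head = (Path(root) / rel).read_bytes()[: old["size"]]
        if hashlib.sha256(head).hexdigest() != old["sha256"]:
            findings.append((rel, "log rewritten"))
    return findings


def demo():
    """Create a constructed set of files, change them, and report findings."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "app.conf").write_bytes(b"debug=false\n")
        (r / "auth.log").write_bytes(b"login ok alice\n")
        (r / "audit.log").write_bytes(b"line1\nline2\nline3\n")
        watched = ["app.conf", "auth.log", "audit.log"]
        logs = {"auth.log", "audit.log"}

        before = snapshot(root, watched)

        # Constructed changes: one config edit, one normal log append, one truncated log
        (r / "app.conf").write_bytes(b"debug=true\n")
        with open(r / "auth.log", "ab") as f:
            f.write(b"login ok bob\n")
        (r / "audit.log").write_bytes(b"line1\n")

        after = snapshot(root, watched)
        return compare(root, before, after, append_only=logs)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

The demo reports the configuration edit and the truncated audit log while staying silent on the legitimately growing auth log. A deployed agent would keep the baseline snapshot somewhere the monitored host cannot rewrite it, since an attacker with admin rights can otherwise re-baseline after tampering.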


Exfiltration of Data

One challenge IT teams of all sizes face is how to sift through their mountains of log data to detect signs of an APT campaign before data exfiltration occurs. Zartek Global USM’s built-in SIEM capability aggregates and correlates event data from all of the platform’s data sources, as well as third party tools, into one management console.

The integrated Threat Intelligence from Zartek Global Labs correlates the events from disparate sources to alert you to the highest priority threats facing your network today, including those related to Advanced Persistent Threats. With over 2,000 correlation rules pre-built into the Zartek Global USM platform, you can spend your time responding to specific threats, instead of trying to research the significance of a particular event. Additionally, the Kill Chain Taxonomy makes it very easy for you to focus your response efforts on the most critical threats, showing you who, what, where, when, and how you’re being attacked, as well as the attacker’s intent to help you combat APTs at every stage.
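This section and the Event Correlation section earlier describe the same mechanism: events from NIDS, HIDS, OTX and other sources are linked by host and time, and the resulting alarm is placed in a Kill Chain Taxonomy category that sets its priority. The Python below is an added example, not the product's correlation engine or any of its 2,000 rules. It runs three constructed rules over a constructed event stream: a single-event reconnaissance rule, an exploit-then-privilege-escalation rule, and a rule that raises an IoC match to System Compromise only when the same host already escalated privileges. The event format, the rule fields and the window sizes are assumptions, and treating the page's category list as ordered from highest to lowest priority is also my assumption.

```python
"""Correlating events from several sources into kill-chain-ranked alarms (added example)."""
from datetime import datetime, timedelta

# Kill chain taxonomy categories named on the page; assumed here to be
# listed from highest to lowest priority
KILL_CHAIN = [
    "System Compromise",
    "Exploitation & Installation",
    "Delivery & Attack",
    "Reconnaissance & Probing",
    "Environmental Awareness",
]
PRIORITY = {name: rank for rank, name in enumerate(KILL_CHAIN)}

# Constructed events: (timestamp, source, host, event_type, detail)
EVENTS = [
    ("2024-03-04T09:00:00", "nids", "10.0.0.5", "port_scan", "scan from 10.0.0.9"),
    ("2024-03-04T09:10:00", "nids", "10.0.0.5", "exploit_attempt", "exploit signature matched"),
    ("2024-03-04T09:12:00", "hids", "10.0.0.5", "priv_escalation", "www-data became root"),
    ("2024-03-04T09:20:00", "otx", "10.0.0.5", "ioc_match", "outbound connection to listed C&C address"),
    ("2024-03-04T11:00:00", "hids", "10.0.0.7", "priv_escalation", "sudo by admin"),
]

# Each rule fires on a trigger event, optionally requiring a precursor event
# on the same host within a time window; the category sets the alarm priority.
RULES = [
    {"name": "Port scan observed", "trigger": "port_scan", "precursor": None,
     "window_min": 0, "category": "Reconnaissance & Probing"},
    {"name": "Exploit followed by privilege escalation", "trigger": "priv_escalation",
     "precursor": "exploit_attempt", "window_min": 30, "category": "Exploitation & Installation"},
    {"name": "C&C contact from an escalated host", "trigger": "ioc_match",
     "precursor": "priv_escalation", "window_min": 24 * 60, "category": "System Compromise"},
]


def correlate(events, rules):
    """Evaluate every rule against the event stream and return alarms sorted
    by kill chain priority (most severe first)."""
    events = sorted(events, key=lambda e: e[0])
    alarms = []
    for rule in rules:
        window = timedelta(minutes=rule["window_min"])
        for i, (ts, src, host, etype, _detail) in enumerate(events):
            if etype != rule["trigger"]:
                continue
            if rule["precursor"] is None:
                alarms.append({"category": rule["category"], "rule": rule["name"],
                               "host": host, "evidence": [(ts, src, etype)]})
                continue
            t = datetime.fromisoformat(ts)
            # Look back through earlier events on the same host for the precursor
            for pts, psrc, phost, petype, _ in events[:i]:
                if (phost == host and petype == rule["precursor"]
                        and t - datetime.fromisoformat(pts) <= window):
                    alarms.append({"category": rule["category"], "rule": rule["name"],
                                   "host": host,
                                   "evidence": [(pts, psrc, petype), (ts, src, etype)]})
                    break
    alarms.sort(key=lambda a: PRIORITY[a["category"]])
    return alarms


if __name__ == "__main__":
    for a in correlate(EVENTS, RULES):
        print(f"[{a['category']}] {a['rule']} on {a['host']}: {a['evidence']}")
```

All three alarms land on 10.0.0.5 and come out with System Compromise first, which is the prioritisation the text describes. The lone sudo on 10.0.0.7 produces nothing under these rules; it is the kind of event the earlier section says the HIDS would judge against a change request rather than against a preceding exploit.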

Stop Ransomware in its Tracks with Advanced Threat Detection

One of the more crippling threats facing security professionals and the environments they protect today is the ransomware attack. Malware like CryptoLocker and the hundreds of similarly debilitating variants (CryptoWall, Reveton, TorrentLocker, etc.) present a unique challenge in their ability to evade detection and execute their attack. The ransomware could be present in an infected system for hours or even days before it rears its ugly head.

Ransomware gets its name from its main intent: encrypting your sensitive files so that you do not have access to them and then demanding a ransom (usually in the form of cryptocurrency like Bitcoin or prepaid cash cards) in exchange for the decryption key. The encryption used is quite robust and is not easily cracked; doing so would require a lot of time and computing resources not available to those outside of various 3-letter government security agencies.


Zartek Global USM™ delivers essential ransomware detection tools and capabilities:

Enhance Network Visibility

  • Spot malicious payload deployment
  • Identify traffic patterns related to known ransomware
  • Prevent interference with monitoring due to the robust architecture of the detection controls


Monitor Critical Files and Registry Entries for Any Changes

  • Alert when configurations of Windows machines are modified
  • Detect encryption of sensitive and/or personal files in real-time
  • Deploy easily to your critical assets


Get Alerted to Status Changes of Critical Services

  • Observe status changes of services that could be indicative of the presence of malware
  • Detect when attacks try to mask behavior by interfering or stopping monitoring applications
  • Easily configure availability monitoring for all critical assets


Enhance Network Visibility

One of the best first steps in securing your environment is to deploy intrusion detection (IDS) at the network layer as well as host-based IDS on your critical assets. This gives you detailed insight into what exactly is coming across the wire, instead of educated guesses based on alerts from antivirus and antimalware scans. And by the time the data you gain from those scans uncovers the presence of ransomware or other malware, your sensitive data could already be encrypted and irrecoverable.

Identifying the presence of these files in real-time gives you a fighting chance, allowing you to quarantine infected systems before they spread. USM’s integrated Intrusion Detection monitors the network and will flag any known malicious files.


Monitor Critical Files & Registry Entries for Any Changes

While some of the early ransom software (namely Reveton and Citadel) would simply lock you out of a machine and display some page demanding payment, today’s ransomware encrypts the bulk of your sensitive and/or personal files but allows you to use your computer otherwise. This process can take some time (entirely depending on the size of your file system) so catching the malware in the act could allow you to remediate the infection and prevent any spread.

Modifying a detection tool’s configuration is a common technique attackers use to mask their ransomware’s activity. On Windows machines, this results in a change to the registry, and proactive monitoring of those registry entries (much like monitoring the file system) can give you precious time to stop these threats before they wreak total havoc.

With File Integrity Monitoring (FIM) built into the Host-based IDS, USM is able to keep a close watch on the files and registry entries of your sensitive assets and critical systems to detect when ransomware initially takes hold. Easily deploy these HIDS agents to multiple assets at once, accelerating deployment and simplifying threat detection.


Get Alerted to Status Changes of Critical Services

Some of the more evolved ransomware variants increase their chances of success by masking their activity when establishing an initial foothold on the target system. This ability to maneuver stealthily is often a result of compromising a system’s own endpoint protection controls. In addition to altering the configuration files of these tools, some attacks involve the termination or freezing of services and processes of the monitoring tools themselves.

Service availability monitoring is a central part of USM’s Behavioral Monitoring functionality and is easily configurable. This affords you at-a-glance visibility into the status of your most valuable assets and can act as an early warning of a potential attack.