We’ve had a very busy summer here at CyGlass. Our product has been further enhanced with additional data analysis, events, behaviors, and Smart Alerts that increase the breadth of threat detection. The app.cyglass.com portal has been enriched with features that extend and simplify the review of Smart Alerts and provide more detailed information about the activity in your network.
Below you’ll find an in-depth run-through of all the updates we implemented in this release.
NEW DETECTION AND SMART ALERT CAPABILITIES
New Smart Alert: ACTORS NOT ACTING IN THEIR ROLES
Network nodes are assigned role tags (e.g. DNS Server, LDAP Server, Domain Controller), and CyGlass then monitors their activity to detect:
- Unauthorized traffic: traffic on ports that are blocked for that role
- Missing traffic: an unexpected drop in traffic on key ports for that role
- Unusual traffic: significant changes from the learned baseline in traffic on key ports
CyGlass uses a layered AI approach. The Actors Not Acting In Their Roles Area of Concern is raised based on the presence and prevalence of the following behaviors:
- Anomaly Associated with Asset IP: this behavior occurs when a performance metric for an asset varies significantly from its baseline.
- Unacceptable Port: this behavior occurs when traffic is detected for an asset on a port that has been identified as unacceptable for a role assigned to that asset.
- Suspicious Behavior On Asset IP: this behavior alerts customers to threats related to changes to their assets. The Area of Concern triggers when a major actor appears in one or more instances of the above behaviors.
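The role-based checks above, as an added illustration that is not CyGlass code: a constructed role policy (key ports and blocked ports per role), a constructed baseline, and one window of constructed flow counts are run through the three checks, and any asset that appears in a finding is raised as an asset of concern. Role names, ports, thresholds and IPs are all assumed for the example.

```python
from collections import defaultdict

# Constructed role policy (assumed, not CyGlass's real tag set): ports a role is
# expected to serve, and ports that should never be seen on an asset with that role.
ROLE_POLICY = {
    "DNS Server": {"key_ports": {53}, "blocked_ports": {445, 3389}},
    "Domain Controller": {"key_ports": {88, 389, 445}, "blocked_ports": {3389}},
}
ASSET_ROLES = {"10.0.0.5": "DNS Server", "10.0.0.10": "Domain Controller"}

# Constructed learned baseline: flows per window on each (asset, key port).
BASELINE = {("10.0.0.5", 53): 1000, ("10.0.0.10", 88): 300,
            ("10.0.0.10", 389): 400, ("10.0.0.10", 445): 200}

# Constructed observations for the current window: (dst_ip, dst_port, flows).
WINDOW_FLOWS = [("10.0.0.5", 53, 950), ("10.0.0.5", 445, 3),
                ("10.0.0.10", 88, 310), ("10.0.0.10", 389, 40), ("10.0.0.10", 445, 900)]

def check_roles(flows, drop_ratio=0.5, change_ratio=2.0):
    """Return (behavior, asset, port) findings for unacceptable ports,
    missing traffic (below drop_ratio of baseline) and unusual traffic
    (above change_ratio of baseline) on key ports."""
    seen = defaultdict(int)
    findings = []
    for ip, port, count in flows:
        role = ASSET_ROLES.get(ip)
        if role is None:          # untagged asset: no role policy to apply
            continue
        seen[(ip, port)] += count
        if port in ROLE_POLICY[role]["blocked_ports"]:
            findings.append(("unacceptable_port", ip, port))
    for ip, role in ASSET_ROLES.items():
        for port in ROLE_POLICY[role]["key_ports"]:
            base = BASELINE.get((ip, port))
            if base is None:      # no baseline learned yet: skip rather than guess
                continue
            count = seen.get((ip, port), 0)
            if count < base * drop_ratio:
                findings.append(("missing_traffic", ip, port))
            elif count > base * change_ratio:
                findings.append(("unusual_traffic", ip, port))
    return sorted(findings)

def assets_of_concern(findings, min_hits=1):
    """Raise an asset when it appears in at least min_hits of the findings."""
    hits = defaultdict(int)
    for _, ip, _ in findings:
        hits[ip] += 1
    return {ip for ip, n in hits.items() if n >= min_hits}
```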
New Behavior: ETERNAL BLUE TYPE ATTACKS
CyGlass can detect potential malware infections that spread over SMB (port 445) using the EternalBlue exploit, such as WannaCry and Petya.
The following new behaviors are now included in the Exfiltration and Command and Control based Smart Alerts:
Internal IP Reaching Out on SMB
The Internal IP Reaching Out on SMB behavior indicates internal-to-external SMB activity that could be malicious.
Potential Malware Spreading Over SMB Protocol
The Potential Malware Spreading Over SMB Protocol behavior triggers when SMB attack behaviors or the Internal to External Port Scan behavior are detected on port 445.
New Behavior: ICMP TUNNELING ATTACKS
CyGlass can detect potential Command and Control activity via an ICMP Tunnel such as through the use of an ICMP shell.
Automated Communication via ICMP
Unusually regular (robotic) ICMP timing and/or varying ICMP packet sizes, which indicate potential ICMP command and control, trigger this behavior.
This new behavior now feeds the following existing Smart Alerts, so ICMP is taken into account in possible tunneling activity:
- Suspicious Tunneling Plus Port Scan
- Suspicious Tunneling Plus Data Exfiltration
REDESIGNED CYGLASS APPLICATION USER INTERFACE ENHANCEMENTS
Future decisions are improved by collecting additional feedback when you close a Smart Alert. When closing a Smart Alert, you can now give CyGlass more feedback about the source of the potential threat and its impact on your network. CyGlass uses that information to learn which threats matter to you and to make smarter decisions about how it alerts you to similar threats in the future. Specifically, CyGlass prompts you for feedback on the accuracy of its alerts, on whether the detected activity is normal or abnormal for your network, and on whether the flagged activity is authorized on your network.
COMPREHENSIVE TRAFFIC INVESTIGATION
The Investigate Traffic Panel displays network traffic and event data and trends in both charts and graphs. Select assets and time filters to display charts and data grids showing network flow, packet and byte traffic activity, or event counts. Additional filters let you isolate specific traffic patterns as you investigate Smart Alerts and behaviors.
DRILL DOWN FROM SMART ALERT DETAILS TO INVESTIGATE TRAFFIC DETAILS
Links have been added to the Smart Alert detail screens to display the filtered traffic or event information for that Area of Concern. Clicking a link opens the Investigate Traffic panel with the relevant filters preconfigured, giving quick access to the information needed to diagnose the potential threat.
DRILL DOWN FROM AREA OF CONCERN DETAILS TO NEW BEHAVIOR DETAIL SCREEN WITH MAP, CHARTS, AND DETAILS
The Smart Alert Behavior Type Detail Panel now contains a list of specific behaviors that are included in the Smart Alert being investigated. By clicking on an entry in the list, you can display additional detail on the behavior, showing charts, maps and the event or flow detail that was used to determine the behavior.
INGESTION OF NETFLOW TRAFFIC FROM FORTINET FORTIGATE
CyGlass has been certified to receive NetFlow logs from Fortinet FortiGate products:
- The Fortinet products should be configured to send NetFlow logs to the CyGlass collector via port 2055.
- Static tags, labels, and roles can be imported and assigned to Assets monitored by CyGlass.