CyGlass Summer 2018 Launch

August 27, 2018

We’ve had a very busy summer here at CyGlass. The product has been extended with additional data analysis, events, behaviors and Smart Alerts that broaden its threat detection coverage. The app.cyglass.com portal gained a set of features that make reviewing Smart Alerts quicker and simpler and provide more detailed information about the activity in your network.

Below you’ll find an in-depth run-through of all the updates we’ve implemented in this release.
NEW DETECTION AND SMART ALERT CAPABILITIES

New Smart Alert: ACTORS NOT ACTING IN THEIR ROLES

Network nodes are assigned role tags (e.g. DNS Server, LDAP Server, Domain Controller) and CyGlass will then monitor their activity to detect:


CyGlass uses a layered AI approach. The Actors Not Acting In Their Roles Area of Concern is raised based on the presence and prevalence of the following behaviors:

New Behavior: ETERNALBLUE-TYPE ATTACKS

CyGlass can detect potential malware spreading over SMB (TCP port 445) by way of the EternalBlue exploit, as WannaCry and NotPetya did. EternalBlue targets the SMBv1 flaw patched by Microsoft in MS17-010, so hosts that still expose unpatched SMBv1 are the ones at risk from this kind of spread.

The following new behaviors now feed the Exfiltration and Command and Control Smart Alerts:

Internal IP Reaching Out on SMB

The Internal IP Reaching Out on SMB behavior flags SMB connections initiated by an internal host toward an external address. Outbound SMB to the Internet has few legitimate uses and is normally blocked at the perimeter, so such activity could be malicious and merits review.

Potential Malware Spreading Over SMB Protocol

The Potential Malware Spreading Over SMB Protocol behavior alerts when SMB attack behaviors are observed, or when the Internal to External Port Scan behavior is detected on port 445. An internal host probing many destinations on 445 in a short time is the fan-out pattern of a worm looking for further victims.
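To make the two SMB behaviors concrete, here is an added example written for this post; it is not CyGlass’s own detection code, and it approximates the behaviors over NetFlow-style records. It assumes the RFC 1918 ranges are the internal address space, treats 20 or more distinct destinations on TCP/445 from one internal host within 60 seconds as the spreading pattern, and runs over constructed sample flows (TEST-NET addresses stand in for the Internet). Those ranges, thresholds and flows are assumptions for the example, not CyGlass settings.

```python
"""Added example: flow-based approximations of the two SMB behaviors (not CyGlass code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal"; a real deployment would use the site's own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SMB_PORT = 445


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: when it started, who talked to whom, on what, how much."""
    ts: float     # start time, epoch seconds
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for ICMP)
    nbytes: int   # bytes sent by the source


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_flows(flows):
    return [f for f in flows if f.proto == "tcp" and f.dport == SMB_PORT]


def internal_ip_reaching_out_on_smb(flows):
    """Internal IP Reaching Out on SMB: internal source, external destination, TCP/445.
    Returns the distinct (src, dst) pairs, sorted for stable output."""
    return sorted({(f.src, f.dst) for f in smb_flows(flows)
                   if is_internal(f.src) and not is_internal(f.dst)})


def potential_malware_spreading_over_smb(flows, window=60.0, min_targets=20):
    """Potential Malware Spreading Over SMB Protocol: one internal source contacting at least
    `min_targets` distinct hosts on TCP/445 inside any `window`-second span, the fan-out an
    EternalBlue-based worm produces. Returns {src: peak distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for f in smb_flows(flows):
        if is_internal(f.src):
            by_src[f.src].append(f)
    offenders = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        left = 0
        for right in range(len(fl)):
            while fl[right].ts - fl[left].ts > window:   # slide the window forward
                left += 1
            targets = {f.dst for f in fl[left:right + 1]}
            if len(targets) >= min_targets:
                offenders[src] = max(offenders.get(src, 0), len(targets))
    return offenders


def sample_flows():
    """Constructed flows, not real telemetry. 203.0.113.0/24 and 198.51.100.0/24 are TEST-NETs."""
    flows = [Flow(0.0, "10.0.0.5", "10.0.0.20", "tcp", SMB_PORT, 8_000)]         # ordinary file-server use
    flows.append(Flow(5.0, "10.0.0.77", "203.0.113.9", "tcp", SMB_PORT, 1_200))   # SMB out to the Internet
    # the same host then sweeps 10.0.1.1-30 on 445 in nine seconds, like a worm hunting MS17-010 targets
    flows += [Flow(10.0 + 0.3 * i, "10.0.0.77", f"10.0.1.{i}", "tcp", SMB_PORT, 300) for i in range(1, 31)]
    flows.append(Flow(12.0, "10.0.0.5", "198.51.100.7", "tcp", 443, 20_000))       # unrelated HTTPS
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print("Internal IP Reaching Out on SMB:", internal_ip_reaching_out_on_smb(fl))
    print("Potential Malware Spreading Over SMB:", potential_malware_spreading_over_smb(fl))
```

The file-server traffic between two internal hosts is ignored by the first check and is nowhere near the fan-out threshold for the second, while 10.0.0.77 trips both: one outbound SMB connection and 31 distinct TCP/445 destinations inside a single window.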

 

New Behavior: ICMP TUNNELING ATTACKS

CyGlass can detect potential command-and-control activity carried over an ICMP tunnel, for example an ICMP shell that hides its commands and output in the payload of echo request and echo reply packets.

Automated Communication via ICMP

This behavior triggers on ICMP traffic that looks machine-generated (echo requests sent at unusually regular intervals) and/or on packet sizes that vary from one packet to the next, both of which indicate a potential ICMP command-and-control channel. A stock ping is also periodic but uses a fixed payload size, so the two signals are most telling in combination.

This new behavior now influences the following existing Smart Alerts, which include ICMP in possible tunneling activity:
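As an added example, written for this post and not CyGlass’s detection logic, the following code computes those two signals per source/destination pair over constructed packet records and shows why a plain ping is not flagged while a size-varying beacon is. The thresholds (interval coefficient of variation below 0.10 for "robotic", payload standard deviation above 16 bytes for "varying", mean payload above 512 bytes for "oversized", at least 8 packets per stream) are assumptions chosen for the example, not product settings.

```python
"""Added example: per-stream ICMP tunnel indicators (not CyGlass code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    ts: float          # capture time, epoch seconds
    src: str
    dst: str
    icmp_type: int     # 8 = echo request, 0 = echo reply
    payload_len: int   # bytes of ICMP data following the 8-byte ICMP header


def icmp_stream_report(pkts, min_packets=8, regular_cv=0.10, size_sd_floor=16.0, large_payload=512):
    """For each (src, dst) echo-request stream, measure how regular the timing is and how much
    the payload size varies, then combine the two.

    Assumed thresholds: coefficient of variation of inter-arrival gaps below `regular_cv`
    counts as "robotic"; payload standard deviation above `size_sd_floor` bytes counts as
    "varying"; a mean payload above `large_payload` bytes is oversized for a ping.
    Regularity alone is never enough, because a stock ping is perfectly periodic too: a stream
    is flagged only when the payload also varies (data is being carried) or is oversized."""
    streams = defaultdict(list)
    for p in pkts:
        if p.icmp_type == ICMP_ECHO_REQUEST:
            streams[(p.src, p.dst)].append(p)

    report = {}
    for pair, ps in streams.items():
        if len(ps) < min_packets:          # too few packets to judge timing or size variance
            continue
        ps.sort(key=lambda p: p.ts)
        gaps = [b.ts - a.ts for a, b in zip(ps, ps[1:])]
        sizes = [p.payload_len for p in ps]
        gap_mean = mean(gaps)
        cv = pstdev(gaps) / gap_mean if gap_mean > 0 else 0.0
        size_sd = pstdev(sizes)
        regular = cv < regular_cv
        varying = size_sd > size_sd_floor
        oversized = mean(sizes) > large_payload
        report[pair] = {
            "packets": len(ps),
            "interval_cv": round(cv, 3),
            "payload_sd": round(size_sd, 1),
            "regular_beacon": regular,
            "varying_payload": varying,
            "suspicious": varying and (regular or oversized),
        }
    return report


def sample_packets():
    """Constructed packets, not a real capture; 198.51.100.0/24 and 203.0.113.0/24 are TEST-NETs."""
    # a plain ping: one 56-byte echo request per second, and the replies coming back
    pkts = [IcmpPacket(float(i), "10.0.0.5", "198.51.100.1", 8, 56) for i in range(10)]
    pkts += [IcmpPacket(i + 0.02, "198.51.100.1", "10.0.0.5", 0, 56) for i in range(10)]
    # a beacon every 2 s whose payload length follows the data it carries
    pkts += [IcmpPacket(100.0 + 2.0 * i, "10.0.0.77", "203.0.113.50", 8, 64 + (i * 173) % 1300)
             for i in range(30)]
    # three stray pings: too few packets to judge
    pkts += [IcmpPacket(500.0 + i, "10.0.0.9", "198.51.100.2", 8, 56) for i in range(3)]
    return pkts


if __name__ == "__main__":
    for pair, r in icmp_stream_report(sample_packets()).items():
        print(pair, r)
```

Only echo requests are scored, so the reply direction never forms a stream of its own; the 10.0.0.5 ping comes out regular but constant-size and is left alone, while the 10.0.0.77 beacon is both regular and size-varying and is marked suspicious.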

 

REDESIGNED CYGLASS APPLICATION USER INTERFACE ENHANCEMENTS

Improved future decision making through additional feedback when closing a Smart Alert. When you close a Smart Alert, you can now tell CyGlass more about the source of the potential threat and its impact on your network. CyGlass uses that information to learn which threats matter to you and to make smarter decisions about how it alerts you to similar threats in future. Specifically, CyGlass prompts you for feedback on the accuracy of the alert, on whether the detected activity is normal or abnormal for your network, and on whether the flagged activity is authorized on your network.

COMPREHENSIVE TRAFFIC INVESTIGATION

The Investigate Traffic panel displays network traffic and event data and trends in both charts and graphs. Select assets and time filters to display charts and data grids showing network flow, packet and byte traffic activity, or event counts. Additional filters let you isolate specific traffic patterns as you investigate Smart Alerts and behaviors.

DRILL DOWN FROM SMART ALERT DETAILS TO INVESTIGATE TRAFFIC DETAILS

Links have been added to the Smart Alert detail screens to display the traffic or event information filtered for that Area of Concern. Clicking a link opens the Investigate Traffic panel with the relevant filters preconfigured, giving quick access to the data needed to diagnose the potential threat.

DRILL DOWN FROM AREA OF CONCERN DETAILS TO NEW BEHAVIOR DETAIL SCREEN WITH MAP, CHARTS, AND DETAILS

The Smart Alert Behavior Type Detail panel now lists the specific behaviors that make up the Smart Alert being investigated. Clicking an entry in the list displays additional detail on that behavior: charts, maps, and the event or flow records that were used to determine it.

INGESTION OF NETFLOW TRAFFIC FROM FORTINET FORTIGATE

CyGlass has been certified to receive NetFlow records from the following Fortinet products: