Part I: Demystifying Cyber Health and Cyber Threat Hunting
JEFF: Welcome to Cloud Expo, can you please help explain what cyber threat hunting is?
SNEHAL: Jeff, thanks for hosting us. First let’s talk to what a cyber threat is -– someone is trying to take your data by breaking into your critical digital systems. Let me describe three types:
- A threat can be an IP address from a hacker country, and that traffic is a sign of a breach.
- A threat can be someone breaking into your email systems and stealing identities, now they can gain more access to other systems.
- A threat can be someone that removes data from critical servers—and now you have a ransomware issue.
JEFF: So are you saying that cyber threat hunting is a practice of seeing a very complex attack and stopping it before real damage is done?
SNEHAL: correct Jeff, and threat hunting needs more than SIEM logs. You need network traffic, behavior analytics and application awareness. By correlating data across a broader set of tools, you can proactively piece together complex attacks across all IT infrastructure. SIEMs alone lack this comprehensive visibility. We also see AI – artificial intelligence– as a key enabler to help a broader community of companies take advantage of advanced SOC solutions. Computers are good at seeing patterns, and machine learning is a way to help SOC teams scale so they can focus on strategic work.
JEFF: I see, AI is hot topic here in Hong Kong — Before we dig deeper into technology, can you share the common challenges your customers had before you helped them with Threat Hunting?
SNEHAL: Even with all the right tools in place, a lot of our customers shared failures rather than successes. To help understand why, we recently worked with Enterprise Strategy Group – they go by ESG – to understand customer challenges in Asia. Let’s take a look at the key conclusions. First, threats are on the rise. Over 70% of the respondents see more complex attacks over time—still, they are not sure what to do
JEFF: We see similar challenges here in Hong Kong. In fact the latest updated financial regulator’s policy manual stresses the importance on threat and vulnerability management and the need for systematic monitoring processes.
SNEHAL: The second result shows concern over too much data coming into the SOC, it is easy to miss the RIGHT data, or spend a lot of time searching through logs that don’t paint a true picture of your IT infrastructure.
JEFF: So this is why the Hong Kong job market is so competitive for good security people. They are all busy writing queries to search through a lot of data.
SNEHAL: Thanks for sharing that Jeff, it makes sense, and last, with remote workers now commonplace and many aspects of your infrastructure now both on-premises and in public clouds, over 70% of customers note they still think they have blind spots. Again SIEMs alone are not going to help you see threats
JEFF: For the new normal, scalability and interoperability across heterogenous environments are essential then. Now, let’s talk about the solutions, as we understand why security teams need new ideas.
SNEHAL: Today’s hackers don’t attack you in the traditional ways—this is key—a perimeter approach no longer secures you Now, they gain access to low-profile assets and start to gather intelligence about more critical systems, then they go for more valuable information.
JEFF: Can you explain the example on the slide?
SNHEAL: Sure, let’s say you have tagged your CEO as a critical person, and you just see that they logged in in Tokyo and then in Sydney Australia two hours later. That is clearly an impossible travel event, yet his log-in was valid. Then you see him using commands to access an application, say SSL to access data on a SQL server.
JEFF: Why would the CEO be using SSL and why would he be looking for SQL data? Something is very suspicious, but all three actions are still valid based on everything we can establish from the existing tools and data—right?
SNHEAL: Exactly Jeff, to summarize what Threat Hunting really needs is a way to bring all your tools and feeds together, and process it with AI to help find patterns, purpose-built to find the RIGHT data. We call this Open-XDR –extended detection and response with the ability to integrate with any system, tool or data feed. Just as we augmented firewalls with SIEMs, it is time to reconsider how we build a SOC. A collection of tools – or — an intelligent platform is the key.
JEFF: So the way I hear this is, it’s really all about Better Visibility! And leveraging AI to get the RIGHT data that helps you see the complex attack more efficiently.
SNEHAL: That’s exactly right Jeff
JEFF: So let’s dig deeper into this idea of visibility and AI.
SNEHAL: Sure Jeff, this is the foundation of how we think. We are happy to share our thoughts. First as you can see on the left, a traditional SOC has a collection of tools. These tools all do a great job in their specific areas – like SIEM for logs, UEBA for behavior and NTA for network traffic. Now, the issue we are finding is that there are still blind spots between these tools and critical detections that are telling you about a complex attack and are getting missed. Even when some of these tools are using machine learning, the blind spots prevent a cohesive approach.
JEFF: I see that makes a lot of sense. I am keen to see how you think customers should work to close these gaps and gain both intelligence and comprehensive visibility.
SNEHAL: Absolutely, on the right – we think one way to pull all your tools together is to think about platforms, to use an open system that sits on top of your current infrastructure; to help piece complex attacks together. And now there is only one common data lake, with all data at ingestion being normalized – analysis is now much faster, and AI helps you to apply big data trending to sort term and long term trends In summary, you have one pane of glass to visualize, analyze and respond to all detections—all data—all sources, logs, traffic, visibility into cloud, network, endpoints, users and applications.
JEFF: Thanks Snehal, I think it is time to see the product in action! Let’s look at a live use case – can you do a short demo?
SNEHAL: Sure Jeff, I am going to Threat Hunt right now, and show you with 4 key steps, I will detect a hacked device and stop the attack. First, I just identified an infected server, it has been hacked.
JEFF: You got right to that, your dashboard looks easy to use.
SNEHAL: Thanks Jeff, our customers agree and tell us training takes only days, not weeks. Now let me show you the second step, I am opening our Interflow record, which is readable JSON, now I can see how they hacked this server.
JEFF: That looks like a lot of details in one file, many of our customers complain they have to use several tools to build a complete picture of an event
SNEHAL: Thanks Jeff, that’s right, it also includes how the AI processed each event, so you have an actionable record. Now let’s look at the third step, I will block the device from sending traffic. I used our Threat Hunting library to trigger a response, to close the port.
JEFF: I see the power of an integrated platform – you are quickly taking action with only a few clicks. That is clearly how you help organizations make running a SOC easier!
SNEHAL: That’s right Jeff, our customers tell us they increased productivity dramatically, in many cases several orders of magnitude—it’s the best way to demonstrate the power of AI. Now let’s finish this Threat Hunting use case with the fourth and final step, by seeing if the server is now infecting other devices, like we first discussed, this is a common way hackers infect other devices in your environment.
See, many other devices now need attention.
JEFF: Thanks Snehal, I am convinced I can see you really did a lot and that was simple and really only took a few minutes.
JEFF: Snehal, I think we need to wrap this up, can you summarize our discussion today?
SNEHAL: Sure Jeff, I think the most important thing I can say is now that hackers are using new approaches, customers need to look at new tools to combat them. And instead of siloed tools, think in terms of a platform that ties tools together. Now you have a better way to see the right data, know more, and act to respond faster. We think customers are tired of closed systems, they are frustrated with vendor lock-in – systems should be open. We also think new ideas need to use and leverage all the existing tools and data feeds – and make them work better through the power of AI.
Next, think about apps, not scripts. Have a library of pre-built playbook applications that help your analysts move faster, and help you broaden the talent you can hire from
JEFF: Thanks Snehal, So the goal of this session is to ensure customer/client can start to see new detections that are meaningful, and are derived from tools and data you already trust. I believe the Hong Kong market will like this way of thinking!
