Cybersecurity Implementation

The amount of data being generated on today’s networks by system logs and security devices is daunting. Qato turns this massive flow of data from a burden into an advantage. Cyber security is one of our Nation’s greatest priorities. Networks are constantly under attack, and these attacks are growing in volume and sophistication. Early detection of attacks is key for proper responses to be taken. 

Qato empowers the network defender to achieve information dominance over the malicious attacker. 

Today’s networks have grown into vast enterprises consisting of thousands of devices running many operating systems and software packages. The constant flow of security patches and software upgrades is almost impossible to keep up with. The number of possible individual configurations of systems is nearly infinite. This gives a huge advantage to attackers. When attacking a network, they need only find one flaw among the millions of permutations of system variables. 

The network defender is better able to detect malicious activity by collecting more information both in volume and detail. However, this increased amount of data has historically ended up being a further vulnerability. A skillful attacker can not only rely on the odds that they will find a vulnerability, but also take advantage of the massive amount of data that defenders must sift through on a daily basis by hiding among it. Most detection systems are not able to scale to handle the full breadth of information available to the defender. This massive amount of data is further compounded by false positives and obscure meanings that end up overwhelming the defender.

In an ideal situation, the defender would have the following key advantages:

  • The defender should know the normal operations and flows in their network better than an adversary. 

  • The defender can collect information about what is going on in their network to a great level of detail. 

  • The defender should be able to lay traps that, while appearing safe, are easy pits only an adversary would fall into on their particular network. False alarms should be overcome using an aggregate method whereby multiple suspicious activities are detected from multiple sources before the operator is alerted.

The necessary data for these advantages are available, but it has not been technologically practical to take advantage of them to the fullest extent because of the massive amounts of data that must be processed on a continual basis. Qato is a game changer.

The Solution

It is very challenging to remotely attack a network without generating network traffic and leaving some trace, yet it is also very difficult for the network defender to find the needle in the haystack that is that trace and to correlate all the traces into the realization that something malicious is going on. The Qato anomaly detection solution collects operating system logs, firewall logs, intrusion detection logs, network logs, and other security-relevant information, and combines them with supporting information such as vulnerability scan results, port scan results, etc. This allows the defender to much more easily perform tasks such as identifying new data connections that appear on the network from one day to the next, or identifying programs run on Windows desktops that have never been seen before. These types of results allow the defender to better focus on the early signs of anomalous behavior on the network. The inherent false positives in any one detection method are mitigated by combining the results of all detection methods to highlight the activities that are doing multiple “bad” things. Attempts to hide network reconnaissance by acting slowly over long periods of time become easier to detect. Beyond these examples, other new analytic techniques will be discovered and made possible by a greater ability to store and process the vast amounts of data available to the defender today. The problem then shifts from drowning in data to looking for more sources of data to cross-correlate with.

Our Qato anomaly detection solution utilizes recent advances in Big Data technology to put these advantages within reach. Instead of collecting less data so that a human can review as much of it as possible, Qato collects as much data as possible and runs analytics that reduce what the analyst has to look at to as little as possible until a threat is detected. Then, upon detection, the analyst has a vast amount of data to dive into. 

Imagine logging the metadata for every network connection on a network, including source, destination, source port, and destination port, on a daily basis over long periods of time. Numerous opportunities arise for the defender to gain advantage by having the ability to both store and process this information. For example, it would be helpful to be able to process a day’s worth of connections and highlight any connections from an internal host to an external host that have never been seen before. People and systems tend to be creatures of habit. Given enough time, a large percentage of connections will be repeated. Being able to easily identify “new” activity that has not been seen before would be very useful. You could also use the same type of data to produce profiles of what is “normal” for a large number of systems and then highlight any deviations from those profiles. 

There is no one “magic bullet” for detecting malicious behavior. However, our experience has shown that, while any one technique may provide false positives, it is rare for multiple monitoring techniques and/or algorithms to start alerting for a particular entity at the same time. Therefore, looking for cumulative patterns causes truly suspicious behavior to bubble to the top.
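As an added illustration (not Qato's code), the following Python sketches the two ideas described above: a "never seen before" baseline built from daily connection and process logs, and an aggregate alert that fires only when more than one detector flags the same host. All records are constructed sample data; the internal address range, day numbering and detector names are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (not real logs). Days 1-3 form the learning
# baseline; day 4 is the day under review.
INTERNAL = ip_network("10.0.0.0/8")            # assumed internal range
CONNECTIONS = [  # (day, src, dst, dst_port) from flow/firewall logs
    (1, "10.0.1.5", "10.0.0.2", 53), (1, "10.0.1.5", "203.0.113.10", 443),
    (2, "10.0.1.5", "10.0.0.2", 53), (2, "10.0.1.5", "203.0.113.10", 443),
    (3, "10.0.1.5", "10.0.0.2", 53), (3, "10.0.1.7", "203.0.113.10", 443),
    (4, "10.0.1.5", "10.0.0.2", 53),            # habitual, not new
    (4, "10.0.1.5", "198.51.100.9", 8443),      # never-seen external peer
    (4, "10.0.1.7", "203.0.113.10", 443),       # habitual
    (4, "10.0.1.7", "10.0.0.9", 445),           # new, but internal-to-internal
]
PROCESSES = [  # (day, host, image) from Windows process-creation logs
    (1, "10.0.1.5", "outlook.exe"), (1, "10.0.1.7", "outlook.exe"),
    (2, "10.0.1.5", "outlook.exe"), (3, "10.0.1.5", "outlook.exe"),
    (4, "10.0.1.5", "outlook.exe"), (4, "10.0.1.7", "outlook.exe"),
    (4, "10.0.1.5", "newtool.exe"),             # never seen on this host
    (4, "10.0.1.7", "calc.exe"),                # never seen on this host
]

def baseline(records, day):
    """Set of (entity, key...) tuples observed strictly before `day`."""
    return {r[1:] for r in records if r[0] < day}

def new_external_connections(day):
    """Internal -> external connections on `day` absent from the baseline."""
    base = baseline(CONNECTIONS, day)
    return sorted(
        (src, dst, port) for d, src, dst, port in CONNECTIONS
        if d == day and (src, dst, port) not in base
        and ip_address(dst) not in INTERNAL)

def new_processes(day):
    """Program images first seen on a host on `day`."""
    base = baseline(PROCESSES, day)
    return sorted((h, img) for d, h, img in PROCESSES
                  if d == day and (h, img) not in base)

def aggregate_alerts(day, min_detectors=2):
    """Count distinct detectors firing per host and alert only when at least
    `min_detectors` agree, so one noisy detector alone does not page anyone."""
    hits = defaultdict(set)
    for src, _dst, _port in new_external_connections(day):
        hits[src].add("new_external_connection")
    for host, _image in new_processes(day):
        hits[host].add("new_process")
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_detectors}
```

With the threshold at two detectors only 10.0.1.5 surfaces; 10.0.1.7's single new process stays below the alert line until something else corroborates it.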

To watch a Cybersecurity use case demo featuring Qlik and AlphaSix QATO, please click on the following link "The Key to Cybersecurity - Data Analytics"


Interested in learning more about our Qato anomaly detection solution?

Contact our sales team and we'll get started planning your implementation today.