For most clients, understanding if they can defend against a known or zero-day attack is complex. Typically without a third-party auditor or framework, companies don't revisit their tools or practises often enough to prevent malware or other abuses from exploiting vulnerable systems. That is why IntelliGO offers an Managed Detection and Response (MDR) service for small and medium-sized clients looking to understand their security posture.
What is MDR?
“Managed detection and response improves threat detection monitoring and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls. Security and risk management leaders need to understand this service and its implications for their environments.”
- Gartner, MDR Services Market Guide 2017.
IntelliGO simplifies this process for new customers who are unsure of their security posture by simply and quickly installing our platform within their environment and generating a report. This report, known as the Prevention Posture Assessment (PPA), is a snapshot or a point-in-time evaluation of your organization's security posture, utilizing IntelliGO’s technology platform and cybersecurity analysts.
The PPA process will collect, analyze and report findings in a PPA report. In it, are four sections that help you to understand if you have, or can, be breached and recommendations to reduce the overall risk exposure for the organization.
Section 1 – Traffic Analysis
Network traffic can indicate active attacks or attempts to compromise systems remotely using application vulnerabilities. These attacks must be closely monitored to discover a breach or find any indicator that an attempt is being made to breach systems. This section looks for intrusion prevention, URLs, malware downloads and the ability for your systems to stop threats automatically and alert you.
Section 2 – Vulnerability Analysis
Vulnerabilities are examined to demonstrate how an attacker could compromise systems over the network to run malicious code through that network. This provides a view into the weaknesses within existing applications that an attacker would also be able to see.
Section 3 – Endpoint Detection and Response
Endpoint protection is the last line of defense against many different attacks and should prevent, as well as inform and forensically analyze, any threats on devices in your environment.
Section 4 – System Compliance
Systems must maintain software levels and be regularly updated and scanned to ensure that as many vulnerabilities or threats on the system as possible are being checked for and removed continuously.
The following is a map of the complete path for network communication from the process initiating communication on the endpoint to the content transmitted over the network to the final destination. This provides visibility into the devices, files and processes responsible for threats and tracks protection from security systems such as firewalls and endpoint protection.
- This tells you how threats can get in or take data out of your organization. Typical organizations deploy Intrusion Prevention or Firewall technology in the hopes of preventing security issues in network traffic such as viruses or denial of service attacks and copying sensitive data outside such as files or passwords over the network. The key to stopping data breaches using these tools is to collect all the traffic logs then correlate it to the devices and processes that are responsible for it. Then you illustrate it simply to a security team that uses the same tool to adjust policy across the network or devices and stop issues they find. That’s what the IntelliGO Managed Detection and Response service is all about.
- It also maps opportunities for improvement such as whether you can see threats over encrypted traffic channels such as SSL/SSH and/or shows you how IntelliGO can trace network traffic to the endpoint processes which create them to help hunt down threats or prevent issues faster.
IntelliGO collects data from the source and scans all systems in the organization for security vulnerabilities. The following describes the vulnerabilities which present opportunities for cyberattack. From this graph we determine the number of users with access to the network, the managed and discovered devices and the security vulnerabilities within them.
- This information helps administrators stay ahead of security vulnerabilities that hackers use to take over machines and steal data. By staying ahead of these issues, attackers have a much more difficult time compromising your systems.
- This also helps the IntelliGO security team measure how effective prevention systems such as firewalls, IPS and host firewalls are at stopping these attacks and informing the team that they are happening.
IntelliGO sensors and scanners observe endpoints across all operating systems. It tracks the location and system and application behavior from these devices. From the graphs below we observe that the physical location of assets is isolated to corporate offices with no devices venturing more than a few miles from the office locations or reported lost or stolen.
- This information is key in detecting any attempts to connect to your operating systems such as laptops and servers. Typically only central systems such as directories or RADIUS are monitored, leaving hosts such as applications running locally from tracking any unauthorized authentication.
- Communication from processes and their very presence is also a key indicator of compromise. If there is a process we don’t recognize as a standard or known processes are communicating to untrusted systems then this information will help our teams shut down processes faster.
Firewalls and Anti-Virus systems at the organization send data to IntelliGO to ensure that a consistent and mature prevention posture is configured at all times. Firewalls can be aggregated to see traffic by rules, or users and endpoints in relation to those rules. Anti-malware logs and status can be examined in detail by the IntelliGO sensor to observe status, quarantine and scan results.
- 99.9% of data breaches begin with a vulnerability that was released over a year before the compromise according to breach statistics. This section offers information about the most critical components of your security architecture patches and anti-malware protection.
- Above and beyond patching and updated anti-virus is the visibility of all endpoints on the network to ensure that there are no gaps from IoT or BYOD devices on the network. Third-party software for firewalling, backup and public file sharing applications are also analyzed to ensure compliance with regulations or to mitigate threats using the same standards as a best practice.
How information is collected:
IntelliGO’s security platform collects information from the network by integrating with various components in your network.
1) TAP/SPAN/Mirror Ports: By connecting to network traffic IntelliGO security platform can monitor for devices connecting to the network over DHCP and observe network traffic and threats leaving that network.
2) Scanning Engine: IntelliGO security platform can scan the local network hosts to find vulnerabilities in systems and configuration. Scans can be run with or without credentials. The scanner can also map the network by using SSH credentials to switches for dynamic and up-to-date maps of the network.
3) Syslog Collection: Security systems such as firewalls and anti-virus systems send syslog traffic to IntelliGO security platform to interpret consolidate the security issues across tools.
4) Sensors: IntelliGO supports sensors to examine endpoint software, packets leaving devices and query devices for changes to the file system, peripheral connections such as USB keys and other security issues. These sensors run on Windows, Mac OSX, Apple iOS, Android, Chromebook and special packages for Linux. The sensors can be self-enrolled or distributed through patch management software.
Information collected is stored in the IntelliGO security platform and custom dashboards created to populate security reports by IntelliGO Risk Mitigation Center. New reports and searches as well as integration are released and can be used in the console as needed.
Why do I need a PPA?
Prevention tools like firewalls, SIEM, IPS and EPP are still letting threats through because of poor coverage as they are mostly limited to perimeter and known signatures. They are not always optimally configured and have limited visibility and control over files and endpoints. In addition, security teams are not equipped to proactively handle the security operation workload to scan, patch, detect and collect forensics 24/7/365. Companies need to focus on detection and response and a PPA is the first step in recognizing this need.
What do I need to get started? How does it work?
The process is simple - we install a virtual machine inside your network. Data from your network, security tools and endpoints is collected using our methods, like TAP, Scan, Syslog and Sensor methods mentioned on the page below. Our engineers will work with you over the phone to set this up on VMware or Microsoft Hyper-V and configure your network, firewall or devices to provide information.
Once the devices are listening we will send a test file to the endpoint and see how the tools perform finding the file as it passes through the network and endpoint.
How long does it take?
Setting up the virtual machine and taking in the information from a sample device only takes a few days to set up and coach administrators through the setting up of other devices. From there, the elapsed time is a few weeks of data collection to ensure we get a detailed sample of what is going on in your environment. After that, an engineer will compile this report and book time to review it with you and other staff.
Does it cost any money?
The assessment is free of charge for customers who meet certain criteria. The assessment is targeted towards organizations that are actively looking for a security technology investment with a project, budget and timeline for one or more of the following product categories: network access control, managed services, security information and event management, vulnerability assessments, security gap analysis, mobile device management or bring your own device programs.
Do I need any special software or hardware to run the assessment?
IntelliGO can run on hardware or virtual machine. Virtual machines running VMware v5+ or HyperV are recommended with 2.4GHZ x 4 Cores, 16GB RAM and 100GB of space. The assessment may also look at syslog from an enterprise firewall such as Palo Alto Networks PANOS 7+. Sensors can be installed on sample devices from Windows or Macintosh products. If conducting a TAP install, network equipment must be capable of configuring SPAN or Mirror ports.