GREYCORTEX JOINS EY PROGRAM

GREYCORTEX is happy to announce that we have been selected to be part of the 2018 EY Accelerating Entrepreneurs program. This event, which happens in Amsterdam between the 21st and 24th of April, 2018, brings together companies selected as among the most innovative and advanced, worldwide.  In addition to being one of only 30 companies selected to attend, GREYCORTEX is also the first Czech company in the history of the program to be selected.
As the EY press release notes: “The 2018 class of entrepreneurs represent dynamic businesses that focus on innovative and disruptive fields like artificial intelligence (AI), augmented reality, virtual reality (VR), customer interface, analytics, robotics and the Internet of Things (IoT).”
According to Annette Kimmitt, EY Global Growth Markets Leader, “… This year’s class is already solving big challenges, disrupting their markets and have cutting-edge technologies. We want to prepare these transformative entrepreneurs to expand from their local markets to a position of navigating and leading the world by pursuing their global growth objectives.”

We’re looking forward to joining the other 29 companies and accessing the wealth of information available from EY.

GREYCORTEX RELEASES MENDEL 3.0

March brings the most recent version of GREYCORTEX MENDEL; Version 3.0. As part of this release, MENDEL 3.0 brings several new features SOC administrators will love, as well as continued expansion for SCADA networks and upgraded hardware support.

Specifically, MENDEL now supports the latest in DELL Rx40 hardware. Those in SCADA network environments will enjoy updates to the MENDEL IDS system. Version 3.0 also includes visibility for the NFS (Network File System) and IEC 60870 5 101/104 protocols. SOC users will note that dashboards have been adjusted to better accommodate multiple sensors, and that the overall capacity for sensors connected to one collector has been increased to 30. Finally, MENDEL’s capabilities have been expanded to include the ability to add your own blacklist file, as well as export files to IBM Qradar SIEM via the LEEF format.
New Features

  • GREYCORTEX has added support for the latest Dell servers (Rx40) so users will now be able to use the latest hardware.
  • SCADA support continues, with updates to the MENDEL IDS engine to include visibility IEC 60870 5 101/104 protocols – bringing new security for professionals in the energy infrastructure sector.
  • SOC administrators will appreciate several new features in version 3.0, including new dashboard settings suitable for multiple sensors for better SOC visualization, as well as the ability to add up to 30 sensors on one collector, and finally; LEEF expert format for events exported to IBM Qradar SIEM, and the ability to upload users’ own blacklists in .csv file.

Improvements
Several MENDEL features were improved. These included easier license extension, host identification, decryption performance, status monitoring, and data export.
Bug Fixes

In general, our development team focused on improving the user experience and reporting.

Please note that updating to version 3.0 requires appliance restart and may take up to one hour.

Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.0 to work for you.

GREYCORTEX OPENS JAPANESE OFFICE, ANNOUNCES FIRST PARTNER AND CUSTOMERS

GREYCORTEX is happy to announce that we have successfully entered the Japanese market with our first office outside of Europe, and first Japanese partner and customers.
The new GREYCORTEX office, located in Kobe, Japan, will focus on sales and service across the APAC region. It will be led by Milan Fujita, who brings nearly 20 years of experience in the software sector and the Japanese and APAC markets. The office will also coordinate the regional collaboration between GREYCORTEX and its regional ESET technology alliance partners. The office may be contacted at: Kobe Fashion Mart 10F, 6-9 Koyo-cho Naka, Higashinada-ku Kobe, Hyogo, Japan 658-0032.
GREYCORTEX is also happy to announce our first partner in Japan: iSEC. Information Security Inc. Based in Kobe City, iSEC is led by CEO Yoshihisa Suzuki. iSEC offers the MENDEL Network Traffic Analysis throughout the country. The relationship is already bearing fruit, with two customers implementing GREYCORTEX MENDEL; Hyogo Prefectural Government (https://web.pref.hyogo.lg.jp/fl/index.html) and University of Hyogo (http://www.u-hyogo.ac.jp/english/index.html)
We look forward to many years of success from these relationships.

GREYCORTEX MONITORS NATO CCDCOE CYBER DEFENSE EXERCISE

GREYCORTEX is happy to announce that we, represented by Petr Chmelar, Chief Research Officer, successfully participated as a member of the Situational Awareness (Yellow) Team in the recent “Crossed Swords 2018” cyber defense training exercise, held in Latvia and organized by the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) in cooperation with CERT.LV.
The sister event to the larger NATO CCDCOE “Locked Shields” cyber defense exercise (the largest and most complex live-fire cyber defense exercise in the world), “Crossed Swords” is focused on practicing skills required to carry out responsive tactical cyber operations. “The exercise aims to practice skills required to fill the role of the Red Team at cyber defence exercises and to offer the most cutting-edge and challenging training experience for national cyber defenders. It is evident that in order to defend ourselves better in cyberspace, we need to know how attacks are carried out,” explained Aare Reintam, Project Manager of Technical Exercises at the NATO CCDCOE. The “Crossed Swords 2018” event included a group of more than 80 cybersecurity professionals from 15 countries.
In this year’s exercise, the Red Team was tasked with conducting a full spectrum cyber operation in a fictional scenario, while the Blue Team actively defended their assets. The Yellow Team monitored Red Team activity from different sources of information, such as network tap and host-based log files, and provided a highly valuable near real-time feedback. As part of the exercise, GREYCORTEX contributed features to “Frankenstack,” a novel stack of tools built by NATO CCDCOE, Tallinn University of Technology, CERT.LV, and industry partners.
GREYCORTEX’s experience didn’t end with the end of the training exercise. Inspired by “Crossed Swords,” GREYCORTEX renamed its Malware Lab research team to the “Red Team,” but as Petr Chmelar noted, “We will always be Yellow Team-focused.”

GREYCORTEX BECAME A MEMBER OF EUCYBSEC

GREYCORTEX became a new member of the non-profit Association, EUCYBSEC (European Cyber Security Excellence Center). Interests of the Association are cybersecurity and protection of SCADA systems. EUCYBSEC is aiming to create a communication space, where commercial, state and academic specialists can freely interact and share their knowledge. Thanks to EUCYBSEC membership, GREYCORTEX gets an opportunity to participate in professional events organized by the Association.

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX

Founded in 2016 in Brno, Czech Republic, GREYCORTEX helps organizations make their IT and OT operations secure and reliable with uses advanced artificial intelligence, machine learning, and data mining methods which detect advanced threats to security and risks to reliability that other solutions miss.

NEW VERSION 2.3 RELEASED

GREYCORTEX launched a new 2.3 version MENDEL Analyst. It added standardized support of NetFlow and IPFIX, new ways of data presentation and several performance improvements and more.
New features

  • New tool in GUI “Network Analysis” – user defined aggregated statistics for better analysis of network traffic and security incidents
  • Standardized NetFlow with IPFIX fully supported
  • New user account administration page
  • Changelog page with history and enhanced updating using RPM packaging system

Improvements

  • Major performance improvements of signature-based detection engine
  • Improved DNS cache with TTL support for better hostname resolution
  • Improved algorithm for matching hosts with Active Directory users
  • Inserted GUI URLs kept after login
  • Improved export of charts
  • Enhanced system log management with filtering by time and a system component

REVIEW OF GREYCORTEX MENDEL

A USEFUL SECURITY PRODUCT THAT OFFERS A WIDE VARIETY OF INTERESTING POSSIBILITIES

GREYCORTEX MENDEL is a solution for detection, monitoring and analysis of advanced security incidents in network traffic. This solution is based on a combination of various types of detection technologies:

  • Intrusion Detection System (IDS), including Deep Packet Inspection (DPI)
  • Network Behavior Analysis (NBA); the analysis is based on the principles of artificial intelligence
  • Network Performance Monitoring (NPM) and Application Performance Monitoring (APM)
  • A tool for event correlation and risk assessment

During the initial design, the focus was on custom Advanced Security Network Metric (ASNM), large scale data mining based on artificial intelligence, and unique specialized algorithms providing detection of the entire scale of threats and anomalies. Immediate outcomes can be obtained via an intuitive user interface and user-defined reports. GREYCORTEX also brings a whole lot of other interesting options, e.g. for forensic purposes, it provides a complex and detailed overview and history of network traffic, behavior of users, network hosts, applications and services.

DATA SOURCES

The main input is a network data from a mirror port on a backbone switch or a network tap. The NBA detectors are able to accept summarized data in the format of custom ASNM metrics or according to NetFlow v5/9 and IPFIX for IPv4 and IPv6. In addition to the network traffic, the product is able to identify identity context using the company’s LDAP or the Active Directory services. These technologies can also be used for user management and authentication.
Detection signatures dataset containing over 30,000 rules is obtained from external sources. IP address blacklists and their reputation (trustworthiness) are also obtained. These lists are regularly updated on an hourly or on a daily basis. This enables the tool to obtain information about generally known malware and about Command and Control (C&C) attack servers, sources of attack, and known botnets. Moreover, uses a list of known sources of spam, information about Tor[1] networks and about proxy servers as well as information about ownership and geographic position of the communicating hosts and domains.

ASNM PROTOCOL

The ASNM protocol is used to track over 70 attributes of each individual flow in the network. For each flow, it generates information about the source and the target, its duration, size of the data portion and packet counters. MENDEL also retrieves information about frequency spectrum and performance such as Application Response Time (ART), Round Trip Time (RTT), Jitter, and other.
The functions enabling the detection of anomalous and potentially undesirable behavior work similarly in NetFlow protocol; however, thanks to ANSM, they are more detailed and therefore more effective. Another difference consists in the ability to identify consistent bidirectional flows in the network. For application detection, a custom application protocol recognition mechanism similar to NBAR (Network-Based Application Recognition) standard used in Cisco devices is employed; the mechanism can recognize hundreds of protocols. The DPI technology enables extraction of metadata for almost 30 application protocols, even in tunneled traffic.

DETECTION MECHANISMS

The incident detection is based on two methods, first based on signatures (IDS) and anomaly detection (NBA) based on machine learning and artificial intelligence. The whole mechanism of learning consists in detailed modelling of the whole network on various levels. From models of the entire network to models of individual services of individual hosts and devices.
The application is continuously learning to distinguish characteristics of anomalous flows from the normal ones based on probability and statistical models without the need for decoding or decrypting the data. After installation into a network, it is necessary to let the application train itself in a new environment for at least a couple of hours. It gains the complete knowledge after approximately one week.
The following algorithms of machine learning are based on the ASNM protocol:

  • Selection of relevant individual metrics
  • Bayesian analysis based on learned probability of events
  • GMM/EM (Gaussian Mixture Models/Expectation-Maximisation) probability models

Probability based (Bayesian) modelling provides almost 1,000 parameters divided for each flow of a host in a network or subnetwork and its services provided locally or remotely. A separate model is created for each service of the host, network device, services aggregated on the network, subnetwork mask, state and ASN (Autonomous System Number).

OUTPUTS

GREYCORTEX MENDEL enables the user to export the created events in various formats and send them via e-mail or to remote SIEM (Security Information and Event Management) servers for archiving or further processing. This makes it possible to generate alerts based on defined conditions and notifications about the detected anomalies. In this way, it is possible to create user configured reports containing text or graphic visualization of the detected events, network performance or applications and other data in the system. The messages can include a variety of adjustable elements including tables and graphs. The messages can be exported to standard document formats such as DOCX or PDF.
The e-mail system supports connection to standard e-mail servers with SMTP protocol and encrypted communication based on PGP (Pretty Good Privacy). The data exports can also be performed in preset intervals or during detection of a particularly important event. The tool also supports export to SIEM systems using Syslog, CEF format (Common Event Format) or IDEA (Intrusion Detection Extensible Alert). These messages can be previously configured and filtered according to the requirements of system integration.
It is possible to detect:

  • RAT Trojan horses (Remote Access Trojan) including C&C system activities
  • Zero-day type of vulnerabilities and exploitation of services
  • Malware on mobile and embedded devices
  • Long-term APT attacks (Advanced Persistent Threats)
  • Data leaks with DNS, SSH, HTTP(S), etc.
  • Tunneled traffic
  • Protocol anomalies indicating a long-term port scanning and other attacker activities
  • Masquerade attacks (the attacker pretends to be someone else), dictionary attacks and brute force attacks
  • Spam detection
  • Preparation for data theft and exfiltration (e.g. by employees)
  • Automated data harvesting
  • Data theft (e.g. from web applications)
  • Phishing attacks
  • Violation of internal security rules and policies
  • Faulty network settings
  • Network and application performance issues
  • Dos and DDoS attacks
  • New or unknown devices, e.g., of the BYOD type (Bring Your Own Device)

Data fusion and correlation techniques enable the detection of a wide spectrum of threats and activities. These techniques analyze the most interesting information about a particular network obtained through various detection mechanisms. It is possible to find event correlations, eliminate false positives and perform risk estimates. The system is also compatible with systems for risk categorization such as CVSS (Common Vulnerability Scoring System) or NIST Critical Infrastructure Cybersecurity Framework, etc.

INSTALLATION PROCESS

The application is supplied as a hardware appliance or as an installation ISO file for a virtual hypervisor. Depending on the mode of deployment, the appliance is supplied with 2, 4 or 8 network interfaces enabling the monitoring of the required number of source lines. The solution can be installed in a probe/collector configuration that enables monitoring geographically remote networks or as a cloud.
We tested the version 2.2.0 of the product at Karel Engliš College (VŠKE). For testing purposes, we selected the virtual deployment on the base of a fully functional 30-day demo. To ensure that the application runs correctly, it is necessary that the server includes a processor with at least 8 virtual cores, 32 GB of RAM, disk capacity of 500 GB and two network interfaces; VM-ESXi virtualization system was used. The installation went smoothly, without any issues.
Tabs for the individual configuration areas are placed well, they enable a quick transition to settings of monitored networks and policies (Policies tab), Detection mechanisms (Detection tab), notifications and exports (Exports tab), and authenticating mechanisms, users and their rights (Users tab). In the Network tab, there is a practical priority setting.

USE OF THE TOOL

At first glance, working with GREYCORTEX is very pleasant, mainly thanks to the elaborate filtering options and user-configurable overview dashboards. The possibility of a quick display of the communication of each device and all its services was interesting for me. In particular, it is the security visibility and transparency network that the applications brings. The overview of incidents detected at the level of detection patterns is ideally complemented by incidents identified by NBA methods.
In the Detection tab, it is possible to display the defined blacklists and false alarms, set the NBA detection mechanisms and policies for IDS rules, create the necessary correlation rules, also capture and save network traffic on the basis of a defined filter into PCAP format files.
The Export tab allows to define exports; we at VŠKE use SIEM; therefore, the possibility of exporting the data into this system was interesting for us. However, we encountered an issue particularly relevant for schools; instead of one application we now need two: SIEM and GREYCORTEX.

CONCLUDING REMARKS

What particularly excites me about this product is the possibility to analyze incidents (we have quite a few of them in the student subnetwork) both from the point of view of their progress in time and in the smallest details. I also appreciate the elaborate elimination of false alarms. The documentation fulfills the basic criteria, but I believe it would be convenient to add some examples of typical settings. The product is still being developed and I am curious about what next the producer will come up with.
Doc. Ing. Jaroslav Dočkal, CSc.
Graduate of VDU Martin and VAAZ, currently the vice-dean of science and creative development at Karel Engliš College. He gives lectures at Masaryk University and University of Defence. He’ is also a lecturer at Cisco Academy, a tutor of HP and a member of DSM magazine editorial board.

MENDEL TECHNOLOGY MAXIMIZES SECURITY FOR COST

Cybercrime is evolving at drammatic speed and at every moment, hackers and attackers are figuring out new strategies to compromise organizations and industries. The cybersecurity sector must not fall behind these attackers.
But the number of technologies claiming to create cybersecurity is vast. Organizational spending and reallocating investments to the right network security sector can help reduce cost of cyber breaches. A recent report produced by Accenture, with an independent survey by the Ponemon Institute indicates that among the higher-valued security technologies per cost; machine learning tools and extensive use of cyber analytics and user behavior analytics, have a high return on investment – in other words, they can bring a greater security benefit for a lower cost. Yet, conversely, Accenture reports that these high value technologies are under-deployed compared to other tools in the marketplace.

MENDEL, from GREYCORTEX makes extensive use of machine learning and behavior analytics to identify cyber threats, protecting the network from attacks which would be unknown and unseen by other security tools.

To find out more about MENDEL’s machine learning technology can help you, or to schedule a demonstration, contact your local GREYCORTEX partner, or GREYCORTEX directly.
With this findings comes opportunity to focus on the right technology to protect a company’s assets.

Study and images are found in the following study: https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf

GREYCORTEX RELEASES MENDEL 2.9

GREYCORTEX is happy to announce the latest version of GREYCORTEX MENDEL; Version 2.9.0. This version includes several new important features: the first is the Flow Exporter, which gives you the possibility to export flows from MENDEL to your SIEM solution. The second important feature is the ability to execute script commands to other devices e.g. a firewall systems in order to block communications. SCADA network protocols Modbus and DNP3 L7 visibility have also been added, as has the ability to audit commands executed from ssh connections.
New Features

  • Added a Flow Export feature, which allows you to export flows from MENDEL to your favorite SIEM tool. This allows you to have the same data detail of a much more expensive SIEM-specific flow export tool, at a fraction of the cost.
  • Added ability to execute and send scripts, e.g. to a firewall – which means you can identify and stop incoming malware at the firewall, without ever leaving MENDEL.
  • Added integrated Modbus and DNP3 SCADA protocol visibility. Think of it as MENDEL for the industrial control systems. GREYCORTEX takes its next steps into protecting not just “traditional” networks, but also SCADA systems as well with these protocols.
  • Added SSH auditing (turn on the SSH audit signature in status monitor signatures)
  • Added possibility to filter by group of entities (subnet, host, mac, user) to extend filtering options using comma “,”, e.g. src:172.16.9.20,172.16.9.21 & dst:1.2.3.4 which shows communication between source IPs 172.16.9.20 or 172.16.9.21 and destination IP 8.8.8.8. In a nutshell: much more efficient filtering capabilities are now yours. Identify communication from not just one source and destination, but several hosts to a single destination, so complicated attacks are now clear.
  • MENDEL is powerful and detailed, but now it works just as well for the T1 Security Analyst. New installations and newly created users will see new default dashboards with Overview, Performance, and Security tabs included, for ease of use by everyone.

Improvements
Several different features of MENDEL were improved. These included improvements to the installation and update process, optimization of flows, and detection features – including the ability to choose your favorite IDS ruleset, or better L7 application service recognition.
Bug Fixes
In general, our development team focused on repairing inconsistencies in user experience and connectivity.

PETR CHALOUPKA NAMED TO NE100

GREYCORTEX is happy to announce that CEO and Co-Owner Petr Chaloupka was named to the New Europe 100 (NE100). The list is made up of individuals selected by the Financial Times, Google, the Visegrad Fund, and Res Publica.

Now in it’s fourth year, the 2017 New Europe 100 “is a list of central and eastern Europe’s brightest and best citizens who are changing the region’s societies, politics, or business environments and displaying fresh approaches to prevailing problems. The aim is to raise the profile of changemakers in emerging Europe and to build connection among those in the vanguard.”
Previous editions of the NE100 have included such well-known business leaders as Vaclav Muchna, CEO of Y Soft.
You can read more about the NE100 here: http://ne100.org/news/show/new-europe-100-challengers-2017,5a166ff03228719568984a76