MENDEL 2.8 RELEASED

We are happy to announce the latest version of GREYCORTEX MENDEL. Version 2.8 brings three important new features. The first is the Event Collector, introduced in the limited-release v2.7, which lets events from several remote GREYCORTEX MENDEL collectors be monitored centrally. The second is the Correlation Engine, which correlates individual, less serious events that together may indicate an attack within the network, so that analysts are alerted to the pattern rather than to each event on its own. The third is proxy pairing, which identifies source or destination addresses hidden behind proxy servers, giving security analysts better visibility and making potential issues on the network easier to pinpoint.
New Features

  • Added a beta version of the Correlation Engine with seven tuned rules (enable it under Settings->System Components)
  • Added a proxy pairing feature to display source or destination addresses hidden by a proxy server

Improvements

  • Optimized the display of charts and tables in the Network module
  • Added information about the type of key exchange algorithms in HTTPS and TLS flows
  • Improved the calculation of flow metrics to show values valid for specific parts

Bug Fixes

  • Fixed issues with disabling deep packet inspection and enabling rules in IDS
  • Fixed an issue with updates to older installations
  • Fixed issues with MS-SQL protocol parsing at higher speeds
  • Fixed an issue with displaying current values on the Network Services tab
  • Fixed an issue with displaying multiple VLAN IDs in a single flow
  • Fixed issues with parsing SMB flows
  • Fixed issues with editing export definitions
  • Fixed an issue with pagination results in the Peers graph
  • Fixed issues with restarting services
  • Fixed an issue with filtering by protocol type
  • Fixed an issue with deleting user-defined filters
  • Fixed an issue with saving user-created or user-defined filters
  • Fixed an issue with displaying VLAN statistics in the Analysis module
  • Fixed an issue with exporting records in CEF and Syslog formats
  • Fixed an issue with long hostnames
  • Fixed issues with calculating the minimum and maximum duration of flows
  • Fixed link formatting in Exports
  • Fixed an issue with displaying ASN names in flows
  • Fixed an issue with displaying host information in the Analysis module
  • Fixed the calculation of RTT and ART metrics in long term flows with unfinished communication
  • Fixed an issue with the validation of row counts in Column Manager

GREYCORTEX WINS AGAIN AT CESA 2017

GREYCORTEX took home the top prize in its category at the Czech Finals of the 2017 Central European Startup Awards (CESA). The Czech final, held on September 25th in Prague, recognized GREYCORTEX as the Best AI Startup in the country.
The Central European Startup Awards is a series of national events in the CEE countries, recognizing and celebrating the entrepreneurial spirit and startup ecosystems of the region. Having been successful in the AI Startup category in the Czech Republic, GREYCORTEX now competes in the Regional Finals, to be held in Sofia, Bulgaria on November 23rd. GREYCORTEX was successful at last year’s Regional Final, winning “Best Newcomer” in Ljubljana, Slovenia.
A list of CESA Czech Winners in 2017 may be found at: http://centraleuropeanstartupawards.com/season-2017/czech-republic-national-winners

GREYCORTEX JOINS ESET TECHNOLOGY ALLIANCE

Excellent news from Brno!
GREYCORTEX is proud to announce that we have been named part of the ESET Technology Alliance. Besides complementing ESET’s existing endpoint security solutions by addressing traffic within the network, this relationship means that GREYCORTEX MENDEL is now available through all ESET partners worldwide. You can read our full press release below:

GREYCORTEX Joins ESET Technology Alliance

Brno, Czech Republic – GREYCORTEX, an advanced network security solutions provider, is happy to announce that it has been named a part of the ESET Technology Alliance, which provides holistic protection against advanced cyber threats. Launched in 2013, the ESET Technology Alliance is an integration partnership that aims to better protect businesses by offering a range of complementary IT security solutions. All members of the ESET Technology Alliance are carefully vetted against a set of established criteria to extend “best-in-class” business protection across IT environments.
Through the ESET Technology Alliance partnership, MENDEL, GREYCORTEX’s network traffic analysis solution, is now available to enterprise customers through all ESET partners. MENDEL uses advanced artificial intelligence, machine learning, and data analysis to detect threats to enterprise, government, and critical infrastructure networks that other network security solutions miss. It offers rapid detection and response to network security teams, and also lets them efficiently monitor network performance and visualize the entire network up to and including the application layer.
“Providing effective network security is continually evolving. Security analysts need to be able to identify not just threats like viruses, but also advanced persistent threats like malware, RATs, Trojans, and Zero-day attacks. Analysts also need to know that they have full network visibility on every device and application in the network. MENDEL provides complete network visibility and detailed insight into application and network performance, so that security teams can identify threats before they do damage,” said Petr Chaloupka, CEO, GREYCORTEX.
GREYCORTEX complements ESET’s existing endpoint security solutions by addressing traffic within the network. “There are never enough layers of security for one’s network infrastructure,” said Jeronimo Varela, Director of Global Sales at ESET. “The GREYCORTEX solution provides an analysis of any behavioral anomalies that may go unnoticed. Moreover, the solution is easily integrated into the infrastructure of businesses of any size and can work not only as a detection or monitoring tool, but also to provide visibility into the functionality of additional security components.”
About GREYCORTEX
Built on a decade of extensive industry and academic experience, GREYCORTEX uses advanced machine learning and data analysis to help protect sensitive data, networks, trade secrets, and reputations. In addition to the ESET Technology Alliance, GREYCORTEX serves customers in over 14 countries through its own distributor network. In 2016 GREYCORTEX received an investment of 1.3 million USD from Y Soft Ventures, a venture capital arm of leading enterprise office solution provider Y Soft.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.

MENDEL: SECURITY AND VISIBILITY IN NETWORK MANAGEMENT

Network management is a stressful proposition: it comprises not only administering the network, but also maintaining its performance, provisioning devices, and so on. The number of devices in a network keeps growing, partly because of IoT within the office and BYOD devices that come and go frequently, and advanced persistent malware adds further risk, so the stress is only increasing.

Luckily, GREYCORTEX MENDEL helps reduce the stress of network administration. According to recent studies, 76% of IT professionals cite lack of visibility as a challenge in addressing issues in their networks. MENDEL offers full network visibility, up to and including the application layer, without having to profile a specific subnet or host in advance. So whenever a new device enters the network, or a subnet or host is moved, identifying vulnerabilities or reconnecting the appropriate devices is easy.
MENDEL also helps network administrators improve their security, especially against advanced threats hiding within a network. Firewalls, antivirus, SIEMs, IPS, sandboxes and similar tools are commonly used to protect a network. These solutions overlap to form layered security, but each of them can be defeated.
Currently it takes 46 days to detect a network breach. MENDEL steps into these gaps by identifying anomalous network traffic, differentiating between human and machine activity, and integrating robust IDS rulesets to identify threats before they can do damage, often within hours. In some cases, such as the recent WannaCry ransomware attack, MENDEL identified the attack in a matter of minutes, well before it could start encrypting files.
MENDEL is based on machine learning and big data analysis. It installs in 30 minutes and can be configured in under two hours. It monitors networks using network traffic analysis without slowing traffic. Because deployment is painless, and network speed is preserved, a risk free 30 day trial is truly “risk free.” To find out more about MENDEL, or to see what may be hiding in your network from a 30 day trial, contact your local distributor or GREYCORTEX directly.

WE ARE CESA AWARDS NATIONAL FINALISTS IN 3 CATEGORIES

For the second year in a row, GREYCORTEX has been nominated as a National Finalist at the Central European Startup Awards (CESA) – http://centraleuropeanstartupawards.com. The awards select the best startups from across 10 Central European countries, with the winners qualifying to go forward to the Global Startup Awards.
Last year, GREYCORTEX won Best Early Stage Startup, given in Ljubljana, Slovenia. This year, GREYCORTEX is nominated in three categories:

  • Startup of the Year
  • Best AI Startup
  • Best Newcomer

The Czech winners will be announced at the Czech National Finale on September 25th in Prague. Public voting for GREYCORTEX in these three categories is currently open at: http://centraleuropeanstartupawards.com/vote

GREYCORTEX RELEASES MENDEL V 2.6.1

In the newest version of GREYCORTEX MENDEL (2.6.1) we have implemented several new features to improve performance, including a new flow scheme. This new scheme also stores more flow data and metrics. Existing data will be automatically transferred into the new scheme to ensure its continued usability. The transfer runs in the background, so you can continue to work with new flow data while it proceeds. Depending on the amount of existing flow data, the transfer may take a few days, but it will not affect system usability.
We have also added a DHCP application parser, so DHCP data can now be used to identify hosts by hostname, giving you better information about hosts and enabling more effective action.
Additional Features

  • Added new aggregated flow structures and their visualizations to achieve better performance
  • Added an additional severity decision mechanism for outlier detection to better highlight larger anomalies
  • Added a new DHCP application parser
  • Added the capability to display unfinished flows
  • Added an additional metric: UET – User Experience Time – to network flows

Improvements

  • Improved database query performance
  • Improved the precision of the Round Trip Time and Server Application Response Time metrics computation
  • Optimized the performance of the Peers graph for faster loading
  • Upgraded the database to achieve greater performance
  • Set default log interval in log reporting to 7 days

Bugs Fixed

  • Fixed SMB protocol identification
  • Fixed network services model calculation
  • Removed queries to root DNS servers
  • Fixed missing DNS server configurations, which occurred in rare cases
  • Fixed settings for RX queues in network drivers
  • Fixed timezone usage
  • Fixed filtering issues in Incident Management
  • Fixed data inconsistency between Peers and Hosts graphs
  • Fixed report generation where data fields did not display correctly
  • Fixed hyperscan support on non-Intel architectures
  • Fixed password escaping issue
  • Fixed custom server certificate handling
  • Fixed system monitoring data propagation
  • Fixed DNS server settings
  • Fixed ICMP event and flow pairing
  • Fixed MS-SQL protocol parser
  • Fixed time handling in False Positives for different time zones
  • Fixed color configuration for Port Sweep detection
  • Fixed flows search in Outlier events
  • Fixed issue with duplicate hostnames
  • Fixed flow search in limit events
  • Fixed network configuration calculation
  • Fixed Url Share functionality in the comments field in Incident Management
  • Fixed filtering issue in Incident Management
  • Fixed pagination in Incident Management
  • Fixed issue in Url Share
  • Fixed transfer data calculation in the Peers graph
  • Fixed firewall autoconfiguration when enabling Netflow source
  • Fixed events filtering by name
  • Fixed subnet traffic calculation
  • Fixed allow/deny configuration description
  • Fixed the “To Filter” button in Peers graph
  • Fixed port and service name filtering
  • Fixed other issues related to Incident Management
  • Fixed subnet icons in Events
  • Fixed vulnerability to CVE-2016-2183 (SWEET32: birthday attacks on 64-bit block ciphers such as 3DES in TLS)
  • Fixed empty service description editing
  • Fixed false positives value editing
  • Fixed ICMP flow filtering on services
  • Fixed the assignment of hosts into incorrect subnets
  • Fixed host information display in the Analysis module
  • Fixed invalid DHCP transaction IDs in individual flows
  • Fixed DHCP parsing issues on flows from the DHCP relay
  • Fixed the password warning message when the password is shown as invalid during installation
  • Fixed the event payload display in IDS events
  • Fixed issues with special characters during installation
  • Fixed an issue with filtering port number and service name together
  • Fixed an issue with flow duration calculation
  • Fixed cancel button functionality in Flows view
  • Fixed calculation of the number of subnets in Events
  • Fixed the use of an incorrect filter in subnet to filter function in the Events tab
  • Fixed the filling service in False Positive
  • Fixed traffic information in incident links

“TALES FROM THE MALWARE LAB” IS LIVE!

Following the success of our video describing the WannaCry ransomware, we are happy to announce an ongoing series of YouTube videos: “Tales from the Malware Lab – Powered by GREYCORTEX.” In it, we will leverage our in-house malware lab, complete with the latest version of GREYCORTEX MENDEL to provide useful information about emerging network security threats in an easy-to-follow visual format.

The videos will provide an overview of each threat’s activity within the network, and visualize these attacks from the network traffic analysis standpoint. We are releasing these videos as a public service to the greater network security community, which will benefit from this video-based approach to malware.

The first video, addressing the “EternalRocks” malware, is available here: https://youtu.be/vI1lRi5e-SM

GREYCORTEX PROTECTS AGAINST WANNACRY

GREYCORTEX is happy to report that MENDEL, our network traffic analysis solution, affirmatively detects infection by the WannaCry ransomware, its possible variants/clones, and protects users more effectively than rule-based detection tools alone.
Because GREYCORTEX MENDEL uses advanced artificial intelligence, machine learning, and data analysis to identify network anomalies, it easily identifies threats like WannaCry, allowing network security teams to take rapid action and stop threats before they do damage.
In the case of WannaCry, GREYCORTEX tested the ransomware in our malware lab. It was found to engage in aggressive and anomalous practices, like port-scanning behavior on an SMB port (445), attempting to connect to over 4000 devices in 175 countries across the Internet in five minutes, and downloading TOR network software. All of these behaviors were identified by MENDEL’s advanced network behavior analysis.
MENDEL users are better protected from malware like WannaCry and its variants or clones than users of firewalls, IDS, or other rule-based security solutions alone. Rule-based detection needs a known signature before a rule can be written, so an attack must already have been observed and analysed before its signature can be added. MENDEL does not need a signature to identify the attack: its network behavior analysis detects the attack’s symptoms, such as the SMB port sweep described above, before it harms the network. This means security teams can be confident that should an attack happen, they will see it and be able to stop it before it does damage.
If you are concerned about malware attacks, either from WannaCry or from other ransomware or malware, you may benefit from a 30 day Proof of Concept (PoC) from GREYCORTEX. During the PoC, MENDEL automatically learns your network to identify threats which may exist, including ransomware which is lying dormant in your network, or unpatched applications, which may leave you vulnerable. Do not hesitate to contact your network security professional, or GREYCORTEX directly to arrange a PoC.
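As an added illustration of signature-free detection (example code written for this page, not MENDEL’s detection logic), the SMB port sweep and wide fan-out described above, and the "identify threats before they can do damage" point in the network management section, can be recognised from flow records alone. The block runs a sliding-window count of distinct TCP/445 destinations and destination countries per source over constructed flows; the thresholds, the five-minute window and the GeoIP country enrichment are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed for this example)."""
    ts: float       # start time, seconds
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    country: str    # GeoIP country of dst; assumed to be available as enrichment


# Thresholds are assumptions chosen for the example, not MENDEL settings.
WINDOW_S = 300             # sliding window of five minutes
SWEEP_MIN_DSTS = 50        # distinct TCP/445 targets inside the window
FANOUT_MIN_COUNTRIES = 10  # distinct destination countries inside the window


def detect_smb_sweeps(flows, window=WINDOW_S, min_dsts=SWEEP_MIN_DSTS,
                      min_countries=FANOUT_MIN_COUNTRIES):
    """Return one alert per source that fans out on TCP/445 inside the window.

    No payload or signature is inspected; the decision uses only who talked
    to whom, when, and on which port, so an unknown variant with the same
    worm behaviour is caught just the same.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == 445:
            by_src[f.src].append(f)

    alerts = []
    for src, fl in by_src.items():
        lo = 0
        for hi in range(len(fl)):
            # advance the window start until the window spans at most `window` seconds
            while fl[hi].ts - fl[lo].ts > window:
                lo += 1
            win = fl[lo:hi + 1]
            dsts = {f.dst for f in win}
            countries = {f.country for f in win}
            if len(dsts) >= min_dsts and len(countries) >= min_countries:
                alerts.append({
                    "src": src,
                    "first_ts": fl[lo].ts,
                    "alert_ts": fl[hi].ts,
                    "n_dsts": len(dsts),
                    "n_countries": len(countries),
                })
                break  # one alert per source is enough for the example
    return alerts


def constructed_flows():
    """Constructed sample traffic: one benign client, one slow and one fast scanner."""
    flows = []
    # Benign: a workstation talking to three internal file servers all day.
    for i in range(300):
        flows.append(Flow(1000 + i * 10, "10.0.0.7", f"10.0.1.{1 + i % 3}", 445, "CZ"))
    # Slow probe: 60 distinct targets, one every ten minutes; never 50 in a 5 min window.
    for i in range(60):
        flows.append(Flow(5000 + i * 600, "10.0.0.9", f"203.0.113.{i}", 445, f"C{i % 30:02d}"))
    # WannaCry-like: 200 distinct Internet targets in 20 countries within two minutes.
    for i in range(200):
        flows.append(Flow(2000 + i * 0.6, "10.0.0.5", f"198.51.100.{i}", 445, f"C{i % 20:02d}"))
    return flows


if __name__ == "__main__":
    for a in detect_smb_sweeps(constructed_flows()):
        print(f"{a['src']}: {a['n_dsts']} SMB targets in {a['n_countries']} countries "
              f"within {a['alert_ts'] - a['first_ts']:.0f}s")
```

The fast scanner trips the detector after its 50th distinct target, about 30 seconds into the sweep, while the file-server client never exceeds three destinations. The slow probe shows why the window matters: with a five-minute window it is invisible, with a ten-hour window it is caught too, at the price of a longer time to detection.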

KIWI.COM CASE STUDY

Kiwi.com (formerly Skypicker) is a fast-growing online travel agency. Founded in 2012, it has grown to over 1100 employees, and continues to grow rapidly. It serves millions of consumers every year by combining flights from carriers who do not offer route coordination. Kiwi.com administers a diversified network serving approximately 1,900 devices. The aim of the GREYCORTEX MENDEL implementation was to enable Kiwi.com to focus fully on their core business while keeping their dynamically growing IT infrastructure secure and reliable.
“Since its deployment in November, 2016, GREYCORTEX helped us immensely. We were able to find security policy breaches and performance problems, and link these to problems experienced by users that previous tools had not seen. We could see attacks as they were developing and take action. We have really strengthened our security posture and are very happy with the results.” (Josef Staša, IT Operations Manager)

CHALLENGES

While the business and team are growing quickly, Kiwi.com’s IT infrastructure and network are growing even faster.
Kiwi.com’s main reason for deploying MENDEL was to ensure that the goodwill and reputation which Kiwi.com had built through a reliable and secure IT infrastructure was preserved. It was critical to the day-to-day operations of the whole company that this be done effectively. Kiwi.com needed the ability to oversee their network’s technical infrastructure and network administration from an operational, performance, and security monitoring perspective.
Other challenges included:

  • Protection of customer data
  • Detection of modern threats and protection against attacks targeted at network users
  • Provision of a security-focused overview of network infrastructure behavior, including an automated analysis of normal behavior for individual network segments, devices, and individual users
  • Monitoring Kiwi.com’s current security infrastructure configuration and effectiveness
  • Improved security policy enforcement
  • Easy scalability

ADVANTAGES

GREYCORTEX MENDEL includes several important features that benefited Kiwi.com’s IT team. The most important is a behavioral detection engine based on advanced machine learning and artificial intelligence. Outputs are integrated with an hourly updated list of blacklisted IPs and signatures. Because these tools are integrated, MENDEL can detect threats based not only on known signatures, but based on atomic-level symptoms of attack; for example, where an advanced persistent threat lies dormant, but communicates with its Command and Control. MENDEL also includes application performance monitoring capabilities, offering teams detailed data for business critical transactions, combined with security events for easy root cause analysis; all in real time, without slowing the network. Finally, MENDEL helped to enforce Kiwi.com’s existing security policies and maintain its compliance with government regulations.

RESULTS

GREYCORTEX MENDEL was installed quickly, and it immediately and automatically began to learn the network. Kiwi.com’s original security posture, while strong, was greatly improved with GREYCORTEX MENDEL and is now prepared for more advanced threats.
Among other results, MENDEL helped Kiwi.com achieve the following:

  • Better enforcement of security policies and quicker resolution of incidents
  • Complete network visibility
  • Discovery and analysis of network and application performance problems
  • Forensic analysis


MENDEL 2.5 RELEASED

GREYCORTEX has just released MENDEL 2.5. This version adds several features that further improve performance and coverage, including a new detection method for forbidden services, faster pattern processing for IDS rules (requires Intel architecture), and HTTPS traffic decryption with an imported server private key. Note that decryption with a server’s private key only works for sessions negotiated with RSA key exchange: with (EC)DHE key exchange the session keys are derived from ephemeral values that are never encrypted to the server key, so those sessions cannot be decrypted from the key alone. The full changelog for MENDEL 2.5 is provided below.
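Whether the HTTPS decryption feature listed above (with imported private key) can open a given session, and the key-exchange type that MENDEL 2.8 reports for HTTPS and TLS flows, both come down to the cipher suite in the ServerHello. The following is an added example, not GREYCORTEX code: it parses a constructed ServerHello record, classifies the negotiated key exchange from the suite name, and reports whether a passive sensor holding the server’s private key could decrypt the session. The cipher-suite table is a small subset of the IANA registry chosen for the example; the builder fills the random field with zeros and omits extensions, so a TLS 1.3 server’s real version (carried in the supported_versions extension) is not parsed, but the suite id is enough to classify it.

```python
import struct

# A handful of cipher-suite identifiers from the IANA TLS registry. The
# key-exchange method is encoded in each suite's name; suites without a
# "_WITH_" part are TLS 1.3 suites, where key exchange is always ephemeral.
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # 64-bit block cipher (SWEET32)
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}


def key_exchange(suite_name):
    """Key-exchange family implied by a suite name: RSA, DHE, ECDHE or (EC)DHE."""
    if "_WITH_" not in suite_name:
        return "(EC)DHE"                      # TLS 1.3: ephemeral by definition
    return suite_name.split("_WITH_")[0].split("_")[1]


def build_server_hello(suite, version=0x0303, session_id=b""):
    """Construct a minimal ServerHello record (constructed test input, no extensions)."""
    hello = (struct.pack("!H", version) + bytes(32)          # version, random (zeros here)
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")            # cipher suite, null compression
    handshake = bytes([2]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello and classify its key exchange."""
    if len(record) < 5:
        raise ValueError("short record")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type != 2 or len(hello) != hs_len or len(hello) < 38:
        raise ValueError("not a complete ServerHello")
    # legacy_version (2) + random (32) + session_id_length (1) + session_id,
    # then the 2-byte cipher suite. TLS 1.3 keeps legacy_version at 0x0303
    # and signals 1.3 in an extension, which this parser does not read.
    sid_len = hello[34]
    off = 35 + sid_len
    suite, = struct.unpack("!H", hello[off:off + 2])
    name = CIPHER_SUITES.get(suite)
    kx = key_exchange(name) if name else "unknown"
    return {
        "suite": suite,
        "suite_name": name or f"unknown_0x{suite:04x}",
        "key_exchange": kx,
        # Only an RSA key exchange encrypts the premaster secret to the
        # server's public key, so only then can an imported private key
        # recover the session keys from a passive capture.
        "decryptable_with_server_key": kx == "RSA",
        "weak_64bit_block_cipher": "3DES" in (name or ""),
    }


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x000A, 0x1301):
        print(parse_server_hello(build_server_hello(suite)))
```

Run against real captures, the same field answers the operational question before the key is ever imported: if the server negotiates ECDHE suites, no amount of private-key import will decrypt its traffic, and the sensor must fall back to metadata, a TLS-terminating proxy, or keys exported from the endpoint.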
Additional Features

  • Added a new detection method for forbidden services
  • Added faster pattern processing for IDS rules (requires Intel architecture)
  • Added new traffic direction types for better filtering
  • Added system self-reporting for additional functionality support
  • Added HTTPS traffic decryption capabilities (with imported private key)

Improvements

  • System components have been upgraded to their newest versions
  • VoIP protocol parsers have been included for better performance
  • Improved system hardening
  • Improved query performance in the Flows tab

Bugs Fixed

  • Fixed IDS stability problems
  • Fixed IP address settings for new interfaces
  • Fixed disabling parsing IDS rules and DPI
  • Fixed issues with system log rotation, maintenance, and removal
  • Fixed truncated application requests within flow data
  • Fixed ICMP codes reporting in flow records
  • Fixed the reporting service type in outlier analysis methods
  • Fixed upgrade log downloading via the GUI
  • Fixed false positive matching for countries
  • Fixed issues in Incident Management
  • Fixed displaying colored, blacklisted IP addresses on the Peers tab
  • Fixed support for IPv6 filtering
  • Fixed computation functionality in the Peers graph
  • Fixed the computation of severity in the Toplists dashboard
  • Fixed invalid filter value handling
  • Fixed an issue with user rights in the reporting module
  • Fixed autocomplete in Host filtering
  • Fixed time limit for false positive application
  • Fixed status monitor event information
  • Fixed filtering by timestamp in event lightboxes
  • Fixed filtering false positives in “Table by Service or Port”

User Note
To further improve performance, it is strongly suggested that users turn off unused ports.