GREYCORTEX IN CYBER DEFENSE MAGAZINE

Martin Korec’s article “Integration May Answer Questions in Machine Intelligence” has been published in the most recent edition of Cyber Defense Magazine’s “Cyberwarnings Newsletter.” A .pdf of the issue is available here. We have included the full article below.

Integration May Answer Questions in Machine Intelligence

 

Introduction

You are probably familiar with terms “Artificial Intelligence” and “Machine Learning,” i.e. the idea that computers can be taught to learn, and then make predictions based on the data they are given. Artificial Intelligence/Machine learning tools present huge opportunities in many areas, especially in cyber security. The UK government considers it technology which is the engine of the digital revolution. But, some are skeptical. Gartner put Machine Learning (a subset of Artificial Intelligence) at the “Peak of Inflated Expectations” in its 2015 Hype Cycle. Simon Crosby of Bromium considers these tools to be a “pipe dream.”

What Are Artificial Intelligence and Machine Learning?

Machine Learning is a subset of Artificial Intelligence, and both address the capability of machines to be taught to make predictions based on “learned” data. Both are popular terms in marketing materials, and are often confused. Deloitte has decided that a better term is “Machine Intelligence” – describing it as “an umbrella term for a collection of advances representing a new cognitive era. We are talking here about a number of cognitive tools that have evolved rapidly in recent years: machine learning, deep learning, advanced cognitive analytics, robotics process automation, and bots, to name a few.” We’ll use Machine Intelligence here (partly because “Artificial Learning” didn’t work as well) to mean the use of data analytic/predictive tools in the network security context.

The Benefits of Machine Intelligence

The essential benefit in Machine Intelligence is that it can take truly massive amounts of data, analyze it in real time, and identify anomalous or malicious behaviors invisible to manual review, or which would not be accurately identified through static detection rulesets (which are also a hassle to set up). Of course, the more data a Machine Intelligence solution has, the more effectively it can do its job. Some have claimed prediction can be improved by over 90%. If the solution has limited data from only Netflow, it is limited in its effectiveness. If input data comes from the every layer of the network, then it can identify anomalies at each layer, and each device within each layer. This means the Machine Intelligence solution identifies behavior – like advanced persistent threats or insider attacks – that may be limited or very well hidden among massive volumes of network traffic, and which would be missed by a security team pre-programming logic in SIEM systems, even well thought-out ones (a limitation of SIEM systems), or working with an IDS ruleset alone.

Some Claim Machine Intelligence has Drawbacks

Advanced analytics have been around for 20 years or more, there must be something wrong with them, or we’d all be using them. Right? Naturally, as with anything created by humans, Machine Intelligence solutions can be defeated by other humans. However, there are several existing approaches, including classification algorithms, proven to successfully mimic security analyst behavior which can be used in design and testing to avoid defeat by new threat samples. A second criticism of Machine Intelligence solutions is that they are not “plug and play,” e.g. that they need analyst time to filter out false positives/e.g teach the system what is a threat and what isn’t. Failure to do so leads to excessive false positives and alert fatigue. Alert fatigue is a problem. A recent article suggests that over half of security professionals are missing alerts they should address. However, MIT research indicates that human/Machine Intelligence collaboration is actually beneficial and can reduce false positives by close to 85%. Furthermore, while Machine Intelligence solutions may not be “plug and play,” their implementation time is much lower as compared to SIEM systems (hours vs. months) and training the machine on false positives requires a very small actual time commitment (minutes a day).

Bringing Solutions Together

Is it possible to have the benefits of Machine Intelligence technology, but minimize the hassles? Is it possible to use Machine Intelligence in such a way that this technology is used for truly advanced analysis, reducing false positives and saving the security team’s time? Integrating several features/technology types into one solution mitigates several issues with Machine Intelligence technology, and creates a more efficient system. Specifically, integrating with IDS rules and network performance monitoring is an efficient means of improving network security by joining complimentary features and data sets.

Advantages

In such an integration, detection is more effective and false positives are reduced. Less time training the system is required, and information that is “trained” starts from a more accurate position.

Integration with an IDS ruleset specifically brings two benefits: The first is that the IDS, a list of existing rules and known signatures, helps the Machine Intelligence tools function more efficiently, by determining early in the data analysis that certain traffic matches known malicious code or patterns, creating a deeper chance for analysis of events that do not trigger an IDS alert. Secondly, this type of integration has the added benefit of identifying for the Machine Intelligence tools what particular viruses/malware/trojans, etc, look like. This means that the predictive analysis tools have more, and more accurate data upon which to build their analysis. This data is also available much more quickly than if the solution was completely self-educating, or assisted only by the security team.
This also applies to adding a performance monitoring capability. A more informed and more efficient Machine Intelligence solution exists because traffic data is integrated to help it spot things like too many communication partners, services which haven’t been used before, exceptional netw
ork application delays, changed MAC addresses, or new devices or services in the network.
Integration also benefits the security team, because integrated IDS data increases efficiency. Not only does the team spend less time training the system (see above) but it also means more accurate results, resulting in less risk of alert fatigue. Alerts that actually matter are less likely to be missed as a result of the process.
In summary, Machine Intelligence technology, despite what its detractors suggest, is here to stay. Though all providers may not be using its full capabilities, its potential is too great, and its benefits in terms of detection of advanced threats too tangible for it to be given up. But, it can be improved. An integrated approach; featuring several different types of input and analysis helps to streamline Machine Intelligence data analysis, making it more effective and improves the functionality of the integrated tools. This means more effective and more efficient network security, and more family time for security analysts.

MS VULNERABILITIES EXPOSED BY GOOGLE

Google has disclosed the latest of several unpatched flaws in Microsoft software. GREYCORTEX MENDEL’s advanced machine learning and predictive analysis can identify these attacks.
Google’s “Project Zero” team recently disclosed a second unpatched Microsoft Windows security flaw, after Microsoft failed to fix the bug within Google’s set 90 day window. The vulnerability is identified as CVE-2017-0037, and is classed as a “type confusion flaw” in a module of Microsoft Edge and Internet Explorer. This flaw can lead to arbitrary code execution, and be used to crash IE or Edge, and allow hackers to execute code and gain administrator privileges on infected systems.
Advanced hackers may have either already exploited this flaw or they may soon exploit it. Network security solutions like GREYCORTEX that identify anomalous behaviour within your network are especially important in this situation. These solutions mean your IT team can identify malware by its anomalous movement within the network, and identify it as it replicates. GREYCORTEX MENDEL identifies such anomalous behavior, offers deep network visibility, and differentiates between human and machine behavior, meaning you can find infected devices within your network and secure your company’s data and reputation even without relying on Microsoft to fix vulnerabilities in its browsers.

You can read more about the vulnerability here: http://thehackernews.com/2017/02/google-microsoft-edge-bug.html

GREYCORTEX ATTENDS CEE INNOVATORS SUMMIT

The team from GREYCORTEX was selected as one of only five Czech high technology companies to attend the CEE Innovators Summit in Warsaw, Poland on March 27-28 2017. The conference focused on innovation ecosystem in the Visegrad Four (V4) countries – Czech Republic, Slovakia, Poland, and Hungary. It’s purpose was to highlight the need for greater innovation and investment in the V4 Group, and included a signing by the Prime Ministers of each of the four countries of the “Warsaw Declaration” – a statement of intent by each of the V4 countries to undertake the development of an innovative economy in the region.
The event brought together not only government officials, but press, investors, innovators, and other interested groups to the Służewiec Racetrack in Warsaw. At the conference, GREYCORTEX was represented by Pavel M. Chmelař and Milan Kaděra, who presented GREYCORTEX MENDEL, our innovative network security solution based on artificial intelligence and machine learning, which finds network threats that traditional security network security solutions miss.

If you are interested in finding out more about the conference itself, you can find it here: http://ceeinnovatorssummit.pl/en/

Press coverage from the Czech Republic can be found here: http://domaci.ihned.cz/c1-65675460-visegradska-ctyrka-se-ma-stat-rajem-inovaci-premieri-domlouvaji-spolecnou-podporu-vedy-i-start-upu (in Czech)

GREYCORTEX LOOKS FORWARD TO FUTURE COLLABORATION WITH KONICA MINOLTA

Following its inclusion in the Berlin-based global release of Konica Minolta’s new Workplace Hub, GREYCORTEX is looking forward to working with Konica Minolta, in the future, to provide its performance monitoring and advanced network traffic analysis, solutions as an extension of the Konica Minolta Workplace Hub.

Konica Minolta’s newest offering – Workplace Hub – is an innovative new enterprise IT solution, which unifies an organization’s technology into single centralized platform. Designed to future-proof workplaces of every size as they work towards digital transformation, Workplace Hub directly addresses growing IT complexity by providing more efficient and effective management of the disparate array of tools, services, and devices used by modern organizations.

Konica Minolta is one of the leading innovators in the technology sector. We are looking forward to working with them in the future, to offer network performance monitoring and advanced traffic analysis solutions as an additional extension of Workplace Hub. We believe the partnership will be a good fit because of our advanced artificial intelligence, machine learning, and data mining functionality which will help users identify threats to their emerging businesses.” Petr Chaloupka, CEO of GREYCORTEX.
GREYCORTEX MENDEL enables users to monitor their unified network for attacks and also events like poor performance and unauthorized access. MENDEL is based on 10 years of extensive academic research and is designed using the same technology which surpassed all competitors in four consecutive US-based NIST Challenges. Released in 2014, MENDEL is already an integral part of network security at companies like T-Systems, Kiwi.com, and the Czech National Security Authority.

About Konica Minolta Laboratory Europe:

KMLE is the hub where innovative solutions in the field of ICT come to life to transform the next generation of products and services from Konica Minolta. KMLE is the catalyst for development of business opportunities and innovative applications for Digital Workplace, Sensor Information and Automation, Digital Healthcare and Smart Data Systems. As a research organization, KMLE is eager to share innovative projects and ideas with its network of academic and industrial partners.

GODMODE DDOS ATTACKS INCREASING

Indian network security researchers have noticed an increase in DDoS attacks from a Windows OS and Windows Explorer vulnerability. The attack allows hackers to deliver a malware payload which spreads across the network to infect other machines, and can be controlled by a Command and Control (CnC) server.
In this case, the malware installs via user access to a malicious website. After checking for compatibility, the malware, as part of its penetration into the system, disables restricted VBScript functionality within the browser. This process; which involves changing the safemode flag within the browser, is also known as the “GodMode” exploit. Once “GodMode” is exploited, the virus is downloaded, then the virus payload connects to a remote CnC server, downloads  additional malware executable files, copies itself into C:WINDOWS, and deletes itself to avoid detection. Once installed, the malware spreads throughout the network, and executes DDoS attacks specified by the CnC server. To avoid this infection, researchers suggest immediately installing the latest system and browser updates.
Would you be able to tell if your network was infected with this attack? Updating your browser and operating system might stop future infection, but what about if the infection has already happened, and the malware is lying in wait? GREYCORTEX MENDEL identifies threats like the one described here because its advanced artificial intelligence and machine learning identify communication between the malware and its CnC server. MENDEL is unique in the industry because it can distinguish malware communication with a CnC server from human communication. MENDEL can also identify the threat through flow analysis. Because it analyzes all network flow data (rather than just a specific profiled flow – like Netflow or IPFIX), its IDS engine can identify the malware’s signature, even though it is encrypted.
To learn more about how GREYCORTEX can help you identify attacks of this nature, contact your IT Security professional, or GREYCORTEX directly.
The original research on the attack can be found here: http://blogs.quickheal.com/ddos-attacks-spreading-godmode-exploit-cve-2014-6332/

GREYCORTEX IS A STARTUP TO LOOK FOR IN 2017

Leading European start-up blog “EU-Startups.com” has identified GREYCORTEX as one of “7 Czech Startup to Look For in 2017.” The website, an authority on the European startup ecosystem, has published a list of its selections for leading Czech startups since 2015, and has included well-known companies like Kiwi.com (formerly “Skypicker”) in previous editions. Article author Pavel Curda notes the advanced artificial intelligence, machine learning, and big data analysis components of GREYCORTEX MENDEL which set us apart from other network security products.
Developed after several years of academic and market research, and based on technology which won four US-based NIST Challenges in a row, MENDEL uses artificial intelligence and machine learning tools to identify advanced persistent threats which commonly deployed network security solutions often miss. While several other solutions in the market which claim to focus on meeting advanced threats, MENDEL is unique in that it provides exceptionally deep network visibility, combined with the ability to differentiate between human and machine behavior. This allows IT security teams to spot more threats as they emerge, and take action.
You can read the full article here: http://www.eu-startups.com/2017/02/7-czech-startups-to-look-out-for-in-2017/

NEW VERSION 2.4.1 RELEASED

GREYCORTEX has launched version 2.4.1 of its MENDEL solution. This release adds a couple of new features and several bug fixes to help you better and more efficiently identify threats within your network.
The full list of additional features, improvements, and repairs is provided here:
Features

  • New background report generation with historical download capability
  • Extended IDS signature information with integrated description

Bugs Fixed

  • Fixed DNS cache parameters to improve hostname record display in network flows
  • Fixed system timeout issue during transmission of large reports via email
  • Fixed data update when downloading via proxy server
  • Fixed false positive detection for specific time periods
  • Fixed boundary display in network model
  • Fixed invalid time window in incident management link
  • Fixed data traffic display for selected hosts in graphs displayed on the Peers tab
  • Reduced system load following upgrade, including service restart
  • Fixed issue with IDS service restart after system reboot
  • Fixed database upgrade

GREYCORTEX IS THE NATIONAL WINNER IN THE CESAWARDS 2016

GREYCORTEX won the national round in the Central European Startup Awards (CESAwards) 2016. Subsequently, GREYCORTEX is going to compete with other national winners from CEE that have also shown a promising growth, in the Grand Finale held on the 1st of December, 2016 in Ljubljana, Slovenia.
The Central European Startup Awards is a competition of startup enthusiasts, serial entrepreneurs, investors and ecosystem in ten Central and Eastern European countries.
National Winners 2016: http://centraleuropeanstartupawards.com/national-winners-2016

GREYCORTEX WINS AT CESA 2016

GREYCORTEX took home the top prize in its category at the 2016 Central European Startup Awards (CESA) Grand Finale. The Grand Finale, held on December 1st in in Ljubljana, Slovenia, recognized GREYCORTEX as having the most promising growth ahead of startups from nine other Central European countries including Austria, Poland, and Slovakia.
The Central European Startup Awards is a series of national events in the CEE countries, recognizing and celebrating the entrepreneurial spirit and startup ecosystems of the region. CESA regional winners must first win their category in their home country to be eligible for the regional title. Regional winners, like GREYCORTEX, are automatically shortlisted for the World Startup Awards, held this year in Kuala Lumpur, Malaysia.
A list of CESA Grand Finale Winners in 2016 may be found at: http://centraleuropeanstartupawards.com/cesa-2016-winners