ACSIA – Automated Cyber Security Intelligence Application
Data Centric Security
ACSIA is a ‘post-perimeter’ security tool which complements a traditional perimeter security model. It resides at the application or data layer. It monitors and protects the platforms (physical, VM, cloud and container platforms) where the data is stored, which are the ultimate target of every attacker.
Most companies secure their enterprise to ward off cyber adversaries by using perimeter defenses and blocking known adversary indicators of compromise (IOC).
Adversary pre-compromise activities are largely executed outside the enterprise’s field of view, making them more difficult to detect.
ACSIA is focused on stopping cyber threats at the pre-attack phase. It is a hybrid product incorporating a SIEM (Security Incident and Event Management), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), a firewall and much more.
Using a combined approach, ACSIA does the grunt work of security analysis – monitoring, analysing, profiling and mitigating cybersecurity incidents. The ACSIA analytic engine is built on multiple modular layers which capture and analyse threats from multiple perspectives as described below.
Layer 1: Signatures (Offensive tools detection)
When a threat is targeting servers monitored by our solution, ACSIA first detects the signatures of the offensive tools used as attack vectors. Typically, 90% of attacks are launched by non-professionals (non-highly trained/skilled) known as script kiddies. They use every potential tool available on the market to perform their attacks. The easiest way to track them is to detect the tools. ACSIA can recognise the signature of all tools that are used for cyber-attacks.
Layer 2: Patterns (Pre-attack phase identification)
If the malicious entity is able to mask the tools and the signatures, then ACSIA will trigger the so-called pattern recognition method (reconnaissance). ACSIA has numerous patterns that are capable of recognising hacking techniques at any stage (early, medium, advanced). Therefore, when a server is targeted by malicious entities, ACSIA will use its unique pattern recognition methodologies to instantly detect the cyber-attack.
Layer 3: Kernel (Behavioural analytics at operating systems level)
As advanced hackers are capable of masking the signatures of their tools, the unique kernel level analysis within ACSIA captures and identifies these threats. Kernel level analysis has the ability to ‘listen’ to every single call made (inbound and outbound) from user space to kernel space, which means any interaction with the operating system is being monitored and analysed. ACSIA has one of the most comprehensive configurations on the market regardless of the type of threat. This includes old and brand new malware (unknown threats, zero-day), and it has the ability to detect the threat instantly. One of the common methods used to install malware on a system is to replace system binaries with the malware itself so that it avoids discovery. As soon as an attempt is made to manipulate such binaries, ACSIA’s kernel level module will detect the attempt. The kernel level configuration is constantly updated to make sure every threat is prevented.
Layer 4: Correlation (Diversity of data sources, correlation and logic)
The correlation engine is one of the most innovative modules of ACSIA. It represents the stage where the analysed data is ready to go through orchestration and training by machine learning and artificial intelligence algorithms. The correlation engine is where the entire set of data and modules/methods are correlated to generate highly accurate output. For example, where ACSIA detects individual events that would each look innocuous in isolation, it has the capability to collect and correlate them into a single threat detection notification. This drastically reduces false positives and prepares the ML/AI modules to do their automation, orchestration and decision making.
Layer 5: ML/AI (Automation, orchestration and auto-remediation)
This is the workflow layer where orchestration and automation of event processing is managed. Once layers 1 to 4 have accurately identified a threat, the result is passed to layer 5 to prioritise, mitigate and notify.
Layer 6: UEBA (Profiler)
The user and entity behavioural analysis in ACSIA is different from traditional UEBA methods. From day 1 the user behaviour feature starts to explore each user’s full activity and creates a profile for each user by establishing their roles. This is done via unsupervised ML/AI algorithms and techniques that can populate profiles for each user autonomously. A similar principle is applied to system and application behaviours. This entity behavioural analysis feature studies every moment and activity performed by the system and by the applications that are running on it. The UEBA feature of ACSIA is a robust module, and a significant portion of our future developments will focus on the enhancement of this feature. In the UEBA feature, our ML/AI plays a heavy role.
ACSIA comes with a rich configuration where threats of all types, both known and emerging, can be detected rapidly. For example, it is a common technique when deploying malware to essentially hide in system binaries to evade detection. In this instance, any attempt to manipulate such binaries will trigger an alert from ACSIA’s kernel level module. This kernel level configuration is continuously enriched to ensure that such threats are instantly detected.
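The two passages above (Layer 3 and this paragraph) both describe detecting attempts to replace or manipulate system binaries. As an added illustration that is not ACSIA's code and does not describe its kernel module, here is a user-space file-integrity baseline and check of the kind used for that purpose. The sample 'bin' tree, its file contents and the simulated tampering are all constructed inline; in a real deployment the baseline would be taken on a known-good system and stored where an attacker on the host cannot rewrite it.

```python
"""Added example (not ACSIA code): a minimal file-integrity baseline and check.
The sample tree, contents and tampering below are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its hash and permission bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                # permission bits including setuid/setgid/sticky
                "mode": p.stat().st_mode & 0o7777,
            }
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline and report what changed.
    A file whose contents changed is reported as modified even if its mode also
    changed; mode_changed is for files whose contents are intact."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for rel, info in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel]["sha256"] != info["sha256"]:
            report["modified"].append(rel)
        elif current[rel]["mode"] != info["mode"]:
            report["mode_changed"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake 'bin' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        (root / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "ls").chmod(0o755)
        (root / "ps").chmod(0o755)
        baseline = build_baseline(root)

        # Simulated tampering: ls replaced, an unexpected binary dropped,
        # ps made setuid without its contents changing.
        (root / "ls").write_bytes(b"#!/bin/sh\necho replaced ls\n")
        (root / "sh2").write_bytes(b"#!/bin/sh\n")
        (root / "ps").chmod(0o4755)
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately split into content and mode changes: a setuid bit appearing on an otherwise intact binary is a different finding from a replaced binary, and both are worth alerting on. The report from `demo()` lists `ls` as modified, `sh2` as added and `ps` as mode-changed.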
Behavioural Analytics or Entity User Behavioural Analysis (EUBA)
ACSIA looks at patterns of human behaviour, and then applies algorithms to detect meaningful anomalies in those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, EUBA tracks a system’s users. ACSIA detects insider threats and advanced persistent threats. EUBA builds a profile of an employee based on their usage patterns, thanks to its deep learning and unsupervised machine learning algorithms, and sends out an alert if it sees abnormal user behaviour.
ACSIA EUBA helps mitigate the risks of both insider threats and external attackers by using the same principle. First, a normal baseline is defined based on user behavior – file access, logins, network activity, etc. – over an extended period. Second, EUBA can quickly identify user deviations from that norm, and generate an alert. In the case of attackers entering the system, EUBA can tell whether an employee’s credentials are being used by outsiders. For legitimate employees, EUBA can also spot changes in activity that signal insider data theft, or IT sabotage.
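The baseline-then-deviation principle described above, as an added example that is not ACSIA's code: a per-user profile is built from a training window of login events (hour of day, source country, host), and new events are scored by how far they depart from that user's own baseline. The events, weights and threshold are constructed for illustration; a real profiler would use far more signals and a learned rather than hand-set threshold.

```python
"""Added example (not ACSIA code): a simple per-user behavioural baseline with
deviation scoring. All events and weights below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training events: (user, ISO timestamp, source country, host).
TRAINING_EVENTS = [
    ("alice", "2024-03-04T09:12:00", "IE", "web01"),
    ("alice", "2024-03-05T08:55:00", "IE", "web01"),
    ("alice", "2024-03-06T09:30:00", "IE", "db01"),
    ("alice", "2024-03-07T10:02:00", "IE", "web01"),
    ("alice", "2024-03-08T09:15:00", "IE", "web01"),
    ("bob", "2024-03-04T22:40:00", "DE", "build01"),
    ("bob", "2024-03-05T23:05:00", "DE", "build01"),
    ("bob", "2024-03-06T22:15:00", "DE", "build01"),
    ("bob", "2024-03-07T01:10:00", "DE", "build01"),
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2024-03-11T09:20:00", "IE", "web01"),    # normal for alice
    ("alice", "2024-03-11T03:40:00", "RU", "db01"),     # off-hours, new country
    ("bob", "2024-03-11T22:50:00", "DE", "build01"),    # normal for bob
    ("bob", "2024-03-11T14:00:00", "DE", "db01"),       # daytime, new host
    ("mallory", "2024-03-11T12:00:00", "IE", "web01"),  # account never seen
]


def build_profiles(events):
    """Per-user baseline: login hours seen, countries seen, hosts seen, event count."""
    profiles = defaultdict(lambda: {"hours": Counter(), "countries": set(), "hosts": set(), "n": 0})
    for user, ts, country, host in events:
        p = profiles[user]
        p["hours"][datetime.fromisoformat(ts).hour] += 1
        p["countries"].add(country)
        p["hosts"].add(host)
        p["n"] += 1
    return profiles


def score_event(profiles, event, hour_window=2):
    """Return (score, reasons). Each deviation from the user's own baseline adds
    weight; a user with no profile at all is treated as an unknown account."""
    user, ts, country, host = event
    if user not in profiles:
        return 3, ["unknown user"]
    p = profiles[user]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    # An hour is 'usual' if it lies within +/-hour_window of any hour this user
    # has previously logged in at, with wrap-around at midnight.
    usual = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_window for h in p["hours"])
    if not usual:
        score += 1
        reasons.append(f"unusual hour {hour:02d}")
    if country not in p["countries"]:
        score += 2
        reasons.append(f"new country {country}")
    if host not in p["hosts"]:
        score += 1
        reasons.append(f"new host {host}")
    return score, reasons


def detect(profiles, events, threshold=2):
    """Return an alert for each event whose deviation score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(profiles, ev)
        if score >= threshold:
            alerts.append({"user": ev[0], "time": ev[1], "score": score, "reasons": reasons})
    return alerts


def demo():
    """Train on the constructed window, then score the constructed new events."""
    return detect(build_profiles(TRAINING_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Weighting a new source country above a new host or an odd hour reflects the credential-misuse case mentioned above: a legitimate employee occasionally works late or touches a new server, but their session rarely originates from a country they have never logged in from. With these inputs `demo()` raises alerts for alice's off-hours foreign login, bob's daytime access to a new host and the never-seen account mallory, and nothing for the two normal logins.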
While businesses benefit from moving their data and operations away from their own physical servers in owned and operated data centres to cloud companies such as Amazon Web Services, Microsoft Azure and Google Cloud, problems remain – the main one being cybersecurity.
While cloud computing is achieving mass acceptance through the widespread uptake of what might be described as a utility-based model of computing, it disrupts not only traditional processing models, shifting the focus away from on-premise deployments, but also corporate postures with respect to governance, risk and compliance (GRC).
The rapidly changing legislative and regulatory framework now clearly attributes responsibility for an organisation’s GRC posture to named officers of that organisation.
No longer can liability for failure of business continuity, security and loss of customer data be attributed to the “IT crowd”. These are board level considerations – and the emergence of roles such as Chief Security Officer, Chief Information Security Officer and Data Protection Officer clearly reflects the radical shift of emphasis from internal IT service providers to such officers when it comes to questions of responsibility and accountability.
The design concept underpinning our planned contribution to ACSIA is intended to provide an easily understood and managed communications channel from a corporate cloud-based system directly to those who will be accountable in the event of issues arising and not being effectively addressed.
4Securitas are creating a comprehensive security and communications service integrated into easy-to-understand interfaces, against the trend of disconnected point solutions. ACSIA (Automated Cybersecurity Interactive Application) joins up system alerts and communications to the relevant people in a manner that is clear and concise while at the same time being sufficiently information-rich to allow appropriate action to be taken.
Analysis of the recent history of large-scale data breaches typically shows that while traditional event logging may have been in place, information overload, corporate inertia and an unclear understanding of roles and responsibilities meant that alerts were either switched off or ignored.
By aligning the detection envisaged by this product into one unified source of knowledge, the product – as an enabling technology – will empower organisations to refine and adapt to the fast-moving world of cybersecurity risk mitigation.
Indicators of Compromise (IoCs)
In the current threat environment, rapid communication of threat information is the key to quickly detecting, responding and containing targeted attacks. Hunting for Indicators of Compromise (IoCs) is an effective way to combat advanced attackers. IoCs are forensic artifacts of an intrusion that can be identified on a host or network.
IoCs tie to observables and observables tie to measurable events or stateful properties which can represent anything from the creation of a registry key on a host (measurable event) to the presence of a mutex (stateful property). For example, after using the APT Detection Framework to optimize and check for any gaps an organization should continuously monitor and detect things like:
Real time threat intelligence
The system can be configured to make most actions automatic, while at the same time informing security teams as to when to engage directly. An intuitive and easy-to-understand interface means that a CISO can, with one glance at a mobile dashboard, take a snapshot of the prevailing platform status.
Using ACSIA is like hiring a security engineer who is available 24/7. Deployment is simple and straightforward, and the customer benefits from the ACSIA engine running seamlessly and silently in the background.
ACSIA: Ensure optimal cybersecurity and digital trust
Cybersecurity
- Cybercrime is the greatest threat to every company in the world, and damages are predicted to reach $6 trillion annually by 2021. (Source: The 2019 Official Annual Cybercrime Report)
- As of 2019, cyber-attacks are considered among the top five risks to global stability. (Source: World Economic Forum)
- The global average cost of a data breach is $3.9 million. (Source: IBM)
- The online gaming community will be an emerging hacker surface, with cybercriminals posing as gamers and gaining access to the computers and personal data of trusting players. (Source: Experian)
- A cloud vendor will suffer a breach, compromising the sensitive information of hundreds of Fortune 1000 companies. (Source: Experian)
- By 2022, around 95% of cloud security failures will be the fault of the customer, not of the vendors of public cloud infrastructure. (Source: Gartner’s quarterly Emerging Risks Report)
- The extent to which 5G networks rely on software is one of the top security issues for both mobile networks and the devices that use or incorporate them. (Source: EU report by the European Commission and European Union Agency for Cybersecurity)
| Capability | ACSIA |
| --- | --- |
| System level attack threat detection | ✔ |
| Application level threat detection | ✔ |
| Malicious tools detection and identification | ✔ |
| SQL injection detection | ✔ |
| Code injection detection | ✔ |
| XSS attack detection (Type-0, Reflected and Stored) | ✔ |
| LFI – file inclusion detection | ✔ |
| Malware detection (trojan, webshell, rootkit, etc.) | ✔ |
| Portscan detection (invasive only) | ✔ |
| Potential account compromises (geo-location based) | ✔ |
| Eavesdropping and information gathering detection | ✔ |
| Potential account compromises (UEBA) | ✔ |
| Linux container support (threat detection) | ✔ |
| User activity and session player within the notification | ✔ |
| Internal user and entity activity analysis (UEBA) | ✔ |
| Exploitation and 0-day detection | ✔ |
| Privilege escalation detection | ✔ |
| File integrity check | ✔ |
| Kernel level threat detection (Linux systems and containers) | ✔ |
| Automated cyber attack event handling and remediation | ✔ |
| Incident response (resource isolation) | ✔ |
| Advanced Persistent Threat (APT) detection | ✔ |
| Indicators of Compromise (IoC) detection | ✔ |