GCX Mendel

Overview

Advanced Threat Detection

Better and faster Incident Response

GreyCortex Mendel employs advanced machine learning, unique detection algorithms and several traditional detection methods to detect both known and unknown threats.


The most advanced Security Network Traffic Analysis

GreyCortex Mendel is a solution for advanced network security and performance monitoring for enterprise, government and other critical infrastructure. It dramatically improves the capabilities of security and network operations departments for rapid detection and response to security and other incidents. Its advanced machine learning, unique specialized algorithms and deep insight into network traffic make the detection of advanced threats and other behavioral anomalies more sensitive and reliable while decreasing the cost of operation.


Artificial Intelligence in Behavioral Detection

Unlike most solutions, Mendel is not dependent on manually set rules (thresholds). Instead, its advanced artificial intelligence (Machine Learning) and Data Mining automatically generate anomaly-detection rules relevant to the particular network or device. These rules describe the behavior of the whole network, of each subnetwork, and of individual hosts and services. They gradually and automatically adapt as traffic and threats in the network evolve, so that malicious and anomalous behavior is pinpointed effectively.


Much more capable than NetFlow and IPFIX

Mendel collects several times more information on network traffic than NetFlow, IPFIX or similar protocols. NetFlow or IPFIX records are enhanced with security parameters and performance analysis. These include frequency, spectral and traffic content features which are crucial for more sensitive behavioral detection.


Robust Detection Capabilities

Most specialized security technologies deal only with certain attack vectors, such as network threats to endpoints, and miss a range of other vectors such as infections originating outside the network (especially important where BYOD policies apply) or threats targeting servers, databases etc. This is a significant limitation that Mendel is designed to overcome. Mendel focuses on the entire enterprise infrastructure and all network traffic. Apart from general anomaly detection, it uses specialized algorithms to detect malicious behavior, to distinguish machine from human behavior, and more traditional signature-based detection.

Deep Network Visibility

Secure, reliable and efficient Network Operation

GreyCortex Mendel differs from other Network Performance Monitoring, Diagnostics and Application Monitoring solutions in several crucial aspects: its application awareness, identity awareness and a flow-based monitoring engine that processes more features (six times more features than NetFlow, for example).


Highly capable Network and Application Performance Monitoring

With its flow-based technology (listening to the network), Mendel provides proactive and unobtrusive real-time monitoring of network and application performance issues. This continuous real-time monitoring, combined with strong data-mining capabilities, enables easy and quick root cause analysis of problems well before they start affecting the user experience. Mendel brings comprehensive and detailed visibility into network traffic and into the behavior of individual users, applications, services and content within the traffic. In addition, it allows monitoring of application availability, internal security, user accountability and traceability. It helps organizations demonstrate and prove compliance with regulations such as PCI DSS, SOX, HIPAA and more.


Flow-based and Packet-based Technology

Instead of relying on older and limited SNMP polling, Mendel leverages flow-based and content-based monitoring. Flow-based monitoring provides near real-time (1 minute intervals) visibility into network statistics and other summary and detailed issues. Deep content inspection (DCI) extends this information with real-time comprehensive contextual metadata (user identity, applications, for example).


Application Monitoring and more

Mendel constantly monitors the communication of users and network applications on all ports over TCP, UDP, ICMP and many other protocols. This enables monitoring of current and average bandwidth, response times, transit times, delay, jitter, ports in use, connection peers and more.


Powerful Forensics

Mendel generates metadata of network communication providing full contextual awareness – for example source and destination, the user's identity and the application protocol. It also integrates selective on-demand packet capture. Unlike technologies based on full packet capture, it allows the metadata on network traffic to be stored for a much longer time with low demands on storage capacity. This includes metadata of application protocols such as HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP, SSH, DNS, IRC, VNC, RDP, XMPP, IMAP, SIP, ICQ, MySQL, MS SQL.


Easy to Use

The web user interface presents comprehensive information about network traffic: from management overviews, through aggregated information on the communication of the network, subnetworks, users and applications and the communication of peers, down to details of individual flows and their content for precise investigation of interesting events. Users can filter and sort the data in any way they need.


High Usability & Effectiveness

Work becomes more focused and less time-consuming. GreyCortex Mendel is designed for Advanced Security Network Monitoring of critical infrastructure and other high-demand environments. The advantages of Mendel technology, including artificial intelligence, risk assessment, an intuitive web user interface and robust filtering, will help you accomplish much more in less time.


Going Deeper, Knowing More

A unique Advanced Security Network Metrics (ASNM) protocol is used to monitor over 70 features (attributes) of each individual network flow. For each flow, information about source and destination, duration, data and content sizes, various packet counters, and performance and spectral (signal-processing) characteristics is generated, so Mendel can learn to distinguish normal flow characteristics from some types of malicious ones, even without the need to decode or decrypt the data. Since NetFlow only uses about 10 features, GreyCortex Mendel is much more sensitive and effective in detecting malicious and other unwanted behavior. Another difference between Mendel and NetFlow is that Mendel uses proper and consistent bidirectional network flows, which makes it possible to identify the beginning and the end of each flow (even non-TCP) and to determine most of the requests and responses it contains, rather than working with flows artificially split into 1- to 5-minute intervals. This is accomplished by (ISO/OSI Layer 7) application detection (also known as NBAR). The information content is fully reconstructed to allow Deep Packet Inspection (DPI) techniques to extract application-specific metadata for almost 1,000 application protocols, including transferred files and related metadata, even in tunneled traffic, as described in the DPI section.
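The bidirectional-flow idea described above (and the contrast with unidirectional NetFlow/IPFIX records in the earlier "Much more capable than NetFlow and IPFIX" section) can be illustrated with a small flow assembler. This is an added example written for this page, not GreyCortex code and not the ASNM feature set itself: it keys both directions of a conversation to one record, marks the initiator, detects the end of a TCP flow from FIN/RST in both directions and of any other flow from an idle timeout, and derives a few direction-split and timing attributes of the kind a one-way flow record cannot carry. The packet trace, field layout and attribute names are all constructed assumptions.

```python
from statistics import mean

# Constructed packet trace (not vendor data): t_seconds, src_ip, src_port, dst_ip, dst_port, proto, payload_len, tcp_flags
PACKETS = [
    (0.00, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 0, "S"),
    (0.02, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 0, "SA"),
    (0.03, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 517, "PA"),
    (0.05, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1460, "PA"),
    (0.40, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 0, "FA"),
    (0.41, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 0, "FA"),
    (1.00, "10.0.0.5", 40000, "10.0.0.53", 53, "udp", 45, ""),
    (1.01, "10.0.0.53", 53, "10.0.0.5", 40000, "udp", 120, ""),
]

def flow_key(sip, sp, dip, dp, proto):
    # Order the endpoints so that both directions of a conversation map to one key.
    a, b = (sip, sp), (dip, dp)
    return (proto,) + (a + b if a <= b else b + a)

def build_flows(packets, idle_timeout=60.0):
    # Assemble bidirectional flows from packets in capture order; "forward" = sent by the initiator.
    flows, closed = {}, []
    for t, sip, sp, dip, dp, proto, size, flags in packets:
        key = flow_key(sip, sp, dip, dp, proto)
        f = flows.get(key)
        if f is None or t - f["last"] > idle_timeout:  # new conversation, or the old one went idle
            if f is not None:
                closed.append(flows.pop(key))
            f = flows[key] = {"initiator": (sip, sp), "proto": proto, "first": t, "pkts": [], "fin": set()}
        fwd = (sip, sp) == f["initiator"]
        f["pkts"].append((t, fwd, size))
        f["last"] = t
        if proto == "tcp" and ("F" in flags or "R" in flags):
            f["fin"].add(fwd)
            if f["fin"] == {True, False}:  # both sides finished: the flow has a definite end
                closed.append(flows.pop(key))
    return closed + list(flows.values())  # flows still open at the end of the trace are reported too

def features(f):
    # Per-flow attributes a bidirectional record can carry but a one-way NetFlow record cannot.
    ts = [p[0] for p in f["pkts"]]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    payload = [d for _, d, s in f["pkts"] if s > 0]  # direction of each payload-bearing packet
    return {
        "proto": f["proto"], "duration": round(f["last"] - f["first"], 3),
        "fwd_pkts": sum(1 for _, d, _ in f["pkts"] if d), "bwd_pkts": sum(1 for _, d, _ in f["pkts"] if not d),
        "fwd_bytes": sum(s for _, d, s in f["pkts"] if d), "bwd_bytes": sum(s for _, d, s in f["pkts"] if not d),
        "requests": payload.count(True), "responses": payload.count(False),
        "turns": sum(1 for a, b in zip(payload, payload[1:]) if a != b),  # request/response alternations
        "iat_mean": round(mean(gaps), 4) if gaps else 0.0, "closed_by_fin": f["fin"] == {True, False},
    }
```

Running `features(fl)` over `build_flows(PACKETS)` yields one TLS flow closed by FIN with one request and one response, and one DNS flow whose end is known only from the idle timeout or the end of the trace.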