Threat2Alert Platform

Nettitude provides cyber security event management services through its dedicated solution Threat2Alert.

Nettitude has developed a unique product called Threat2Alert (T2A) that is used to generate rich data from your environment from which Indicators of Compromise (IoCs) can be detected. Each component of T2A work together to provide a detailed picture of the systems you need protected.

To find out more about the mechanics of how Threat2Alert works, including details on all of the individual components, please see www.threat2alert.com

The Five Elements of Threat2Alert

The Nettitude SOC combines this with many other sources of data to provide a rich base source of information. Intelligence is derived to ensure the actions and events you are provided with are real and credible.

The data is created from your business intelligence needs and the areas of impact for your organisation are highlighted. Data that is not relevant is removed.

Nettitude’s SOC Personnel

The SOC is made up of the following key personnel and expertise:

1:   Threat2Alert – Taking control of your log data

LogRhythm SIEM tool, Cyber Threat Intelligence (CTI), honey traps, host based agents, network appliance (coming soon)

2: The Nettitude Computing Emergency Response Team (NCERT)

Investigations, analysis and forensics Incident management

Alerting and reporting

3: SOC Analyst

Certified and trained ‘Eyes on Screen’

Proactive actions, giving you peace of mind when events occur Guidance, advice and help on hand when you need to respond or investigate

4: Incident Response (IR) Consultants

Escalation and in depth investigations with advanced IR tools Malware reverse engineering, host based analysis, network packet inspections, deep dive investigations

On and off-site forensic capabilities

SIEM – Log Sources through LogRhythm

As part of the on-boarding stage, we work closely with you to ensure the right log sources are captured, the logs are set to the correct level and are reporting back from your environment.

Best of breed, Gartner major quadrant SIEM provider – LogRhythm – provides a mechanism to collect and correlate a wide set of log data

Collects packets and logs for in depth analysis and correlation

Extensively tuned to reflect your infrastructure, as well as your people, processes and technology

Generates alerts and events 24 x 7 x 365

Forensically recorded for 3 years

The right log sources must be plugged in   to your centralized logging reporting system (no black holes within your environment)

The volume must be set at the right level so that your security events are not missed. Are you seeing all the events types and follow on actions required?

The correct events from each log source must be reported (often too much log data is collected but this is because it is the wrong data)

LogRhythm_MSSP_PARTNER_OF_THE_YEAR_LOGO

“Threat2Alert’s security managed service is a vital part of our IT security operations, and has helped to strengthen our organization’s overall security posture. Thanks to the deployment of Threat2Alert we have 100% greater visibility of any threats and potential threats within our environment.”

IT Director

Financial Services Client

Cyber Threat Intelligence

Our system ingests data from a variety of sources, confirms through active analysis if the data is valid and gathers context around the data. Our global honeypot network has over 200 nodes and is growing all the time collecting data on breaches, malware samples, malicious users, servers and payloads. Our in house tools mine this data for IoCs and patterns that can be used on the hunt within your networks.

All of this gives a powerful set of information that can be used in context of your business, to give true intelligence to the actions and guidance being provided. We can provide information from commercial sources and operational threat intelligence as well as well-known in-house and open source feeds.

This gives you the confidence that any value being derived from this data warehouse will be incorporated into the service Nettitude provides for your business.

How does the service work?

1: Our big data platforms to gather intelligence relevant to your business

2: Commercial OSINT and TECHINT intelligence feeds

3: Open Source TECHINT intelligence feeds

4: Proprietary honeypot collectors harvest real time TECHINT intelligence

5: Intelligence is normalised, weighted and integrated in to the Threat2Alert SIEM services

Threat2Alert Honey traps

This provides you with an early warning system that hackers are moving around in your network. These can be deployed in multiple locations and with multiple appearances.

Nettitude has built custom devices that are either virtual machines or deployed onto Raspberry Pis that can act as flypaper for malicious users should they get into your environment. These are built to mimic servers within your environment and present a vulnerability that a malicious user can find and be tempted to exploit. The system monitors all traffic to itself and will alert you on not only any actions to scan/find itself, but also indicate if any attempt to exploit the simulated vulnerability takes place.

How does the service work?

1: Custom honeypots are deployed in your internal network

2: They mimic normal servers in your environment

3: Configured with a tempting vulnerability

4: All actions are logged and monitored

5: They give the ability to detect compromised systems as they happen

6: Provide detailed analysis of the sophistication of any attacker

Host Based Agents

Detecting changes on local hosts is critical, as this is often where the first signs of a zero day or a high level phishing type attack will emerge.

Our agents provide FIM and can be used to detect changes on each of your end points to ensure that these can be captured. They can provide forensic level details in an investigation about what has happened and can be used to protect your sensitive sources. Your configuration files, registry and data can be actively monitored for rootkits, changes and unauthorised access.

Our agents provide on box File Integrity Monitoring (FIM)

These detect changes to local system resources

Provide compliance checks

Give forensic level details about the actions taken

Help protect your sensitive resources

Network Traffic Analysis

Network traffic provides the final piece of the jigsaw in the data collection toolset of Threat2Alert.

Traffic that passes between the Internet and the corporate

LAN is categorised

Packet metadata around Source<>Destination<>Protocol packet pairs is captured

Detection and alerting on beaconing, C2 traffic and data exfiltration is configured

Malicious file types transported over HTTP and SMTP have triggers to detect them

Full launch scheduled for early 2016

As well as ingesting netflow data and IPS/IDS alerts, we are working on a network appliance that will be able to provide us with deep dive analysis of your traffic within your environment. This will mean that sensitive data will not leave your environment but any malicious activity, malware beaconing, or weaponised files can be examined and actioned appropriately.

Deep packet inspection will be used with machine learning techniques to detect malicious activity at the network layer. Files and malware will be examined, and sandboxes if required for further analysis.

To find out more about the mechanics of how Threat2Alert works, including details on all of the individual technical components, please see www.threat2alert.com.

To understand how we use Threat2Alert as part of our managed SOC services, please look here!