Security Audits to Keep You Safe

A key tool in a cybersecurity engineer’s arsenal is a comprehensive security audit.  Significant vulnerabilities can be quickly identified and mitigated.  Without this knowledge, you can only guess if your network is vulnerable to hackers.  Collective Sense has a powerful security audit product that can be run in standalone mode or integrated with our other products, taking advantage of their valuable data for our machine learning capabilities.  While other leading products promise to “prioritize your vulnerabilities by likelihood of use by an attacker, ensuring you always fix the most dangerous issues first”, we take it several steps further.  Why should you use your valuable resources to comb through lists of prioritized vulnerabilities, when you could let the Collective Sense engine solve your problems?


Full Security Audit Suite

Comprehensive coverage

Our security audit module uncovers all the known vulnerabilities that hackers will try to exploit.  Whether it’s an open port on an endpoint, insecure code on a printer or an unknown router bug, we will find it for you and give you the tools needed to fix the issue.

Summary of capabilities:

  • Vulnerability scanning

    – Most solutions give you a single, manual security test to uncover vulnerabilities and security misconfigurations. We treat vulnerability scanning as a key to the never-ending vulnerability management process. We have built a rock-solid security management process based on:

    • hundreds of built-in tools, security checks and plugins for network devices and services, operating systems, virtual environments and web applications
    • automatic data collection from multiple sources including SNMP, DNS, NetBIOS, operating system fingerprinting, HTTP application servers, ICMP ping sweeps, SSH key fingerprints and others
    • dynamic discovery of existing and new devices in the network, finding and tracking open ports, service versions, and other important characteristics observed at each device
    • detection of security misconfigurations in network and application firewalls, routers and switches, and web applications; error-handling issues in web applications; and databases with weak passwords in use
    • an integrated update feed to ensure that you are always up to date with the newest known security vulnerabilities


  • Port status and banner version tracking

    – Corporate networks are complex, heterogeneous environments composed of thousands of different services running at the same time, and they must be tracked regularly. Using the Collective Sense solution you can scan your network at regular intervals and compare the findings of the latest scan with the results of any earlier scan. That way you will not only find the open ports in use on your network, but also get a scan-results delta, which helps you detect malicious services such as an internal C2 service that suddenly starts running, a backdoor listening on an exotic port, or a rootkited service whose banner has changed slightly since the last scan, for example SSH-2.0-OpenSSH_5.3 vs SSH-2.0-OpenSSH_5.3-magic-pass.
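The scan-results delta described above, as an added example that is not part of the original page or the Collective Sense product: two constructed snapshots in an assumed {host: {port: banner}} format are compared, and banner drift on an existing service (the OpenSSH_5.3 vs OpenSSH_5.3-magic-pass case) is reported ahead of newly opened and closed ports.

```python
# Added example: diff two port/banner snapshots and flag what changed.
from dataclasses import dataclass, field

# Constructed sample snapshots; the {host: {port: banner}} layout is an assumption.
PREVIOUS = {
    "10.0.0.5": {22: "SSH-2.0-OpenSSH_5.3", 80: "nginx/1.18.0"},
    "10.0.0.7": {22: "SSH-2.0-OpenSSH_8.4", 443: "Apache/2.4.41"},
}
CURRENT = {
    "10.0.0.5": {22: "SSH-2.0-OpenSSH_5.3-magic-pass", 80: "nginx/1.18.0"},
    "10.0.0.7": {22: "SSH-2.0-OpenSSH_8.4", 31337: "unknown"},
}

@dataclass
class Delta:
    new_ports: list = field(default_factory=list)     # (host, port, banner)
    closed_ports: list = field(default_factory=list)  # (host, port, old_banner)
    banner_drift: list = field(default_factory=list)  # (host, port, old, new)

def scan_delta(previous, current):
    """Return the differences between two scan snapshots, host by host."""
    delta = Delta()
    for host in sorted(set(previous) | set(current)):
        old, new = previous.get(host, {}), current.get(host, {})
        for port in sorted(set(old) | set(new)):
            if port not in old:
                delta.new_ports.append((host, port, new[port]))
            elif port not in new:
                delta.closed_ports.append((host, port, old[port]))
            elif old[port] != new[port]:
                delta.banner_drift.append((host, port, old[port], new[port]))
    return delta

def findings(delta):
    """Rank findings: banner drift first, since a suffix appended to an
    unchanged version string is the rootkited-service pattern."""
    out = []
    for host, port, old, new in delta.banner_drift:
        kind = "suspicious suffix" if new.startswith(old) else "version change"
        out.append(f"{host}:{port} banner drift ({kind}): {old!r} -> {new!r}")
    for host, port, banner in delta.new_ports:
        out.append(f"{host}:{port} newly listening: {banner!r}")
    for host, port, banner in delta.closed_ports:
        out.append(f"{host}:{port} no longer listening (was {banner!r})")
    return out

if __name__ == "__main__":
    for line in findings(scan_delta(PREVIOUS, CURRENT)):
        print(line)
```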


Assessing your entire network

No stone left unturned

Hackers know where to look to find your weak points, but engineers aren’t always aware of where the vulnerabilities exist.  For that very reason, we cover your entire network and the possible hiding spots which are often hard for you to locate.  All of this is fed to our Machine Learning engine so you don’t need to assess every little detail and waste time manually dealing with the results.

Summary of capabilities:

  • Network – uncover, inspect and correlate observed network traffic by using packet headers and/or NetFlow traffic data together with open ports and vulnerability scan results
  • Audit – detect any suspicious actions and security events across all your core network and service infrastructure
  • Threat – get phishing alerts by using an active detector of DNS typo-squatting and bit-squatting for your domains, uncover hidden data channels in your network such as DNS or ICMP tunneling, monitor TLS-based communication for self-signed certificates, use built-in passive DNS and whois capabilities, and many others
  • Access – detect who, when and from where attempted connections have occurred and compare to past results. Track login access times, session duration, number of active sessions, number of failed/correct authentication tries, and number of different security event types
  • Endpoint – recognize suspicious events by using real-time log data analysis tied together with open port profiles and active network connection tracking
  • Identity – helps you generate a baseline behavior profile for users and devices in your network


Going a step further

Audit results provide key data for machine learning

By combining all the security audit information we gather along with the profile of normal behavior (at a single device, similar devices and whole network level – all built by Collective Sense ML) and other events in the network, we bring the unprecedented capability to raise a real security alert if the system detects anomalous behavior.  False positives and negatives are now far less probable.

As a real life example, consider the following:

In a customer’s network, we noticed two unusual events within a few minutes of each other:

  • SSH connection from a previously unseen source
  • Log describing a system service crash

Our security audit discovered one more interesting bit of information:

  • Port 80 is open on a given device and the banner describes it as Nginx

The machine on which all of this was observed did not previously have a service running on port 80 (although other machines in the network run this service). A connection from an unseen source or a service crash is unusual, but such events sometimes happen and are normal.  So, individually, these events do not provide enough evidence to raise a reliable alert (this depends on the network and is also configurable). However, when all three events were combined, the anomaly score was high and raised a real alert.
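An added illustration of the correlation just described, not code from the original page or from Collective Sense: each of the three observations is scored against a constructed per-device baseline, and no single event reaches the alert threshold while their combination does. The scoring (self-information against an assumed probability) and the threshold are assumptions chosen for this example, not the vendor's model.

```python
# Added example: combine weak per-event evidence into one anomaly score.
import math

# Constructed baseline for one device and its peers on the network.
BASELINE = {
    "known_ssh_sources": {"10.0.0.10", "10.0.0.11"},
    "listening_ports": {22},            # this device's past port profile
    "network_port80_fraction": 0.4,     # 40% of peers already serve port 80
    "crash_rate_per_day": 0.05,         # service crashes seen before, rarely
}
ALERT_THRESHOLD = 4.0  # assumed: bits of surprise needed to raise an alert

def surprise(p):
    """Self-information in bits: the rarer the observation, the higher the score."""
    return -math.log2(max(p, 1e-6))

def score_event(event, baseline):
    """Map one observation to an assumed probability under the baseline."""
    kind = event["type"]
    if kind == "ssh_login":
        p = 0.9 if event["src"] in baseline["known_ssh_sources"] else 0.2
    elif kind == "service_crash":
        p = baseline["crash_rate_per_day"] * 4   # crashes happen; damp the weight
    elif kind == "new_open_port":
        # A port already common among peers is less surprising than an exotic one.
        if event["port"] in baseline["listening_ports"]:
            p = 1.0
        elif event["port"] == 80:
            p = baseline["network_port80_fraction"]
        else:
            p = 0.05
    else:
        p = 1.0
    return surprise(p)

def correlate(events, baseline, threshold=ALERT_THRESHOLD):
    """Sum the surprise of all events in the window; alert once it crosses threshold."""
    scores = {e["type"]: round(score_event(e, baseline), 2) for e in events}
    total = round(sum(scores.values()), 2)
    return {"scores": scores, "total": total, "alert": total >= threshold}

EVENTS = [  # constructed: the three observations from the text, minutes apart
    {"type": "ssh_login", "src": "198.51.100.23"},
    {"type": "service_crash", "service": "cron"},
    {"type": "new_open_port", "port": 80, "banner": "nginx"},
]

if __name__ == "__main__":
    print(correlate(EVENTS, BASELINE))
```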