This webinar and presentation outline the Infocyte HUNT threat detection and incident response platform and how it enables state and local government organizations to:
- Reduce risk across local, off-network, and cloud IT assets
- Expose and eliminate hidden cyber threats and vulnerabilities
- Streamline your overall security operations
- Achieve and maintain compliance
Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response).
Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below:
https://www.infocyte.com/free-compromise-assessment/
2. Defense alone doesn’t win games.
• The security industry is focused on prevention and real-time detection
• Customer environments are built with ever-increasing complexity and layers of defenses
• The threat landscape is progressing rapidly, with more resources than ever
• Even with great defense, the best possible result is a tie; the common result is that the other team scores and you lose
• Don’t settle for a tie and don’t wait to lose
3. Proactive Security is the Answer
• Proactive security identifies and resolves threats and vulnerabilities before they impact your environment
• Optimize security intelligence and cut across the silos (network, endpoint, identity, cloud, application…)
• Leverage existing tools and augment them with no disruption
• Automate complex security tasks
– Experienced security staff can scale; less experienced staff can provide higher value with our integrations
– Backstop your team with detection & response experts
• Ensure compliance and mitigate risks on an ongoing basis
4. Proactive Security Advisories
• Sources: IDC IR MarketScape, Gartner MDR Market Guide, NIST Advisory
Gartner: “IT security and risk management leaders … should use MDR services to expand their investments beyond preventative security technologies to address their detection, response and 24/7 monitoring gaps”
IDC: “Enterprises should make proactive incident readiness, response, and resiliency a priority”
NIST: “Customers should conduct periodic risk assessments of systems and applications to determine threats and vulnerabilities, ensuring monitoring and response capabilities are in place”
5. What Infocyte does
Infocyte HUNT fills the gap between prevention and incident response, improving your Security Operations
• Independent: Infocyte HUNT gathers forensic data from hosts and enriches it to deliver evidence vs. alerts
• Efficient: The process is automated, agentless, cloud-based and simple
• Effective: Provides security insights that are easily consumed and actionable
Infocyte HUNT proactively assesses your security state & posture, closing gaps in your defense while driving compliance
6. Q2 Real World Network Findings
What We Inspected
● 582K Systems
● 100s of Customers
● 1000s of Network Segments
● 50% IR & 50% Proactive
● 12.4 M Artifacts
● 45K fileless code injects
● 339K User Accounts
● 161K Applications
System Findings Summary
● 5% advanced or multi-stage attack
● 22% encountered some element of Ransomware in their lifetime, with 43 days avg dwell time
● 72% have unwanted software or Riskware (800+ day average Dwell Time)
Threat Findings Summary
● 1% undetectable but suspicious, found by analysts
● 4.6% Unknown to community / Intel, but found by the Infocyte Incyte ML platform
● 32% Known bad but still able to persist (Ryuk, Emotet, Fuery, MereTam, Sality…)
● 63% Riskware (including risky admin tools, Adware, Keyloggers)
Source: Infocyte Q2 Threat Report
7. Infocyte Spans the Lifecycle
(Lifecycle timeline diagram; labels recovered from the figure)
Pre-Attack: Reconnaissance and Hardening (actors identify a path in); Mean Time to Patch: 12 weeks
Attack: Exploitation (actors exploit gaps); Mean Time to Compromise: minutes; NETWORK BREACHED
Post Compromise (attack in progress, attacker dwell time): Installation, Command & Control, Lateral Movement, Exfiltration, Persist (actors living within the network); Mean Time to Detect: 197 days; INCIDENT DISCOVERED
Response (recovery): Mean Time to Respond: 69 days
Source: VDBR and Ponemon
8. Infocyte HUNT™
SaaS Threat Detection & Incident Response Platform Overview
(Platform diagram: Complete API, Clean & Efficient UI; Command: Premium Hunt & IR Support; Incyte™ Threat Intel and Synapse ML; Agentless and Agent-based collection; KPI Dashboard; Actionable Insights; Exposures: Identity & Vulnerability; Activity Trace™)
✓ Command Services leverage experts to alert you on top risks or threats and recommend response actions
✓ Respond Faster: Automate forensics, timelining, and artifact analysis to validate & scope incidents, then take action
✓ Identify Issues that matter: AI analytics and Threat Intel provide context on threats and vulnerabilities
✓ Independent Inspection: forensic-based inspection, triage and assessment across all your assets
✓ Easy deployment from the cloud via API, controller, or light agent
9. Infocyte Cloud Architecture
(Architecture diagram: HUNT™ Console at customer1.Infocyte.com with API & UI; INCYTE Threat Intel & Analytics; Security Operations Center (SOC) providing Adv. Hunt & IR Augmentation for “Command”-level subscribers and partners; MSSP / SOC access via API; Controller (agentless) and Agents reaching Endpoints / Servers; Cloud Plugins for AWS / Azure / GCP; deployment spans Cloud and Hybrid: Physical, Workstations, Mobile, Virtualized)
Infocyte HUNT Agents can be installed on unmanaged endpoints -- on-prem, in the cloud, or at a coffee shop.
Cloud Plugins enable agentless workload visibility and interaction via the IaaS API.
Infocyte HUNT Controller discovers endpoints and initiates scans (deployed inside the firewall / network).
Coverage: serverless* ∙ container* ∙ virtual machines ∙ datacenter ∙ headquarters ∙ retail/POS ∙ branch office ∙ mobile workforce (laptops)
Infocyte HUNT enables Managed Detection and Response (MDR) services across the entire ecosystem.
10. Time to Detect + Time to Respond = Dwell Time
• Cost: $58k per day
• Average: 191 days globally (131 in US) in 2018
How are your Security Operations Performing?
• Infocyte accurately measures and helps reduce these metrics
• Measure performance and improvement of security operations
• Convey business impact: the value of security operations
– KPI improvements = downtime avoided and response costs reduced
– Businesses see up to a 97% reduction in breach costs if the breach is contained within 1 day
Key KPIs
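The slide defines dwell time as time to detect plus time to respond and prices it at $58k per day. The code below is an added example (not Infocyte’s implementation) that computes those KPIs from a constructed incident register; incident names, dates and the one-day containment count are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List

# Figure quoted on the slide: what a day of dwell time costs.
COST_PER_DWELL_DAY_USD = 58_000
SECONDS_PER_DAY = 86_400


@dataclass
class Incident:
    """One entry from a (constructed) incident register."""
    name: str
    breached: datetime      # first evidence of attacker activity
    detected: datetime      # when the activity was noticed
    contained: datetime     # when the threat was contained / removed

    @property
    def time_to_detect_days(self) -> float:
        return (self.detected - self.breached).total_seconds() / SECONDS_PER_DAY

    @property
    def time_to_respond_days(self) -> float:
        return (self.contained - self.detected).total_seconds() / SECONDS_PER_DAY

    @property
    def dwell_days(self) -> float:
        # The slide's definition: dwell time = time to detect + time to respond.
        return self.time_to_detect_days + self.time_to_respond_days


def kpi_summary(incidents: List[Incident]) -> Dict[str, float]:
    """Mean time to detect / respond, mean dwell time, dwell cost at the slide's
    rate, and how many incidents were contained within one day."""
    if not incidents:
        raise ValueError("incident register is empty")
    mttd = mean(i.time_to_detect_days for i in incidents)
    mttr = mean(i.time_to_respond_days for i in incidents)
    dwell = mean(i.dwell_days for i in incidents)
    return {
        "mttd_days": round(mttd, 1),
        "mttr_days": round(mttr, 1),
        "dwell_days": round(dwell, 1),
        "dwell_cost_usd": round(dwell * COST_PER_DWELL_DAY_USD),
        "contained_within_1_day": sum(i.dwell_days <= 1.0 for i in incidents),
    }


# Constructed sample register, not real data.
SAMPLE = [
    Incident("ransomware-precursor", datetime(2019, 1, 10), datetime(2019, 2, 22), datetime(2019, 3, 1)),
    Incident("riskware-admin-tool", datetime(2019, 3, 1), datetime(2019, 3, 1, 6), datetime(2019, 3, 2)),
]
```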
11. Outcomes with Infocyte
1. Become more proactive with discovering assets, vulnerabilities and characterizing threats and risks in your environment with proper context
2. Respond faster with automated incident response triage, scoping, and patient-zero identification
3. Achieve compliance with unprecedented visibility and reporting into network and application assets, network hygiene, and auditing the effectiveness of security controls.
14. Infocyte as a Platform
- The long-term vision for Infocyte is a comprehensive platform for identifying, assessing and responding to risks and threats across your organization
- Independent Risk and Threat Discovery → Reducing Risk and MTTD
- Application and OS Vulnerabilities (more focused than VA vendors)
- Broader Environmental Vulnerabilities (identity entitlements, etc.)
- Incident Response → Integrated into workflows to reduce MTTR
- Constantly Expanding Coverage: Cloud workloads, identity, OSX...
15. In Closing
• Shift your mindset and posture to Proactive Security
– Play offense, don’t wait to lose
– Extend your existing security investments
– Add forensic data to enable better incident response
– Enable your resources to be more efficient and effective
• Infocyte is the Easy Button
– Affordable: starts at $2/node/month
– Easy: fully managed, no business disruption
– Fast: evaluate in your environment, get results in hours
16. Leveraging as a Pre-Sales tool for Check Point (Especially SandBlast Agent)
www.infocyte.com
18. How is it deployed?
• A new cloud instance is created in the console
• The Controller (agentless) or agents are deployed in the environment
– and are discovered and enabled in the console
• A service group and query are configured in the console
– A service account is defined and configured
– The environment is enumerated
• A scan is initiated and the forensic data is analyzed by Incyte
• Enriched forensic data is presented in the console or a report
Time from start to finish for 100 hosts: <120 min
19. Incident Response Steps
Detection: Response begins when you detect malicious or suspicious activity via real-time monitoring, proactive hunting, external reports, etc.
1. Triage: Determine the scope of the breach and gather information for quick decision making. Infocyte automates full forensic triage.
2. Containment: Initial response actions to mitigate the active threat. Infocyte automates ticketing workflows & recommendations.
3. Investigation: Analyze evidence and determine root cause. Activity Trace and automated timelines make this easy.
4. Certification: Verify control and the clean state of the network. Infocyte enables and automates this step.
5. Learning: Implement new controls based on lessons learned. Accurate RCA leads to better decisions.
22. HUNT Command: Case Study
• Government network with sensitive data (including PII & Court Records).
• Customer started with core protection tools but little hunting or IR expertise
• In the first 3 months, identified, resolved and addressed the root cause of over 80 threats or risky applications
• Organization now demonstrates higher IR readiness and network hygiene with significantly lower mean time to respond
(Chart with a time axis from Month 1 through Month 4)
24. Infocyte 8 Core NIST Capabilities
(NIST Cybersecurity Framework wheel: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)
IDENTIFY: Asset Discovery (ID.AM); Asset Vulnerabilities Discovered (ID.RA)
DETECT: Host Anomalies and Events (DE.RA); Continuous Monitoring of Hosts (DE.CM); Detection Processes in Place (DE.DP)
RESPOND: Analysis including Root Cause (RS.AN); Mitigation, Contained and Validated (assist) (RS.MI)
RECOVER: Recovery Planning and Improvements (RC.RP + RC.IM)
25. HUNT Command: Infocyte 8 Critical Controls for Risk Management and IR Readiness
NIST Category | Critical Control | My Score (0-5)
Identify | Do I know all of my networked assets and where they are? |
Identify | What applications are installed in my network? Which are vulnerable? |
Detect | Are protection and detection platforms deployed and working properly? |
Detect | Do I have visibility on attacks that get through my security controls? |
Detect | Can I characterize these risks when found? |
Respond | Am I able to reach ALL endpoints in the event of an incident? |
Respond | How quickly can I triage, complete RCA and scope an attack to contain and remediate? |
Recover | Once fixed, can I validate the network is clean and no other backdoors remain? |
27. Threat Detection
Managed Detection
• Proactively discover threats in your network
– Forensically validate that your security controls have not been bypassed
Targeted Hunting (Analytics + Infocyte)
• Complement security data (e.g. EDR, IDS, Firewall) analytics
• Use Infocyte to investigate and confirm leads by inspecting suspicious systems
28. Incident Response (Forensic Triage)
• An automated solution to forensically triage alerts from your SIEM, network or endpoint security solutions
– Collects & analyzes targeted forensic triage data.
– Reduces the time and resources needed to manually comb through volumes of false and low-priority data.
– Allows your security team to focus on remediating real threats.
29. Network Access Control
When combined with the visibility and orchestration provided by ForeScout CounterACT, Infocyte HUNT equips enterprises with the ability to forensically evaluate the state of an endpoint and create a network compliance policy that ensures that no compromised system enters the network.
HOW IT WORKS
• CounterACT discovers and classifies an endpoint as soon as it enters the network.
• If the endpoint has not been recently inspected, CounterACT will initiate a hunt with Infocyte.
• Endpoints that are found to be compromised are out of compliance.
• Non-compliant endpoints can be quarantined from the network or subject to any other CounterACT enforcement action.
(Flow diagram between Endpoints, CounterACT™ and HUNT™, steps 1 to 5; recovered labels: 2. ForeScout requests hunt; 3. Infocyte verifies endpoint state; 4. Infocyte returns findings to ForeScout)
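The exchange described under HOW IT WORKS, written out as an added example (this is illustrative code, not the ForeScout or Infocyte integration itself): a NAC policy function that requests a hunt when the last inspection is missing or stale, then allows or quarantines based on the verdict. The seven-day staleness threshold, hostnames and verdicts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy value: how old an inspection may be before a new hunt is requested.
MAX_INSPECTION_AGE = timedelta(days=7)


@dataclass
class Inspection:
    """Most recent hunt result for one endpoint."""
    when: datetime
    compromised: bool


class HuntService:
    """Stand-in for the HUNT side of the exchange: answers 'is this host compromised?'.
    Verdicts are constructed test data keyed by hostname, not real findings."""

    def __init__(self, verdicts: Dict[str, bool]):
        self.verdicts = verdicts
        self.requests: List[str] = []          # hosts for which a hunt was requested

    def hunt(self, host: str, now: datetime) -> Inspection:
        self.requests.append(host)
        return Inspection(when=now, compromised=self.verdicts.get(host, False))


def nac_decision(host: str, last: Optional[Inspection], now: datetime,
                 hunt: HuntService) -> Tuple[str, Inspection]:
    """CounterACT-style policy step. Returns (action, inspection the action rests on):
    'allow' for compliant endpoints, 'quarantine' for endpoints found compromised."""
    # Slide step 2: no recent inspection -> request a hunt.
    if last is None or now - last.when > MAX_INSPECTION_AGE:
        last = hunt.hunt(host, now)            # steps 3-4: HUNT verifies and returns findings
    # A compromised endpoint is out of compliance and gets the enforcement action.
    action = "quarantine" if last.compromised else "allow"
    return action, last


def run_scenario() -> Tuple[Dict[str, str], List[str]]:
    """Constructed scenario: three endpoints join the network on the same morning."""
    now = datetime(2019, 9, 1, 9, 0)
    hunt = HuntService({"ws-01": False, "ws-02": True})
    fresh = Inspection(when=now - timedelta(days=2), compromised=False)   # ws-03 checked recently
    results = {
        "ws-01": nac_decision("ws-01", None, now, hunt)[0],    # never inspected -> hunt -> clean
        "ws-02": nac_decision("ws-02", None, now, hunt)[0],    # never inspected -> hunt -> compromised
        "ws-03": nac_decision("ws-03", fresh, now, hunt)[0],   # recent clean result -> no new hunt
    }
    return results, list(hunt.requests)
```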
31. Compromise Assessments
A proactive hunt across systems to detect threats that may have evaded existing security controls: “Is this network clean or compromised?”
• Effective at detecting the presence of malware, remote access tools, and other indications of unauthorized access
• Fast – Started in minutes, assesses thousands of hosts an hour
• Affordable – A typical organization should be able to conduct it proactively and regularly (i.e. quarterly/annually)
• Independent – The assessment does not rely on detection solutions already in the environment
Infocyte is the only product optimized for compromise assessments and trusted by teams like PwC, SpecterOps, Check Point, and many others.
APPLICATIONS
• Periodic Threat Hunting
• Incident Response
• Mergers & Acquisitions
• Third Party & Vendor Risk Management
• Security Program Validation / Audit
32. Incident Response
• Collects and analyzes initial forensic triage data to determine the scope of an incident and collect samples.
– Collects & analyzes targeted forensic triage data.
– Instantly recover in-memory inject samples (unmapped from memory) for offline analysis
– Most flexible endpoint access options:
• Agentless (scan hosts within the network from a single entry point)
– Server-side or Client-side Encryption of network credentials
• Agent (interact directly with the host)
• Offline Scan (manual offline survey and upload results)
(Diagram: HUNT™ reaching Endpoints. Agentless: a workstation or server in the target network becomes the pivot system to scan other systems within the firewall. Agent: the end customer installs an agent to give direct access to a host.)
33. Service Delivery Models
(Diagram of three models. Managed: a single instance, MSSP1.Infocyte.com, serving Customer 1 through Customer 7. Co-Managed and Private: per-customer instances cust1.infocyte.com through cust5.infocyte.com, e.g. Customer 8 and Customer 9, with SOC / MSSP access to the co-managed ones.)
Managed
- MSSP or Partner manages a set of customers in a single HUNT instance.
- 100% Managed Customers
- Single Instance | Multiple Customers
- Customers should not access UI
Co-Managed
- Co-Managed Instances
- Both end customer and SOC can access individual customer instance UI
Private
- Individual private Instances
- GDPR & highly regulated environments
35. Current State of Security
- Environmental Vulnerabilities continue to increase
- Increases in cloud and mobility have eroded the perimeter and increased the attack surface
- The Threat Landscape continues to get more sophisticated and has greater resources
- They will encrypt, destroy or exfiltrate your sensitive data
- 64% of businesses experienced a major security incident last year
- Cyber attack ‘dwell time’ was 191 days in 2018
- Cost of a breach is $400 to $700/endpoint or $3.5M
No Protection is 100%: Breaches happen.
- Proactive Security is recognized as the largest driver of reduced breach exposure and cost
Sources: Gartner, NIST, CVE Database, Ponemon 2018 State of Endpoint Security, Dark Reading, Infocyte Analysis
36. Cloud Security – What is collected?
• Endpoint forensic triage data is collected from each host, which includes:
– Process, executable, script, app, and connection metadata (hashes, IPs, digital signatures, etc.)
– Associated User Account metadata
– The results of volatile memory analysis -- small segments of executable memory identified as malicious
• Except in rare circumstances, executable-marked memory regions do not contain PII or other sensitive data. Data-marked regions of memory are excluded from collection.
• All raw data collected is available to users through the interface and API integrations. Users retain control over reducing the scope of collected data in the interface as well.
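To make the collection rule concrete, the added example below (not Infocyte’s collector, which the slide does not describe at this level) applies it to a constructed Linux /proc/<pid>/maps listing: executable-marked regions are selected, data-marked regions are excluded, and executable regions with no file behind them are flagged as the fileless inject candidates a memory scanner would pull for analysis. Addresses, paths and the single anonymous rwx region are constructed sample data.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Region:
    """One mapping from a /proc/<pid>/maps-style listing."""
    start: int
    end: int
    perms: str       # e.g. "r-xp"
    path: str        # "" for anonymous mappings; "[heap]", "[stack]" are kernel pseudo-paths

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        # Only a real on-disk path counts; anonymous and bracketed regions have no file behind them.
        return self.path.startswith("/")


def parse_maps(text: str) -> List[Region]:
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [pathname]
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        regions.append(Region(start, end, parts[1], parts[5] if len(parts) > 5 else ""))
    return regions


def collectable_regions(regions: List[Region]) -> List[Region]:
    """Executable-marked regions: the only kind the slide says is collected."""
    return [r for r in regions if r.executable]


def excluded_data_regions(regions: List[Region]) -> List[Region]:
    """Data-marked (non-executable) regions, which the slide says are excluded."""
    return [r for r in regions if not r.executable]


def inject_candidates(regions: List[Region]) -> List[Region]:
    """Executable memory with no file backing: where fileless code injects live."""
    return [r for r in collectable_regions(regions) if not r.file_backed]


# Constructed listing (not from a real process); the anonymous rwxp line is the inject candidate.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/app
00651000-00652000 r--p 00051000 08:01 1234 /usr/bin/app
00652000-00655000 rw-p 00052000 08:01 1234 /usr/bin/app
01e00000-01e21000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc-2.27.so
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0 [stack]
"""
```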
37. Cloud Security – How is it protected?
Each instance of Infocyte HUNT has its own unique database that stores customer-specific data. All access is constrained to those who have been given explicit access to that instance.
Infocyte HUNT Command-level subscribers grant analysis-level access to the Infocyte SOC. All other customers have administrative access through an Infocyte account which is used for maintenance, support, and password resets.
Security Features:
• All infrastructure on Infocyte’s AWS Virtual Private Cloud (VPC) within US or UK datacenters
• All employees and contractors with access to infrastructure are rigorously vetted and utilize principles of least privilege
• Data Encrypted in transit (SSL) and at rest
• Regular Penetration Tests to identify and patch vulnerabilities
• Multi-Factor User Authentication (Coming Dec 2019)
• Audit (Activity) Logs monitored 24/7
Authentication
Infocyte HUNT authentication is protected with the strongest industry-accepted encryption and authentication standards. Going above industry standard, we do not use cookies to store session tokens in browsers.
Credential Manager
For Agentless collection, service accounts and SSH keys may be utilized. These credentials are encrypted and stored within Infocyte’s credential manager.
Options exist for both server-side keys (provided by Infocyte) and client-side keys (generated and stored on-prem).
38. ROI of Proactive Detection and Response
Security Mindset:
• Reactive: Wait for Alert → Investigate
• Proactive: Find issues → Detect and Resolve