Service behavior monitoring

Plixer One Security addresses the limitations of traditional security technologies by applying AI and ML techniques to provide early, generic detections for activity associated with advanced persistent threats (APTs).

These detections rely on behaviors rather than signatures and give security teams an additional layer of defense against attempts to use common services to infiltrate, infect, and exploit network resources.

Overview

Plixer One Security’s approach to anomaly detection relies on the Plixer ML Engine to turn the flow data collected by Plixer Scrutinizer into behavioral models that represent typical host activity. All incoming flow data can then be compared against these baseline models to proactively scan for potentially malicious activity and alert security teams in real time.

Configuring anomaly detection

The Plixer ML Engine’s anomaly detection functions can be adapted to any type of environment through its configuration:

Dimensions

Services/applications (protocol and port) whose behavior is modeled and monitored for anomaly detection

Inclusions

Hosts (by Exporter or subnet) being monitored for anomalous behavior

Sensitivity

The tolerance for deviations from baseline service behavior for hosts associated with the inclusion

Defining dimensions and inclusions for the engine isolates traffic information to reduce the amount of “noise” and maximize the accuracy of detections. Organizations are also able to tune detections to their unique processes and workflows by adjusting the sensitivity for individual inclusions.

Hint

Low sensitivity is generally recommended for critical subnets (e.g., finance, HR) where all irregularities should be reported, while a High setting can be used for hosts whose security requirements are less strict.
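To make the three settings concrete, the following is an added illustration (not Plixer's engine or its model; the per-host mean/deviation baseline, the z-score comparison and the sensitivity-to-threshold mapping are all assumptions). It filters constructed flow records by dimension and inclusion, builds a baseline per host and service, and raises an alarm when live traffic deviates further than the inclusion's sensitivity tolerates:

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed configuration mirroring the page's three settings.
DIMENSIONS = {("tcp", 445), ("tcp", 22)}             # services modeled
INCLUSIONS = {"10.1.0.0/16": "low", "10.2.0.0/16": "high"}  # subnet -> sensitivity
# Assumed mapping: lower sensitivity tolerates fewer standard deviations.
TOLERANCE = {"low": 2.0, "high": 4.0}

def inclusion_for(host):
    """Return the sensitivity of the inclusion covering host, or None."""
    ip = ipaddress.ip_address(host)
    for cidr, sensitivity in INCLUSIONS.items():
        if ip in ipaddress.ip_network(cidr):
            return sensitivity
    return None

def build_baseline(history):
    """Mean and deviation of bytes per (host, proto, port) for modeled services."""
    series = defaultdict(list)
    for src, proto, port, nbytes in history:
        if (proto, port) in DIMENSIONS and inclusion_for(src):
            series[(src, proto, port)].append(nbytes)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in series.items()}

def detect(baseline, live):
    """Compare live flows against the baseline; return (src, proto, port, reason)."""
    alarms = []
    for src, proto, port, nbytes in live:
        sensitivity = inclusion_for(src)
        if (proto, port) not in DIMENSIONS or sensitivity is None:
            continue  # outside the configured dimensions/inclusions: ignored as noise
        key = (src, proto, port)
        if key not in baseline:
            alarms.append((src, proto, port, "service never seen for this host"))
            continue
        mean, sd = baseline[key]
        z = (nbytes - mean) / (sd or 1.0)
        if z > TOLERANCE[sensitivity]:
            alarms.append((src, proto, port, f"z={z:.1f} exceeds {sensitivity} sensitivity"))
    return alarms

# Constructed sample data: identical SMB history for a low- and a high-sensitivity host.
SAMPLE_HISTORY = [(h, "tcp", 445, b) for h in ("10.1.5.5", "10.2.7.7")
                  for b in (1000, 1100, 900, 1000, 1000)]
SAMPLE_LIVE = [("10.1.5.5", "tcp", 445, 1200), ("10.2.7.7", "tcp", 445, 1200),
               ("10.1.5.5", "tcp", 22, 40), ("192.168.1.1", "tcp", 445, 99999),
               ("10.1.5.5", "udp", 53, 500)]

def run_sample():
    return detect(build_baseline(SAMPLE_HISTORY), SAMPLE_LIVE)
```

The same 1200-byte deviation alarms on the low-sensitivity host but not on the high-sensitivity one, and a host using a modeled service it has no baseline for is flagged regardless.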

Investigating anomaly detections

Once anomalous behavior is reported via an Alarm, the appropriate response can be determined using a combination of Plixer Scrutinizer workflows, including:

  • Drilling down into the Alarm (e.g., Plixer Security Intelligence, Lateral Movement Behavior, etc.) and checking the timeline to determine whether the detection is an isolated observation or an ongoing Event

  • Inspecting event Artifacts to see which hosts were involved and drilling into them to gain further insights from Plixer Endpoint Analytics

  • Reviewing activity via the Behavior tab when drilling into hosts from the Explore > Entities > Hosts view

  • Running Source and Destination Reports on the hosts to check for traffic between them and external IP addresses

Hint

After running an initial Report, it can be refined directly from the output view to enable further investigation.

Workflows

The following workflow(s) show how Alarms related to anomalous service behavior are used to investigate potential cyber attacks: