Service behavior monitoring
Plixer One Enterprise addresses the limitations of traditional, signature-based security technologies by applying AI and ML techniques to provide early, generic detections of activity associated with advanced persistent threats (APTs).
Because these detections rely on observed behavior rather than signatures, they give security teams an additional layer of defense against attempts to use common services to infiltrate, infect, and exploit network resources.
Overview
Plixer One Enterprise’s approach to anomaly detection relies on the Plixer ML Engine to turn the flow data collected by Plixer Scrutinizer into behavioral models that represent typical host activity. All incoming flow data can then be compared against these baseline models to proactively scan for potentially malicious activity and alert security teams in real time.
Configuring anomaly detection
The Plixer ML Engine’s anomaly detection functions can be adapted to any type of environment through its configuration, which controls:
Services/applications (protocol and port) whose behavior is modeled and monitored for anomaly detection
Hosts (by Exporter or subnet) that are monitored for anomalous behavior
The tolerance (sensitivity) for deviations from baseline service behavior, set for the hosts associated with each inclusion
Defining dimensions and inclusions for the engine isolates traffic information to reduce the amount of “noise” and maximize the accuracy of detections. Organizations are also able to tune detections to their unique processes and workflows by adjusting the sensitivity for individual inclusions.
Hint
Because the sensitivity setting acts as the tolerance for deviations from the baseline, Low is generally recommended for critical subnets (e.g., finance, HR, etc.) where every irregularity should be reported, while High can be used for hosts whose security requirements are less strict and where only large deviations should raise an Alarm.
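As an added illustration of the configuration described above (example code written for this page, not Plixer's own code, and not a description of how the Plixer ML Engine models traffic internally), the following Python script shows the three knobs acting on constructed flow records: an inclusion selects hosts by subnet and a service by protocol and port, a per-host baseline of bytes per interval is built from history, and the sensitivity setting is applied as a tolerance for deviation from that baseline. The Inclusion and Flow classes, the z-score bounds in SENSITIVITY_Z, and all IP addresses and byte counts are assumptions constructed for the example.

```python
"""Toy per-host service baseline and tolerance check over flow records.

Illustration only: not the Plixer ML Engine. Every record below is constructed
sample data; the Inclusion fields and SENSITIVITY_Z bounds are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumption: sensitivity is a tolerance expressed as a z-score bound.
# Low tolerates the least deviation and therefore alarms the most.
SENSITIVITY_Z = {"Low": 1.5, "Medium": 3.0, "High": 5.0}


@dataclass(frozen=True)
class Inclusion:
    """Hypothetical inclusion: which hosts, which service, how much tolerance."""
    subnet: str       # hosts to monitor
    protocol: str     # service protocol, e.g. "tcp"
    port: int         # service port
    sensitivity: str  # "Low" | "Medium" | "High"


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record: interval label, source host, service, bytes."""
    interval: str
    src: str
    protocol: str
    dst_port: int
    bytes: int


def in_scope(incl: Inclusion, flow: Flow) -> bool:
    """Keep only flows from the included hosts to the modeled service."""
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(incl.subnet)
            and flow.protocol == incl.protocol
            and flow.dst_port == incl.port)


def build_baseline(incl: Inclusion, history: list[Flow]) -> dict[str, tuple[float, float]]:
    """Per host: (mean, population stdev) of bytes per interval on the service."""
    per_host = defaultdict(lambda: defaultdict(int))
    for f in history:
        if in_scope(incl, f):
            per_host[f.src][f.interval] += f.bytes
    baseline = {}
    for host, by_interval in per_host.items():
        vals = list(by_interval.values())
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[host] = (statistics.fmean(vals), stdev)
    return baseline


def detect(incl: Inclusion, baseline: dict, current: list[Flow]) -> dict[str, str]:
    """Compare one new interval against the baseline; return host -> reason."""
    observed = defaultdict(int)
    for f in current:
        if in_scope(incl, f):
            observed[f.src] += f.bytes
    bound = SENSITIVITY_Z[incl.sensitivity]
    alarms = {}
    for host, total in sorted(observed.items()):
        if host not in baseline:
            # A host never seen using this service is itself a deviation.
            alarms[host] = f"first use of {incl.protocol}/{incl.port} ({total} bytes)"
            continue
        mean, stdev = baseline[host]
        # Floor the spread so a near-flat baseline does not alarm on noise
        # and a perfectly flat one does not divide by zero.
        spread = max(stdev, 0.05 * mean, 1.0)
        z = (total - mean) / spread
        if abs(z) > bound:
            alarms[host] = f"{total} bytes vs baseline mean {mean:.0f} (z={z:.1f})"
    return alarms


def sample_history() -> list[Flow]:
    """Constructed history: two hosts using SMB (TCP/445) at a steady rate."""
    flows = []
    for i, (a, b) in enumerate([(1500, 2000), (1600, 2100), (1400, 1900), (1500, 2000), (1500, 2000)]):
        flows.append(Flow(f"t{i}", "10.1.10.5", "tcp", 445, a))
        flows.append(Flow(f"t{i}", "10.1.10.6", "tcp", 445, b))
    return flows


def sample_current() -> list[Flow]:
    """Constructed new interval: a spike, a mild drift, a new host, two out-of-scope flows."""
    return [
        Flow("t5", "10.1.10.5", "tcp", 445, 40000),   # ~25x normal: clear anomaly
        Flow("t5", "10.1.10.6", "tcp", 445, 2400),    # mild drift: reported only at lower tolerance
        Flow("t5", "10.1.10.7", "tcp", 445, 800),     # host never modeled on this service
        Flow("t5", "10.1.10.5", "tcp", 443, 900000),  # other service: ignored by this inclusion
        Flow("t5", "10.2.0.1", "tcp", 445, 900000),   # outside the subnet: ignored
    ]


def run_example(sensitivity: str) -> dict[str, str]:
    """Model TCP/445 for 10.1.10.0/24 at the given sensitivity and evaluate one interval."""
    incl = Inclusion("10.1.10.0/24", "tcp", 445, sensitivity)
    return detect(incl, build_baseline(incl, sample_history()), sample_current())


if __name__ == "__main__":
    for level in ("Low", "Medium", "High"):
        print(level, run_example(level))
```

Running the script prints the alarms raised at each level. At Low and Medium all three in-scope hosts are reported; at High the mild drift on 10.1.10.6 falls within tolerance while the traffic spike on 10.1.10.5 and the previously unseen host 10.1.10.7 are still reported. The two out-of-scope flows never influence the result, which is the noise reduction that defining dimensions and inclusions is meant to achieve.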
Investigating anomaly detections
Once anomalous behavior is reported via an Alarm, the appropriate response can be determined using a combination of Plixer Scrutinizer workflows, including:
Drilling down into the Alarm (e.g., Plixer Security Intelligence, Lateral Movement Behavior, etc.) and checking the timeline to determine whether the detection is an isolated observation or an ongoing Event
Inspecting event Artifacts to see which hosts were involved and drilling into them to gain further insights from Plixer Endpoint Analytics
Reviewing activity via the Behavior tab when drilling into hosts from the Explore > Entities > Hosts view
Running Source and Destination Reports on the hosts to check for traffic between them and external IP addresses
Hint
After running an initial Report, it can be refined directly from the output view to enable further investigation.
Workflows
The following workflow(s) show how Alarms related to anomalous service behavior are used to investigate potential cyber attacks: