Threat hunting

Plixer One Security can enhance any team’s threat-hunting capabilities by providing them with centralized access to rich, contextualized data accounting for every host and conversation in a network.

Through Plixer Scrutinizer, Plixer One Security is also able to provide real-time alerts for generic malware and other anomalous traffic/activity, drive efficient workflows with its purpose-built UI, and integrate multiple threat intelligence functions. This gives teams the ideal starting point for their threat-hunting operations.

Overview

Plixer Scrutinizer plays two integral roles as part of a security team’s threat-hunting program:

1. Collects traffic and host data for the entire environment (including assets in the cloud), storing hundreds of thousands of data points for investigations

2. Provides centralized access to all available data through various contextual views and reporting functions

This allows SecOps teams to efficiently search through and analyze device-level behavior and host conversations to search for suspicious activity and potential threats. Historical data can also readily be accessed to hunt for indicators of attack (IoA).

Visibility and workflow enhancements

Security teams using Plixer One Security can leverage the following functions and features to hunt for threats:

Alarm Monitor

The Alarm Monitor provides real-time alerts for anomalous behavior and other network activity violating Plixer Scrutinizer Alarm Policies. It functions as both a monitoring view for suspicious traffic and an interface for drilling into activity timelines and individual Event artifacts, and more.

Customized reports

To further investigate Alarms/Events, users are able to run reports that can be tailored to their exact visibility requirements. These reports can also be used to drill deeper into specific data elements to identify infected hosts or malicious activity.

Configurable detection mechanisms

Configuration options for Flow Analytics algorithms and the Plixer ML Engine allow users to tailor Plixer Scrutinizer’s monitoring and detection functions to their specific requirements. This ensures that detections are always relevant and can greatly reduce investigation/response times for security teams.

Note

Plixer One Security includes additional detection techniques and mechanisms for security events.

Host indexing

With the Host Indexing FA algorithm enabled, a user is able to look up any IP address, find out whether or not the host has been seen on their network, and explore all activity associated with it. From the search results, the user can pivot directly to any applicable report and further investigate anomalous traffic originating from or targeting the host.

See also

For additional details on incident response workflows with Plixer Scrutinizer, see this use case.

Workflows

The following workflows are sample scenarios where the functions/features bundled with Plixer Scrutinizer are used in threat-hunting activities:

• Using host index to identify malicious IPs
• Reviewing Alarm Monitor for suspicious hosts
• Investigating off-hour network activity
• Identifying exfiltration outside business hours