sqrrl datasheet: cyber hunting


Posted on 15-Aug-2015


DATASHEET


SQRRL ENTERPRISE USE CASE: CYBER HUNTING

Proactively uncover hidden threats through cyber hunting

The days when Security Operations Center analysts could sit back and wait for alerts to come to them have long passed. Breaches and attacks at large companies and government agencies have shown that traditional measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s threats demand a more active role in detecting and isolating sophisticated attacks.

Hunting is the practice of searching iteratively through your data to detect and isolate advanced threats that evade more traditional security solutions. In other words, hunting trips are designed to proactively uncover threats hidden in a network or system.

The Sqrrl Enterprise Edge

Sqrrl Enterprise is a real-time, unified platform for securely integrating, exploring, and analyzing massive amounts of data from any source. By creating visual models using linked data, Sqrrl is able to generate a clearer contextual picture for analysts.

Sqrrl Enterprise powers cyber hunting via the following features:

• Enables a hunter to filter and prioritize Big Data, employing advanced data science techniques
• Allows pivoting in real time between disparate datasets and distinct parts of a network
• Facilitates iterative question chaining, which streamlines the process of response and investigation
• Generates advanced visualizations consisting of weighted, directional nodes and edges that can provide compact representations of complex, dense datasets

Example Advanced Persistent Threat Hunting Use Case


ABOUT SQRRL


Sqrrl was founded in 2012 by creators of Apache Accumulo™. With their roots in the U.S. Intelligence Community, Sqrrl’s founders have deep experience integrating and analyzing complex petabyte-scale datasets. Sqrrl is headquartered in Cambridge, MA and is a venture-backed company with investors from Matrix Partners, Atlas Venture, and Rally Ventures.

125 Cambridge Park Dr Cambridge, MA 02140

www.sqrrl.com @SqrrlData

p: (617) 902-0784 e: [email protected]


Leveraging Data Science

Making sense of Big Data is no easy task, and your enterprise will want to keep as much data as it can store. To actually capitalize on terabytes or even petabytes of information, you will need a smart and effective way of making sense of it all. Modern machine learning and statistical tools have the potential to multiply a hunter's effectiveness by automating common tasks such as producing activity summaries or finding the “weird” entities in a dataset. Hunters need tools, like Sqrrl Enterprise, that provide data science without requiring the users to be data scientists.

Question Driven Investigations

Hunting trips should start with questions and hypotheses, not necessarily specific indicators. The question or hypothesis you start with might be something like “Is data exfiltration happening?” or “If data exfiltration is happening, it is most likely going on through this part of the network.” A hunter would then check whether any exfiltration is going through that subnet, and try to figure out what protocols might be used. There are often multiple ways you can look for the answers to these questions, but having some hypotheses helps you figure out what data you need to examine and what analytic techniques might be most fruitful. Sqrrl Enterprise’s query language makes asking these questions easy.

Keep on Pivoting

Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable. Plus, you need to be able to easily pivot from one dataset to the next to evaluate the full context of the attacker’s digital footprints. This might include moving from operating system events to Netflow data and then to application logs. Sqrrl Enterprise is able to support this kind of nimble data exploration.
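The three sections above describe one hunt: state a hypothesis (exfiltration leaves through a particular subnet), let a simple statistic surface the “weird” host rather than eyeballing every record, then pivot from the flow data into another log for context. The following is an added example of that workflow in plain Python; it is not code from the datasheet or from Sqrrl Enterprise, whose query language is not shown here. The NetFlow-style tuples, the DNS log lines, the subnet and every address and byte count are constructed for illustration, and the internal address ranges, the 10.1.0.0/16 hunt subnet and the outlier threshold are assumptions you would replace with your own.

```python
"""Hypothesis-driven exfiltration hunt over constructed flow records.

Added example, not Sqrrl Enterprise code. Every record, address and
volume below is constructed; the subnet and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed "inside" address space; anything else is treated as egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Hypothesis: if exfiltration is happening, it leaves via the user subnet.
HUNT_SUBNET = ip_network("10.1.0.0/16")

# Constructed flow records: (src, dst, dst_port, proto, bytes_out).
FLOWS = [
    ("10.1.4.12", "93.184.216.34", 443, "tcp", 180_000),
    ("10.1.4.12", "93.184.216.34", 443, "tcp", 150_000),
    ("10.1.4.19", "93.184.216.34", 443, "tcp", 210_000),
    ("10.1.4.19", "198.51.100.7", 80, "tcp", 90_000),
    ("10.1.4.23", "93.184.216.34", 443, "tcp", 160_000),
    ("10.1.4.31", "203.0.113.9", 53, "udp", 4_900_000),  # DNS, but megabytes of it
    ("10.1.4.31", "203.0.113.9", 53, "udp", 3_700_000),
    ("10.1.4.40", "93.184.216.34", 443, "tcp", 175_000),
    ("10.2.7.5", "203.0.113.9", 53, "udp", 8_000_000),   # outside the hunt subnet
    ("10.1.4.12", "10.1.9.9", 445, "tcp", 9_000_000),    # internal SMB, not egress
]

# Constructed DNS log lines used for the pivot: "<client> query <type> <name>".
DNS_LOG = [
    "10.1.4.31 query TXT a3f9c2e1b7d4.updates.example",
    "10.1.4.31 query TXT 9c1d0e7a55b2.updates.example",
    "10.1.4.12 query A www.example.com",
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows, subnet):
    """Sum bytes each host in `subnet` sent to non-internal destinations.

    Returns (total per host, per-host breakdown by (dst, port, proto)) so a
    flagged host can be pivoted into its channels without re-reading the data.
    """
    totals = defaultdict(int)
    breakdown = defaultdict(lambda: defaultdict(int))
    for src, dst, port, proto, nbytes in flows:
        if ip_address(src) in subnet and not is_internal(dst):
            totals[src] += nbytes
            breakdown[src][(dst, port, proto)] += nbytes
    return dict(totals), breakdown


def robust_outliers(totals, threshold=3.5):
    """Flag hosts far above the population using median and median absolute
    deviation (MAD). A mean/std-dev baseline would be pulled up by the very
    host we are looking for; the median is not. Returns {host: score}."""
    if len(totals) < 3:
        return {}
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # every host identical: nothing is "weird"
        return {}
    scores = {h: 0.6745 * (v - med) / mad for h, v in totals.items()}
    return {h: round(s, 1) for h, s in scores.items() if s > threshold}


def pivot_dns(dns_log, host):
    """Pivot from a flagged host into the DNS log to see what it asked for."""
    return [line for line in dns_log if line.split()[0] == host]


def run_hunt(flows=FLOWS, dns_log=DNS_LOG, subnet=HUNT_SUBNET):
    """Run the hypothesis end to end and return one finding per flagged host."""
    totals, breakdown = egress_by_host(flows, subnet)
    findings = []
    for host, score in sorted(robust_outliers(totals).items(), key=lambda kv: -kv[1]):
        (dst, port, proto), nbytes = max(breakdown[host].items(), key=lambda kv: kv[1])
        findings.append({
            "host": host,
            "score": score,
            "egress_bytes": totals[host],
            "top_channel": f"{proto}/{port} to {dst} ({nbytes} bytes)",
            "dns_pivot": pivot_dns(dns_log, host),
            # Hunter's annotation: bulk outbound data maps to the final kill-chain phase.
            "kill_chain_phase": "Actions on Objectives",
        })
    return findings


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

The hypothesis scopes the data (only sources in the hunt subnet, only destinations outside your own ranges), the MAD score does the “find the weird entity” step, and the pivot turns a volume anomaly into something an analyst can act on: the flagged host is pushing megabytes over UDP/53 to a single address and its DNS queries are long hex labels under one domain, which is worth a closer look. Note that the internal check uses explicit ranges rather than `ip_address().is_private`, which would also classify the TEST-NET documentation addresses used here as private and hide the egress.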

Mapping Your Terrain

Knowing the lay of the land and where attackers may hide is a key element of hunting. Kill chain mapping provides a useful framework to plan your hunting trips for maximum impact. Typically, you will want to focus on the last two phases of the kill chain (Command and Control and Actions on Objectives) first, since the farther along the kill chain the adversary is, the worse the incident is for you. Sqrrl Enterprise provides the capability to annotate investigations with kill chain mappings.


Advice from a Hunter

"Organizations are realizing that their existing traditional security solutions, such as firewalls and SIEMs, are not finding everything that they need to find. On the detection side they’re doing well for what they do, but the problem is that signature-based or even intelligence-based network monitoring systems are limited. Attackers are virtually unlimited in what they can do. Adversaries are very flexible and agile, so that's what we have to be."

-David Bianco, Sqrrl's Security Architect; former Manager of Mandiant’s Hunt Team