Senseon Labs: Automated response with Senseon Reflex

 

At Senseon, we pride ourselves on developing technologies that will transform how the industry deals with cyber threats. Although Senseon’s threat detection platform has been on the market for some time now, we recently released our threat response capability: Senseon Reflex. Furthering our mission to protect our customers in an evolving threat landscape, Senseon Reflex allows threats to be rapidly isolated on endpoints before they impact operations.

In writing this blog, I wanted to share the benefits of Senseon Reflex not just at an organisational level, but also for the individual members of security teams. Through a comparison with traditional single-point endpoint and network threat detection and response methods, I will show how Senseon Reflex augments analysts’ abilities to protect their organisations, whilst at the same time making their lives easier.

I myself have been an analyst for around a decade. During my time as a Security Operations Manager and Threat Discovery Manager, I deployed and managed multiple tools from many of the world’s leading vendors, many of which were immensely frustrating to use. It has become my personal mission to develop capabilities that improve the lives of analysts and security professionals so that they can avoid the difficulties that I experienced and move beyond the limitations of conventional tools.

It is at Senseon that I get to see my mission become a reality.

I now have the opportunity to turn my frustrations into positive outcomes that provide analysts with interesting threat investigation opportunities, many of which continue to inspire me to love my role in cyber security.

Senseon Reflex vs WannaCry: from detection to response in just 8 seconds

Background

Traditional approaches to cyber AI threat detection and isolation fall into two broad categories: network and endpoint. Some excel at isolating threats on the network layer, whilst others are dedicated to isolating them on endpoints. I’ll first discuss network tools, and then move onto endpoints. It might get a bit technical, but bear with me, and I’ll try to make it as interesting and as informative as I can!

Brad goes phishing

Network-based IDS and IPS

So, the first thing to know is that there are two main categories of tools operating on the network layer: IDS and IPS. Whereas an IDS (Intrusion Detection System) is designed merely to detect threats as they enter an organisation, an IPS (Intrusion Prevention System) is designed to actually prevent them. In many ways, you would be right to think that this makes an IPS a lot more useful, but as we shall see this is not necessarily the case.

An IDS will not drop or manipulate traffic, and is in many ways quite limited. An IDS is often only deployed at a network’s perimeter, making it ineffective at detecting malicious lateral movement within an organisation. Furthermore, IDS solutions don’t protect devices outside of the network, making them ineffective for travelling workforces.

By only looking at traffic from one point of view, they can’t build up the context necessary for accurate threat detection, meaning they have to err on the side of caution when creating alerts.

This has a knock-on effect for other parts of an organisation’s security capabilities, as time is taken up investigating the false positives alerts they produce.

IPS solutions were created to prevent harmful communications. An IPS has greater capabilities than an IDS inasmuch as it can both detect threats and then respond to them. However, an IPS, being single-point like an IDS, suffers from many similar issues, such as not working for devices outside of the corporate network and raising far too many false positive alerts. The automated response capabilities of an IPS mean that its false positive alerts are far more damaging than an IDS false positive. Whereas an IPS will shut down a system, an IDS will merely create another alert. Since these devices are in-band, every time a false positive is detected, the system will shut down and all communications will fail. Developers began to look at devices that would work out-of-band, which led to TCP resets.

Late nights can often mean missing social plans

Application isolation on the network

TCP resets are, of course, useful for stopping TCP-based communications. The TCP reset packet, which claims to be from a legitimate sender, is sent to one of the hosts and asks for the connection to be reset. This causes the TCP connection to be torn down, breaking the communication and forcing the hosts to re-establish the connection with a new three-way handshake. Because TCP resets are out-of-band, they don’t shut down an entire system.

Whilst not always guaranteed to be successful, TCP resets can be useful for isolating some threats on the network layer, particularly for devices that can’t have endpoint agents installed on them, such as IoT devices.

There are a variety of ways that suspicious sequences within packets can be detected and result in a TCP reset. Field Programmable Gate Array (FPGA) devices are utilised for very high speed traffic analysis, whilst a Switched Port Analyser (SPAN) port or network tap provides a copy of its traffic to a network traffic analysis system.

However, network traffic analysis systems can take a lot of time to ingest and analyse traffic, load it into memory or write it to a database, run analytics, make a decision whether or not to block the connection, and then utilise a TCP reset. Even on the highest performing system in optimal conditions, this may be an unacceptable delay. This problem is exacerbated by global workforces.

Even if a company utilises the fastest corporate network connections and has a robust system architecture, there will still be additional delays in receiving data and sending out TCP resets due to the physical limits of how fast information can move over long distances.

Of course, whilst the clue is in the name, not every protocol in modern enterprises relies on TCP. Consider UDP and ICMP traffic, which includes many VPNs and DNS. These are extremely fast, connectionless protocols, allowing communications to be completed in milliseconds. TCP resets of course have no effect on ICMP or UDP traffic. It is also worth considering that today most web pages are loaded in under a second, a speed matched by most malicious communications, including malware connecting to a Command and Control server or downloading a payload.

In addition to suffering when traffic is particularly fast, TCP resets only provide protection when the target user is on the corporate network. Many corporate users will work outside of the traditional corporate network, for example, whilst travelling. TCP resets rely on sending spoofed packets that pretend to come from the other end of the connection. However, many ISP filters prevent spoofed packets from being sent over the internet, which prevents TCP resets from working. Tools such as Unicast Reverse Path Forwarding (uRPF) or bogon filtering are utilised for exactly this purpose. This means that customers who want to use blocking tools such as uRPF need to accept the risk that their own TCP resets will not work as expected.
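To make the uRPF point concrete, here is an added example (not code from Senseon or the original post) that simulates a provider edge router’s reverse-path check against a small constructed routing table: a sensor on the customer site emits a reset that spoofs the remote peer’s address, and strict uRPF drops it because the reverse route for that source does not point back at the ingress interface. All addresses, interfaces and routes are constructed for illustration.

```python
# Added example: simulating strict and loose Unicast Reverse Path
# Forwarding (uRPF) at an ISP edge router.  Routing table, interface
# names and addresses are constructed; 203.0.113.0/24 and 192.0.2.0/24
# are documentation ranges used purely as sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed forwarding table of the edge router.  The customer site
# (10.20.0.0/16) is reached via 'cust0'; two remote networks are
# reached via the upstream interface 'up0'.  There is no default route,
# so 192.0.2.0/24 is unrouted from this router's point of view.
FIB = [
    Route(ipaddress.ip_network("10.20.0.0/16"), "cust0"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "up0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "up0"),
]


def best_route(addr: str):
    """Longest-prefix match for an address; None if there is no route."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in FIB if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_permits(src: str, ingress: str, mode: str = "strict") -> bool:
    """Return True if the router would forward a packet whose source is
    `src` arriving on interface `ingress`.

    strict: the best route back to the source must point out of the
            interface the packet arrived on (this is what defeats a
            spoofed reset sent from the wrong side of the network).
    loose:  any route to the source suffices; this only drops sources
            that are unrouted altogether (bogon filtering).
    """
    route = best_route(src)
    if route is None:
        return False
    if mode == "loose":
        return True
    return route.interface == ingress


if __name__ == "__main__":
    # Sensor on the customer site spoofs the remote peer 203.0.113.7 in
    # a reset packet; it arrives on cust0, but the reverse route is up0.
    print("spoofed reset, strict uRPF:", urpf_permits("203.0.113.7", "cust0"))
    print("spoofed reset, loose uRPF :", urpf_permits("203.0.113.7", "cust0", "loose"))
    print("genuine site traffic      :", urpf_permits("10.20.5.9", "cust0"))
    print("bogon source, loose uRPF  :", urpf_permits("192.0.2.1", "cust0", "loose"))
```

The same check run for a packet arriving on `up0` with source 203.0.113.7 passes in both modes, which is why a reset that is genuinely sent by the remote peer is unaffected while the sensor’s spoofed copy is not.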

Finally, protocols such as IPSec that have been designed to prevent tampering end up stopping the TCP reset. Such protocols take steps to prevent external manipulation of TCP flags, meaning that if the communication uses IPSec, then TCP resets are unable to prevent communications. This ensures that attackers can’t use TCP resets for malicious purposes, yet also prevents the legitimate purpose of TCP resets from being carried out.

With these points in mind, companies are likely to think that having TCP reset capabilities in every part of their network is rather risky, regardless of how devastating the potential consequences of an attack may be. Instead, companies might look towards an alternative approach that can lead to a more assured automated response.

Application isolation on the network layer is one such approach. This creates a safe space within which an application from the Internet can run, ensuring that any potential damage is limited to that specific, isolated, and virtualised portion of the system. One obvious example of this in action is the browser tab, which is easily destroyed after use. Some other vendors have commercialised this technology very well, and many security professionals are no doubt also familiar with the method whereby files are executed before reaching the endpoint within a sandbox.

While application isolation provides a good way of detecting attacks and protecting the user, attackers will always innovate.

Malware authors have long been aware of the need to detect these sandboxes, and have built in protective mechanisms to prevent their malware detonating should they find themselves in these environments.

Endpoint threat isolation

There are advantages and disadvantages to having assured automated response capabilities on endpoints. Endpoint security solutions come in two flavours: ones that identify and stop malicious processes before they execute, and ones that isolate, or ‘sandbox’, applications.

The first of these, those that quarantine malicious programs, includes Endpoint Protection Platforms (EPP) and antivirus. These look for known rules and signatures, such as snippets of code already identified as being malicious, or even use machine learning models to stop most of these executables before detonation.

The second is an application isolation tool that is based on largely the same principle as ‘sandboxing’ on the network layer, but is miniaturised and used on the endpoint device itself within specific applications. This can take various approaches, ranging from separating each tab of a browser into its own isolated process, to going a step further and employing micro-virtualisation solutions that isolate applications within their own mini virtual machine.

However, many versions of sandboxing at this level only work with very particular versions of hardware. The reliance on certain chipsets means that the sandboxing will occasionally not operate as expected, with the result that, regardless of its security capabilities in theory, it can be less than optimal at dealing with heterogeneous enterprise IT estates of varying hardware types. This means that the underlying threat detection capabilities necessary for isolation aren’t deployed widely enough to guarantee full safety for an organisation.

 
This wasn’t the sandbox Brad’s son was expecting…

Foundations of automated response

The purpose of successfully deploying a modern automated response system is, of course, to have highly accurate detections beyond the capabilities of single-point tools. It is essential not to chuck out false positives and cause the automated response to activate when merely legitimate user or device behaviour has been detected. This is more difficult than it sounds, and we don’t want to go back to the days when we tried to deploy legacy Intrusion Prevention Systems (IPS) but quickly turned them off because of the disruption caused to our businesses.

I believe that we are moving into a future where highly accurate threat detection will support and augment already overstretched security teams.

We will see a platform that, through its intelligent, in-depth understanding and knowledge of company environments, will have the confidence and trust of security operations teams to carry out precision automated response actions on a business’ behalf.

With threat isolation naturally relying on accurate, timely threat detection, the market is calling out for a new solution that looks across both endpoints and networks to build and develop a contextual understanding of threats. It was to address the issue of false positives overwhelming security teams that the Senseon platform was created, and Senseon Reflex is the latest development in our mission to make the lives of security teams easier. This is where it gets exciting.

Alarming statistics of the reality for security professionals

Rising to the challenge

Senseon Reflex was designed to tackle the industry’s problems head on. The platform offers organisations a practical alternative to fill in the gaps left by traditional single-point endpoint and network solutions, which lack contextual awareness and as a result often make poor decisions about isolating threats. Senseon’s AI-led threat detection and response technology isolates threats on the patient zero device, surpassing the capabilities of traditional intrusion detection and prevention systems that are hindered by their limited viewpoints.

Senseon Reflex is intended to meet present and future threats and to provide a framework upon which yet further solutions can be deployed.

We built the Senseon platform from the ground up to ensure that it has the solid technical foundations necessary for enabling better and more effective threat detection and response even as the threat landscape continues to change.

The platform autonomously isolates high velocity, high impact threats before they have a chance to cause serious damage within an organisation, and does so with great accuracy.

The technology

At the heart of the Senseon platform is an advanced system known as AI Triangulation. This technology blends together its senses across endpoints, networks, and Investigator Bots, enabling Senseon to detect even the most subtle and complex of threats. Senseon observes threats from multiple perspectives, pauses for thought, and learns from experience, enabling the platform to think and reason like a human analyst, and to automate the process of investigation.

Senseon Reflex builds on AI Triangulation’s ability to accurately detect malicious activity. Conventional automated response tools that lack context or produce high levels of false positive alerts can be very damaging to organisations.

Just because a behaviour is unusual or new, does not mean that it is malicious and should be stopped.

Senseon Reflex’s ability to understand context and differentiate between unusual behaviour and malicious activity ensures that the platform is able to isolate genuine threats without needlessly impacting legitimate business operations.

 
Senseon Reflex halting an in-progress crypto ransomware attack

Benefits for analysts

Businesses today face an unprecedented volume and sophistication of attack techniques that are capable of evading detection and crippling systems within minutes. Response time is critical, but traditional tools and human security teams are often too slow to respond. Senseon Reflex is a cost-effective solution that helps companies deal with the challenge of fast moving attacks by automating the process of threat response and taking appropriate action on behalf of their security team. In operation 24/7, Senseon Reflex works tirelessly to respond to threats, halting the progress of attacks before they become a problem, for example, by removing devices from the network.

The future of automated response

The role of AI in threat detection and response has dramatically changed over the last five years. We are now at a point where this technology can provide real, tangible value to businesses and analysts alike. Traditional endpoint and network threat detection and response solutions made admirable attempts to utilise AI in protecting organisations against malicious actors.

However, innovative solutions must always be sought in order to stay ahead of constantly changing and adapting attacker techniques.

Senseon Reflex takes a different approach to its predecessors through its innovative ability to constantly adapt and stay ahead of the changing threat landscape. The platform’s use of AI Triangulation enables it to automate threat response with great accuracy, ensuring only genuine threats are isolated and business operations aren’t needlessly interrupted. Our mission is to build technology that will improve the lives of security professionals, something I hope you’ll agree has happened with Senseon Reflex’s automated response capabilities.

I look forward to continuing our work in expanding Senseon Reflex’s automated response framework and building features that I hope will bring you as much pleasure as they bring me. I find nothing more thrilling than helping Senseon enhance its capabilities. Truth be told, Senseon is the product I wish I’d had whilst running SOCs in my past, and it’s genuinely really exciting to be able to bring it to others.

Click here for a more in-depth demo of the Senseon platform.

Thanks for reading!

Brad

 

About the author


Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at Senseon, and specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.

 
Brad Freeman

With over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors, Brad has led the threat hunting and research teams at global organisations such as BT, managed Security Operations at EE, and performed incident response offshore on oil and gas platforms.

Brad now leads the threat analysis team at Senseon, applying machine learning and AI to detect and investigate cyber adversaries. Brad specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.

Brad holds the CISSP and CISM certifications.
