Perception Update - Improvement In Communication Mechanism

An update to the communication mechanism between the Perception Sensor and the Central Correlation Server (CCS).

This improvement allows more detailed meta-data to be stored in the data sent to the CCS from the sensors.  It increases communication reliability and transport bandwidth efficiency at higher data rates.  The improvement also speeds up the encode and decode times of the data on either end, improving communications speeds.  We have also implemented the ability for a sensor to send to multiple CCSs so customers can have redundancy for their CCS.

The core concept of Perception has always been gathering the best behavioural information possible from the network.  As vulnerabilities change and we discover new ways that businesses might find themselves exposed, it becomes vital that we add more ways of understanding behaviour on a network.  As a result of this gradual increase in information gathering, we start to put strain on the communication link between the sensor and the CCS.

This update could be seen as a group of fairly boring performance enhancements; however, these are vital changes that allow us to increase the capabilities of Perception even further in future.  Between the increase in reliability on extremely busy networks and the increase in decode/encode speed, this performance boost allows us to send much richer metadata, which means our analysts (and our AI, more on that soon) have better information to work from.

The importance of the redundancy capability also mustn't be underestimated.  Many customers work in mission-critical environments and require 100% uptime for cyber security systems.  Adding the ability to control a main CCS and a failover is an absolute necessity for these businesses, and something we're delighted to be able to provide.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCS using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Improvements to Behavioural Classifier

The identification of the ‘Communicating with many hosts’ behaviour has been enhanced to detect newer variations of this activity, as well as producing more metadata when it is identified.

The Communicates with Many Hosts classifier is typically used to identify behaviours associated with network discovery, fingerprinting, brute-force attacks, or potentially unwanted system use such as online gaming or torrent traffic.  Some of these behaviours are good indicators of compromise and are useful in understanding what hosts on your network are doing.

After some good feedback from our analysts, we have enhanced the classifier to look back further in time to identify low and slow attack methodologies, and have significantly enhanced the associated metadata to allow for easier attribution of behaviours to hosts.

The longer look back means that the behaviour cannot be hidden by taking a break in activity for an extended period of time, or by randomising/normalising fingerprinting periods to avoid detection by anomaly detection methods.  As a result we can discover this type of activity when we simulate it on our test networks, regardless of the techniques we use to hide the behaviour.

The extra metadata enables the analyst to quickly identify behaviour of interest and understand what a host is doing more effectively.
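To illustrate why the longer look back matters, here is an added example (not Perception's own classifier code) of a distinct-destination counter with a trailing window, run over constructed flow records in which a host probes one new address every ten minutes and pauses for four hours partway through. The threshold, window lengths and all addresses are assumptions chosen for the demonstration; the alert carries the kind of attribution metadata described above (first/last seen, span, hosts contacted).

```python
from collections import defaultdict


def build_flows():
    """Constructed (timestamp_seconds, src, dst) records; not real traffic.
    10.0.0.5 probes a new host every 10 minutes, pauses 4 hours after ten
    probes, then resumes. 10.0.0.9 is a normal client using two servers."""
    flows = [((i - 1) * 600, "10.0.0.5", f"10.0.1.{i}") for i in range(1, 11)]
    resume = 9 * 600 + 4 * 3600
    flows += [(resume + (i - 10) * 600, "10.0.0.5", f"10.0.1.{i}") for i in range(11, 21)]
    for t in range(0, resume + 7200, 900):
        flows += [(t, "10.0.0.9", "10.0.2.1"), (t + 1, "10.0.0.9", "10.0.2.2")]
    return sorted(flows)


class ManyHostsDetector:
    """Alerts when a source has contacted >= threshold distinct destinations
    within the trailing window. A long window is what catches low-and-slow
    activity; a short one only ever sees a handful of contacts at a time."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self._seen = defaultdict(dict)  # src -> {dst: last_seen_ts}

    def observe(self, ts, src, dst):
        seen = self._seen[src]
        seen[dst] = ts
        cutoff = ts - self.window
        for d in [d for d, t in seen.items() if t < cutoff]:  # expire stale contacts
            del seen[d]
        if len(seen) >= self.threshold:
            first = min(seen.values())
            return {"src": src, "distinct_hosts": len(seen), "first_seen": first,
                    "last_seen": ts, "span_seconds": ts - first, "hosts": sorted(seen)}
        return None


def first_alert(flows, threshold, window_seconds):
    """Replay flows in time order and return the first alert, or None."""
    det = ManyHostsDetector(threshold, window_seconds)
    for ts, src, dst in flows:
        alert = det.observe(ts, src, dst)
        if alert:
            return alert
    return None
```

With a one-hour window the probing host never exceeds seven live contacts and nothing fires; with a 24-hour window the same records produce an alert spanning the pause.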

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co

Perception Update - Anomalous Host and Session Scores

The anomaly score produced by the neural network for any session is now shown to the analyst.

Utilising Perception’s statistics from the neural network, it is now possible to indicate to an analyst that a conversation between two hosts on the network is deemed to be outside of the norm. This information is now collated and presented to the analyst in the form of the hosts and sessions with the most and least unusual behaviours with a score given for each.

At Perception we believe that particularly unusual behaviour isn't the be-all and end-all of cyber security.  We do think, however, that this information can sometimes be useful, and any data about particularly unusual sessions should be available to the analyst, so we've put statistics on unusual sessions on a separate screen in the UI.

This information provides the analyst with additional metrics on which to base their investigation into a given host.  For example, if some unusual scanning behaviour has been detected for a specific host, then these statistics can be used to enhance the information to the analyst by indicating if any other anomalous behaviour has been detected.  As a result the analyst can build a broader or more detailed picture about a particular host to speed up or more accurately triage something of interest.

This update is CCS based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own CCS using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co

Perception Update - Internationalisation Support

Support for multiple sensors and multiple users in different time zones.

This feature enables events from multiple sensors located in different time zones to be correlated and presented to multiple users in different time zones, with full representation of both the users' local time and the event origination times.

So what happens when you need two Perception sensors across multiple time zones?  Well, the system works normally, but since multiple time zones have different working hours, the network may misunderstand what time different activities occurred.  Since clocks go back at different times during the year, step changes may occur in user behaviour on one sensor that don't occur on another.  Perception is a system that needs to understand behaviour on a temporal basis, so understanding time itself is vital.

To help understand how difficult this is, here’s a really useful video from Tom Scott on Computerphile:

Perception now supports multiple time zones on a single sensor network, so our customers with sensors in various international offices maintain the same high detection rates as those in a single time zone.

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

You can see more videos from Computerphile here, and more from Tom Scott here.

Perception Update - Multiple Ethernet Monitoring Interfaces

Support for multiple input Ethernet monitoring interfaces.

This feature removes the dependency on additional hardware required to aggregate multiple monitoring Ethernet sources into a single 10G input in order to be processed by the system.  Multiple 10G interfaces and multiple 1G interfaces can be supported.

Perception is designed to collect a feed from a central SPAN port or Network Tap.  We have several sites where the network architecture has resulted in two network cores, which means two feeds from two SPAN ports/taps, which means two Perception sensors.  Seeing that this doubled the deployment cost of Perception, we have changed how Perception sensors collect data so that a single sensor can take in multiple SPANs or network tap feeds.  In complex networks this can reduce deployment costs massively, which removes a financial hurdle from some of our smaller customers.

Some other customers may have a similar problem based on the equipment they use, rather than the network architecture.  It may not be possible to output all network data from a single SPAN port on all switches; this added capability fixes that issue too.

This update is a functional change in how we deploy the sensors themselves and therefore should have no impact on existing customers that we haven’t already contacted.  If we haven’t already contacted you and you feel that this change could reduce the number of sensors you use please feel free to contact your SOC point of contact.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co

Perception Update - Unusual Data Movement Meta Data

Publishing of additional meta-data associated with the Unusual Data Movement classifiers.

This additional meta-data provides the analyst with a detailed picture of the individual transaction that led to the classifier firing.  This enables them to make a more informed decision as to whether this is expected behaviour or something potentially malicious.

Perception’s system is built around generating events for behaviours by analysing the raw packets on the network.  We have added valuable meta-data to help the system differentiate between behaviours of the same type.

The analogy we like to use is imagining that Perception is a security system for a small town, and having a window open is one of the behavioural classifiers.  The classifier would be created whenever a window was open, but that information alone would not be enough to confirm a burglary.  However, if the system gave a little more information, so we knew what time that window was opened, the ambient temperature when it was opened, whether it was opened from inside or outside, and whether it was forced open or a key was used, we’d be far more able to say whether it was a break in, or just someone getting some fresh air on a hot day.

Likewise, the unusual data movement behaviour has been updated to include more information about the data movement.  As we all know, data moving across the network at an unusual time, to an unusual destination, or of an unusual size isn't likely to be threat-like on its own.  However, now that the system is able to gather more low-level information about the transfer, the automated alerting systems and the analysts will be far better at identifying malicious data transfers amongst the legitimate ones.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCS using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Central database manager incorporated into Correlation Engine

Control of the main system database has now been incorporated into the central correlation engine.

Moving control of the central system database to the central correlation engine has increased overall performance of the system and also allows events to be correlated over a much wider timeframe.

Up until now the databases have been managed by a separate process running on the CCS, which meant that in larger deployments the system database would be a large, processor-hungry system separate from the main correlation processing, reducing query efficiency and limiting the timeframe and usefulness of lookbacks.

As a result of moving the central database control to the same process as the correlation engine the system has become faster to use, as less total processing is required by each piece of hardware.  The net effect of this is that each correlation system is able to hold more data for longer, making the correlations more effective.

This update is CCS based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own CCS using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Statistics Dashboard

A new user dashboard displaying global statistics for the monitored network.

This feature provides the analyst with high-level information relating to the monitored network.  This enables them to spot unusual activity at the global scale and perform more detailed analysis on the individual hosts involved.

Threat analysis often comes down to using the time and resources available wisely to give you the best chance of finding something malicious or vulnerable.  Perception has always been specifically designed to help analysts focus on what’s important, so having a visual aid to help draw the analyst’s attention to certain aspects of a network is incredibly important.

The statistics dashboard itself is split into two halves: the left looking at the last hour, and the right looking at the previous 24 hours.  The data shown includes types of behaviour, frequency of behaviours, particularly noisy hosts, and the least common destinations outside of the network.  This interface is designed to help focus the analyst on hosts without having to jump out to a SIEM tool, saving valuable time and increasing Perception's ease of use.

Phil Andreotti, Head of Perception Service, said, “I typically switch between the events view, the ForensicAI view, and the statistics dashboard.  The statistics dashboard can show me exactly which boxes are demonstrating multiple types of a single behaviour, or multiple different types of behaviour which in certain combinations can be malicious.  Using this information I can quickly check up on a host to make sure the activity is legitimate before going on with the rest of my tasks.  The information about least common destinations outside of the network can immediately point me towards a host that is communicating with an unusual IP address, which can help pick out malicious behaviour limited to a single machine.”

This update is SOC based, and is now actively in use by all analysts working on monitored customers.  Self-monitored customers can update their own SOC boxes using the software upgrade process, and read the user guide to understand how to best make use of the statistics dashboard.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co

Perception Update - Hostname Cache

Implementation of a Hostname Cache that holds DHCP Hostname events that can be used to enhance existing Host identification with the addition of more user friendly hostnames.

Hostname resolution enables the analyst to more easily identify hosts by their (typically) human-readable name without performing an additional manual lookup.  Having the hostnames available also assists in the identification of rogue devices and in the attribution of threats.

Identifying hosts is key to any network security product.  Our hostname cache ensures analysts can track host activity regardless of dynamic IP.

Using this information we're able to more easily pick up unauthorised, new, or forgotten devices connected to the network that may be vulnerable to attack.  This also enhances our ability to monitor the lifecycle of potentially malicious behaviour, especially if the malicious activity extends beyond the IP lease period for the network.
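As an added example (not Perception's own implementation), the following cache records DHCP hostname events as time-bounded leases and attributes later flow records to the hostname that held the source IP at that instant, so a host keeps its identity when its IP changes and a reused IP is not misattributed. The DHCP events, addresses, hostnames and lease lengths are constructed for the demonstration.

```python
from collections import defaultdict


class HostnameCache:
    """Maps (ip, time) back to the DHCP hostname holding that lease at that time.
    DHCP events are assumed to arrive in time order."""

    def __init__(self):
        self._leases = defaultdict(list)  # ip -> [(start, end, hostname, mac)]

    def add_dhcp_event(self, ts, mac, ip, hostname, lease_seconds):
        leases = self._leases[ip]
        if leases and leases[-1][1] > ts:
            # The IP was handed out again while an earlier lease was still
            # nominally live; close that lease at the new assignment.
            start, _, name, old_mac = leases[-1]
            leases[-1] = (start, ts, name, old_mac)
        leases.append((ts, ts + lease_seconds, hostname, mac))

    def lookup(self, ip, ts):
        """Hostname for ip at ts, or None if no lease covers that instant
        (e.g. the lease expired and no renewal was seen on the wire)."""
        for start, end, name, _ in reversed(self._leases.get(ip, [])):
            if start <= ts:
                return name if ts < end else None
        return None


def attribute(cache, flows):
    """Group (ts, src_ip, dst_ip) records by the hostname behind src_ip,
    falling back to the bare IP when the cache cannot resolve it."""
    by_host = defaultdict(list)
    for ts, src, dst in flows:
        by_host[cache.lookup(src, ts) or src].append((ts, src, dst))
    return dict(by_host)


def demo():
    cache = HostnameCache()
    # Constructed DHCP events: (ts, mac, ip, hostname, lease_seconds).
    cache.add_dhcp_event(0, "aa:bb:cc:00:00:01", "10.0.0.20", "alice-laptop", 3600)
    cache.add_dhcp_event(7200, "aa:bb:cc:00:00:01", "10.0.0.31", "alice-laptop", 3600)
    cache.add_dhcp_event(7200, "aa:bb:cc:00:00:02", "10.0.0.20", "lobby-printer", 3600)
    # Constructed flows; the one at t=5000 falls in a gap with no valid lease.
    flows = [(500, "10.0.0.20", "10.0.9.1"), (5000, "10.0.0.20", "10.0.9.3"),
             (9000, "10.0.0.20", "10.0.9.2"), (9000, "10.0.0.31", "10.0.9.1")]
    return attribute(cache, flows)
```

The flow at t=5000 stays attributed to the bare IP because the first lease had expired and no renewal was observed, which is exactly the gap an analyst should be aware of when reading hostname-based attribution.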

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co

Perception Update - Optimise DNS Classifier Performance

Enhanced performance of the DNS Policy Cache.  Improvements have been made to allow many more lookups to be performed against the DNS blacklist.

This enables more fine-grained control of the DNS blacklist by adding more lookup values without significantly increasing the amount of processing required.

Perception packs a huge capability into a small form factor, so we’re always looking for ways to do things either more efficiently or more effectively.  We’ve enhanced our DNS blacklist engine to increase the number of lookups while maintaining system performance.

As a result, the analyst can now rapidly identify more suspicious DNS lookups, focussing their attention on areas of concern.

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.co