Frequently Asked Questions

WHAT MAKES PERCEPTION DIFFERENT?

When adding a more modern capability such as Network Behavioural Monitoring to existing legacy network security suites, understanding the benefits that Perception brings is incredibly important. Below are some factors that will improve security by integrating Perception into a network security tool suite:

SITUATIONAL AWARENESS

Due to the way Perception is located within the core of the network it gets full 100% visibility of the traffic, not just at the perimeter where you see data going out to the internet. This positioning allows Perception to identify lateral movement and long term persistence in the network where perimeter devices offer very limited or no capability in this area.

PASSIVE ANALYSIS

Perception has been designed from day one to passively monitor your network, this means it does not need connections to the cloud to operate and can just as easily work on an air- gapped network as a connected network. Perception was designed specifically to not trust 3rd party data from sources such as Active Directory, Signatures, and Log Collection Agents etc. If it needs information it will decode it directly off the wire. This means that it can identify the real behaviours without the risk of the data being interfered with.

UNDERSTANDING YOUR NETWORK BEHAVIOUR

From the very first days of Perception it was understood that hunting for malware was only part of the story, you need a platform that can not only identify malware, but also identify misconfigurations and vulnerabilities (which the attackers will be able to exploit) and unusual network activity such as new devices entering the network or new services appearing that have not been seen before. This type of network situational awareness allows the organisation to take pro-active steps to securing the network before the attacks are made, rather than reacting to attacks that have already taken place.

POST INCIDENT FORENSICS

Perception’s KnowledgeBase capability is a powerful way to understanding the threat life cycle. Often the hardest question to answer is how or why a device has behaved in a certain

way and if there are any other devices behaving similarly. Perception’s KnowledgeBase capability has been developed to specifically allow for this type of deep dive analysis.

HIGH PERFORMANCE PROCESSING AND SCALABILITY

Perception has been designed to scale from a small business all the way up to a multinational organisation, all the while minimising the impact on an analyst’s time. This means that you can cover more of your network with less hardware and fewer analyst hours, saving money and improving detection capability without expanding your analysis team.

WHAT BEHAVIOURS DOES PERCEPTION LOOK FOR?

Perception includes a suite of classifiers designed to look for a range of potentially threatening behaviours, these include but are not limited to:

• Beaconing
• Scanning and Reconnaissance
• Brute Force Login Attempts
• Data Movement including Egress Data Loss • Ransomware
• DNS Misuse
• Device Misconfiguration
• Legacy Protocols Use
• Unexpected Devices, including IoT Devices

These behaviours may be malicious or benign and are fed to a higher layer for correlation to determine potential threats to the network. The analyst can perform searches at multiple layers across the data collected by the system. At a low-level the analysts can perform complex searches over network data presented as a set of session statistics complete with a rich set of additional meta-data. At the next level up, the analyst can search through the pre-classified behavioural events automatically generated by the system based on the network traffic being monitored. At the highest-level the analyst can search through the correlated events again automatically generated by the system based on collections of behavioural events and other interesting data.

HOW IS THIS DIFFERENT FROM EXISTING ANOMALY DETECTION SYSTEMS?

There are a number of anomaly detection systems on the market, and Perception was designed in various different ways to avoid the inherent problems they face:

ANOMALOUS ≠ DANGEROUS

Typical anomaly detection systems rely on scraping statistics from a network, and analysing them to identify the most anomalous activity, and producing an alert. Perception goes a level beyond this and uses an Expert System to identify whether an anomalous activity is something you really care about. By doing this, the high false alarm rate typically associated with anomaly detection systems is avoided, as Perception will not alert to benign anomalous behaviour.

DANGEROUS ≠ ANOMALOUS

Unfortunately, not all malicious activity is anomalous enough to be identified by pure anomaly detection systems. Perception solves this problem by running an Expert System against even normal and less-anomalous data. By doing this, Perception identifies subtle malicious activity that would not be alerted on by pure anomaly detection systems.

DESIGNED BY ANALYSTS, FOR ANALYSTS

Perception was designed and built hand in hand with network security analysts. By building a product around the end user, Perception has become a tool that is simple to be trained on and operated by anyone with network analysis experience, and packed with targeted useful features that they will find useful every-day. As a result, Perception is void of any hyped user interface gimmicks that fill many anomaly detection products, instead focussing on a useful user experience.

SCALABLE TO ANY ORGANISATION

Anomaly detection is a famously processor- intensive activity, resulting in most anomaly detection products being difficult to scale within an Enterprise. Perception is designed to scale from the bottom up. It is currently in use on enterprise scale networks performing correlation across worldwide networks containing hundreds of thousands of hosts, as well as on small, <50 host SME’s.

100% PASSIVE

Most anomaly detection tools require host-based agents or some other reliance on 3rd party information sources. Versions of host-based agents aren’t available for all devices, especially IoT devices, meaning that some devices will not be seen at all by these anomaly detection systems. Perception is a passive network monitoring product that will only report what it sees, not what it is told by 3rd party sources, for example removing the risk of being misled by advanced malware or malicious users. Perception also doesn’t automatically block any traffic, ensuring a human is always in the loop, and avoiding the massive frustration of organisation down-time as a result of authorised traffic being blocked.

FOCUS ON NETWORK UNDERSTANDING

All existing anomaly detection systems will alert to unusual behaviour, but be limited on why this anomaly is a cause for concern. Perception is about assisting you in understanding what a behaviour on your network is, not just showing you that something is unusual. Perception will give you the reasoning as to why a particular behaviour has been detected, this is invaluable in allowing a user to understand whether they need to do something about it.

HOW IS THIS DIFFERENT FROM A SIEM TOOL?

SIEM tools are about aggregation, Perception is about targeted threat detection. SIEM tools will try to ingest everything from logs and as such be very expensive to scale, Perception will record what is important for analysis of network traffic where the behaviours are easier to spot. KnowledgeBase gives the ability for the Analyst to perform threat hunting and reporting abilities in timely manner without waiting for long periods of time for the answers.

SIEM tools typically rely on log ingestion. Not only do logs not contain the richness of information gathered by analysing live traffic directly from the wire, but you can't always trust what is in the logs, they can be modified and breadcrumbs can be deleted.

WHAT IF THERE ARE PRE-EXISTING THREATS INSIDE THE NETWORK WHEN PERCEPTION ‘LEARNS’ ITS NORMAL PATTERN?

Perception has been designed specifically to not use threat classification/training using ‘known- good’ as a technique to identify anomalous behaviour. Instead we decided to develop bespoke algorithms that will identify a number of the most anomalous behaviours in a network. These behaviours are then processed by expert systems to determine if these anomalies are really something that an analyst should be concerned about. As a result, regardless whether a threat is new or matches a normal pattern, threats will always be picked up by Perception.

CAN PERCEPTION BE RUN IN AN AIR- GAPPED NETWORK?

Yes, although Perception can also be offered as a managed service with analysis help from the Chemring SOC, a suitable analysis team can run Perception completely autonomously, meaning no data has to leave the network. This ensures an organisation maintains sovereignty over their data. Software upgrades are typically managed with the end user to ensure that the system is kept up to date.

Your Perception account manager will help you with any specific deployment questions you have, and find suitable solutions to any security restrictions that may be in place.

WHERE DO I POSITION PERCEPTION IN MY NETWORK?

Perception offers greatest value with maximum visibility. Networks can be very distributed making it difficult to gain visibility of all communications, in these cases it is important for an organisation to define their critical assets, whether these be services or data stores and ensure that traffic to these devices is monitored as a minimum.

HOW LONG IS DATA STORED FOR/HOW LONG IS THE LOOKBACK?

Data retention periods can vary based on deployment and load of data. As a default, it is intended to store a minimum of 30 days but on busier networks this may be reduced and quieter networks may store many months. This is user configurable and would be defined during installation and reviewed periodically.

DOES PERCEPTION WORK WITH ENCRYPTED DATA?

Perception monitors behaviours and as such, will work with encrypted data. The behaviours; session data, volumes, durations will be available and presented to the analyst.

HOW MANY SENSORS WILL I NEED? HOW MANY USERS/MACHINES/DATA THROUGHPUT ETC. PER SENSOR?

For hardware deployments, each sensor will typically support up to 500 users. However, network usages may vary between different types of organisation. If our virtualised appliance options are selected, this will depend largely on the host machine provided. During the evaluation phase of Perception, our team will identify the necessary requirements for your particular network.

HOW OFTEN IS PERCEPTION’S SOFTWARE UPDATED?

Perception software updates are typically made available every 4-8 weeks, however it can be more frequent if necessary. The product is continuously being developed and improved with new features and capabilities to ensure accurate detection and reporting of incidents.

DOES IT REQUIRE AN EXTERNAL CONNECTION/INTERNET ACCESS?

No, the CCS can be deployed within an air- gapped environment.

HOW LONG DOES IT TAKE TO BUILD A MODEL OF THE NETWORK?

Perception starts generating some behavioural alerts immediately, since some behavioural analysis does not require a network learning model. The remainder of the behaviours start to become active from 24-96 hours depending on the network and training period chosen.

IS THE PRODUCT TRAINABLE? DOES IT REACT TO USER INPUT? CAN A USER, FOR EXAMPLE, HIDE EVENTS THAT REGULARLY OCCUR?

Certain behaviours can be whitelisted by using Exceptions in the Settings menu. The model of the network used by the anomaly detection system will also improve over time, changing with your network parameters.

CAN THE SYSTEM CONSUME NETFLOW STATISTICS? IS THIS MORE EFFICIENT FOR SEPARATE SITES?

NetFlow information doesn't contain a rich enough mix of information for Perception to be able to understand many of the behaviours on your network. The Perception sensor sees all network traffic and uses that full network visibility to produce actionable information. Additionally, the use of NetFlow information would make it impossible to capture network packets making attribution more difficult.

DOES THE SYSTEM REQUIRE THE USE OF CLOUD SERVICES?

No Cloud services are required by Perception, although cloud-deployed variants are available.

DOES PERCEPTION REQUIRE A 24/7 MONITORING CAPABILITY?

Some customers use Perception in a 24/7 SOC environment, However, Perception is intended to identify unusual and potentially threatening behaviours on your network by performing analysis over days rather than hours in many cases. Monitoring Perception in Normal Office hours still offers a very good coverage of the threats that are present.

HOW IS THE PRODUCT LICENCED?

Perception is licenced based on number of sensors, CCSs and users. It is available either as a managed service or self-monitored, the former is charged based on number of users.

I’M AN MSSP, DO I NEED A SEPARATE CCS PER CUSTOMER?

No, multiple sites can use the same CCS and each CCS can support multiple separate deployments.

WHAT IS THE IDEAL SIZE OF ORGANISATION FOR A DEPLOYMENT?

Perception has been developed for any size of organisation, Perception is fully scalable from very small office networks right up to multi- region enterprises.

HOW MUCH TIME DO I NEED TO SET ASIDE FOR PERCEPTION TO BE INSTALLED?

10-60 minutes is all that is required to set up the platform. Further time may be required if issues are identified with the network feeds that the customer has provided.

HOW EASY IS IT TO INTEGRATE PERCEPTION WITH MY CURRENT SOC TOOLS/PROCESSES?

Perception will output Syslog and CEF events as standard. These can be ingested by all modern SIEM tools.

HOW IS PERCEPTION PRICED?

As a product designed to complement rather than replace existing toolsets, the pricing is very good value compared to tools such as firewalls.

I NEED REFERENCES TO PROCURE NEW PRODUCT, ARE THESE AVAILABLE?

Yes, of course. Our customers love Perception and will be more than happy to talk about it. Please make contact with your account manager for more information