LiveAction enhances ThreatEye to help security teams identify behavior in encrypted traffic streams
LiveAction has released the next generation of ThreatEye, the company’s Network Detection and Response (NDR) platform. The latest release continues to build on the company’s advanced AI-driven Anomaly Detection capabilities with packet-based behavioral fingerprinting to identify behavior in encrypted traffic streams, and host-based behavioral detections.
It includes a new User Interface (UI) to deliver simplified management of the threat investigation lifecycle, allowing Security Operations Center (SOC) analysts to correlate sets of findings and policy violations to track the state of incidents, delivering enhanced workflow capabilities that speed threat identification and remediation.
In addition to the new UI, ThreatEye now includes Predictive Threat Intelligence capabilities in its threat intel feed that tracks domains and IP addresses not yet active but registered by threat actors and associated malware campaigns.
This allows network security analysts to identify when a user is communicating with previously unknown threat actor infrastructure before malicious campaigns are launched. Additionally, leveraging LiveWire’s fully integrated “intelligent packet capture” capabilities provides forensic insights for single-click visibility to reduce mean time to resolution (MTTR).
The ThreatEye NDR platform was purpose-built to secure an organization’s network from core to edge to cloud. The platform offers visibility that helps SOC teams detect threats that other solutions miss, decrease the time needed to investigate and remediate threats, and ensures network compliance.
The new UI delivers an integrated approach to searching, collaborating, and alerting, that further lowers MTTR and reduces the cost of investigation by categorizing and classifying findings into incident states, conditions, and techniques.
“For SOC analysts, the time it takes to investigate an incident is often too long because they don’t have the full contextual information needed to resolve an incident. By the time they identify the threat, the damage is often done. The new UI in ThreatEye was built by SOC analysts for SOC analysts, and auto-enriches and correlates disparate data sources so they can respond to threats in real-time and accelerate triage,” said Bill Cantrell, General Manager of ThreatEye at LiveAction.
“When combined with ThreatEye’s additional new capabilities – including Predictive Threat Intelligence, advanced AI-driven Behavioral Anomaly Detection, and our integrated packet capture features – SOC teams get a powerful network detection and response platform that dramatically speeds threat identification and remediation, while reducing downtime and costs,” Cantrell continued.
Key benefits and updated features of ThreatEye:
- AI-driven Detections and Discovery – The pervasiveness of encryption across corporate networks reduces the effectiveness of payload-inspecting security controls. ThreatEye’s AI-powered behavioral fingerprinting uncovers activity within encrypted connections by tracking multiple vectors of session metadata that need no decryption, including Producer-Consumer Ratios (PCRs, the balance of bytes a host sends versus receives) and Sequences of Packet Lengths and Times (SPLT). This session-based fingerprinting is coupled with host-based behavioral analysis to infer when a threat actor is active in an environment. ML-driven device discovery additionally lets enterprises identify IoT and rogue devices that may be compromised: ThreatEye builds a historical inventory of device traits and behaviors through fingerprinting, mapping, and asset profiling, a technique that works equally well on encrypted and unencrypted traffic.
- Dedicated UI for SOC Analysts (built by SOC analysts) – The UI is built around SOC analyst workflows with integrated packet analysis insights. It improves collaboration across teams by auto-enriching and correlating disparate data sources, including geography, passive DNS, MITRE ATT&CK techniques, and threat intelligence. ThreatEye’s multi-stage analysis pipeline layers detailed findings, risk scores, and MITRE ATT&CK labels on top, so analysts can respond to attacks in real time and accelerate triage.
- Enhanced Predictive Threat Intelligence – Identify when a user is communicating with threat actor infrastructure before a campaign is known to be active. Threat intelligence feeds curated by the ThreatEye team provide up-to-date indicators for active threats in the wild. The same feed carries predictive threat intelligence and campaign tracking: IPs and domains registered by threat actors but not yet activated. Alarms therefore fire when users connect to that infrastructure before the campaign is known and before indicators of compromise (IOCs) have been shared across the community.
- Full Continuous Packet Capture, Intelligent Packet Capture, and Intelligent Retention – ThreatEye now delivers full and continuous packet capture, which is crucial to threat investigations. When payloads are encrypted and cannot be decrypted, however, retaining them in full stretches storage resources. Intelligent Packet Capture addresses this by dropping encrypted packet payloads while keeping all header and metadata information, which extends retention and reduces rack space requirements. Intelligent Retention additionally lets a team assign different retention periods to different application types. This matters in regulated organizations that must keep certain records (such as DNS) for a set period: each assigned application’s traffic is retained under its own policy, and the remaining traffic is passed through without being stored.
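As an added illustration of the session-metadata features named above (this is not LiveAction's code and not ThreatEye's implementation), the following Python computes a Producer-Consumer Ratio, an SPLT sequence and a simple client-side timing check from packet sizes, directions and timestamps alone, which is why such features survive encryption. The sample sessions, the `assess` thresholds and the "beacon" heuristic are assumptions made for the demo, not anything the product is documented to do.

```python
"""Session-metadata features for encrypted traffic: PCR, SPLT, beacon timing.
Added example; not LiveAction/ThreatEye code. Sessions below are constructed."""
import statistics
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float        # seconds since the start of the session
    direction: str   # "c2s" (client -> server) or "s2c" (server -> client)
    length: int      # payload bytes; no payload content is ever consulted


def pcr(packets: list[Pkt]) -> float:
    """Producer-Consumer Ratio from the client's side:
    (bytes_sent - bytes_received) / (bytes_sent + bytes_received).
    +1 = pure producer (upload), -1 = pure consumer (download), 0 = balanced."""
    sent = sum(p.length for p in packets if p.direction == "c2s")
    recv = sum(p.length for p in packets if p.direction == "s2c")
    total = sent + recv
    return 0.0 if total == 0 else (sent - recv) / total


def splt(packets: list[Pkt], n: int = 10) -> list[tuple[int, float]]:
    """Sequence of Packet Lengths and Times: the first n (signed length,
    inter-arrival ms) pairs. Server->client lengths are negative so the
    direction is encoded in the sign."""
    seq, prev = [], None
    for p in packets[:n]:
        gap_ms = 0.0 if prev is None else round((p.ts - prev) * 1000, 1)
        seq.append((p.length if p.direction == "c2s" else -p.length, gap_ms))
        prev = p.ts
    return seq


def client_timing(packets: list[Pkt]):
    """(mean gap s, coefficient of variation) between client-initiated packets,
    or None with too few samples. CV near 0 is a metronome-like cadence, the
    signature of an unjittered C2 beacon; human-driven traffic is much burstier."""
    ts = [p.ts for p in packets if p.direction == "c2s"]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.fmean(gaps)
    return (mean, statistics.pstdev(gaps) / mean) if mean > 0 else None


def assess(packets: list[Pkt]) -> list[str]:
    """Toy rule layer over the features (assumed thresholds). A production
    system would feed the same features to a trained model instead."""
    labels = []
    if pcr(packets) > 0.5:
        labels.append("upload-heavy")
    t = client_timing(packets)
    if t and t[0] > 5 and t[1] < 0.1:   # gaps over 5 s with <10 % variation
        labels.append("periodic-beacon")
    return labels


# Constructed sample sessions (not captured traffic).
WEB = [Pkt(0.0, "c2s", 300), Pkt(0.02, "s2c", 1400), Pkt(0.025, "s2c", 1400),
       Pkt(0.03, "s2c", 1400), Pkt(0.031, "c2s", 60), Pkt(0.05, "s2c", 1400)]
# 20 full-size client segments, each acknowledged by a small server packet,
# with a little timing jitter.
UPLOAD = [p for i in range(20)
          for p in (Pkt(i * 0.5 + (i % 3) * 0.07, "c2s", 1400),
                    Pkt(i * 0.5 + (i % 3) * 0.07 + 0.01, "s2c", 60))]
# Small request/response pair exactly every 60 s.
BEACON = [p for i in range(12)
          for p in (Pkt(i * 60.0, "c2s", 120), Pkt(i * 60.0 + 0.05, "s2c", 90))]

if __name__ == "__main__":
    for name, s in (("web", WEB), ("upload", UPLOAD), ("beacon", BEACON)):
        print(f"{name:7} pcr={pcr(s):+.2f} splt={splt(s, 4)} labels={assess(s)}")
```

The point of the demo is that every input to these functions is visible on the wire regardless of TLS: a bulk exfiltration looks upload-heavy by PCR, a beacon shows up in client-side inter-arrival regularity, and the SPLT prefix captures the request/response shape of a session. Real deployments need direction inference from the flow's first packet, handling of retransmissions, and jitter-tolerant periodicity tests rather than the fixed thresholds used here.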
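A second added example, again not ThreatEye's code, shows the mechanics behind the payload-dropping and per-application retention ideas in the last bullet: it walks a TLS stream record by record (using the on-wire record framing from RFC 8446, section 5.1), keeps the cleartext handshake and the 5-byte header of every encrypted `application_data` record, discards the ciphertext, and then applies a retention table keyed by application. The port-to-application mapping, the retention days and the sample bytes are constructed for illustration.

```python
"""Record-level trimming of encrypted TLS payloads plus per-application
retention. Added example; not LiveAction/ThreatEye code. Policy values and
sample streams are constructed for illustration."""
import struct
from dataclasses import dataclass

# TLS record header: content type (1), legacy version (2), length (2).
TLS_HEADER_LEN = 5
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def trim_tls_records(tcp_payload: bytes) -> tuple[bytes, int]:
    """Return (trimmed_stream, dropped_bytes). Handshake, alert and CCS records
    are kept whole; application_data records keep only their 5-byte header, so
    record boundaries and lengths (enough for SPLT-style features) survive.
    Anything that does not parse as TLS is kept untouched rather than dropped."""
    out, dropped, i = bytearray(), 0, 0
    while i + TLS_HEADER_LEN <= len(tcp_payload):
        ctype, version, length = struct.unpack("!BHH", tcp_payload[i:i + TLS_HEADER_LEN])
        end = i + TLS_HEADER_LEN + length
        if ctype not in TLS_CONTENT_TYPES or version >> 8 != 3 or end > len(tcp_payload):
            out += tcp_payload[i:]          # not TLS or truncated record: keep as-is
            return bytes(out), dropped
        if TLS_CONTENT_TYPES[ctype] == "application_data":
            out += tcp_payload[i:i + TLS_HEADER_LEN]
            dropped += length
        else:
            out += tcp_payload[i:end]
        i = end
    out += tcp_payload[i:]                  # trailing partial header, if any
    return bytes(out), dropped


# Hypothetical retention policy in days, keyed by application label.
RETENTION_DAYS = {"dns": 365, "tls": 30, "default": 7}


def classify(dst_port: int) -> str:
    """Crude port-based stand-in for the product's application identification."""
    return {53: "dns", 443: "tls"}.get(dst_port, "other")


@dataclass
class Flow:
    dst_port: int
    payload: bytes   # reassembled TCP/UDP payload of the flow


def apply_capture_policy(flow: Flow) -> dict:
    """Decide what is stored for a flow and for how long."""
    app = classify(flow.dst_port)
    kept, dropped = trim_tls_records(flow.payload) if app == "tls" else (flow.payload, 0)
    return {"app": app,
            "retain_days": RETENTION_DAYS.get(app, RETENTION_DAYS["default"]),
            "stored_bytes": len(kept),
            "dropped_bytes": dropped}


# Constructed sample streams (not real captures).
HANDSHAKE = b"\x16\x03\x01" + struct.pack("!H", 8) + b"\x01" * 8     # fake ClientHello
APP_DATA = b"\x17\x03\x03" + struct.pack("!H", 40) + b"\xee" * 40    # 40 B ciphertext
SAMPLE_TLS = HANDSHAKE + APP_DATA
SAMPLE_DNS = b"\x12\x34\x01\x00" + b"\x00" * 46                       # 50 B DNS-shaped

if __name__ == "__main__":
    for f in (Flow(443, SAMPLE_TLS), Flow(53, SAMPLE_DNS), Flow(8080, b"plain")):
        print(apply_capture_policy(f))
```

Two caveats a practitioner would want before switching something like this on. In TLS 1.3 everything after ServerHello (certificate, encrypted extensions) is carried in `application_data` records, so this trimming discards it along with the real application traffic; only ClientHello (with SNI) and ServerHello remain for later forensics. And dropping is irreversible: if session keys later become available through key logging or an endpoint agent, a trimmed capture cannot be decrypted, so the decision has to be made per application before storage, which is exactly what a retention table like the one above expresses.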
“It’s critical that our team works together to prioritize threats and remediate them intelligently and collaboratively. ThreatEye’s new UI and behavioral analysis capabilities drive this collaboration and streamline the workflow for our analysts providing them with a level of visibility we previously didn’t have,” said the Director of Information Security at a Financial Services organization.
“Furthermore, the last thing we need is another tool that collects data and works separately from other systems, and ThreatEye works hand in hand with our other SIEM, SOAR and threat intelligence tools to help our team fill visibility gaps and speed threat identification and remediation,” he continued.