Incident Detection and Analysis: Essentials on BluVector Cortex

The idea behind the BluVector Cortex platform was born at Northrop Grumman ten years ago. In some respects it recalls the offerings of DarkTrace or FireEye, and Kris Lovejoy, CEO of BluVector since 2015 and before that head of IBM's managed security services division, readily acknowledges that these are the two vendors she most often comes up against in competitive situations.

The Cortex platform, one of the finalists of the RSA Conference 2018 Innovation Sandbox, was designed to detect the most advanced threats to an infrastructure as quickly as possible and with a high level of confidence, while integrating remediation capabilities.

Multiple analysis engines

To do this, explains Kris Lovejoy, Cortex runs nine detection engines in parallel, each in a container, some of them proprietary and covered by patents. The first is one of these: it is built on a model produced by supervised machine learning and dedicated to detecting polymorphic malware hidden in files. To develop this model, “we worked for ten years with the intelligence and defense community.” It covers everything from classic desktop documents to APK packages for Android apps and macOS DMG disk images. Training used not only infected files but also clean samples. Kris Lovejoy points out that the model is not monolithic: each file type, identified by analyzing its content rather than by its extension alone, has its own classifier. The learning engine is, of course, retrained regularly, and every evolution of the model is pushed to the instances deployed at customers.

Limit false positives

A second engine performs speculative execution of code. Its purpose is to detect so-called fileless malware in network traffic: “shellcode and scripts are extracted from the stream and we emulate their behavior as if they were executed. This makes it possible to evaluate their malicious potential and to detect fileless attacks almost in real time with a very low false-positive rate. In the laboratory, it is close to zero,” explains Kris Lovejoy.

The other seven engines include behavioral analysis through machine learning, anomaly detection, and correlation between network-flow analysis and threat intelligence.

The results produced by the nine engines “are combined probabilistically: this ensures correlation and orchestrates the collection of contextual data; we call this targeted logging, and a patent covering the process has been granted to us.” A probability score is then produced, indicating whether or not the event under analysis is malicious.

Mid-sized companies can rely on Cortex to monitor their infrastructure, ingest threat intelligence feeds in STIX/TAXII format, and even carry out remediation operations such as containment automatically, when the malicious nature of an event is clearly established.
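The article describes three mechanisms without showing how they fit together: a threat-intelligence engine correlating flows against STIX/TAXII indicators, a probabilistic fusion of the per-engine verdicts into one score, and a containment action that fires only when that score is clearly established. The following is an added example illustrating one way such a pipeline can be built; it is not BluVector's code, and the engine names, the base rate, the log-odds fusion rule, the two thresholds and the STIX bundle are all assumptions constructed for the example.

```python
"""Added example: fusing per-engine verdicts into one probability and gating
automated containment on it. Illustrative only; not BluVector Cortex code.
Engine names, thresholds and the fusion rule are assumptions."""
import json
import math
import re

# Constructed STIX 2.1 bundle standing in for a TAXII feed (sample data only;
# 203.0.113.0/24 is a documentation range, not a real indicator).
STIX_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--00000000-0000-4000-8000-000000000002",
      "created": "2018-04-16T00:00:00.000Z",
      "modified": "2018-04-16T00:00:00.000Z",
      "pattern_type": "stix",
      "pattern": "[ipv4-addr:value = '203.0.113.7'] OR [ipv4-addr:value = '203.0.113.9']",
      "valid_from": "2018-04-16T00:00:00Z"
    }
  ]
}
""")

IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def ipv4_iocs(bundle):
    """Pull IPv4 values out of every indicator's STIX pattern (simple equality comparisons only)."""
    return {ip for obj in bundle["objects"] if obj.get("type") == "indicator"
            for ip in IPV4_IN_PATTERN.findall(obj.get("pattern", ""))}


PRIOR = 0.05   # assumed base rate of malicious events before any engine speaks
EPS = 1e-6     # clamp so an over-confident engine cannot produce log(0)


def _logit(p):
    p = min(max(p, EPS), 1 - EPS)
    return math.log(p / (1 - p))


def fuse(engine_scores, prior=PRIOR):
    """Naive-Bayes style fusion in log-odds space (an assumption, not the vendor's rule).
    Each engine reports P(malicious | its own evidence) calibrated against `prior`,
    or None when it has no verdict (no file seen, no script extracted, no IOC hit).
    Evidence from independent engines adds; reporting exactly the prior is neutral."""
    z = _logit(prior)
    for score in engine_scores.values():
        if score is not None:
            z += _logit(score) - _logit(prior)
    return 1 / (1 + math.exp(-z))


CONTAIN_AT = 0.99   # assumed: only a near-certain verdict triggers automatic containment
ALERT_AT = 0.70     # assumed: anything above this goes to a human analyst


def decide(score):
    if score >= CONTAIN_AT:
        return "contain"
    if score >= ALERT_AT:
        return "alert"
    return "log"


def threat_intel_engine(flow, iocs):
    """Assumed correlation engine: strong evidence on an IOC hit, otherwise no verdict."""
    return 0.9 if flow["dst"] in iocs else None


def triage(flow, other_engine_scores, bundle=STIX_BUNDLE):
    """Run the flow through the (assumed) engines, fuse, and return (score, decision)."""
    scores = dict(other_engine_scores)
    scores["threat_intel"] = threat_intel_engine(flow, ipv4_iocs(bundle))
    score = fuse(scores)
    return score, decide(score)


if __name__ == "__main__":
    # Constructed flows: one to an IOC carrying a suspicious file and shellcode, two clean ones.
    hit = {"src": "10.0.0.5", "dst": "203.0.113.7"}
    clean = {"src": "10.0.0.6", "dst": "198.51.100.20"}
    print(triage(hit, {"file_classifier": 0.9, "emulation": 0.95, "anomaly": 0.5}))
    print(triage(clean, {"file_classifier": 0.02, "emulation": None, "anomaly": 0.3}))
    print(triage(clean, {"file_classifier": None, "emulation": None, "anomaly": 0.8}))
```

The point of the three sample flows is the gating: several engines agreeing on the IOC-bound flow push the fused score past the containment threshold, a clean flow with one mildly elevated engine stays in the log, and a single engine firing alone (anomaly at 0.8) produces exactly that engine's own confidence, enough for an alert but never for automated containment. Engines that have nothing to say return None rather than a low score, so a flow with no file attached is not artificially pushed toward benign.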

Broad integration capabilities

Large groups, however, can use the APIs that Cortex exposes for multiple integrations: threat intelligence management, incident response orchestration, and security information and event management (SIEM). Toward the SIEM, the platform behaves like an analyst who has already performed the first level of triage and investigation.

In terms of remediation, Cortex can integrate with dedicated platforms, but it can also send isolation or blocking requests directly to firewalls, network access control (NAC) systems, or endpoint detection and response (EDR) tools.

In the latter case, the integration is naturally bidirectional, so that endpoint data can enrich BluVector Cortex's own analysis. A technology partnership has been established with Carbon Black.
