Inline Real-time Correlation

Today’s attacks on your network are hard to detect. Attackers try to hide in seemingly harmless communication to evade your next-generation firewall and other network security systems. The only way to detect the latest generation of cyber threats is to analyze the behavior of the network in depth. Machine learning methods can detect subtle changes in the communication. Correlating all traffic flows and their associated events, by detecting the relationships and inter-dependencies between seemingly unrelated events in the network, also points to threatening behavior. By analyzing all logs on the firewall, a correlation engine can discover related events in the network traffic across time and across multiple, seemingly unrelated flows. Once relationships between seemingly unrelated events are discovered, they can be analyzed further to determine whether they contain any threats or abnormal behavior that could indicate an attack.

Today correlation is done offline by security information and event management (SIEM) systems, with a time lag that can range from a few minutes to a few days. What is really needed, however, is a correlation engine that is inline and real-time, so that attacks are detected and stopped before they unfold and cause major damage. For the first time, cognitix has developed a high-performance inline correlation engine that can analyze millions of flows and packets in real time and detect and correlate relationships between seemingly unrelated events, regardless of whether those events are occurring right now or happened in the past.

Inline Correlation

With the cognitix correlation engine, you can build scenarios of multi-staged policies to detect similar or related events in all current and historic network flows. All scenarios are evaluated for each network flow and no traffic can pass through the firewall without being handled by the correlation engine and its scenarios.

Below are some use-cases in which inline real-time correlation can be used to:

  • Reduce the false positives of an intrusion prevention system (IPS) engine by providing IPS policies that are enforced if, and only if, several IPS events are detected for the same host or group of hosts within a pre-determined period of time.
  • Quarantine a host if it has visited a low-reputation website and has established SSL connections to a country with which it has never previously communicated.
  • Isolate a host that accesses a high-risk, low-reputation website and afterwards initiates outgoing connections using typical decentralized communication protocols such as IRC or TOR.
  • Quarantine a host if it had contact with a “malicious” host within the network and the malicious host was accessing a URL with bad reputation in the minutes preceding the communication.
  • Isolate a host attempting a high number of connections to different hosts within a short time. This behavior is typical for an infection trying to spread or an attempted denial-of-service attack.
  • Isolate a host that attempts a high number of connections on different ports to the same host within a short time. This indicates a port scan to search for vulnerabilities.
  • Isolate all hosts involved when more than one host transmits a file with a specified name or name-pattern to a certain country.
  • Shape the throughput of RDP sessions when more than two clients establish RDP sessions to the same server.
  • Isolate the client when a host is detected that is using DNS-tunneling.
  • Isolate hosts that established an SSH connection to outside machines within 24 hours after visiting a website with bad reputation and then downloading an .exe-file.

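To make the idea of stateful, multi-staged scenarios concrete, the following added example (written for this page, not cognitix code) evaluates two of the use-cases above on every flow it sees: the "low-reputation website, then SSL to a never-seen country" quarantine rule and the "many ports on one host in a short time" port-scan rule. The flow records, field names, time windows and thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample flow records, in time order (not from the page).
FLOWS = [
    {"t": 0, "src": "10.0.0.5", "dst": "203.0.113.7", "port": 80, "proto": "http", "country": "US", "rep": "good"},
    {"t": 30, "src": "10.0.0.5", "dst": "198.51.100.9", "port": 443, "proto": "ssl", "country": "US", "rep": "good"},
    {"t": 120, "src": "10.0.0.5", "dst": "203.0.113.66", "port": 80, "proto": "http", "country": "US", "rep": "low"},
    {"t": 150, "src": "10.0.0.5", "dst": "192.0.2.44", "port": 443, "proto": "ssl", "country": "XX", "rep": "unknown"},
] + [  # 10.0.0.9 touches ten different ports on 10.0.0.20 within five seconds
    {"t": 200 + i * 0.5, "src": "10.0.0.9", "dst": "10.0.0.20", "port": p, "proto": "tcp", "country": "LAN", "rep": "good"}
    for i, p in enumerate([22, 23, 25, 80, 135, 139, 445, 3389, 8080, 8443])
]

class Correlator:
    """Keeps per-host history and evaluates two multi-stage scenarios on every flow."""

    def __init__(self, bad_site_window=600, scan_window=10, scan_threshold=10):
        self.bad_site_window = bad_site_window      # seconds a low-reputation visit stays "recent"
        self.scan_window = scan_window              # seconds over which distinct ports are counted
        self.scan_threshold = scan_threshold
        self.countries = defaultdict(set)           # host -> countries it has ever talked to
        self.bad_visits = defaultdict(deque)        # host -> times of low-reputation web visits
        self.port_hits = defaultdict(deque)         # (src, dst) -> (time, port) inside scan_window
        self.actions = []                           # (time, action, host, reason)

    def _expire(self, dq, now, window):
        while dq and dq[0][0] < now - window:       # drop entries older than the window
            dq.popleft()

    def handle(self, f):
        src, now = f["src"], f["t"]
        # Scenario A: low-reputation site, then SSL to a never-before-seen country -> quarantine.
        if f["proto"] == "http" and f["rep"] == "low":
            self.bad_visits[src].append((now,))
        if f["proto"] == "ssl" and f["country"] not in self.countries[src]:
            self._expire(self.bad_visits[src], now, self.bad_site_window)
            if self.bad_visits[src]:
                self.actions.append((now, "quarantine", src, f"new country {f['country']} after low-rep site"))
        self.countries[src].add(f["country"])       # update history after evaluation, not before
        # Scenario B: many distinct ports on one destination within a short window -> isolate.
        hits = self.port_hits[(src, f["dst"])]
        hits.append((now, f["port"]))
        self._expire(hits, now, self.scan_window)
        if len({p for _, p in hits}) >= self.scan_threshold:
            self.actions.append((now, "isolate", src, f"port scan of {f['dst']}"))
            hits.clear()                            # fire once per burst, not on every further port

def run(flows=FLOWS):
    c = Correlator()
    for f in flows:
        c.handle(f)
    return c.actions
```

Note that the country history is updated only after the SSL check, so the first contact with a country is what triggers the scenario, and the port-scan counter is time-windowed, so the same ten ports spread over a longer period do not fire.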
Read the paper to learn more