Recans NR-SIEM

How It Works

SIEM comes with a built-in library of plugins that feed data into the system from a variety of sources. SIEM then classifies, normalizes, and analyzes the data according to customized defense models and the MITRE ATT&CK™ framework, using patented technology only available in SIEM.

  1. Data Sources
    The integrated SIEM empowered by Elastic collects all types of IT data including security logs, security intelligence feeds, OS logs, servers and application logs, network flow data and more, by using a range of available data source plugins.
  2. Deciphering Attacker Intent
    empow’s security analytics engine identifies cause-and-effect relationships between the collection of deciphered intents, grouping them together and prioritizing the real attack stories and compromised entities in the organization. This engine emulates human security expert processes, identifying the real attacks out of all the noise and deciding, according to the attack intent, which investigation policies are required, and which proactive response policies to employ.
  3. Cause-and-Effect Intelligence
    empow’s AI and unique NLP (Natural Language Processing) algorithms and Adaptive Expert Engines classify attacker anomaly behavior and intent into the MITRE ATT&CK common language. Three main types of malicious intent classification are done: user entity anomaly classification, network traffic anomaly classification and security event classification. This process runs continuously and automatically, with virtually no human involvement, and marks the logs and events with intent metadata which is indexed into the Elastic DB. Examples of intent classification include: internal recon, external delivery types, local and remote privilege escalation, PII data scraping, financial data scraping, ransomware and more MITRE classes.
  4. Response Orchestration
    empow’s Contextual Orchestration Engine dynamically identifies and selects the best available products and network tools to execute the investigation and response actions. This translates into fast and optimal incident response, while at the same time simplifying security operations and eliminating maintenance overhead.

SIEM – built on Elastic

SIEM platforms need to collect large volumes of IT data from installed sensors in the organization, process it and provide rapid access to it. To streamline this process RECANS has partnered with Elastic, the leader in data search with over 300 million users. empow’s patented technology, integrated into the Elastic framework, allows unparalleled database search capabilities, on top of a long-term retention data lake. Customers can take advantage of the full Elastic Platinum Node features (including alerting, monitoring, reporting, machine learning, canvas, Elastic Search SQL, graph algorithms & others) included by RECANS as part of SIEM.

In the figure below, we show how SIEM takes advantage of Elastic's Logstash, Beats and Kibana tools to create a more effective SIEM solution. Beginning at the bottom of the pyramid, RECANS enriches every security event with the attacker intent during data ingestion. After processing, these enriched logs are then stored in Elasticsearch, allowing analysts to conduct much more efficient investigations and forensics operations. SIEM then applies cause & effect intelligence, which automatically correlates all classified events and prioritizes the attacks and entities as real risks. At the top of the pyramid, RECANS utilizes the Kibana framework to clearly deliver visualizations and dashboards of high-risk attacks and entities, allowing easy drill-down into the most relevant data. This integrated combination delivers automation, predictive analytics, and long-term retention to enterprises and service providers in a scalable, security-optimized solution. The overall solution provides a top-down analysis experience for identifying attacks, all without manually generated rules.
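The following is an added illustration of the ingestion-to-story flow described in the four steps above and in the pyramid paragraph; it is not empow's or RECANS's code, and the page does not show the product's patented classifier. It assumes two constructed log formats (a Windows security event feed and a firewall feed), a hand-written rule table that stands in for the intent classifier, and an invented scoring scheme. Each raw line is normalized into a common schema by a per-source parser (the "plugin" role), tagged with MITRE ATT&CK intent metadata, and then grouped per entity into a kill-chain-ordered attack story that is ranked for the analyst.

```python
"""
Added example (not product code): ingest-time enrichment with ATT&CK intent
metadata, followed by per-entity cause-and-effect grouping and prioritization.
All log lines, regexes, rules and scores below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Kill-chain order used to rank tactics; a later stage means deeper compromise.
TACTIC_ORDER = ["discovery", "credential-access", "lateral-movement", "exfiltration", "impact"]

# Constructed classification rules: (source, regex on message, technique id, tactic).
# Technique ids are real ATT&CK ids; the matching logic is a toy stand-in.
RULES = [
    ("firewall", r"SYN scan|ports=\d{2,}",          "T1046", "discovery"),        # Network Service Discovery
    ("winsec",   r"EventID=4625",                     "T1110", "credential-access"),# Brute Force (failed logon)
    ("winsec",   r"EventID=4624 .*LogonType=3",       "T1021", "lateral-movement"), # Remote Services (network logon)
    ("firewall", r"proto=dns bytes_out=\d{7,}",       "T1048", "exfiltration"),     # >= 1 MB out over DNS
    ("winsec",   r"EventID=4663 .*\.locked",          "T1486", "impact"),           # Data Encrypted for Impact
]


@dataclass
class Event:
    source: str          # which plugin produced it
    entity: str          # the host the story is built around
    message: str
    technique: str | None = None
    tactic: str | None = None


# ---- normalization plugins: one parser per data source (constructed formats) ----
WINSEC_RE = re.compile(r"^(?P<sensor>\S+) winsec: src=(?P<src>\S+) (?P<msg>.*)$")
FW_RE = re.compile(r"^(?P<sensor>\S+) fw: src=(?P<src>\S+) (?P<msg>.*)$")


def normalize(line: str) -> Event | None:
    """Map a raw line into the common schema; lines no plugin understands are dropped."""
    if m := WINSEC_RE.match(line):
        return Event("winsec", m["src"], m["msg"])
    if m := FW_RE.match(line):
        return Event("firewall", m["src"], m["msg"])
    return None


def classify(ev: Event) -> Event:
    """Attach intent metadata (ATT&CK technique/tactic) from the rule table; first match wins."""
    for source, pattern, technique, tactic in RULES:
        if ev.source == source and re.search(pattern, ev.message):
            ev.technique, ev.tactic = technique, tactic
            break
    return ev


def build_stories(lines: list[str]) -> list[dict]:
    """Group classified events per entity, order them along the kill chain, rank by score."""
    per_entity: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        ev = classify(ev)
        if ev.technique:  # unclassified events stay in the data lake but join no story
            per_entity[ev.entity].append(ev)

    ranked = []
    for entity, evs in per_entity.items():
        tactics = sorted({e.tactic for e in evs}, key=TACTIC_ORDER.index)
        # Constructed score: deepest stage reached (1-based) plus number of distinct stages.
        score = TACTIC_ORDER.index(tactics[-1]) + 1 + len(tactics)
        ranked.append({
            "entity": entity,
            "tactics": tactics,
            "techniques": sorted({e.technique for e in evs}),
            "score": score,
        })
    ranked.sort(key=lambda s: s["score"], reverse=True)
    return ranked


# Constructed sample feed: one noisy host, one host with a single exfil-like event, and noise.
SAMPLE_LOGS = [
    "fw1 fw: src=10.0.0.7 dst=10.0.0.5 SYN scan ports=22,135,445,3389",
    "dc01 winsec: src=10.0.0.7 EventID=4625 User=jdoe LogonType=3",
    "dc01 winsec: src=10.0.0.7 EventID=4625 User=jdoe LogonType=3",
    "dc01 winsec: src=10.0.0.7 EventID=4624 User=jdoe LogonType=3",
    "fs01 winsec: src=10.0.0.7 EventID=4663 Object=share/q1.xlsx.locked Access=WriteData",
    "fw1 fw: src=10.0.0.9 dst=203.0.113.10 proto=dns bytes_out=5400000",
    "fw1 fw: src=10.0.0.9 dst=10.0.0.5 proto=tcp bytes_out=120",
    "syslog noise that matches no plugin",
]

if __name__ == "__main__":
    for story in build_stories(SAMPLE_LOGS):
        print(f"{story['entity']}: score={story['score']} "
              f"tactics={story['tactics']} techniques={story['techniques']}")
```

Running it ranks 10.0.0.7 (discovery, credential access, lateral movement and impact all seen) above 10.0.0.9 (a single exfiltration-like event), and silently discards the benign TCP line and the unparsed syslog line. The point of the structure is that classification happens once, at ingestion, so the stored event already carries its tactic and technique and the correlation step works on that metadata rather than on raw text.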

Defense Models

SIEM provides pre-built, customizable defense models that allow organizations to define which risks and compliance requirements are in focus, enabling SIEM to optimally detect attacks with the relevant malicious intents and orchestrate investigation and response accordingly. SIEM enables users to define models using the MITRE ATT&CK™ language, making classification unified and translatable.

Security Models can be easily downloaded from empow’s security use cases library and implemented in minutes. Pre-built models cover both basic and advanced security use cases including: insider threats, data exfiltration, privilege escalation, identity theft and account takeover (ATO), phishing and social attack campaigns, various investigation flows, and more. Each model is capable of detecting and responding to advanced threats, including:

  1. Ransomware
  2. Phishing & social attack campaigns
  3. Identity Theft & account takeover
  4. Insider threat
  5. Intelligence gathering
  6. Data-leak
