ARES Next-Gen Risk Management Platform
2 likes913 views
The ARES next-generation risk management platform by Superlative Technologies integrates threat intelligence with continuous monitoring to prioritize and mitigate vulnerabilities in IT environments. It employs advanced analytics to score and correlate threats, enabling automated identification of exploitable assets and actionable insights. The platform's architecture is scalable and built on open-source technologies, enhancing performance in data processing and threat assessment.
ARES Next-Gen Risk Management Platform
- 1. ARES Next Generation Risk Management Platform July 2015 Superlative Technologies, Inc. | www.suprtek.com 1
- 2. 2 CND analysts are inundated with data that promise to help them better defend our networks … Superlative Technologies, Inc. | www.suprtek.com Thousands of vulnerabilities and findings Millions of devices Thousands of threat intelligence reports What threats to investigate? Which vulnerabilities and findings to remediate first? Which devices to patch? Which indicators are relevant and reliable?
- 3. 3 The Sweet Spot lies at the intersection of threat intelligence and continuous monitoring datasets … Superlative Technologies, Inc. | www.suprtek.com
- 4. • Collect, fuse, and correlate threat intelligence from multiple sources with information on your internal IT landscape collected from continuous monitoring, e.g. hardware and software inventory and sensor findings such as compliance results and vulnerability exposures • Analytics that focus on the proactive elements of threat intelligence such as the threat campaigns that are relevant to your organization, the threat actors perpetrating these campaigns, the TTPs that they use and the weaknesses and vulnerabilities that they exploit • Score and prioritize threat intelligence that are most relevant and critical to your organization • Extract actionable information such as tactics, techniques, and procedures (TTPs) and exploit targets that are used by threat actors • Identify targeted assets and develop specific preventive courses of action to thwart these TTPs 4 ARES separates the signal from the noise to provide Relevant, Prioritized, and Actionable insight … Superlative Technologies, Inc. | www.suprtek.com Next Generation Risk Management Platform
- 5. 5 ARES is built on a scalable architecture using open source technology and standards Superlative Technologies, Inc. | www.suprtek.com • High performance and scalability • Based on open standards such as SCAP, ARF, ASR, STIX • Built on open source components of DISA’s CSAAC/RDK architecture
- 6. 6 High speed data ingest using Apache Storm Superlative Technologies, Inc. | www.suprtek.com Threat Intelligence SW Inventory HW Inventory Findings Vulnerability Alerts Security Policies Ingest Topologies ARF XCCDF ASR ASR XCCDF Multiple formats
- 7. 7 Extraction of exploit targets from threat intelligence Superlative Technologies, Inc. | www.suprtek.com "The CK Vip Exploit Kit is an exploit kit that allows a remote attacker to compromise systems by attempting to exploit multiple vulnerabilities. It is a multiplatform attack, utilizing exploits for Windows and Android platforms. The CK Vip exploit kit leverages vulnerabilities in products such as Oracle’s Java, Adobe Flash, and Internet Explorer’s ActiveX controls. Infection typically occurs by visiting a malicious URL pointing to the exploit kit or by visiting a compromised website which redirects to a server hosting the exploit kit." With the recent addition of the Android exploits in the last year, this Exploit Kit is poised to wreak havoc in the mobile market. MD5s associated with malware served by this Exploit Kit: d7826d3a9d1ca961e5c989c980507087 ad760c37c4198449b81b4992a3f2d561 4a562094a9d2771507e50faf08a6ca79 URLs associated with this Exploit Kit: http://count11.51yes.com/click.aspx?id=115861800&logo=7 http://count19.51yes.com/click.aspx?id=193675419&logo=1 IP addresses associated with this Exploit Kit: 222.191.251.98 58.215.76.136 98.126.71.38 CVEs associated with CK Vip Exploit Kit: CVE-2014-6332 CVE-2013-0634 Blog posts covering this Exploit Kit: http://www.cysecta.com/tag/ck-vip-exploit-kit/ Extract Exploit Targets Vulnerabilities, weaknesses or misconfigurations that are exploited by the attacker to compromise the systems
- 8. 8 Analytics to compute vulnerability exposure and patch compliance Superlative Technologies, Inc. | www.suprtek.com • Installed/removed software • Installed patches • Identified using Common Platform Enumeration (CPE) • Affected software • Required versions • Prohibited versions • Required patches • IP address • MAC address • Other identifiers • Operational metadata CPE expressions Evaluate CPE expressions over collected software inventory data Scalable Map/Reduce- based algorithm
- 9. 9 Correlation of exploit targets with findings and identification of exploitable assets Superlative Technologies, Inc. | www.suprtek.com Threat Intelligence Findings Vulnerability Alerts Exploit Target Exploitable assets (hardware & software) Correlation analytics using graph-based algorithms
- 10. • Score findings based on known threats that utilize the weakness, vulnerability or misconfiguration in each finding as exploit targets. 𝑠𝑐𝑜𝑟𝑒 𝐷 = 𝑖=1 𝑛 𝑇𝑖 𝑎 × 𝐾𝑖 + 𝑏 × 𝑈𝑖 Enhanced risk scoring based on threat intelligence D = Defect check being scored n = Number of threats that have defect check D as an Exploit Target Ti = Weight of Threati Ki = Number of assets that are known to be exploitable by Threati Ui = Number of assets that are potentially exploitable by Threati a = Weight applied to K, constant value greater than b b = Weight applied to U, constant value less than a • An asset is known to be exploitable by a threat if it fails all of the defect checks required for exploit by that threat. E.g. if a threat requires failures in three defect checks for exploit and the asset fails all three defect checks, then that asset is known to be exploitable; or, if a threat requires a failure in any one of the defect checks for exploit and the asset fails one of those defect checks, then it is also known to be exploitable. • An asset is potentially exploitable by a threat if it fails some of the defect checks required for exploit by that threat.
- 11. • Automate the analysis of threat intelligence and continuous monitoring findings to separate the signal from the noise • Extract proactive elements of threat intelligence to take preventive actions before indicators even appear on your networks • Prioritize actions based on exploitable assets that are the most mission critical • Identify and act on the most relevant and critical threats and findings at cyber speed 11 Enabling you to focus on the Sweet Spot of threat intelligence and continuous monitoring datasets … Superlative Technologies, Inc. | www.suprtek.com
- 12. For more information on ARES or to request a demo, please contact the SuprTEK Advanced Technology Group at ATG@suprtek.com. 12Superlative Technologies, Inc. | www.suprtek.com