Click Analytics

Click Analytics for Security Threat Analysis

Click Analytics are the lifeblood of the Click security threat analysis solution. They ingest, assimilate, and analyze large volumes of security-related data to discover the unusual patterns or connections that underlie attack activity. The analytics work individually and in combination as a security analysis tool, acting as a force multiplier for analysts.

Complex diagram: Click security analysis tool-set converts big data security threat analysis into security visibility

Example: Log Analytics

Log analytics process discrete syslog feeds from stand-alone products such as IPS/IDS, web proxies, and Windows authentication servers. These analytics provide rich contextual insight into the activity of "actors" by correlating flow, authentication, access, and security event data. Examples include:

  • Top N stats for alerts
  • Identification of beaconing via repeating network connections
  • Detection of Domain Generation Algorithm (DGA) domains
  • Failed Login Analysis, including:
    • Multiple IPs per Username
    • Multiple Usernames per IP
    • Logins from different Geo-Locations
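The first two failed-login checks listed above (many source IPs per username, many usernames per source IP) reduce to counting distinct values per key over the failed-login events in a syslog feed. The following is an added illustration, not Click's own code: it parses constructed sshd-style lines (the log format, the threshold of 3, and the sample data are assumptions) and flags both anomaly types; the geolocation check is omitted because it needs an external IP-to-location database.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in an sshd-like format (not from a real system).
SAMPLE_LOGS = """\
Jan 10 08:01:02 host1 sshd[1200]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Jan 10 08:01:05 host1 sshd[1201]: Failed password for alice from 10.0.0.6 port 50002 ssh2
Jan 10 08:01:09 host1 sshd[1202]: Failed password for alice from 10.0.0.7 port 50003 ssh2
Jan 10 08:02:11 host1 sshd[1210]: Failed password for bob from 203.0.113.9 port 41000 ssh2
Jan 10 08:02:14 host1 sshd[1211]: Failed password for invalid user carol from 203.0.113.9 port 41001 ssh2
Jan 10 08:02:17 host1 sshd[1212]: Failed password for dave from 203.0.113.9 port 41002 ssh2
Jan 10 08:03:00 host1 sshd[1220]: Accepted password for erin from 10.0.0.9 port 42000 ssh2
"""

# Matches the assumed sshd failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed_logins(text):
    """Yield (username, source_ip) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def failed_login_anomalies(text, threshold=3):
    """Aggregate failed logins two ways and return both anomaly tables.

    Returns (users, ips): usernames attacked from >= threshold distinct IPs,
    and source IPs that tried >= threshold distinct usernames (spray pattern).
    """
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for user, ip in parse_failed_logins(text):
        ips_per_user[user].add(ip)
        users_per_ip[ip].add(user)
    users = {u: sorted(s) for u, s in ips_per_user.items() if len(s) >= threshold}
    ips = {ip: sorted(s) for ip, s in users_per_ip.items() if len(s) >= threshold}
    return users, ips


if __name__ == "__main__":
    for label, table in zip(("users hit from many IPs", "IPs trying many users"),
                            failed_login_anomalies(SAMPLE_LOGS)):
        print(label, table)
```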

Example: Network Analytics

Network Analytics provide rich, deep insight into unknown and unwanted activity on the network that often does not register with traditional security products but is highly meaningful to analytics capable of processing complex event sequences. Network analytics are driven by data capture and processing tools such as p0f (passive OS fingerprinting), the Bro network security monitor, Snort intrusion detection, and FPC (full packet capture). Example analytics include:

  • False User-Agent Strings - Detection of software that specifies a User-Agent but does not behave like it
  • HTTP Anomalies - Looking for HTTP traffic whose structure deviates both from the RFC and from what is "normal"
  • Dynamic DNS - Alerting on HTTP, SSL and DNS traffic associated with a Dynamic DNS domain, and in addition on all traffic destined to an IP address that resulted from a DynDNS hostname resolution
  • HTTP DriveBy - Finding exploit kit and watering hole activity based on behavior, not just known-bad files
  • Non-standard Traffic - Awareness of traffic sent to non-routable IP blocks (bogons) external to your organization
  • Various known malware and RAT signatures

Example: Artifact Analytics

Artifact Analytics delve into the actual network traffic, looking for unknown or malicious file artifacts. Through a set of workers, files are processed with Click-written file parsers, and processing can be extended with open source or custom tools for additional profiling or analysis to surface further indicators. New tool integrations and analytic lessons learned are built into new workers and provided to the user base automatically. Files can be uploaded by a user or submitted programmatically for automated analysis; we currently support an integration with Bro for automatic upload. For supported file types we parse the file format, look for abnormalities, search for obfuscated variable values, and detect and emulate shellcode. Supported file types include:

  • ShockWave Flash (SWF)
  • PDF
  • Gzip
  • Zip
  • Machine Object (Mach-O)
  • RAR
  • PCAP
  • Java Class
  • Microsoft Office
  • RTF
  • Portable Executable (PE)
  • MIME HTML (mhtml)
  • Checks run against all files (including unsupported types):
    • Yara
    • ClamAV
    • XOR encryption search
    • NSRL hash check

Cross-Context Analytics for Security Threat Analysis

Cross-context analytics assimilate anomalies and malicious activity in a broader context than analytics designed around a single data source family or functional focus. They form an even tighter web of detection that points analysts to activity which would otherwise be difficult to detect without laborious, time-consuming data science effort. Examples of this security threat analysis include:

  • Authentication Anomalies
  • Passive HTTP Redirect Chain Analysis
  • Behavioral Profiling
  • Actor Health Scoring
  • Timing Anomalies
  • Suspicious Event Sequences
  • IIS/OWA Spam Detection