Cloud Detection and Response

Get continuous cloud-native security, visibility and compliance for AWS, GCP, Azure and OCI, with asset inventory, misconfiguration detection, and threat detection in one second or faster. Blue Hexagon dramatically improves your cloud security posture with an agentless, accurate and actionable solution powered by deep learning.

Continuous Threat Detection with Deep Learning

The rapid migration to the cloud comes with several challenges. Many organizations are struggling to translate the policies and protections of their traditional on-premises networks to their new cloud-based environments. In addition, the shortage of skilled cloud developers and the ease of deploying workloads and bringing up new networks and regions are leading to configuration mistakes that give attackers a path in.

Attackers themselves are getting more sophisticated and organized in their tactics. Threats have proven that they can evolve faster than traditional signatures, intelligence feeds, and sandboxes can deliver defenses. As a result, security teams are in the unenviable position of taking security tools that are increasingly outdated even in the traditional architecture and then migrating them to a completely new architecture that the tools were never designed for.

Blue Hexagon’s Cloud Security Platform provides organizations with a path forward. The solution allows the customer both to harden their cloud (cloud visibility, cloud compliance, misconfiguration detection) and to detect active threats (workload threats, storage threats, and network threats) without relying on outdated signatures, IOCs and threat intelligence feeds.

Blue Hexagon provides sub-second identification of both known and unknown threats with near 100% accuracy, and natively works with cloud infrastructure for visibility and enforcement.

Instead of trying to bolt on the old security model to the cloud, organizations can adopt a new generation of security that works naturally with the new generation of infrastructure. Blue Hexagon connects to your cloud assets using CSP APIs in minutes to deliver an agentless, cloud-scalable SaaS solution for multi-cloud organizations.

Securing the cloud is not possible with just point-in-time periodic checks. Organizations cannot guarantee a perfectly hardened cloud with no misconfigurations at all points in time. Combining continuous threat detection with misconfiguration detection is the only way to limit overall risk to your cloud assets. They go hand in hand and need to exist together in the same platform for effective risk prioritization and mitigation.

“Blue Hexagon provides a real-time platform utilizing deep learning and artificial intelligence that really helps us keep up with existing and emerging threats.”

—CIO of a US Financial Service Company

AI Security for Actionable Outcomes

Blue Hexagon’s cloud security platform connects to your cloud infrastructure in an agentless manner in minutes, using the cloud service providers’ native APIs to collect raw data: resources in every region of every account, their configurations, cloud control-plane activity, network activity, storage activity, and serverless packages.

This raw data is then analyzed centrally by the Blue Hexagon platform: proprietary deep learning models detect Windows and Linux malware, command and control, and beaconing, while behavior analytics algorithms uncover unusual patterns of behavior in the cloud control plane and data plane. The deep learning models also provide early threat intelligence on IOCs and IOBs, which is applied to the same raw data. Finally, the platform allows SecOps teams to write their own detection-as-code (e.g. to uncover specific MITRE ATT&CK behaviors) to bolster or correlate with the platform’s native detections.

This ingestion, analysis, indexing and deep learning verdict on the raw cloud data leads to six concrete outcomes for DevOps and SecOps teams.

Blue Hexagon provides visibility into asset inventory and cloud activity, detects several hundred misconfigurations in more than 100 different services across AWS, Azure, GCP and OCI, and aids in compliance with multiple standards such as CIS, HIPAA and PCI. Blue Hexagon provides coverage for 12 out of the 20 CIS-recommended controls.

By applying deep learning to network traffic, storage activity and workloads, Blue Hexagon identifies both known and unknown threats in network traffic and cloud storage with >99% accuracy, usually in less than a second, and natively works with cloud infrastructure for visibility and enforcement.

“With Blue Hexagon, visibility across our multiple Cloud Providers has given us a significant, measurable advantage over other solutions.”

—CISO at a major healthcare company

Cloud Native and Security Integrations

Blue Hexagon’s cloud security platform connects to your cloud infrastructure, in an agentless manner, within minutes using cloud-native APIs to collect data for security analysis. For example, in AWS, Blue Hexagon continuously ingests all AWS CloudTrail data, VPC Flow Log data, VPC Traffic Mirroring data, configuration data, and transactions to and from S3.

This raw data is enriched, aggregated and indexed in a single SaaS portal to enable visibility, hunting and alerting across multiple clouds, multiple regions and multiple accounts.

Output from the system, such as misconfigurations and security findings, can then be routed to a variety of response tools.

SIEM: Security findings and associated raw metadata can be sent to platforms like Azure Sentinel, Splunk or AWS Security Hub for further analysis or correlated with other tools.

Perimeter: IOCs derived from security findings, such as malicious IPs, domains or hashes, can be provided as rules to perimeter security tools.

Workflow/Collaboration: Security findings can be added to ticketing systems such as Jira for further investigation or remediation or to collaboration systems like Slack. Cloud-native response automation is also possible by sending security findings to a serverless function and taking action in the function based on the findings.

Endpoint: Security findings about infected assets or malicious network entities can be shared with EDR or EPP tools for prevention.
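As an added illustration of the two patterns described above (custom detection-as-code over ingested CloudTrail data, and cloud-native response automation via a serverless function), the following Python is example code, not Blue Hexagon’s code, finding format or API. The record layout follows AWS’s public CloudTrail event format; the sample records, the finding schema, the rule set, the playbook table and the handler’s invocation payload are all constructed assumptions for this example.

```python
"""Detection-as-code over CloudTrail records, plus a serverless-style responder.

Example code (not Blue Hexagon's). Record fields follow the public AWS
CloudTrail event format; everything else here is an assumed, constructed schema.
"""
from typing import Callable, Dict, Iterable, List, Optional

Record = Dict
Finding = Dict

# Constructed CloudTrail records, trimmed to the fields the rules consult.
SAMPLE_RECORDS: List[Record] = [
    {   # logging tampering: maps to ATT&CK T1562.008 (Disable Cloud Logs)
        "eventTime": "2024-05-01T10:02:11Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"name": "org-trail"},
    },
    {   # security group opened to the whole internet on SSH (misconfiguration)
        "eventTime": "2024-05-01T10:05:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {   # benign read-only call; no rule should fire on it
        "eventTime": "2024-05-01T10:06:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "analyst"},
        "sourceIPAddress": "198.51.100.9",
        "requestParameters": None,
    },
]


def finding(severity: str, category: str, title: str, rec: Record, resource) -> Finding:
    """Build a finding in the assumed schema from the record that triggered it."""
    ident = rec.get("userIdentity", {})
    return {
        "severity": severity, "category": category, "title": title,
        "resource": resource,
        "actor": ident.get("userName") or ident.get("arn") or ident.get("type"),
        "source_ip": rec.get("sourceIPAddress"),
        "event_time": rec.get("eventTime"),
    }


def rule_trail_tampering(rec: Record) -> Optional[Finding]:
    """Fire on API calls that stop, delete or alter a CloudTrail trail."""
    if rec.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if rec.get("eventName") not in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        return None
    name = (rec.get("requestParameters") or {}).get("name")
    return finding("high", "T1562.008", f"CloudTrail trail altered ({rec['eventName']})", rec, name)


WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_world_open_ingress(rec: Record) -> Optional[Finding]:
    """Fire when a security group ingress rule is added for the whole internet."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                title = (f"ingress from {cidr} on {perm.get('fromPort')}-"
                         f"{perm.get('toPort')}/{perm.get('ipProtocol')}")
                return finding("medium", "misconfiguration", title, rec, params.get("groupId"))
    return None


RULES: List[Callable[[Record], Optional[Finding]]] = [rule_trail_tampering, rule_world_open_ingress]


def run_rules(records: Iterable[Record], rules=RULES) -> List[Finding]:
    """Evaluate every rule against every record; return the findings in order."""
    return [f for rec in records for rule in rules if (f := rule(rec)) is not None]


# Assumed playbook: finding category -> (response action, AWS API the action would call).
PLAYBOOK = {
    "T1562.008": ("restart_trail", "cloudtrail:StartLogging"),
    "misconfiguration": ("revoke_ingress", "ec2:RevokeSecurityGroupIngress"),
}


def lambda_handler(event: Dict, context=None) -> Dict:
    """Serverless entry point shaped like an AWS Lambda handler.

    Assumed invocation payload: {"finding": {...}}. Returns the planned response
    so the example runs offline; a deployed function would make the listed API
    call (or open the ticket) here.
    """
    f = event["finding"]
    action, api = PLAYBOOK.get(f["category"], ("open_ticket", None))
    return {
        "action": action, "aws_api": api, "resource": f.get("resource"),
        "severity": f["severity"],
        "summary": f"[{f['severity'].upper()}] {f['title']} by {f['actor']} from {f['source_ip']}",
    }


if __name__ == "__main__":
    for fnd in run_rules(SAMPLE_RECORDS):
        print(lambda_handler({"finding": fnd}))
```

Running the block prints one planned response per finding: the trail tampering record yields a `restart_trail` action and the world-open security group a `revoke_ingress` action, while the read-only `DescribeInstances` call produces nothing. Rules are plain functions that return a finding or `None`, which is what makes them easy to version, review and test like any other code.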

Real Time Threat Intelligence

Threats Infiltrate from Anywhere

Applications and users process files from a variety of trusted and untrusted sources. Scanning these artifacts to identify threats is critical for enterprise security. To respond to and contain threats effectively, enterprise SOC and IR teams need to analyze payloads obtained from endpoints, networks, data repositories, customer uploads and SaaS applications, and must get accurate and timely verdicts and novel threat intelligence. Existing solutions such as signature-based antivirus tools or sandboxes with shallow ML are ineffective at providing the timely cyber threat intelligence necessary for effective response.

Blue Hexagon Real-time Threat Intelligence

Blue Hexagon is the world’s fastest and most accurate threat detection service for detecting threats embedded in files [Miercom report]. Since verdicts are available instantly, applications can use the Blue Hexagon Real-time Threat Intelligence service to prevent threat infiltration and lateral spread.

This service offers direct access to Blue Hexagon’s proprietary HexNet™ Deep Learning AI engine, and is delivered as a global REST API-based SaaS service with regional Points of Presence for low latency, scalability, and data governance.

The service provides:

  • Real-time Verdicts: detect malware in more than 100 different file types and content (by hash), including unique file-format analysis to identify obfuscated files
  • Ransomware Threat Feed: IOCs for the latest malware and ransomware families and campaigns, often several hours to days in advance of public feeds
  • AI-predicted Neural Threat Archetypes: e.g. ransomware belonging to the Ryuk family
  • AI-predicted IOBs: Indicators of Behavior (IOBs) mapped to the MITRE ATT&CK™ framework to explain the possible behaviors of the payload were it to activate in the customer environment
  • Contextual Malware Report: full contextual malware report including network, file, registry, and process IOCs (Indicators of Compromise)
  • Monthly Top Ransomware Package: full contextual malware reports for the top 50-100 ransomware samples every month, curated by Blue Hexagon Labs
  • Privacy: if requested, submitted samples are deleted after analysis. Samples are never shared with third parties

Try Blue Hexagon in your Cloud

Within a few minutes you can install Blue Hexagon and be ready to detect cloud threats at runtime, continuously, and protect your cloud workloads, network and storage.

Get Started