October 27, 2023

Analysis of security events in Sycope NSM


Sycope is a network monitoring system designed to detect network anomalies and security threats based on Netflow and pcaps using the Sycope Probe collector, as well as to respond to the detected incidents. Sycope may be classified as network detection and response software (NDR), which is a crucial system for every Security Operations Center.

Every NDR-class system should provide the functionalities that support the incident handling process - from detection, through mitigation, to the collection of evidence. Sycope was designed to cover all stages of the security incident handling process.

Screen 1. Incident Response Steps

Sycope's network anomaly analysis can be done in a number of ways:

• Analysis based on defined dashboards (power of dashboards)

• Analysis based on a threat’s category (ATT&CK MITRE)

• Data context analysis

• Alert table analysis.

Analysis based on defined dashboards (power of dashboards)

This type of analysis begins by focusing on the standout indicators (spikes, high values, large deviations, unusual combinations, etc.).

Based on the Threats Analysis dashboard, we are able to analyse correlations among IP addresses related to detected anomalies or threats.

This allows us to focus on hosts that are the source or target of many anomalies, so the analytical triggers in this case revolve around deviations of the data in the charts.

Screen 2. Threats Analysis

Other examples are dashboards that highlight correlations among IP addresses, groups, or countries, where we can focus on unusual traffic characteristics in the context of these parameters.

Screen 3. Groups correlations

Quick and effective analysis is possible thanks to fast navigation between dashboards (1), filtering on critical fields (2), and jumping to the table with events (3).

Screen 4. Countries Correlations

The clearest case of top-down analysis is the set of dashboards dedicated to managers, e.g. SOC & KPIs. Within these views it is possible to perform drill-down analysis by clicking on specific values, which makes the data easier to analyse.

Screen 5. SOC & KPIs

Analysis based on a threat’s category (ATT&CK MITRE)

Sycope's alerts are mapped to ATT&CK (a knowledge base of adversary tactics and techniques), which makes the wide range of threats detected in Sycope consistent with the nomenclature of the most widely used threat dictionary and reduces the risk of misinterpreting threats.

Screen 6. KPIs

This type of analysis allows you to focus on specific tactics or techniques, e.g. exfiltration. By doing so, analysts can filter out all other threats, resulting in a more comprehensible data analysis.

Screen 7. Filtering by tactics and technique is possible in almost all security dashboards

Data context analysis

Data context analysis is possible thanks to the data filtering functions, including favourite filters and tags.

Favourite filters allow you to quickly analyse threats by context, and also help in the threat hunting process. For example, among many threats, external or internal threats may be prioritised.

Screen 8. Favourite filters (External Threats, Internal Threats)

Another example of contextual analysis is searching for threats tagged as CTI (Cyber Threat Intelligence). These events correlate with threats detected using IoCs (Indicators of Compromise), such as IPs, hostnames or hashes from the Malware, Spam, Scanner, Phishing, TOR, Proxy and Cryptomining categories.

Threat Intelligence is a very important element of the threat detection architecture in Sycope's security monitoring system.

Screen 9. Favourite filters (CTI Alerts)

Filtering alerts by tags empowers security analysts and threat hunters to quickly locate specific events.

Screen 10. Alerts Map

Alert table analysis.

The analysis of events in the alert table, in addition to handling alerts through the ACK or False Positive flags, allows you to view all of the original (raw) data that triggered a particular alert.
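As an added illustration (not Sycope's code or data model), the toy alert store below mirrors the analysis paths described in the ATT&CK, data context and alert table sections: filtering alerts by ATT&CK tactic, applying named favourite filters (External Threats, Internal Threats, CTI Alerts), tagging alerts from matches against a categorised IoC list, flagging alerts as acknowledged or false positive, and counting the hosts that appear in the most alerts, the kind of top-N view a dashboard would chart. All field names, ATT&CK mappings, IoC entries and sample alerts are constructed assumptions.

```python
"""Constructed example of tag-, tactic- and favourite-filter based alert
analysis. Nothing here is Sycope's code; the alert fields, the IoC feed,
the ATT&CK mapping of each rule and the sample alerts are all made up."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 ranges standing in for the monitored "internal" address space.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IoC feed: indicator -> CTI category (categories named in the post).
# Addresses are from documentation ranges; the hostname uses the reserved .invalid TLD.
IOC_FEED = {
    "203.0.113.7": "Malware",
    "198.51.100.23": "Scanner",
    "bad.example.invalid": "Phishing",
}


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    rule: str
    tactic: str          # ATT&CK tactic the rule is mapped to (assumed mapping)
    technique: str       # ATT&CK technique id (assumed mapping)
    hostname: str = ""   # resolved name of the remote endpoint, if known
    tags: set = field(default_factory=set)
    ack: bool = False
    false_positive: bool = False


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(alert: Alert) -> Alert:
    """Add context tags: where the source sits, plus CTI hits on IP or hostname."""
    alert.tags.add("internal" if is_internal(alert.src_ip) else "external")
    for indicator in (alert.src_ip, alert.dst_ip, alert.hostname):
        category = IOC_FEED.get(indicator)
        if category:
            alert.tags.update({"CTI", f"CTI:{category}"})
    return alert


# Constructed alerts, as a detection engine might emit them.
ALERTS = [enrich(a) for a in [
    Alert("10.1.2.3", "203.0.113.7", "Large outbound transfer", "Exfiltration", "T1048"),
    Alert("198.51.100.23", "10.1.2.9", "Port sweep", "Discovery", "T1046"),
    Alert("10.1.2.4", "192.168.5.5", "Lateral SMB", "Lateral Movement", "T1021"),
    Alert("10.1.2.3", "192.0.2.50", "DNS tunnelling", "Exfiltration", "T1048",
          hostname="bad.example.invalid"),
]]


def active(alerts):
    """Alerts an analyst has not dismissed as false positives."""
    return [a for a in alerts if not a.false_positive]


def by_tactic(alerts, tactic):
    return [a for a in active(alerts) if a.tactic == tactic]


def by_tag(alerts, tag):
    return [a for a in active(alerts) if tag in a.tags]


# "Favourite filters" as named, reusable predicates.
FAVOURITES = {
    "External Threats": lambda a: "external" in a.tags,
    "Internal Threats": lambda a: "internal" in a.tags,
    "CTI Alerts": lambda a: "CTI" in a.tags,
}


def favourite(alerts, name):
    return [a for a in active(alerts) if FAVOURITES[name](a)]


def mark(alert: Alert, ack: bool = False, false_positive: bool = False) -> Alert:
    """Handle an alert the way the alert table's ACK / False Positive flags do."""
    alert.ack = alert.ack or ack
    alert.false_positive = alert.false_positive or false_positive
    return alert


def top_hosts(alerts, n=3):
    """Hosts appearing in the most active alerts: the data behind a top-N chart."""
    counts = Counter()
    for a in active(alerts):
        counts.update([a.src_ip, a.dst_ip])
    return counts.most_common(n)


if __name__ == "__main__":
    print([a.rule for a in by_tactic(ALERTS, "Exfiltration")])
    print([a.rule for a in favourite(ALERTS, "CTI Alerts")])
    print(top_hosts(ALERTS))
```

The point of the enrichment step is that tags are computed once, when the alert is stored, so every later view (favourite filter, tag search, top-N chart) is a cheap predicate over the same records; dismissing an alert as a false positive removes it from all of those views at once.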

Screen 11. Alerts Table

Summary

The ability to track suspicious activity using flexible dashboards, with a multitude of functions supporting data analytics, makes working with the system effective, fast, and pleasant for every user, regardless of whether they are an experienced security engineer or a novice SOC analyst.

Thanks to the well-thought-out architecture of the Sycope system, incident handling is simple, yet the possibilities of deep analysis are extensive, which makes it a key system for every SOC.
