What is our primary use case?
The primary use case for this solution is to reduce Mean Time to Detect and Mean Time to Recovery, and to proactively hunt for threats in the internal cyber network, automatically, with correlated high-fidelity threat intelligence feeds.
The solution allows clients to conduct Automated Threat Hunting, which closes the cybersecurity skills gap in the market and addresses the high level of knowledge required to do such analysis.
How has it helped my organization?
The product has significantly reduced the mean time to detect (MTTD). Usually, banks detect a cyber attack months after the incident happened. This solution allows us to see cyber attacks on a near real-time basis. The advantage is that the response time is much quicker because banks can carry out a prioritized and directed mitigation effort. It closes the gap and saves the bank a lot of money because cyber incidents can be proactively prevented and response mitigation can be carried out much earlier.
What is most valuable?
The most valuable feature is the automatic correlation of all internal cyber activities with the cyber threat intelligence. Threat Hunting Framework provides real-time correlation on all the cyber events and checks them against the Group-IB Threat Intelligence database. Customers can easily conduct automated threat hunting to assess whether their systems are susceptible to targeted attacks by cybercrime syndicates.
What needs improvement?
The nature of the system means it has to be implemented throughout the organization. You need to implement it on the network layer, the email layer, the web proxy layer, and also the endpoints. However, endpoint monitoring is very challenging due to the lack of an automated method to install the endpoint agents. In one of our customer cases, we have about 40,000 endpoints, and we need a simplified method of deployment if we're going to implement endpoint monitoring effectively. Product features also need some improvement in creating custom signatures for detection, because that is not open to customers.
For how long have I used the solution?
What do I think about the stability of the solution?
Because the system requires an appliance, reliability and stability can become an issue, because we are looking at a network point of failure and at an OS point of failure as well. So in terms of reliability, these kinds of systems need to be placed in a high availability deployment. This solution is the most sensitive in terms of reliability or availability issues. If things are not going well, you need to reboot the systems because of certain issues in the OS, for example. So I might say reliability is around 90 to 95%.
The solution requires preventive and corrective maintenance. You have to pay attention to the storage usage of the sensors before it becomes an issue, because if we don't do preventive maintenance, the system is unable to process once it reaches a certain level of storage. Maintenance and support are pretty intense with this type of solution, because sometimes the update is run on fairly small bandwidth in the environment and we get a system error and have to reboot or do some troubleshooting.
What do I think about the scalability of the solution?
Scalability is good because a single instance can support multiple sensors. So we can have big sensors that cover around 10 gigabytes per second of traffic ingestion, and that can be scaled up to hundreds of gigabytes. The solution is also implemented at the ISP level to provide visibility on the ISP network, which is typically hundreds of gigabits per second of traffic ingestion. In terms of scalability, there is no doubt that the system could be scaled up. The number of users is not a limiting factor. We can create as many users as we want; at implementation, we only had about 10 users that could access the system concurrently.
How are customer service and technical support?
We have direct communication with technical support, so it's real-time support and we don't have to open a ticket number and wait several hours to get a response. They are very prompt and responsive.
How was the initial setup?
Whenever we deploy, we have to deploy at least four appliances, and these appliances cannot be simplified because each serves a different purpose. One serves as a sensor, another works as the satellite information platform, another as a sandbox, and another as the main platform to correlate all the information. Then we need to deploy these multiple sensors, and that is quite resource intensive.
We need three to four staff to manage the deployment effectively. It also requires a project manager to align with the network division, the cybersecurity division, probably the endpoint division, and also email. In these big organizations, there are usually different personnel that handle each of these functions. Deployment is a big project and can take around three to four weeks, minimum.
What's my experience with pricing, setup cost, and licensing?
The solution is provided on a subscription basis. In terms of pricing, there are several options offered depending on company size, whether it's a high-tier or low-tier bank, so a smaller organization can also afford this kind of solution if combined with a hybrid deployment. There is also an MSSP model for the solution, meaning we only deploy a single sensor and have the instance running on a private cloud.
Which other solutions did I evaluate?
The company checked many different technologies before choosing this solution including all sorts of sandboxing technologies. Once they saw Threat Hunting Framework, the whole direction shifted to that approach because it contains the whole monitoring aspect rather than requiring separate pilot products that work on their own.
What other advice do I have?
Threat Hunting Framework is essentially one of the highest orders of cybersecurity, to my mind. The idea of Threat Hunting Framework is to understand the cyber path that is affecting the organization. It's not as simple as running a firewall, because you need people who understand types of attacks and how they move into the organization on their network, their email, or their proxy.
Apart from the technical functionality limitations and those challenges, this solution could easily be one of the best in the market, but there are certain challenges in maintenance and its resource intensity. I rate this solution a nine out of 10.
Which deployment model are you using for this solution?