"In my experience, today’s security analytics fail to detect advanced, targeted attacks. What is needed is something built from the ground up to detect threats that traverse multiple tactics and entities over long time horizons. PatternEx’s concept of ‘virtual analysts’ does exactly that, and has helped improve our SOC efficiency."

Thomas Whang, Impelix

Figure: Virtual Analyst diagram

How a Trained AI is Like a "Virtual Analyst"

A new AI is like hiring a fresh graduate from college—full of potential but it must be taught your enterprise's unique security environment.

Training the AI happens when the AI presents a set of alerts to human analysts, who review the alerts and decide whether each one is an attack. The analyst applies a label to the alert, which trains a supervised learning model that automatically adapts and improves. This is a trained AI.

A trained AI acts like a virtual analyst: having captured the intelligence of the analyst through labels, it adds the power of machines. It is always on (24x7), it can analyze huge volumes of data in real time, and it finds patterns in hyper-dimensional space.


Product Architecture

PatternEx transforms log data from multiple sources into behaviors, and then has "AI Pipelines" analyze that data in near real time. 

PatternEx leverages Spark Streaming, high performance file systems, and distributed compute and data tiers. The entire solution uses RESTful APIs for easy integration. 

The UI is designed to enable your analysts to determine whether a behavior pattern is malicious or not, and then capture that input to further train/tune the AI models.


Figure: architecture diagram
Figure: AI2 diagram

Artificial Intelligence x Analyst Intuition

The AI2 process facilitates communication between the artificial intelligence platform and the human analyst.

Raw data is ingested, transformed into behaviors, and run through algorithms to find rare events for an analyst to review. After investigation, the analyst attaches an appropriate label to each event. The system learns from these labels and automatically improves detection efficacy.

Data models created through this process are flexible and adaptive. Event accuracy is continuously improved. Historic data is retrospectively analyzed as new knowledge is added to the system.

AutoCorrelate™

PatternEx AutoCorrelate reduces the time it takes to investigate a threat by 20x by automatically discovering new correlations and displaying the entity relationships in an intuitive graph.  

Once an entity has been determined to be bad or compromised, PatternEx AutoCorrelate automatically investigates thousands of relationships to identify a chain of suspicious entities that an analyst needs to navigate while investigating the vector of an attack. These relationships may span multiple entity types, threat tactics, and time. 


Custom Analytics

PatternEx Custom Analytics gives users the ability to do deeper analysis or extract complex analytics from raw logs. Analysts can:

  • Use SQL queries to query logs
  • Use Python or Scala to build complex analytics
  • Save these analytical queries as notebooks
  • Share notebooks amongst analysts to enable collaborative threat hunting


Sources of Behavioral Data

Your attack surface is broad and keeps changing. Your application, identity and access management, and traditional security data sources are all important for analysis. Data models can be made up of any combination of endpoint, network, access, and identity data.

Additionally, threat intelligence data and existing labeled attack data can also be incorporated into the analysis.

While you can get started by capturing only a few data sources, the more data sources you include, the larger the variety of attacks that can be detected.


Figure: behavioral data diagram

PatternEx Sample Use Cases (Mapped to MITRE ATT&CK Phases)

MITRE Phase: Initial Access

AI model example: Social engineering domains

This AI model speeds up detection of social engineering domains using 10+ simultaneous analytics. These analytics include, among others, the lexicographic characteristics of the domain name (length, digit ratio, vowel ratio, etc.), the domain age, and its popularity. The benefit is that the time between detection and remediation is much shorter than when waiting for published blacklists.
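As an added example (not PatternEx code), the lexicographic analytics named above computed for a domain in Python, plus Shannon entropy as an assumed extra analytic, and a rarity score against a constructed baseline of known-benign domains of the kind that would surface candidates for analyst review and labeling; the single-part TLD handling and all sample domains are assumptions.

```python
# Added example, not PatternEx code: the lexicographic analytics the page lists
# (length, digit ratio, vowel ratio) plus Shannon entropy as an assumed extra analytic,
# and a rarity score against a constructed baseline of known-benign domains.
import math
from collections import Counter

VOWELS = set("aeiou")

def registrable_label(domain: str) -> str:
    """Label left of the TLD ('mail.example.com' -> 'example').
    Assumption: single-part TLDs only; no public-suffix list handling."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def lexical_features(domain: str) -> dict:
    """Per-domain analytics: label length, digit ratio, vowel ratio, char entropy."""
    label = registrable_label(domain)
    n = max(len(label), 1)
    letters = [c for c in label if c.isalpha()]
    entropy = -sum(k / n * math.log2(k / n) for k in Counter(label).values())
    return {
        "length": float(len(label)),
        "digit_ratio": sum(c.isdigit() for c in label) / n,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "entropy": entropy,
    }

def baseline_stats(domains: list) -> dict:
    """Mean and std of each feature over known-benign domains (std floored at 0.01)."""
    rows = [lexical_features(d) for d in domains]
    stats = {}
    for key in rows[0]:
        vals = [r[key] for r in rows]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        stats[key] = (mean, max(std, 0.01))
    return stats

def rarity_score(domain: str, stats: dict) -> float:
    """Mean absolute z-score from the benign baseline; high values are the rare events an analyst reviews and labels."""
    f = lexical_features(domain)
    return sum(abs((f[k] - m) / s) for k, (m, s) in stats.items()) / len(stats)

# Constructed sample data (not real telemetry).
BENIGN = ["example.com", "wikipedia.org", "github.com", "microsoft.com", "nytimes.com"]

def rank_candidates(candidates: list) -> list:
    """Order candidate domains from most to least unusual for analyst review."""
    stats = baseline_stats(BENIGN)
    return sorted(candidates, key=lambda d: rarity_score(d, stats), reverse=True)
```

In a real deployment the baseline would be the enterprise's own observed-benign traffic and the analyst's labels would replace the z-score with a supervised model, as the page describes.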


MITRE Phase: Defense Evasion

AI model example: Tor connections

This AI model detects Tor connections made through bridges, whose IP addresses are not published, so blacklists will not work. The model looks at log footprints to see where bridges may be in use to avoid detection.


MITRE Phase: Command & Control (C2)

AI model example: Domain Generation Algorithms (DGA)

This AI model detects DGAs (used by C2 systems to exfiltrate data and/or receive commands). We have shown this model to identify DGAs before the corresponding signatures are reported in VirusTotal, reducing the risk of data exfiltration or lateral movement.


MITRE Phase: Exfiltration

AI model example: Exfiltration via DNS queries

This AI model uses 10+ DNS analytics to identify stealthy data exfiltration strategies. Most enterprises do not monitor DNS in this way, and thus this model fills a vital gap in threat detection.


PatternEx Virtual Analyst Platform Architecture

Learn how PatternEx dynamically accepts security analysts' feedback to create predictive models that continuously adapt to detect new and existing threats. Using this feedback, PatternEx is continuously trained to improve detection accuracy. Download the white paper to learn more.
