LiveAction adds new SOC-focused features to ThreatEye NDR platform
Written by Michael Hill, UK Editor, CSO
A SOC-specific user interface that supports analyst workflows and enhanced predicative threat intelligence capabilities are among the new features.
End-to-end network security and performance visibility vendor LiveAction has announced new security operations center (SOC) focused updates to its Network Detection and Response (NDR) platform, ThreatEye. In a press release, the firm stated that the platform features a new user interface (UI) designed to enhance the ability of SOC analysts to correlate findings and policy violations to track incidents.
The platform offers enhanced predicative threat intelligence capabilities that allow SOC analysts to identify and track domains and IP addresses not yet active but registered by threat actors and associated malware campaigns. It also includes packet-based behavioral fingerprinting to identify behavior in encrypted traffic streams and host-based behavioral analysis, LiveAction added.
New SOC-specific UI designed to support analyst workflows
ThreatEye’s new UI has been designed to support SOC analyst workflows with integrated packet analysis insights, LiveAction stated, delivering an integrated approach to searching, collaborating, and alerting. Built by SOC analysts, the UI delivers enhanced collaboration across teams by auto-enriching and correlating disparate data sources, including geography, passive DNS, MITRE techniques, and threat intelligence, the firm added. “ThreatEye’s multi-stage pipeline analysis further layers on detailed findings, risk scores, and MITRE ATT&CK labeling,” according to LiveAction.
Alan Freeland, SOC manager at DigitalXRAID, tells CSO that a good UI that supports deep packet inspection is a key component that allows SOC analysts and teams to identify and mitigate threats quicker and more effectively. “By giving analysts this capability, you improve the chances of spotting major threats to the organization, such as ransomware and data leaks.”
Proactive threat intelligence a “great help” to the SOC function
As for the platform’s enhanced predictive threat intelligence features, LiveAction stated that ThreatEye now has the capability to identify and flag when a user is communicating with threat actor infrastructure before campaigns are known to be active. This includes revealing IPs and domains associated with threat actors before they are activated. Such proactive threat intelligence allows analysts to identify potential indicators of compromise before they become threats to an organization.
This is a growing area of “great help” to the SOC function, Freeland says. “By integrating these tools into an analyst’s workflow, it helps them to push through up-to-date threat intel data that allows clients to be prepared for attacks before they happen. Many of these tools can be integrated into automated workflows so that it does not require a user to update tooling with this information.”
Elad Menahem, director, head of security research at Cato Networks, concurs. “Platforms that appropriately incorporate threat intelligence can ease the SOC’s work effort and reduce the analysis time significantly, as most of the common threats have observables already known in the wild,” he tells CSO. In addition, classifying the source of encrypted traffic, e.g., using TLS attributes analysis so that analysts can correlate between the source (Client Type) and the destination (IP/Domain), helps them to respond accordingly to incidents that originated from a browser versus bots unknown to their network, which might imply a new bot or suspicious application in the environment.
Behavioral fingerprinting uncovers activity via multiple information vectors
A third new feature added to ThreatEye is the platform’s “AI-powered” behavioral fingerprinting, which LiveAction said has been designed to uncover activity within encrypted connections by tracking multiple vectors of information, including producer-to-consumer ratios (PCRs) and sequence of packet length and time (SPLT). This session-based fingerprinting is coupled with host-based behavioral analysis to infer when a threat actor is active in an environment, the vendor added, while machine-learning-driven device discovery allows enterprises to identify devices that may be compromised.