Advanced Threat Detections
นิยามใหม่ของวิธีการตรวจจับและตอบสนองต่อภัยคุกคามด้วยแพลตฟอร์มการตรวจหาและตอบสนองแบบเปิดที่สามารถขยายเพิ่มได้ (Open XDR) ด้วยการรวบรวมข้อมูลในเครือข่ายและเชื่อมโยงความสัมพันธ์ข้อมูลที่เกี่ยวข้องกันกับข้อมูลความปลอดภัยที่มีความหลากหลายในแพลตฟอร์มเดียว อาทิเช่น ML IDS, NTA, FTA, UBA เป็นต้น การตรวจจับภัยคุกคามขั้นสูงนั้นดำเนินการโดยใช้ AI และความสัมพันธ์อัตโนมัติที่มีความแม่นยำสูง การทำงานอัตโนมัติด้วยข้อมูลเชิงบริบทและดำเนินการได้ทำให้การค้นหาและการตรวจสอบภัยคุกคามง่ายขึ้นกว่าที่เคย การตอบสนองแบบอัตโนมัติจะกำจัดงานซ้ำ ๆ ช่วยลดเวลาตอบสนองต่อภัยคุกคาม และช่วยลดต้นทุนโดยรวมในการป้องกันภัยคุกคามทางไซเบอร์
Starlight’s dashboard provides an overview of the entire cybersecurity kill chain and is based on a defense-in depth security design.
From reconnaissance to exfiltration, suspicious communications to internal and external actors, Starlight gives real time visibility of threat progression as it happens.
Starlight studies each data point to remove the noise and show only high fidelity, scored attacks and anomalies. Admins do not need to deal with thousands of noisy alerts but only a handful, relevant events on their dashboard.
Starlight’s panoramic view provides high fidelity attack and anomaly visibility of compromised or targeted assets and external bad actors, and correlates data across the cybersecurity kill chain.
Admins can easily trace the attacks that have taken place on an asset and identify which bad actors have contributed to the compromise. Starlight also gives admins the ability to locate where bad actors are coming from. With the single click of a button an admin can drill down to see the details of security events and determine the reason of behind an event.
Starlight is the most open and easy to understand, so use, security analytics platform in the world with huge difference…
Starlight’s Advanced Threat Detection view provides full picture of attacks and anomalies within a selected time period and categorizes them across the cybersecurity kill chain. As an example, an admin can quickly identify how many login failures have occurred on an assets in comparison to how many of them are anomalous login failures (less than 1%) and critical (even less). This is useful because all login failures are not necessarily malicious. In this screen shot here, you will notice over 35 thousands login failures captured but only 29 of them are anomalous and only 2 of them are critical. By combining this hyper-precision and prioritization with open, contextual data, Starlight enables admins to make the right decision at the right time with peace of mind.
Starlight’s defense-in depth design enables admins to catch malware downloads and allows them to see which machines have downloaded known and zero day malware.
From this view admin can quickly identify where the malicious activity is coming from through geo-location awareness, along with visibility into other relevant information like the MD5 hash of a file, its name and reputation. Lateral movement can also be spotted quickly to see the propagation of malware within the environment.
Starlight provides separate views for communications that are anomalies within the environment breaks the views down into relevant detection categories.
It includes a view where admins can find high fidelity firewall alerts thanks to its industry first and only ML-Firewall (TM) component. Stellar Cyber innovated machine learning on firewall data, to get rid of firewall log noise to provide a cleaner view of what is important and needs attention.
Starlight innovated the machine learned IDS feature. ML-IDS is a new design when compared to traditional Intrusion Detection Systems.
By combining best of bread IDS technology with machine learning, Starlight dramatically improves the elimination of IDS noise and false positives.
Starlight provides incredible visualization capabilities for admins to leverage existing views, customize templates and create completely new dashboards from the complete set of data that platform offers as Interflow™.
Each dashboard, whether it is from an existing or customized template, the platforms dashboards to be turned into PDF reports. Admins can also schedule these reports to be automatically emailed.
This gives admins an ability to create an unlimited number of reports to satisfy any business needs and turn repetitive reporting tasks to one time configurations in a snap.
With Starlights unique data collection and Interflow™ technology, the platform enables admins to perform threat hunting at ease.
Users can leverage any dashboard/report view as a template, click on data points to zoom in or out dynamically and even enter their own queries with a Google like search bar to get the bottom of any incident.
Each and every record has the contextual data to grasp the details immediately and Interflow™ has all the evidence that admins need to make their ultimate decision.
Starlight automates the way admin searches for threats and also automates response actions. The platform delivers huge time, human capital, and cost savings for companies.
Admins can create rules and queries to be run on a desired period and set up an alert via email, slack or webhook to notified admins of any new findings immediately.
An example, search for any login failures with the source country Russia and destination of an internal application every 10 minutes. If any record is found, alert the “Threat Hunting” group via Slack and also put 1 hour block rule to the relevant firewall in order to mitigate the possible attack until the event is fully investigated.
With the investigation view you can perform a “Google-like” search of every record that you have for the environment. Each filter or click takes effect immediately on visualization widgets as well as on detail records for easy threat hunting.
Starlight can capture data from all kind of sources like traffic, logs, etc. eliminates blind spots within your environment. Once the data is collected, it goes through a normalization process and then enrichment pipelines to fuse in contextual information like application info, IP reputation and geo-location, etc. to make it meaningful and its ultimate end output is called Interflow™.
Starlight enables comprehensive reporting capabilities including compliance reports.
Admins can leverage existing reports, can customize any of them to their needs and can create custom reports with unlimited data and visualization possibilities to satisfy their business requirements.
The Starlight platform also provides a scheduling function to send the reports via email on desired periods and timeline.
Starlight enables admins to respond to any incident immediately inside the platform.
It might be blocking the source or destination of the incident on the firewall until the investigation has concluded or taking a permanent action.
Starlight also integrates with other Security Orchestration, Automation and Response (SOAR) tools such as Demisto (Palo Alto Networks) and Phantom Cyber (Splunk) to trigger a response playbook.
Starlight provides a built-in case management system to enable workflows and ensure nothing gets lost during an investigation.
Admins can create cases from events, escalate tickets to others, and close cases when results are determined. All changes to cases are recorded for audit purposes as well.
Starlight also offers built-in integration with top tier security research partners to escalate a case for outsourced investigation.
Starlight delivers patent pending technology that turns the platform into a firewall controller. Any piece of information that platform records can be used to trigger a firewall policy. Administrators simply write a query and instruction the module to take firewall action if the query returns results. An example of its use could be, an administrator wanting to block all traffic coming from North Korea that has a source IP address reputation of being a Brute-Forcer.
The firewalls that are currently supported are: Palo Alto Networks, Fortinet, Checkpoint, Cisco, Hillstone, Sophos and AWS.
Network Traffic Analyzer
In Starlight’s Asset View you can easily find all assets discovered on your network and gain valuable insight into what each one is doing. Asset View detects the operating system running on a device, the hardware type, applications used by the device, history of the asset’s IP addresses, the network throughput, and even application performance over time.
Admins can approve or disapprove discovered assets to keep track of inventory and also to enforce the detection rules based on asset status.
With Starlight’s Service Visibility view, admins can easily see what applications are running within their environments, which IP addresses are communicating and how much data is being transmitted.
The view is categorized for private and public communications to let admins quickly grasp the picture on each segment and direction.
The easy to use user interface lets the user drill down, sort and filter on a variety of different things.
Starlight is also a great tool for network traffic analysis, such as commonly done with NetFlow collector tools. Because Starlight uses Interflow™ to capture L2-L7 flow telemetry we are able to visualize the performance of networks, servers, and applications. Admins are able to quickly identify performance bottlenecks, understand which applications are being used the most, and see if the server is causing any problems or if the network itself is at fault.