GREYCORTEX RELEASES MENDEL V 2.6.1

In the newest version of GREYCORTEX MENDEL (2.6.1) we have implemented several new features to improve performance, including a new flow scheme. This new scheme will also store more flow data and metrics. Existing data will be automatically transferred into this new scheme to ensure its continued usability. This data transfer process will run in the background, allowing you to continue to work with new flow data. Depending on the amount of existing flow data, the transfer may take few days, but it will not affect system usability.

We have also added a new DHCP application parser. This means you can now use DHCP data to identify hosts by their hostnames, giving you better knowledge/information about hosts; for better and more effective action.

Additional Features

  • Added new aggregated flow structures and their visualizations to achieve better performance
  • Added an additional severity decision mechanism for outlier detection to better highlight larger anomalies
  • Added a new DHCP application parser
  • Added the capability to display unfinished flows
  • Added an additional metric:  UET – User Experience Time – to network flows

Improvements

  • Improved database query performance
  • Improved the precision of the Round Trip Time and Server Application Response Time metrics computation
  • Optimized the performance of the Peers graph for faster loading
  • Upgraded the database to achieve greater performance
  • Set default log interval in log reporting to 7 days

Bugs Fixed

  • Fixed SMB protocol identification
  • Fixed network services model calculation
  • Removed queries to root DNS servers
  • Fixed missing DNS server configurations, which occurred in rare cases
  • Fixed settings for RX queues in network drivers
  • Fixed timezone usage
  • Fixed filtering issues in Incident Management
  • Fixed data inconsistency between Peers and Hosts graphs
  • Fixed report generation where data fields did not display correctly
  • Fixed hyperscan support on non-Intel architectures
  • Fixed password escaping issue
  • Fixed custom server certificate handling
  • Fixed system monitoring data propagation
  • Fixed DNS server settings
  • Fixed ICMP event and flow pairing
  • Fixed MS-SQL protocol parser
  • Fixed time handling in False Positives for different time zones
  • Fixed color configuration for Port Sweep detection
  • Fixed flows search in Outlier events
  • Fixed issue with duplicate hostnames
  • Fixed flow search in limit events
  • Fixed network configuration calculation
  • Fixed Url Share functionality in the comments field in Incident Management
  • Fixed filtering issue in Incident Management
  • Fixed pagination in Incident Management
  • Fixed issue in Url Share
  • Fixed transfer data calculation in the Peers graph
  • Fixed firewall autoconfiguration when enabling Netflow source
  • Fixed events filtering by name
  • Fixed subnet traffic calculation
  • Fixed allow/deny configuration description
  • Fixed the “To Filter” button in Peers graph
  • Fixed port and service name filtering
  • Fixed other issues related to Incident Management
  • Fixed subnet icons in Events
  • Fixed vulnerability to CVE-2016-2183
  • Fixed empty service description editing
  • Fixed false positives value editing
  • Fixed ICMP flow filtering on services
  • Fixed the assignment of hosts into incorrect subnets
  • Fixed host information display in the Analysis module
  • Fixed invalid DHCP transaction IDs in individual flows
  • Fixed DHCP parsing issues on flows from the DHCP relay
  • Fixed the password warning message when the password is shown as invalid during installation
  • Fixed the event payload display in IDS events
  • Fixed issues with special characters during installation
  • Fixed an issue with filtering port number and service name together
  • Fixed an issue with flow duration calculation
  • Fixed cancel button functionality in Flows view
  • Fixed calculation of the number of subnets in Events
  • Fixed the use of an incorrect filter in subnet to filter function in the Events tab
  • Fixed the filling service in False Positive
  • Fixed traffic information in incident links

GREYCORTEX PROTECTS AGAINST WANNACRY

GREYCORTEX is happy to report that MENDEL, our network traffic analysis solution, affirmatively detects infection by the WannaCry ransomware, its possible variants/clones, and protects users more effectively than rule-based detection tools alone.

Because GREYCORTEX MENDEL uses advanced artificial intelligence, machine learning, and data analysis to identify network anomalies, it easily identifies threats like WannaCry, allowing network security teams to take rapid action and stop threats before they do damage.

In the case of WannaCry, GREYCORTEX tested the ransomware in our malware lab. It was found to engage in aggressive and anomalous practices, like port-scanning behavior on an SMB port (445), attempting to connect to over 4000 devices in 175 countries across the Internet in five minutes, and downloading TOR network software. All of these behaviors were identified by MENDEL’s advanced network behavior analysis.

MENDEL users are better protected from malware like WannaCry and its variants/clones than users of firewall, IDS, or other rule-based security solutions alone. Rule-based security solutions require a known malware signature in order to create a rule. This means an attack must happen before the signature of the attack can be added as a rule. MENDEL doesn’t need a signature to identify the attack. It’s network behavior analysis features detect the attack’s symptoms before it harms the network. This means security teams have the peace of mind to know that should an attack happen, they will see it, and be able to stop it before it does damage.

If you are concerned about malware attacks, either from WannaCry or from other ransomware or malware, you may benefit from a 30 day Proof of Concept (PoC) from GREYCORTEX. During the PoC, MENDEL automatically learns your network to identify threats which may exist, including ransomware which is lying dormant in your network, or unpatched applications, which may leave you vulnerable. Do not hesitate to contact your network security professional, or GREYCORTEX  directly to arrange a PoC.

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

KIWI.COM CASE STUDY

Kiwi.com (formerly Skypicker) is a fast-growing online travel agency. Founded in 2012, it has grown to over 1100 employees, and continues to grow rapidly. It serves millions of consumers every year by combining flights from carriers who do not offer route coordination. Kiwi.com administers a diversified network serving approximately 1,900 devices. The aim of the GREYCORTEX MENDEL implementation was to enable Kiwi.com to focus fully on their core business while keep their dynamically growing IT infrastructure secure and reliable.

Since its deployment in November, 2016, GREYCORTEX helped us immensely. We were able to find security policy breaches and performance problems, and link these to problems experienced by users that previous tools had not seen. We could see attacks as they were developing and take action. We have really strengthened our security posture and are very happy with the results.” (Josef Staša, IT Operations Manager)

CHALLENGES

While the business and team are growing quickly, Kiwi.com’s IT infrastructure and network are growing even faster.

Kiwi.com’s main reason for deploying MENDEL was to ensure that the goodwill and reputation which Kiwi.com had built through a reliable and secure IT infrastructure was preserved. It was critical to the day-to-day operations of the whole company that this be done effectively. Kiwi.com needed the ability to oversee their network’s technical infrastructure and network administration from an operational, performance, and security monitoring perspective.

Other challenges included:

  • Protection of customer data
  • Detection of modern threats and protection against attacks targeted at network users
  • Provision of a security-focused overview of network infrastructure behavior, including an automated analysis of normal behavior for individual network segments, devices, and individual users 
  • Monitoring Kiwi.com’s current security infrastructure configuration and effectiveness
  • Improved security policy enforcement
  • Easy scalability

 

ADVANTAGES

GREYCORTEX MENDEL includes several important features that benefited Kiwi.com’s IT team. The most important is a behavioral detection engine based on advanced machine learning and artificial intelligence. Outputs are integrated with an hourly updated list of blacklisted IPs and signatures. Because these tools are integrated, MENDEL can detect threats based not only on known signatures, but based on atomic-level symptoms of attack; for example, where an advanced persistent threat lies dormant, but communicates with its Command and Control. MENDEL also includes application performance monitoring capabilities, offering teams detailed data for business critical transactions, combined with security events for easy root cause analysis; all in real time, without slowing the network. Finally, MENDEL helped to enforce Kiwi.com’s existing security policies and maintain its compliance with government regulations.

RESULTS

GREYCORTEX MENDEL was installed quickly, and it immediately and automatically began to learn the network. Kiwi.com’s original security posture, while strong, was greatly improved with GREYCORTEX MENDEL and is now prepared for more advanced threats.

Among other results, MENDEL helped Kiwi.com achieve the following:

  • Better enforcement of security policies and quicker resolution of incidents
  • Complete network visibility
  • Discovery and analysis of network and application performance problems
  • Forensic analysis

View the case study in .pdf here.


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

MENDEL 2.5 RELEASED

GREYCORTEX has just released MENDEL 2.5. In this most recent version, we have made several additions to further improve performance, including a new detection method for forbidden services, faster pattern processing for IDS rules (requires Intel architecture), and HTTPS traffic decryption capabilities (with imported private key). The full changelog for MENDEL 2.5 is provided below.

Additional Features

  • Added a new detection method for forbidden services
  • Added faster pattern processing for IDS rules (requires Intel architecture)
  • Added new traffic direction types for better filtering
  • Added system self-reporting for additional functionality support
  • Added HTTPS traffic decryption capabilities (with imported private key)

Improvements

  • System components have been upgraded to their newest versions
  • VoIP protocol parsers have been included for better performance
  • Improved system hardening
  • Improved query performance in the Flows tab

Bugs Fixed

  • Fixed IDS stability problems
  • Fixed IP address settings for new interfaces
  • Fixed disabling parsing IDS rules and DPI
  • Fixed issues with system log rotation, maintenance, and removal
  • Fixed truncated application requests within flow data
  • Fixed ICMP codes reporting in flow records
  • Fixed the reporting service type in outlier analysis methods
  • Fixed upgrade log downloading via the GUI
  • Fixed false positive matching for countries
  • Fixed issues in Incident Management
  • Fixed displaying colored, blacklisted IP addresses on the Peers tab
  • Fixed support for IPv6 filtering
  • Fixed computation functionality in the Peers graph
  • Fixed the computation of severity in the Toplists dashboard
  • Fixed invalid filter value handling
  • Fixed an issue with user rights in the reporting module
  • Fixed autocomplete in Host filtering
  • Fixed time limit for false positive application
  • Fixed status monitor event information
  • Fixed filtering by timestamp in event lightboxes
  • Fixed filtering false positives in “Table by Service or Port”

User Note

To further improve performance, it is strongly suggested that users turn off unused ports.

 

 

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

MS VULNERABILITIES EXPOSED BY GOOGLE

Google has disclosed the latest of several unpatched flaws in Microsoft software. GREYCORTEX MENDEL’s advanced machine learning and predictive analysis can identify these attacks.

Google’s “Project Zero” team recently disclosed a second unpatched Microsoft Windows security flaw, after Microsoft failed to fix the bug within Google’s set 90 day window. The vulnerability is identified as CVE-2017-0037, and is classed as a “type confusion flaw” in a module of Microsoft Edge and Internet Explorer. This flaw can lead to arbitrary code execution, and be used to crash IE or Edge, and allow hackers to execute code and gain administrator privileges on infected systems.

Advanced hackers may have either already exploited this flaw or they may soon exploit it. Network security solutions like GREYCORTEX that identify anomalous behaviour within your network are especially important in this situation. These solutions mean your IT team can identify malware by its anomalous movement within the network, and identify it as it replicates. GREYCORTEX MENDEL identifies such anomalous behavior, offers deep network visibility, and differentiates between human and machine behavior, meaning you can find infected devices within your network and secure your company’s data and reputation even without relying on Microsoft to fix vulnerabilities in its browsers.

You can read more about the vulnerability here: http://thehackernews.com/2017/02/google-microsoft-edge-bug.html