Cybersecurity Use Cases

Cyber threat detection and response is fraught with challenges. Most contemporary solutions focus on alert-oriented data generated by rule-based detection systems. These alerts are difficult to prioritize, however, because the systems producing them give little information about the context of an alert, the object it is alerting on, and what that object relates to. All the way through the detection continuum, analysts are left digging through log files and manually jumping from perimeter to NetFlow to endpoint datasets in order to reconstruct the narrative of an attack.

Sqrrl Enterprise’s capabilities are designed to optimize threat hunting and incident response. By equipping analysts to carry out these two critical processes, Sqrrl can help an organization effectively undertake the following use cases:

Threat Hunting Use Cases

  • Advanced Persistent Threat (APT) Detection: Sqrrl orients analysts towards finding adversaries that avoid traditional detection systems by assisting analysts with the detection of adversarial Tactics, Techniques, and Procedures (TTPs) along the kill chain.
  • Data Breach Detection: Using a combination of Sqrrl’s anomaly detection, TTP-oriented detectors, and Behavior Graph, an analyst can readily identify where data is flowing outward from their network.
  • Malware Detection: Sqrrl leverages User and Entity Behavior Analytics (UEBA) to determine patterns of behavior, such as malware beaconing, that indicate host machine compromise.
  • Insider Threat Detection: TTP detectors, including data staging and exfiltration detection, detect suspicious behavior whether it is being carried out by external or internal threats.

Incident Response and Investigation Use Cases

  • Alert Triage: Sqrrl’s comprehensive entity profiles provide a rollup of all the information that an analyst may need to determine the scope of an alert, including a risk score and related anomaly detection.
  • Incident Investigations: Through its Behavior Graph and risk scoring, Sqrrl empowers analysts to rapidly and effectively investigate the full context of an alert or a potential IOC.

Other Use Cases

  • Threat Intel Analysis: Sqrrl allows organizations to use TTPs instead of only simpler IOCs for attributing activity and monitoring campaigns against them.
  • Cyber Situational Awareness: Sqrrl provides visibility across multiple datasets, including HR information, to keep track of the many moving parts of an organization’s environment. It also allows analysts to designate specific assets as critical, and the Behavior Graph lets analysts easily evaluate the attack surfaces related to those assets.

[Figure: An example of Sqrrl’s TTP-focused Anomaly Detection]

Sqrrl Enterprise is a system that security analysts can use to unify cyber threat detection and response. This involves ingesting and organizing terabytes to petabytes of diverse data into a common linked data model. These linked data structures are analyzed in order to provide actionable trailheads for cyber threat hunts. Incrementally exploring, or “hunting,” across multiple datasets enables faster root cause discovery and more effective, long-lasting response. Sqrrl Enterprise works with a variety of data:

  • Network information from proxies, routers, and switches can be combined with system/host log information to attribute network activity to user behavior.
  • Diagnostic information from DNS, DHCP, and SMTP can add valuable context to the picture, including requests and state changes across these services.
  • User records from applications, endpoints, and email allow for behavioral profiling of the actors using the network.
  • All of these sources can be further augmented with network packet capture (PCAP) and process call stacks to corroborate any hypotheses that may be gleaned from a higher-level view.
  • There is also a wealth of information being generated by monitoring tools, IDS systems, SIEMs, and open-source threat intelligence that relates to the datasets above.
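The two ideas this page leans on most, linking network records to hosts and users so that an outbound connection can be attributed to an actor, and spotting beacon-like traffic by its regularity, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Sqrrl’s code and does not use any Sqrrl API. The DHCP lease, logon and proxy records are constructed, the hostnames and IPs are placeholders, and the beaconing threshold (coefficient of variation of inter-arrival times at or below 0.1 over at least four events) is an assumed illustrative value, not a tuned production setting.

```python
"""Link proxy, DHCP and logon records into a small entity graph, then flag
beacon-like outbound traffic. Added illustration; all records below are
constructed sample data and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DHCP leases: (timestamp, ip, hostname)
DHCP_LEASES = [
    ("2024-03-01T08:00:00", "10.0.0.15", "WS-ALICE"),
    ("2024-03-01T08:05:00", "10.0.0.22", "WS-BOB"),
]
# Constructed interactive logons: (timestamp, hostname, user)
AUTH_EVENTS = [
    ("2024-03-01T08:01:00", "WS-ALICE", "alice"),
    ("2024-03-01T08:06:00", "WS-BOB", "bob"),
]
# Constructed proxy log: (timestamp, src_ip, dest_host, bytes_out)
PROXY_LOG = [
    ("2024-03-01T09:00:00", "10.0.0.15", "cdn.example-updates.invalid", 512),
    ("2024-03-01T09:05:00", "10.0.0.15", "cdn.example-updates.invalid", 510),
    ("2024-03-01T09:10:01", "10.0.0.15", "cdn.example-updates.invalid", 515),
    ("2024-03-01T09:15:00", "10.0.0.15", "cdn.example-updates.invalid", 511),
    ("2024-03-01T09:20:00", "10.0.0.15", "cdn.example-updates.invalid", 509),
    ("2024-03-01T09:02:13", "10.0.0.22", "docs.example.invalid", 2048),
    ("2024-03-01T09:47:40", "10.0.0.22", "docs.example.invalid", 1800),
    ("2024-03-01T11:03:05", "10.0.0.22", "docs.example.invalid", 6000),
    ("2024-03-01T13:30:00", "10.0.0.22", "docs.example.invalid", 120),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def host_for_ip(ip, at):
    """ip -> host edge: the latest DHCP lease for `ip` granted at or before
    `at`, so an address reassigned later is not mis-attributed."""
    leases = [(parse_ts(t), h) for t, lease_ip, h in DHCP_LEASES
              if lease_ip == ip and parse_ts(t) <= at]
    return max(leases)[1] if leases else None


def user_for_host(host, at):
    """host -> user edge: the latest logon on `host` at or before `at`."""
    logons = [(parse_ts(t), u) for t, h, u in AUTH_EVENTS
              if h == host and parse_ts(t) <= at]
    return max(logons)[1] if logons else None


def attribute(ip, at):
    """Walk ip -> host -> user; returns (host, user), with None for gaps."""
    host = host_for_ip(ip, at)
    user = user_for_host(host, at) if host else None
    return host, user


def find_beacons(min_events=4, max_cv=0.1):
    """Group proxy events by (src_ip, dest). Near-constant inter-arrival
    times (low coefficient of variation) are a beaconing indicator; each
    finding is attributed to the host and user behind the source IP."""
    by_pair = defaultdict(list)
    for t, ip, dest, _bytes in PROXY_LOG:
        by_pair[(ip, dest)].append(parse_ts(t))
    findings = []
    for (ip, dest), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            host, user = attribute(ip, times[0])
            findings.append({"src_ip": ip, "host": host, "user": user,
                             "dest": dest, "events": len(times),
                             "mean_interval_s": avg, "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons():
        print(finding)
```

On the constructed data the five-minute cadence from 10.0.0.15 is flagged and attributed to WS-ALICE / alice, while the irregular browsing from 10.0.0.22 is not. The lease- and logon-aware lookups are the part worth keeping: attribution by IP alone breaks as soon as DHCP hands the address to another machine, which is exactly why the page stresses joining network records with host and user records rather than reading the proxy log on its own.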