Deep Node, Inc. The Ultimate Threat Hunting Platform

Post on 06-Apr-2017

Sophisticated Hackers Cutting Through Traditional Security Defenses, Evading Detection Until It's Too Late

How Do You Stop "Unknown Unknown" Cyberattacks?

- Targeted, stealthy, and persistent
- No prior threat intelligence exists
- Exploits a zero-day or a new attack vector
- Does not generate an alert or event
- "Authorized" / internal access
- Operates within statistical norms

Traditional Defenses

- SIEM
- IDS/IPS
- NGFW
- Endpoint

Critical Data

"Unknown Unknown" Cyber Threats

100 – 200 days: industry estimate for time-to-detection of a cybercrime (Cisco 2016 Annual Security Report)

"The trend lines between time-to-compromise and time-to-discovery plainly show attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade. This doesn't scale well, people." (Verizon 2014 Data Breach Investigations Report)

We Enable Analysts to Cut Through the Blinding Complexity of Cyberspace to Catch the Most Sophisticated Threats

Go Threat Hunting with Deep Node to Discover "Unknown Unknowns"

THE ULTIMATE THREAT HUNTING PLATFORM

Screenshot: An active covert channel and exfiltration in progress, discovered by an analyst using Deep Node

- 3D VISUAL ANALYTICS AND PATTERN RECOGNITION
- AI-ASSISTED ANOMALY DETECTION AND BEHAVIORAL ANALYSIS
- REAL-TIME SITUATIONAL AWARENESS
- UNLIMITED SIMULTANEOUS FEEDS → WIRE DATA, SIEM, IDS...
- CYBER-COMBAT MANEUVERING & INSTRUMENTATION

Elevate Analyst Productivity → Hunt Down the Hackers Already Inside the Network → Engage in Real-Time Cyber Operations

Our Value Proposition to Security Operations

Analyst Productivity: Find answers faster
Threat Hunting: Discover "unknown unknowns"
Cyber Combat: Counter the adversary's tactics

Improving Core Performance Metrics and KPIs

- Incident and event investigation speed
- Ticket clearance rate / time-to-close
- Time-to-detection of hidden threats
- Time-to-mitigation and containment

Incident Resolution on a Common Operating Picture

Report, review, and replay incidents using video capture from Deep Node to bridge communication across shift rotations and facilitate discussion across all stakeholders, from analyst to manager, CISO to CEO, MSSP to client.

Go Hunting Inside Critical Data Streams to Reveal Anomalous Patterns, Suspicious Simultaneity, and Hidden Correlation

Connecting-the-Dots to Catch What Doesn't Want to be Found

Screenshot: Investigating IDS alerts at critical assets in the context of concurrent network traffic (wire data)

Myriad Data Sources and Feeds...

- Network traffic (wire data)
- SIEM events and logs
- IDS alerts
- SCADA / Internet-of-Things
- NetFlow, PCAP, syslog
- Threat intelligence

Live and Real-Time

Incident / Investigation-related

"Big Data" or Historical

...From Any Time, Past to Present

Our Patent-Pending "Timewell" Allows Analysts to Look Into the Past to Investigate Anomalous Patterns and Behaviors

How It Works

(Above) Investigating the communication pattern between two hosts in context with all other host activity on the network

When you look into the screen, you look back in time at a record of activity for the time period and feed(s) selected

Watch Deep Node in Action

Detecting a Covert Channel: Hunting for a hacker embedded in the network; active exfiltration in progress

Connecting-the-Dots on SSH: Seeing suspicious simultaneity in network traffic flows to catch lateral movement

Stopping a Brute Force Attack: Taking action in real time to counter a common attack strategy

Click on the links below to be redirected to YouTube:

https://www.youtube.com/watch?v=ABit2JIUWpE
https://www.youtube.com/watch?v=TCpL8cgZJPs
https://www.youtube.com/watch?v=x7LFd7ufHf0

- Does not require replacement or reconfiguration of any existing security technology
- Complements all future security investments (e.g., new threat intelligence feeds)
- Will not interrupt operations; an enhancement to the current workflow when needed
- Vendor-agnostic: ingests and visualizes data feeds from any and all vendors
- Fast and easy deployment; optional appliance or local installation

Affordable, Easy to Deploy, and Provides Immediate Gains in Advanced Threat Hunting and Faster Event Investigation

A Low Risk, High Reward Investment

Immersing Threat Hunters Inside Cyberspace to Capture Economies-of-Intellect and Unlock the Power of Collaboration

Vision of the Future

(Diagram) Security Operations Director / Commander overseeing analysts John, Jane, and Jim; analyst roles shown: packet inspection, pattern analysis, asset monitoring

step into cyberspace...