Real-Time IoB Threat Hunting

Real-Time IoB Threat Hunting

Quine and Novelty Detector make it possible for modern threat hunting to focus on real time behavior analysis.

The Problem

Modern threat detection requires data – lots of data – typically from multiple sources. This brings with it a number of interesting data engineering challenges, especially when we want to materialize that data into a single view and execute analysis in a timely and cost-effective manner. Finding indicators of behavior (IoBs) in real time amplifies already significant challenges: processing enough of the right kind of data from multiple sources in a timely fashion is beyond the capability of most systems.

The Solution

Quine + Novelty Detector together cover all aspects of real-time, automated, behavior-based threat hunting: Quine is used to detect known patterns (STIX) and emit scripted playbook responses (CACAO), while Novelty Detector uses patented categorical anomaly detection techniques to identify emerging threat patterns that are eventually fed back into Quine as new IoB patterns.

Quine Enterprise provides commercial support and licensing for both clustered Quine and Novelty Detector, meaning you can easily add real-time, behavior-based threat hunting to your stack easily.

Key Value Delivered

  • Quine + Novelty Detector detect both known and emerging behavioral patterns in a single workflow.
  • STIX Compliant, real-time detection of Indicators of Behavior (IoBs) and generation of STIX message events
  • Joins multiple data sets to enable real-time identification of IoBs across domains
  • Automate STIX indicator additions via API, as well as CACAO Playbook event triggers for remediation
  • Native support for categorical data simplifies operations and provides human-readable alerts for analysts

Learn more about Quine Enterprise and Modern Threat Hunting

If you are interested in learning more, read this article that delves into the challenges and capabilities of Quine Enterprise. Or if you are interesting in getting a live demo, get in touch and our solutions architecture team will be in touch.

Read the blog