Real-Time IoB Threat Hunting

The Problem

Modern threat detection requires data – lots of data – typically from multiple sources. This brings with it a number of interesting data engineering challenges, especially when we want to materialize that data into a single view and execute analysis in a timely and cost-effective manner. Finding indicators of behavior (IoBs) in real time amplifies already significant challenges: processing enough of the right kind of data from multiple sources in a timely fashion is beyond the capability of most systems.

The Solution

Quine + Novelty Detector together cover all aspects of real-time, automated, behavior-based threat hunting: Quine is used to detect known patterns (STIX) and emit scripted playbook responses (CACAO), while Novelty Detector uses patented categorical anomaly detection techniques to identify emerging threat patterns that are eventually fed back into Quine as new IoB patterns.

Quine Enterprise provides commercial support and licensing for both clustered Quine and Novelty Detector, meaning you can easily add real-time, behavior-based threat hunting to your stack easily.

‍

Key Value Take Away

• Quine + Novelty Detector detect both known and emerging behavioral patterns in a single workflow.
• STIX Compliant, real-time detection of Indicators of Behavior (IoBs) and generation of STIX message events
• Joins multiple data sets to enable real-time identification of IoBs across domains
• Automate STIX indicator additions via API, as well as CACAO Playbook event triggers for remediation
• Native support for categorical data simplifies operations and provides human-readable alerts for analysts