04_Features and capabilities

The stack that forms the unified platform

Last updated 8 months ago

BluSapphire has an agentless architecture consisting of three components: the sensor, the master and the Open Data Platform (ODP). Sensors sit just behind the firewall, or at any other point in the network you want to tap, and inspect a copy of the traffic delivered to them over a SPAN/mirror port. Because the sensor is never inline, it cannot cause a production outage or add latency: it only observes the mirrored traffic, and the files carried in it, for malicious activity. The master sits inside your environment as the console and takes care of the flow data and of the analysis work fed to it by the sensors.

At the sensor we perform static analysis and deep packet inspection: intrusion detection, detection of anomalous communications such as tunnelling over plain-text protocols, and identification of command-and-control (C2) traffic. While doing so, the sensor also extracts files of the types we consider potentially malicious from the traffic and forwards them to the master console for further analysis.

BluSapphire is bundled with an "Open Data Platform" (ODP) that leverages modern Big Data technologies to provide horizontal scalability, flexibility and raw on-demand analytical capability. The ODP returns search results instantly, even across terabytes of data, and its storage scales out by adding nodes with near-zero maintenance and management overhead.

Fig 3: BluSapphire process flow

BluSapphire can respond to these threats within seconds and take automated actions such as quarantining the endpoint, suspending a process, cleaning up, and collecting forensics, using an agentless response module that requires no software to be deployed on the endpoint beforehand. It can also hunt across your environment for threat indicators and locate dormant, stealthy malware that has not yet been activated. BluSapphire's Intelligent Cyber Defense Platform does the heavy lifting for you by detecting threats early and responding through automation without disrupting normal operations, which reduces operational cost and improves efficacy.

BluSapphire covers the entire cyber defense stack, i.e. detect, analyze, respond and remediate, in one unified platform while remaining completely agentless.

Detection and analysis

Deep packet inspection

Deep packet inspection means different things to different vendors. BluSapphire uses DPI to detect C2 and botnet activity without relying on threat intelligence feeds. This lets it detect a threat actor's C2 channel even when it is hosted on legitimate services such as Google or Amazon, where a reputation lookup would report nothing suspicious. Detection relies heavily on signal-intelligence techniques that pick out patterns in the activity itself rather than the identity of the destination.
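
As an added illustration (this is example code written for this page, not BluSapphire's own DPI logic, which is not published here), the script below shows one activity pattern that signal-intelligence style detection keys on: a host that contacts the same destination at near-constant intervals. The connection records are constructed; the beaconing host uses storage.googleapis.com as its front precisely because a reputation check would pass it, and the threshold values (min_count, max_cv) are assumptions to be tuned against a real traffic baseline.

```python
"""Timing-based C2 beacon detection over connection records.

Added example, not BluSapphire code. It shows one pattern-of-activity heuristic,
connection periodicity, that still works when the destination is a legitimate
service. The records below are constructed sample data.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_connections(seed=7):
    """Constructed connection log: (timestamp_s, src_ip, dst_host, bytes_out)."""
    rng = random.Random(seed)
    records = []
    # Beaconing host: checks in with a legitimate cloud host every 60s (+/-2s jitter)
    t = 1_700_000_000.0
    for _ in range(20):
        records.append((t, "10.0.0.5", "storage.googleapis.com", 412))
        t += 60 + rng.uniform(-2, 2)
    # Ordinary host: uses the same service at irregular intervals with varying sizes
    t = 1_700_000_000.0
    for _ in range(20):
        records.append((t, "10.0.0.9", "storage.googleapis.com", rng.randint(200, 50_000)))
        t += rng.uniform(5, 900)
    return sorted(records)


def find_beacons(records, min_count=10, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    cv = stdev(gaps) / mean(gaps). Irregular, user-driven traffic has a much
    higher cv than a sleep-and-callback loop with light jitter. min_count avoids
    judging regularity from too few samples. Thresholds are assumptions.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst, _size in records:
        times_by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in times_by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(build_sample_connections()):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every ~{hit['period_s']}s "
              f"({hit['connections']} connections, cv={hit['cv']})")
```

Only the 10.0.0.5 pair is reported; the browsing host talks to the same destination just as often but at irregular gaps, so its coefficient of variation stays far above the threshold. In practice the same statistic is computed per (source, destination, port) over sliding windows, and payload size consistency is added as a second feature.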

Static analysis

BluSapphire performs real-time static analysis on the packets, which includes IDS signature matching, matching against indicators of compromise, identifying command-and-control traffic, and spotting traffic that is unusual for the environment.

Behavior analytics module

The BluSapphire platform includes an advanced behavior analysis module, similar in purpose to a sandbox but built in house from scratch. The module focuses on understanding attacker activity in order to reveal the payload.

Observing behavior helps us understand the attacker's techniques, e.g.:

  • Scraping memory for credentials

  • Stealing tokens

  • Obtaining administrator rights

  • Escalating privileges

  • Process injection

  • Persistence on disk

  • Downloading stage 2, stage 3, etc. payloads

  • Command-and-control traffic to maintain control

  • Registry hiding and persistence

  • DLL injection

  • Anomalous traffic

  • Misused protocols

  • File-system changes

  • Abnormal data transfers

  • Abnormal account activity

  • Irregularities in processes

See the MITRE ATT&CK whitepaper for the full list of detections.

AI and ML based detection

Multiple machine learning models identify malicious activity; these models go beyond conventional models and detect threats faster.

Our models achieve a detection rate of 99.8%, which we believe is the highest in the industry, because of the feature set they are trained on. We currently inspect over 40 different file types for malicious activity. The result is that organizations detect with accuracy and, hence, with fewer false positives.

Static Binary Analysis

Akin to reverse-engineering malware on the fly at wire speed, BluSapphire rapidly detects zero-day malware and ransomware without ever executing it. Analysis that usually takes days or weeks is completed at wire speed.

Network Behavior Anomalies

Whether it is data exfiltration over DNS, SSH or HTTP(S), or an attacker probing for vulnerabilities, BluSapphire's machine learning models detect these network anomalies immediately and contain the threat using its native agentless response and remediation. BluSapphire can also immediately query the endpoint that is causing the behavior and gather context around the suspicious activity within seconds. Armed with the activity and its context, it can identify and remediate these threats in real time.
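
The following added example (not BluSapphire's model, whose features are not published here) shows the statistical signal behind DNS-based exfiltration in working code: one client issuing many unique, long, high-entropy subdomain queries under a single domain. The log format, the log lines and the thresholds are all constructed for this example; the two-label registered-domain split is a simplification that production code should replace with the Public Suffix List.

```python
"""DNS tunnelling / exfiltration heuristic over DNS query log lines.

Added example, not BluSapphire code. It computes the per-domain statistics a
detection model would consume: count of unique subdomains, their average length
and their average Shannon entropy. The log format and lines are constructed.
"""
import math
import random
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client_ip> query <qtype> <qname>"
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def shannon_entropy(text):
    """Bits per character: ~4 for random hex, 0-2 for ordinary host labels."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (subdomain, registered_domain). Assumes a two-label registered
    domain; production code should use the Public Suffix List (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def build_sample_log(seed=3):
    """Constructed sample: one host tunnelling 48-hex-char chunks in TXT queries,
    one host doing ordinary lookups against the same resolver."""
    rng = random.Random(seed)
    lines = []
    for minute in range(40):
        chunk = "".join(rng.choice("0123456789abcdef") for _ in range(48))
        lines.append(f"2024-05-01T10:{minute:02d}:00Z 10.0.0.5 query TXT {chunk}.t.example.net")
    benign = ["www.google.com", "mail.example.com", "cdn.example.com", "www.google.com"] * 10
    for minute, host in enumerate(benign):
        lines.append(f"2024-05-01T11:{minute:02d}:00Z 10.0.0.9 query A {host}")
    return lines


def find_dns_exfil(lines, min_unique=20, min_avg_len=20, min_entropy=3.0):
    """Score each registered domain; flag those that look like a covert channel.
    Thresholds are assumptions and must be tuned against a real baseline."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "clients": set()})
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip unparseable lines rather than crash the pipeline
        _ts, client, _qtype, qname = match.groups()
        sub, domain = split_domain(qname)
        if not sub:
            continue
        entry = stats[domain]
        entry["subs"].add(sub)
        entry["lens"].append(len(sub))
        entry["ents"].append(shannon_entropy(sub))
        entry["clients"].add(client)

    findings = []
    for domain, entry in stats.items():
        if len(entry["subs"]) < min_unique:
            continue
        avg_len = sum(entry["lens"]) / len(entry["lens"])
        avg_ent = sum(entry["ents"]) / len(entry["ents"])
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings.append({
                "domain": domain,
                "unique_subdomains": len(entry["subs"]),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "clients": sorted(entry["clients"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_dns_exfil(build_sample_log()):
        print(f"possible DNS exfiltration to {f['domain']} from {f['clients']}: "
              f"{f['unique_subdomains']} unique subdomains, avg len "
              f"{f['avg_subdomain_len']}, avg entropy {f['avg_entropy']}")
```

The benign host repeats a handful of short labels (www, mail, cdn), so its domains never reach the unique-subdomain floor, while the tunnelling host is flagged on all three features at once. Requiring all three together is what keeps CDN and anti-spam domains, which legitimately use long hashed subdomains but far fewer unique ones per client, from tripping the rule.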

Response and remediation

Agentless response

One of BluSapphire's most important features is its ability to respond and remediate. Response usually takes the form of quarantining the endpoint, suspending processes or cleaning up the affected endpoints.

BluSapphire can also work with industry-standard tools to orchestrate a response according to the customer's requirements.

Dashboard & historical data, UIs

BluSapphire empowers Level I analysts to extend their scope of work and operate at the efficiency of Level III analysts, giving them super cow powers, thanks to the advanced ML and threat-response automation it provides. Our easy-to-use interfaces and simple analysis layouts enable rapid adoption by Level I analysts, in most cases without additional training.

Threat hunting (passive and active hunting)

BluSapphire supports agentless threat hunting across the enterprise. Threat hunting is proactive by nature: it lets analysts search for specific artifacts they have become aware of, either from threat intel sources or from something they noticed on the client's network.

BluSapphire performs live (real-time) agentless threat hunts instead of only hunting through logs. The problem with hunting in logs is that not all data is logged; many artifacts are never recorded by any SIEM. Live hunting queries the current state of the endpoint itself and so overcomes this limitation, giving analysts better insight into the environment.

Threat intelligence

BluSapphire consolidates threat intelligence from the sources listed in Appendix B, de-duplicates it and disseminates the result to all its customers on a customizable schedule. The default schedule is hourly.

The open threat intel feeds currently in use are listed in Appendix A. In addition, MISP and any STIX, TAXII or CSV-formatted threat intel source are supported.

Forensics

BluSapphire uses an agentless approach to collect forensics from endpoint systems. By default, BluSapphire collects:

  • Currently active processes with names, hashes and paths

  • The current list of services

  • Current startup locations (including hidden ones such as the registry, the roaming cache and many more)

  • The current list of scheduled tasks with execution paths and hashes

  • Current network connections

  • OS version and patch details

  • Recently executed processes and files

  • USB devices used

BluSapphire's agentless forensics also supports gathering arbitrary artifacts on demand.

SIEM and UEBA Capabilities (ODP Platform)

The Open Data Platform (ODP) is an integral part of the BluSapphire platform and its unique selling point. It can augment or replace your existing log management, SIEM and UEBA systems with a highly efficient Big Data platform. It is built on top of Elasticsearch and enables response automation, machine learning and advanced data analytics, all within a self-contained Big Data platform.

ODP provides all the functionality of a traditional SIEM and augments it with ML-based detection models, predictive analytics, ATT&CK matrix mapping and more, turning it into a next-generation SIEM platform.