CYBER SECURITY

PAC K E T W O R K E R
N E T W O R K S I T U AT I O N A L A W A R E N E S S
Every connected
asset is a potential
target.
ŸŸ The global median dwell time from
compromise to discovery in 2018 was 78
days.
ŸŸ 38% of the organisations surveyed were not
aware that they had been compromised.
ŸŸ >50% of breaches are carried out by well-
funded and organised crime groups.
ŸŸ Insider threats increased from 20% in 2014 to
~30% in 2018
ŸŸ Motives are not just financial in nature.
It includes espionage, grudge, fun and,
shaming.
Sources: Industry analysts and market data, March 2019

Buyers want better threat detection - cutting

hacker dwell time once they get inside. data
science techniques such as Machine Learning
allows use of predictive models for network
and application traffic analysis enabling
prompt threat detection to improve business
confidence.

Index
PacketWorker for Network Situational Awareness 05
Case Study - Banking 10
Case Study - Manufacturing 18
Case Study - Telecommunications 24
Case Study - Critical Infrastructure/Government 30
Case Study - Energy & Utilities 36
PacketWorker Appliances Datasheet 41
White Paper 45
Machine Learning as employed by PacketWorker 52
 Vehere PacketWorker is an effective cyber
threat detection and response solution
that helps organisations minimise risk by
accurately detecting cyber threats and
enabling swift response. It facilitates efficient
resolution of identified security incidents
with relevant context, concrete evidence,
actionable intelligence and response work-flow
integrations.

PacketWorker for Network Situational Awareness

offers meaningful insights from comprehensive
monitoring of networks, enabling security
practitioners implement efficient, cost-effective
and predictive threat-detection technologies
besides permitting time-travel to effectively
respond to security incidents.

We are able to give organisations an advanced

threat detection solution that removes many
of the shortcomings that make ‘air-gapped’
environments vulnerable and inefficient for
teams to manage.

02 - Vehere Cyber Security

Who What What sets Where we
we are we do us apart are present
We are a young Our products and PacketWorker We are present in three
product company services enable technology can continents with offices in
developing organisations to identify an attack the United States, South
strategic and detect threatening early enough to Africa, Singapore and India.
tactical solutions for abnormalities ensure that an
law enforcement emerging across the incident doesn’t
and national network in real time, escalate and become
security (LENS) including insider a problem.
agencies and threats and ‘unknown So, it helps defends
Network Situational unknowns’, enabling your most critical
Awareness for cyber the security team to assets.
security and risk disrupt attacks before
managers. they can cause any
harm.

Vehere Cyber Security - 03

 Working off full packet
capture or flow-records,
PacketWorker’s self-
learning starts from
day one, detecting
anomalous and
suspicious behaviours
on the network.

PacketWorker for Network

Situational Awareness

Vehere Cyber Security - 05

 PacketWorker for Network
Situational Awareness

06 - Vehere Cyber Security


Increased risk of exposure
It may come as a surprise to some, but the
fact is that <10% of all known vulnerabilities
have actually been exploited so far. This
leaves the security and risk practitioners
with a daunting task of ensuring that the
assets under their watch stay protected.
With a dearth of security skills, adoption
of advanced strategies and expensive
technology is beyond the feasibility of most
organisations.
For all practical purposes, the network is
a perpetual source of data for proactive
and predictive analytics that can enable
monitoring of almost all possible attack
vectors.
Security and risk practitioners are well
aware that cyber-security has a significant
impact on accomplishment of business
goals. To better defend their organisation,
it’s imperative that they start automating
analytics tasks on network data to identify
threats and risks.
Improved Network Situational
Awareness
It’s known for a fact that advanced malicious
actors test and validate effectiveness of
their craft against the same set of tools that
enterprises use for defending their assets.
Besides, advanced automation techniques
are actively being employed by malware
factories to improve code quality and
evasion techniques resulting in repetitive
success against well-fortified targets.
NetSA
Organisations looking at improving
their defenses can benefit by employing
automation techniques to anticipate and
respond to security risks.
Vehere PacketWorker is an effective cyber
threat detection and response solution
that helps organisations minimise risk by
accurately detecting and enabling swift
response to cyber threats. It facilitates
efficient resolution of identified security
incidents using concrete evidence,
actionable intelligence and response work-
flow integrations.
Working off full packet capture or flow-
records, PacketWorker’s self-learning starts
from day one, detecting anomalous and
suspicious behaviours on the network. Key features
PacketWorker enables security practitioners
to monitor the current state of the network Comprehensive rules, frameworks
in aid of their security posture assessment. and Machine Learning algorithms
Retention of raw packets and metadata automate detection of security risks in
enables historical analysis to probe into real time.
root-cause or past trends that find use in
predictive analysis.
Deep packet and payload inspection
PacketWorker reduces dwell time from days helps detect thousands of protocols
to hours when it comes to investigating and applications to provide precise
security issues. It enables security managers contexts.
to free up human resources quickly to
attend to important business imperatives. Powerful visualisation platform
PacketWorker’s user interface offers an easy- enables threats to be analysed and
to-use and customised dashboard to gain investigated intuitively to help reduce
situational awareness using data enrichment mean-time-to-detect and mean-time-
that eliminates the need to refer to third- to-respond.
party correlations and look up sources.
Session replays and reconstructions
facilitates better assessment of
security risks using third-party tools or
human analysis.
Detects IPv4 and IPv6 traffic in VLAN,
MPLS encapsulation and tunnelled
traffic to support deployment for
most environments.
Vehere Cyber Security - 07
 Packet broker
Data store User interface
Response
actions
Full Packet
Network tap
Capture
DATA Rules UNIFIED
ENRICHMENT framework INTERFACE
Port mirror Northbound
integrations
Forensics
Advanced
Flow automation
Flow record
configuration

Provisioning Acquisition Context Automation and integration Action

08 - Vehere Cyber Security

 NetSA
Network Situational Awareness About PacketWorker
Full packet capture: Integration with
network packet brokers and taps to support
non-disruptive setup in any network. Available as ISO image and purpose-
built appliance.
One box and one hour to install:
Everything is contained in a single
appliance. Setup is easy with built-in Installed, configured and deployed in
configuration wizards. less than an hour.

Bundled DPI and ML algorithms: This

ensures that the system is up-and-running
in any environment (including air-gapped
networks) without the need to look up
external sources of threats. The system
leverages Machine Learning and human
knowledge to detect cyber risks.
User interface accessible using a web
browser.
‘Standard’ and ’Extended’ support
options to suit different service-level
agreements.

Accelerated results: PacketWorker provides

useful results from the very first day. Quality
insights into cyber activities and proactive
threat detection enables improved
assessment and effective responsiveness in
the face of security risks.
Incident response and professional
services to assist with product use
optimisation.

Capabilities
ŸŸ Capture, classify and index all
communications on the wire at line-
speeds.

ŸŸ Detect, analyse and, dissect traffic across

all ports and protocols.

ŸŸ Use mathematical modelling to classify

encrypted communication.

ŸŸ Detect threats, policy and compliance

violations using out-of-the-box
automation.

ŸŸ Integrate with existing security

ecosystem tools such as SIEM, sandboxes
and trouble-ticketing systems.

Vehere Cyber Security - 09

 Case study #1

Banking

10 - Vehere Cyber Security

PacketWorker’s innovation has turned it into an

Banking
essential device for security teams attempting to
comprehend the scale of their network, observe activity
levels and detect potential shortcomings. Machine
Learning plays a key role in defending assets from
cyber-criminals and malicious insiders.
Summary

Industry/Organisation
Banking

Challenges
ŸŸ Comply with regulatory and audit
requirements

ŸŸ Attain comprehensive visibility

ŸŸ Secure organisation from breaches,

data thefts and malware/zero-day
attacks

ŸŸ Reduce complexity with security

analytics adoption

Solution
PacketWorker 10G (combined with
professional services)

Benefits
ŸŸ >50% improvement in detection
efficiency

ŸŸ >60% time optimisation for

investigations

ŸŸ >30% reduction in risks associated

with data breaches

ŸŸ >90% reduction in compliance

efforts

Vehere Cyber Security - 11

 “Insider threat is one of the most serious
threats a company can face. We knew we
needed to prioritise, reduce, and manage
cyber security risks to address the needs of
our business.”
- Name withheld, R1

12 - Vehere Cyber Security


Background
The contemporary world is witnessing
customer expectations, technological
capabilities and regulatory requirements
join forces with demographic and economic
factors to bring about radical changes. This
has caused banking institutions to look
for ways and means to get used to these
changes and adopt a proactive approach
towards security. Financial institutions will
always be prime targets for cyber-criminals,
making their security requirements
extremely complex.
This case study focuses on a large global
bank and will be referred to as R1 for the
sake of anonymity. The bank’s intelligence
data was facing significant cyber threats
from multiple sources. However, despite
implementing multiple security protocols,
R1 continued to suffer security lapses. The
bank’s business operations were getting
impacted each time such an incident was
happening.
Business challenges
Due to a growth in its customer base
and burgeoning data usage, R1’s ability
to respond to these increased risks from
malicious insiders and unknown vectors/
exposures, had been severely hampered. R1
needed to manage this ever-growing, ever-
changing array of risks from across the globe
while ensuring adherence to stringent
regulatory requirements. The challenges
included:
ŸŸ Preserving customer trust by protecting
data privacy.
ŸŸ Maintaining strong security without
impeding business operations.
ŸŸ Ensuring compliance with regulatory
requirements.
ŸŸ Adding new devices and introducing
services to networks devoid of security
monitoring or any understanding of
exposure.
ŸŸ Accommodating bring-your-own-
devices and guest end-points without
compromising on security.
ŸŸ Combining existing security tools into
cohesive solutions that accelerate
incident-response times and reduce
vulnerabilities.
Banking
Regulations regarding technology and
information security are far-reaching and
include areas such as e-mail, SWIFT-coded
payments, cipher suite strength, domain
name systems, core banking solutions and,
back-office applications. R1 recognised a
need to proactively defend its sensitive
information across the technological value
chain. Therefore, R1 undertook a decisive
initiative to implement technologies that
could help it make sense of the ‘unknowns’
and provide tangible answers during
investigations.
If there was a targeted attack and R1’s
computers were to become affected, it
would have resulted in business disruption
and potentially lead to privileged
information getting leaked. R1 needed
to urgently respond to incidents that
required sourcing specialists from external
agencies to assist it with time-consuming
and risky processes. Thus, the impact of any
incident could have amplified. R1 needed
an integrated solution that would allow it
to maintain staff productivity, ensure threat
detection and facilitate rapid response and
recovery.
Vehere Cyber Security - 13
 “PacketWorker’s technology gave us visibility into
potential implementation differences and policy
discrepancies. Leveraging its technology, we were
able to identify and remedy these differences before
connecting the two networks, mitigating potential
integration risks.”
- Name withheld, R1
14 - Vehere Cyber Security

Solution – PacketWorker 10G
Traditional tools that are programmed to
spot known threats are no longer sufficient.
Modern network border defenses, such as
firewalls, perform an important function.
However, insiders often escape restrictions
imposed by these perimeter security
controls.
Limitations posed by legacy
approaches
ŸŸ Perimeter controls are dependent on
signatures, rules and heuristics and,
hence, are likely to miss attacks at points-
of-entry.
ŸŸ End-point security controls rely on
signatures and fall short when it comes
to detecting rogue behaviours or
detecting unknown attacks.
ŸŸ Sandboxes are side-stepped by modern
attacks, which recognise when they are
in a fake space and delay the execution
of malicious activities.
ŸŸ Log tools and security information and
event management databases require
inordinate amounts of manual effort
to ensure data is consistently collected
across the entire organisation and
matched against the security team’s
predictions of threats. Besides, not every
actor needs to target assets holding the
‘crown jewels’, they wish to simply exploit
the chain of trust.
To combat these challenges, R1 deployed
PacketWorker 10G at the core and
peripheries of its network. After a prompt
installation and using the deep packet
inspection and analytics capabilities of
PacketWorker 10G, R1 gained complete
visibility of its entire infrastructure, including
IoT and non-sanctioned devices. Using
PacketWorker 10G, the security team was
able to identify anomalous activities and
disrupt them early, before any damage was
done.
PacketWorker 10G’s innovation has turned
it into an essential device for security teams
attempting to comprehend the scale of
their network, observe activity levels and
Banking
detect potential shortcomings. Machine
Learning plays a key role in defending assets
from modern cyber-criminals and malicious
insiders. The technology detects threats and
abnormalities emerging across the network
on a real-time basis, including insider threats
and ‘unknown unknowns’, enabling the
security team to disrupt attacks before they
can cause much harm.
Whenever any anomalous behavioural
changes happen within the environment,
PacketWorker identifies them and alerts
the organisation. Changes that are not
real threats are fused into PacketWorker’s
evolving understanding of normality. The
arithmetic inside PacketWorker makes it
uniquely equipped for featuring noteworthy
potential threats without burying them
beneath numerous unimportant or
repetitive alerts. Going beyond setting
down simple rules applicable for
network traffic, it can correlate numerous
inconspicuous trends isolated by type
or time to sniff out real emerging threats
and ensure that security analysts are not
burdened with false positives.
Benefits - visibility and
answers
Equipped with Vehere PacketWorker,
R1 can autonomously defend itself
against pernicious cyber-criminals
and insider threats. Since it does not
rely upon any prior assumptions of
what ‘bad’ entails, the self-learning
solution is also uniquely capable of
identifying hitherto unseen threats.
PacketWorker empowered R1 to
deal with cyber threats on a real-
time basis. It allowed the security
and risk management teams to
proactively assess cybersecurity
postures and lay down rules to
detect malicious behaviour besides
using advanced predictive analytics
to spot ‘unknown unknowns’
without disrupting ongoing
business processes.
Vehere Cyber Security - 15
 “R1 has been able to maintain stringent compliance
with industry regulations since PacketWorker was
implemented. The platform provides real-time
anomaly detection capabilities and unprecedented
visibility that is simply unmatched by any other
vendor in the industry.”
- Name withheld, R1

16 - Vehere Cyber Security

 Banking
Results Vehere PacketWorker
ŸŸ Faster detection of internal breaches and
compromised customer.

ŸŸ Reduction in incident response times.

ŸŸ Fewer resources required to manage and

act on risk assessment.

ŸŸ Seamless detection of unknown and

Search Automation Machine Custom Integration
insider threats.
Learning Analytics
With PacketWorker 10G, R1 managed to
speed up triage from an average of five
days to less than six hours. By simplifying
an analyst’s interaction with network data
and using an easy point-and-click interface
Packet capture Flow data
to lay down complex behaviour-based
rules, enabled the security operations team
was imbued with the ability to deliver
predictable and repeatable outcomes
(irrespective of the skill set of the user),
maximising efficiency and significantly
reducing dwell-times.

Over time, R1 was able to identify and

alleviate threats with greater productivity
compared to the same period during the
previous year.

PacketWorker facilitated simplification of

implementation of big data-led security
analytics in security operations by
leveraging readily-available structured data
from the source of truth – packets on the
Data enrichment
network.

“We no longer live in an era where cyber-attacks are

limited to the desktops or servers. PacketWorker’s
Machine Learning fights the battle before it has
begun.”
- Name withheld, R1

Vehere Cyber Security - 17

 Case study #2

Manufacturing

18 - Vehere Cyber Security

 Manufacturing
Summary

Industry/Organisation
Manufacturing

Challenges
ŸŸ Lack of consistency and accuracy
in cybersecurity monitoring of
organisational assets

ŸŸ Inability to detect anomalous

events

ŸŸ Inadequate context when it came

to analysing security events

ŸŸ Absence of monitoring of IT-OT

integration for real-time risk
detection and response

Solution
PacketWorker 1G

Benefits
ŸŸ 100%-visibility into cyber activities
of organisational assets

ŸŸ 70% improvement in network/

security issue triages

ŸŸ Real-time detection of anomalous

events and activities

Vehere Cyber Security - 19

 “Many manufacturing powerhouse companies fear
disruptive attacks the most, regardless of whether it is
done by internal or external attackers.”
- Name withheld, Client

20 - Vehere Cyber Security


ICS and SCADA
ICS is an umbrella term covering many historically different types
of control systems such as SCADA (supervisory control and data
acquisition) and DCS (distributed control systems). Also known as
IACS (Industrial automation and control systems), they are a form of
operational technology. In practice, media publications often use
‘SCADA’ interchangeably with ‘ICS’.
Manufacturing
Background
Cyber attacks against industrial control
systems (ICS) weren’t noticeable till about
recently, and were purportedly less frequent
than IT attacks because numerous ICS
attacks don’t get revealed. However, ICS are
presently among the top targets of cyber
threats and attacks worldwide. Malware
infection, ransomware and other attacks, on
ICS assets can have serious ramifications.
With IT-OT integration, the risks of cyber-
attack on ICS endpoints are expanding.
Interconnections between control systems
and public networks deliver important
business benefits. However, without
appropriate security measures, it can
compromise control system availability and
cause service disruptions.
A 2017 industry report found that attacks
targeting ICSs have increased by >110%
compared to the previous year. While, a
2018 SANS study found that 69% of ICS
security practitioners believe threats to the
ICS systems are high or severe and critical.
Business challenges
Traditional solutions don’t work in ICS/
SCADA environments. The customer needed
technology to monitor their enterprise IT
and SCADA networks as coherent entities of
the enterprise network. Given the mission-
critical nature of assets deployed in ICS
environment, enhancing or upgrading these
systems with preventive security controls
was deemed unacceptable.
Vehere Cyber Security - 21
 “The energy sector has The threat to the energy/manufacturing
sector is serious and it’s becoming
become a major focus increasingly difficult to guard against lateral
for targeted attacks movements as a result of integration of IT
and is among the with operational technology (OT) systems.
This integration offers attack vectors the
top-five most targeted chance to seep into OT networks, which
sectors, worldwide”. were unmonitored and unprotected, leaving
- Name withheld, Client the company with little technological help
to effectively respond to such risks.

The client’s in-use tools offered little or no

visibility into network traffic and the security
operations were found to be inadequately
prepared to manage never-before-seen
threats in SCADA environment. The
client required a solution that would give
comprehensive visibility into the network,
and also lower some of the burden their
security team was carrying.

22 - Vehere Cyber Security


Solution – PacketWorker 1G
Following a tightly-guarded security
event whose remnants were detected
by PacketWorker during a later proof-of-
concept trial followed by a pragmatic policy
review cycle, the company decided to
adopt PacketWorker 1G for their IT and OT
networks.
PacketWorker demonstrated the inherent
value of its self-learning threat detection
abilities, which is uniquely capable of
forming an understanding of normal and
abnormal behaviours without any prior
knowledge.
ICSs confront various cybersecurity threat
vectors with varying degrees of loss
potential, ranging from non-compliance to
disruption of operations, and beyond.
Cost of post-event mitigation is significantly
higher, not to mention the financial loss.
Hence, it is a prudent strategy to ‘efficiently
detect and respond swiftly’ to security
threats in ICS networks to keep costs low.
PacketWorker is a fundamental innovation
that views data from an ICS network in real
time and sets up a developing pattern for
what is normal for operators, workstations
and automated systems within that
environment. With PacketWorker’s Machine
Learning, organisations can distinguish
and react to emerging threats in real time.
Advanced behavioural analysis can detect
even previously unseen novel or custom-
fitted attacks, regardless of whether they
originate in the corporate IT or OT domains
or navigate between them.
Total prevention of all cyber compromises
is not a realistic goal, but, if identified
early enough, threats can be alleviated
before they become full-blown crises.
PacketWorker’s technology can be deployed
across both IT and OT environments to
provide full coverage to an organisation.
Manufacturing
“PacketWorker has added
another dimension
of refinement to our
defense systems and
productively identified
threats with the potential
to disrupt our networks”.
- Name withheld, Client
Benefits
PacketWorker has rapidly turned
into an essential part of client cyber
security strategies, because of its
one-of-a-kind methodology and
capacity to detect emerging threats
before they have the potential to
cause significant damage.
On deploying PacketWorker, the
organisation was immediately
alerted of potential intrusions
inside its systems that had already
bypassed its other security tools.
Following an easy implementation
process, it now currently utilises
PacketWorker to persistently analyse
the overall health of its system
and to spot sporadic activities that
have a high likelihood of being
pernicious, hazardous or non-
compliant.
The advanced cyber defense
technology allows clients to
secure themselves from the most
deceptive attacks that endanger
critical infrastructure systems,
regardless of whether those threats
originate from within or outside the
organisation.
Vehere Cyber Security - 23
 Case study #3

Telecommunications

24 - Vehere Cyber Security

 Telecom
Summary

Industry/Organisation
Telecommunications

Challenges
ŸŸ Gain visibility into what’s
happening on the network

ŸŸ Speed up triage – reduce time to

respond to security incidents

ŸŸ Comply with regulatory mandates

ŸŸ Protect the system from

constantly-evolving threats

Solution
PacketWorker 10G

Benefits
ŸŸ Real-time insights into
applications, actors and, actions

ŸŸ Prompt incident response

and discovery by leveraging
comprehensive indexing and
searching capabilities

ŸŸ Improved performance of
application monitoring and
network behaviour analytics for
non-standard management-plane
traffic

ŸŸ Reduction in total cost

of ownership for security
implementation

Vehere Cyber Security - 25

 “We needed to ensure compliance with regulatory
requirements and enhance visibility with respect to
management-plane applications.”
- Name withheld, Client

26 - Vehere Cyber Security


“Vehere’s PacketWorker is extremely powerful when
it comes to detecting abnormal activities that can
threaten our cybersecurity framework.”
- Name withheld, Client
Telecom
Background
The security leadership of a leading
telecommunications company was looking
to curtail costs and improve the efficiency
of the cyber threat detection solution that
was deployed for their management-plane
networks. The incumbent vendor’s solution
was at its end-of-life stage and the cost of
refreshing the technology was proving to be
higher than budgeted.
Gaining visibility into the
network
Burgeoning growth in terms of customer
base and data usage had meant that the
company’s network had become more
complex and the throughput had exceeded
10 gigabytes per second across majority of
their router interfaces. Adding to their woes
was the fact that the solutions available at
their disposal did not really have much to
offer in terms of detection for management-
plane applications. Subsequently, the
company began to look for a technology
that could help them make sense of the
‘unknowns’ and provide a response to
the questions that were being raised as a
result of the security incidents they were
encountering. The company was found to
be lacking the ability their sectoral peers
had in terms of discovering and triaging a
security incident. Not only did this indicate
the waning power of the company’s risk
management framework but also its
potential inability to deal with a material
attack, if and when it happened. There was a
strong likelihood that the company was on
the verge of inviting customer ire because
of the aforementioned failings.
Vehere Cyber Security - 27
 “We have ensured stringent compliance with
established sectoral regulations ever since
PacketWorker was installed.”
- Name withheld, Client

28 - Vehere Cyber Security


Solution – PacketWorker 10G
By leveraging the deep packet inspection
and analytics capabilities of PacketWorker,
the company gained incisive insights into
their management-plane traffic and by
utilising signature-less techniques they
were able to detect security risks and shield
the network from sophisticated cyber
threats. PacketWorker is an effective cyber
threat detection and response solution
that helps organisations minimise risk of
expensive breaches by accurately detecting
and enabling swift responses to thwart
cyber threats. PacketWorker facilitates the
efficient resolution of identified security
incidents using concrete evidence,
actionable intelligence and response
workflow integrations. The solution is true
big data architecture that is built around
a search engine to speed up retrieval of
information and execute complex analytical
tasks such as identifying instance of spikes
and slow and low-flying traffic, correlating
them across multiple activities and finding
similar patterns to tell normal and malicious
behaviour apart.
Visibility and answers
PacketWorker empowered the company to
get cyber threat alerts on a real-time basis.
PacketWorker’s unique ability allowed the
company’s security and risk management
teams to proactively assess security postures
and formulate detection rules and use
advanced predictive analytics to detect
Telecom
unknowns. Capitalising on a powerful
deep packet and payload inspection,
PacketWorker offered full visibility into
network traffic along with the ability
to analyse encrypted communications
using mathematical models. Security
analysts leveraged the visual play-book
and time-travel capabilities to determine
root causes of incidents and retrieve
actionable intelligence – from session
correlations and graphic analyses – to
improve the organisational security posture.
Furthermore, all this was done without
disrupting ongoing business processes.
Accelerated resolutions
With PacketWorker, the company managed
to trim their incident resolution time from
days to hours and simplified an analyst’s
interaction with network data. An easy
point-and-click interface was used to lay
down complex behaviour-based rules,
which enabled the security operations
team to deliver predictable and repeatable
outcomes, irrespective of the skill set of the
user. The result: maximised efficiency and
reduced dwell-time. PacketWorker used big
data analytics to eliminate considerations
pertaining to events or log rates and
obviate the need for deploying collectors
for different applications and processes. The
platform ran on readily-available structured
data that it gathered from the source of
truth – packets on the network.
Vehere Cyber Security - 29
 Case study #4

Critical infrastructure/Government

30 - Vehere Cyber Security

 Critical Infra
Summary

Industry/Organisation
Critical infrastructure/Government

Challenges
ŸŸ Concerns about the prevalence of
fast-moving, automated attacks

ŸŸ Adopt a proactive approach to

cyber defense

ŸŸ Attain comprehensive visibility

into critical infrastructure stations

ŸŸ Secure itself from breaches, data

thefts, malware/zero-day attacks

ŸŸ Too many false positives

ŸŸ Insider threats

ŸŸ Surfeit of reactive and lack of

proactive measures

Solution
PacketWorker 10G and professional
services

Benefits
ŸŸ 100%-network visibility including
in ICS protocols

ŸŸ Improved response time by >100%

ŸŸ Reduction in cybersecurity risks,

data losses and subsequent costs
of restoration

ŸŸ Compliance with contractual and

regulatory obligations

ŸŸ Detection of automated attacks in

real time

ŸŸ Increased efficiency with proactive

alerts

Vehere Cyber Security - 31

 Critical infrastructure owners need more
resilience, with fewer siloes and the
competency to detect, scrutinise and
respond to issues in real-time – as they
occur.
“A wide range of risks are now being played out in
the cyber domain and pose a real and growing threat
to the energy and utilities industry.”
- Name withheld, Client

32 - Vehere Cyber Security


“Disruption of
critical infrastructure
has tremendous
psychological impact as
large-scale disruption to
civilian facilities leave a
profound impact”.
- Name withheld, Client
Background
As an integral part of national critical
infrastructure, cyber security has been
a priority for the client (a public sector
enterprise) for some years. However,
recent high-profile attacks on operational
technology uncovered significant gaps in
security posture. With the threat landscape
rapidly advancing, and mounting cost
of mitigating security breaches, a new
approach to cyber defense for Industrial
Control Systems became an urgent
requirement. As attacks continue to increase
in volume and sophistication, critical
infrastructure owner had to evolve.
The client acquired significant cyber threat
and risk intelligence data from multiple
sources. However, despite application of
available intelligence to various security
controls, client continued to experience
security incidents.
Critical Infra
Business challenges
In the context of an increasingly
sophisticated threat landscape, the client
was essentially worried about impact of an
attack on its rather infrequently-updated
and under-protected SCADA network.
Specifically, it was concerned about
fast-moving and automated threats, like
ransomwares/cryptwares, that have the
potential to jeopardise operations at the
earliest opportunity. With a security stack
that primarily depended on border defense
based on rules and signatures, the client
was unable to take a proactive approach
when it came to cyber defense.
In addition to confronting evolving cyber
threats, the client was affected by tight
budgets and lack of resources, complex
processes, and a need to stay up-to-date
with latest regulatory mandates, attack
methods, and technologies.
Additionally, client felt it lacked visibility
into its internal network. It wanted a
solution that could provide insights into
the behaviours of users, devices, and the
network as a whole. Keeping resource
constraints, training and integration needs
in mind, the client set out to identify an
easy-to-deploy solution to combat next-
generation threats, including zero-day and
advanced persistent threats, to supplement
legacy security defenses across the
corporate infrastructure.
Vehere Cyber Security - 33
 “PacketWorker’s Machine Learning technology has
proven instrumental in terms of providing visibility of
devices we didn’t even know we had on our network”.
- Name withheld, Client

34 - Vehere Cyber Security


Solution – PacketWorker 10G
Following a quick installation, security
analysts were able to identify abnormal
activities and disrupt exploitative actions
in the early stages, before any damage
was done. It also provided the client with
total network visibility. From day one,
PacketWorker started to analyse users,
devices and network behaviours, in real
time and, detecting anomalies pertaining to
cyber risks.
PacketWorker demonstrated the inherent
value of its self-learning threat detection
abilities, uniquely capable of forming an
understanding of normal and abnormal
behaviours without any prior knowledge.
PacketWorker proved to be an effective
cyber threat detection and response
solution that helped the client respond
swiftly to cyber threats. It facilitated efficient
resolution of identified security incidents
with concrete evidence, actionable
intelligence and response workflow
integrations.
Machine Learning is a principal ally in terms
of defense of assets from cyber-criminals
and malicious insiders. The technology
detects the slightest of abnormal
behaviours across network in real time,
including ‘unknown unknowns’, enabling
the security team to detect and respond to
attacks before any harm befalls.
Critical Infra
Benefits
With PacketWorker’s Machine
Learning abilities, the client re-
established trust in its security
operations to defend itself
from evolving and increasingly
automated attacks. Since the
solution prioritises detection
outcome by potential gravity, it
enables security professionals
to optimise their resources for
increased effectiveness.
PacketWorker allows the security
and risk management teams to
proactively assess security postures
and then sets up detection rules to
maintain their edge over malicious
behaviours besides using advanced
predictive analytics to detect
unknowns. All this is done without
any disruption to ongoing business
processes.
Exemplary performance and
detailed contextual availability
enabled the cyber security team
to focus on responding to threats
quickly, minimising operational and
business impact.
Over time, the client was able to
identify and alleviate threats more
efficiently compared to the previous
year.
Vehere Cyber Security - 35
 Case study #5

Energy and Utilities

“We have a lot of suspicious communication that we don’t

necessarily get time to analyse but PacketWorker helps
focus our efforts just on the riskiest ones and enables us to
safely investigate their true nature and intent”.
- Name withheld, Client

36 - Vehere Cyber Security


Summary
Industry/Organisation
Energy and Utilities
Challenges
ŸŸ Need to improve detection rates
without impacting business
continuity or taking excessive
measures to lock down machines
ŸŸ Enhanced compliance posture
ŸŸ Long and tedious operations and
security investigations lacked
visibility
ŸŸ Concern about prevalence of fast-
moving, automated attacks
Solution
PacketWorker 10G and professional
services
Benefits
ŸŸ Gained real-time operational
visibility
ŸŸ Reduced operational disruption
and remediation costs
ŸŸ Consolidated intelligence and
reporting
ŸŸ Ensured immediate and significant
drop in attacks
Energy &
Utilities
Background
Cyber security and compliance continues
to be a challenge for many energy sector
organisations. Hackers, including both
state and non-state actors, are getting
progressively advanced in their attacks,
making it increasingly hard to keep up with
the latest threats.
Analysts noted an increase of >60% in
hacktivism targeting the energy sector. A
2018 survey of IT professionals across the
oil, gas, utility and energy sectors found that
fewer than half believed their organisations
could immediately detect a cyber-attack,
although ~65% believed that they were
a target. Furthermore, 81% believed that
attacks could do ‘serious damage’. All
the statistics pointed to a clear state of
uncertainty with the prevalent style of risk
management and adoption of security
controls.
Vehere Cyber Security - 37
Business challenges
Although there has been an increased focus
on cyber security in the recent years, threats
against the energy sector continue to go
undetected for an average of six months.
A key reason behind this is alert overload.
Standard cyber security deployments
generate thousands of alerts per week,
but the client organisation only had the
resources to investigate ~5-6% . With 20%
reliability rate, the client believed they were
wasting precious time and money each
year chasing false positives or performing
investigations with inadequate insights.
38 - Vehere Cyber Security
The main hindrance faced was that users ŸŸ Limited data retention capabilities.
could not get a context or insights from
multiple security solutions quickly enough ŸŸ No compatibility with other
and in one place to perform an efficient technologies.
investigation. This is precisely why adopting
To protect its digital infrastructure, the client
Machine Learning can help improve
required situational awareness of its security
versatility cyber hygiene and compliance.
posture, context and relevant insights for its
The client’s previous tool set had led to a departments and stakeholders.
number of challenges, including:
ŸŸ Slower threat detection and response
due to too many disparate tools, too
much information and the need for a lot
of manual correlation to find the right
data.

Benefits
PacketWorker empowered the client
to detect and neutralise cyber threats
in real time. PacketWorker immediately
affirmed that the bulk of client
infrastructure was clean but did detect
the presence of a certain malware in
their network and allowed them to
zero in on a specific workstation for
remediation.
From the first day of deployment,
clients have seldom had issues with
false-positives of the rule engine. This
has given them the certainty to resolve
security incidents.
With large volumes of data transfer
Key facts and figures
ŸŸ Energy attacks went up by 20% between
2017 and 2018. This trend is expected to
continue as governments pours more
resources into cyber warfare
ŸŸ 75% of companies in the oil, gas and
electricity reported a cyber attack in
2018. Intruders were able to bypass
protections that were in place.
ŸŸ Cyber-attacks against energy companies
usually take months to discover.
ŸŸ 48% of energy and utility CEOs think a
cybersecurity attack is inevitable, sooner
or later.
going on daily, the client was unable to
analyse everything.
Exemplary performance and high detail
availability enabled the cyber security
team to respond to threats quickly,
minimising operational and business
impact.
PacketWorker facilitated simplification
of implementing big data-led security
analytics in a secops environment by
eliminating the considerations around
event rate and the need for collectors
for different applications/processes.
It is a platform for readily-available
structured data lifted from the source –
Packets on the network.
Solution – PacketWorker 10G
Deployed in promiscuous mode to monitor
networks, PacketWorker proved to be an
effective detection and response solution
that helped respond swiftly to cyber threats.
It facilitated efficient resolution of identified
security incidents using concrete evidence,
actionable intelligence and response
workflow integrations.
The client had an account that was
the target of an email-based attack.
PacketWorker put the right protection in
place and stopped the ransomware from
deploying.
Energy &
Utilities
“No business in the
energy industry is
immune to security
issues and fear of
disruptive attacks,
regardless of whether
it is done by internal or
external attackers.”.
- Name withheld, Client
PacketWorker was immediately able to
identify a lot of malicious malware that had
been entering the client’s environment.
The client saw the cost savings generated
in terms of preventing the attacks and
the gains in efficiency resulting from
PacketWorker.
PacketWorker does not require weeks and
weeks of consulting to implement and the
speed at which it can operate and mitigate
risk is a key differentiator.
Clients often need easy access to real-
time data and actionable information to
understand where they need to focus.
Vehere Cyber Security - 39
 PacketWorker can provide
meaningful insights
from comprehensive
monitoring of enterprise
networks for cloud and
shadow-IT, social media
and recreational access,
remote access, trusted-to-
trusted communication,
IoT, and encrypted
communication, enabling
security practitioners to
take proactive remedial
measures, faster.

PacketWorker
Appliances

Vehere Cyber Security - 41

 PacketWorker Appliances
DATA SHEET

Key features

ŸŸ Comprehensive rules framework mean-time-to-detect and, mean-

and Machine Learning algorithms
automate detection of security risks in
real time.
ŸŸ Deep packet and payload inspection
helps detect thousands of protocols
and applications to provide precise
context.
ŸŸ Powerful visualisation platform
enables threats to be analysed and
investigated intuitively to help reduce
time-to-respond.
ŸŸ Session replays and reconstructions to
facilitate better assessment of security
risks using third-party tools or human
analysis.
ŸŸ Detects IPv4 and IPv6 traffic in VLAN,
MPLS encapsulation and tunneled
traffic to support deployment for
most environments.

42 - Vehere Cyber Security

 DataSheet
Services
Support
• Standard – 8/5 e-mail and telephonic support

• Extended – 12/5 e-mail and telephonic support

• Appliances – next business day hardware

replacement

• Web and knowledge base – 24X7 access

Implementation and consulting

• Site survey, preparation/readiness assessment,
consulting and deployment

• Custom-sizing and design for large- scale

deployment

Incident assurance
• Affirmation – confirm an incident/suspicion

• Assistance – provide operational assistance

for PacketWorker while your key human capital
undertakes critical incident response tasks

• Response – provides incident response execution

assistance

PacketWorker 300 - ideal for PacketWorker 1K - ideal for PacketWorker 10K – ideal for
throughput up to 300 mbps throughput up to 1 gbps throughput up to 10 gbps
ŸŸ 1 X gigabit-ethernet copper OOB ŸŸ 1 X gigabit-ethernet copper OOB ŸŸ 1 X gigabit-ethernet copper OOB
interface interface interface

ŸŸ 2 X 1 gigabit-ethernet copper interfaces ŸŸ 4 X 1 gigabit-ethernet copper interfaces ŸŸ 2 X 1 gigabit-ethernet copper interfaces

ŸŸ 2 X 10 gigabit-ethernet SFP+ LR/SR

options

Vehere Cyber Security - 43

 Vehere’s PacketWorker
is a Network Situational
Awareness solution that
enables comprehensive
network monitoring using
either a line-rate full packet
capture or, flow monitoring
technology. It enables
security practitioners at
leadership, risk management
and operational hierarchies
to find answers to the six
most compelling questions –
‘What?’, ‘Why?’, ‘When?’, ‘How?’,
‘Where?’ and, ‘Who?’

White paper

Vehere Cyber Security - 45

 White paper
I keep six honest serving men; they taught
New-age secops me all I knew.
Their names are ‘What’ and ‘Why’ and
‘When’ and ‘How’ and ‘Where’ and ‘Who’.
- Rudyard Kipling

46 - Vehere Cyber Security


In defence of secops
Security operations are expected to
be proactive in response. However,
architectural complexity of layered defenses,
demanding service level agreement
availabilities and uptimes, performance
penalties imposed on in-line tools while
using deep inspection and executing
complex policy enforcement activities
are complicated further by a complex
compliance and security monitoring setups.
This has rendered security operations to
adopt a reactive stance in the better interest
of businesses they support.
White Paper
Security operations can benefit by
deploying security analytics that use
full-packet capture technology. These
are considerable easy-to-deploy, require
minimal effort to configure and manage, do
not require establishment of middleware to
work with different data sources, resulting
in considerably faster data analysis. Pairing
with a customisable user interface ensures
predictable outcomes of assessments and
investigations and eliminates the need
for expensive training and associated
manpower costs.
Such technologies can provide businesses
with the confidence to deliver timely
responses in the face of eventualities and
offering positive outcomes even in trying
situations, such as serious security breaches.
Response is no longer hostage to person
or device availability. Instead, actionable
intelligence is attained without disrupting
business processes and activities, boosting
customer and investor confidence.
Vehere Cyber Security - 47
Business impact analysis
Left to itself, technology would do no harm. It is the human factor that introduces and amplifies risk in any ecosystem.

Safeguarding an enterprise’s digital ‘crown jewels’ is a priority. However, business is a social activity and several organisations have actually
lowered their guards to improve productivity, increase customer engagement and identify new revenue sources.

The result is a manifold jump in security risks and a serious impact on the business.

Additionally, security teams find it difficult to enforce policies on applications being used by business teams. Risk managers cannot
determine the security posture of personal devices or tools used for customer engagement. Newer digital initiatives by enterprises for
business benefit has put pressure on risk managers and security operators to keep up pace without enforcing stringent policies of the
past and at the same time assuring the senior leadership team of being able to accurately determine business impacts and respond to
eventualities.

Cloud/Shadow IT

Incident response
Encrypted traffic
and network
analysis
forensics

Network
Threat
anomaly
detection
detector
Reactive
Proactive

Adaptable
Security
interpretive
orchestration
monitor

Comprehensive visibility

Businesses are increasingly focusing on being able to ‘find more for less’ i.e., better quality insights but with less talented and
lesser number of manpower.

Source: Gartner Analysis Viewpoint, July 2018

48 - Vehere Cyber Security


Doing it right
The concept of surveillance is
ingrained in our beings. God was the
original surveillance camera.
- Hasan M. Elahi
To observe and respond is human nature.
Let’s just apply this to the cyber world.
Deploy a simple monitoring capability that
enables secops to be proactive and fall back
to retrospective analysis mode, on demand.
Gain visibility into every session on
the network. Monitor cloud usage and
encrypted communications. Leverage
Machine Learning to identify suspicious
behaviour, watch out for non-compliances
and travel back in time to determine
root causes. Pick up evidence to build
actionable intelligence, uncomplicate
White Paper
critical monitoring tasks in a cost and
resource-efficient manner to streamline
security operations. Integrate output and
intelligence to prevent perpetrators – on the
inside or from the outside – from causing
significant damage to enterprisal assets.
Free up cycles to focus on future readiness
of security operations. Hone capabilities
of network managers to troubleshoot
performance or availability issues and assist
in terms of capacity planning along with risk
assessment.
Vehere Cyber Security - 49
 Services

Affirmation Assistance Response

50 - Vehere Cyber Security


Uncomplicate secops
Security and risk practitioners need an
upper hand over their adversaries. This
can be achieved using technologies that
permit security and risk practitioners to
adopt their learnings as templates and
apply it to discover threats or risks in
corporate environments. These silently
monitor multiple network segments and
easily integrate with current solutions in the
security ecosystem to provide visibility and
control.
Vehere’s PacketWorker is a Network
Situational Awareness solution that enables
comprehensive network monitoring using
either a line-rate full packet capture or flow
monitoring technology. It enables security
practitioners at leadership, risk management
and operational hierarchies to find answers
to the six most compelling questions –
‘What?’, ‘Why?’, ‘When?’, ‘How?’, ‘Where?’ and,
‘Who?’
A powerful deep packet and payload
inspection offers incisive insights into
network traffic, analyses encrypted
communications without resorting to
decryption, detects network anomalies and
compliance violations, provides visibility
into cloud and software-as-a-service
applications, goes back in time to perform
forensics and root-cause analyses and
retrieves actionable intelligence via session
correlations, graph analyses, full-fidelity
user-session reconstructions for evidence
retrieval and attribution. This ensures
operational efficiency and bolsters the
organisational security foundation without
disrupting ongoing business processes.
White Paper
With a simple and easy-to-use, web-based
interface and an adaptable interpretive
monitor, it offers secops the ability to
deliver predictable and replicable outcomes
irrespective of the skill-set of the user,
maximising efficiency and significantly
reducing dwell-times.
The solution is based on true big data
architecture built around a search engine to
speed up information retrieval and execute
complex analytical tasks such as identifying
spikes and instances of low and slow-flying
traffic, correlate these across multiple
activities and find similar patterns to tell
normal and malicious behaviours apart.
PacketWorker gels well with the secops
ecosystem by integrating with the existing
security monitoring and orchestration
layers and using standardised interfaces
– with security information and event
management for security monitoring and
preventive controls for delivering immediate
responses.
PacketWorker facilitates seamless
implementation of big data security
analytics in security operations by
eliminating concerns pertaining to events
or log rates and the need for collectors for
different applications or processes. It is a
platform for readily-available structured
data and lifts the same off from the source –
packets on the network.
Vehere backs PacketWorker’s deployment
with a set of services aimed at assisting
enterprises in various phases of risk
management.
Vehere Cyber Security - 51
 Machine Learning as
employed by Vehere
PacketWorker

52 - Vehere Cyber Security

 Machine Learning as employed by Vehere
PacketWorker

54 - Vehere Cyber Security

 Learning
Machine
During Machine Topic modeling is a natural language
processing technique with a design
Learning analysis, principle that offers responses to one
the system infers question – What is the probability that
observed session adheres to a behaviour?
a probabilistic
behavioural model
Observed session is the network activity as it
happens and, ‘probability’ is a score between
of each network 0 (zero) and 1 (one). Lesser scores imply

node using ‘topic

suspicious activity and these are delivered
as alerts in human-readable form.
modeling’. PacketWorker uses the Latent Dirichlet
Allocation (LDA) model.

Vehere Cyber Security - 55

Rule engine
PacketWorker enables security analysts to
define and specify various rules in the rule
engine to help them discover compliance
or policy violation issues, look for risky
communications or discover attacks and,
identify network or security-related issues
proactively. Security analyst’s need to set
rules in the application after analysing
their environments. Rules run through the
flow records captured in the system and
generate an alert or execute an action upon
a rule hit.

Rule types with common monitoring paradigms

include:

ŸŸ Match where there are X events in Y time

(frequency type)

ŸŸ Match when the rate of events increases or

decreases (spike type)

ŸŸ Match when there are less than X events in Y time

(flatline type)

ŸŸ Match when a certain field matches a blacklist or

whitelist (blacklist and whitelist type)

ŸŸ Match on any event matching a given filter (any

type)

ŸŸ Match when a field has two different values

within some time (change type)

56 - Vehere Cyber Security

V-1.5.1

Vehere
1629 K Street NW Suite 300,
Washington DC 20006-1631, USA
P +1 202 355 6371

391B Orchard Road #23-01,

Ngee Ann City Tower B
Singapore 238874
P +65 9299 0905

Roxborough Heights,
College Road, Harrow
London HA11GN
P +44 776 631 7891

7 Hazell Rd, Somerset West

Cape Town
South Africa
P +27 83 649 1970

232 DLF South Court,

Saket District Centre
New Delhi 110017, India
P +91 33 4004 6349

#1603, PS Srijan Corporate Park,

Block GP, Sector V, Salt Lake,
Kolkata 700091, India
P +91 33 4054 5454

E info@vehere.com
W www.vehere.com