The Internet provides access to various pieces of information, applications, services, and the like for publishing information. Today, the Internet has significantly changed the way we access and use information. The Internet allows users to quickly and easily access services such as banking, e-commerce, e-trading, and other services people access in their daily lives.
In order to access such services, a user often shares his personal information such as name; contact details; highly confidential information such as usernames, passwords, bank account numbers, and credit card details; and so on with service providers. Similarly, confidential information of companies such as trade secrets, financial details, employee details, company strategies, and the like is also stored on servers that are connected to the Internet. There is a threat that confidential and/or personal information will be accessed by hackers using unauthorized access methods. Specifically, such methods include, for example, using malware, viruses, spyware, key loggers, compromised remote desktop services, and the like.
Recently, the frequency and complexity level of attacks has increased with respect to attacks performed against all organizations including, but not limited to, cloud providers, enterprise organizations, and network carriers. Some complex attacks, known as multi-vector attack campaigns, utilize different types of attack techniques to identify weaknesses in the target network and/or application resources. Identified weaknesses can be exploited to achieve the attack's goals, thereby compromising the entire security framework of the network.
One example of a relatively new type of multi-vector attack campaign is an advanced persistent threat (APT). An APT is an attack in which an unauthorized hacker gains access to a network and remains undetected for a long period of time. Although a multi-vector attack campaign is a complex attack to launch, multi-vector attack campaigns are frequently successful. This is due to the fact that current security solutions are not sufficiently agile and adaptive with respect to the detection, investigation, and mitigation resources needed to meet such evolving threats. Specifically, this is due to the fact that current security solutions cannot easily and promptly adapt to detect and mitigate new attack behavior, or attacks that change their behavior in a significant manner in order to bypass the security.
In addition, security solutions and, in particular, solutions for APT attacks, do not provide reliable automatic decision-making capabilities. Typically, security solutions are not designed for both detection and automatic decision-making. In addition, system administrators do not trust currently available security solutions designed to mitigate complex attacks due, in part, to the high total volume of alerts (events) and the high level of false positive alerts generated by such systems. As a result of such false positive alerts, system administrators (e.g., security experts or officers in an organization) often manually perform decision-making processes rather than permit automatic decision-making, which usually increases the time needed to mitigate attacks.
Moreover, manual decision-making requires system administrators to investigate potential cyber threats or attacks by analyzing thousands of alerts and events generated by different security products deployed in the organization. As such, in most cases, efficient and accurate threat investigation is infeasible or impossible. For example, the task of investigating how an entity was infected, the root cause of the infection, and/or how the entity reacts to the infection cannot be efficiently performed by a system administrator. This is due to the fact that an administrator would be required to investigate a high volume of events (e.g., thousands) in seconds to even begin answering such questions. Aside from the high volume of events, as attacks evolve over time, investigation operations cannot be performed based on out-of-date policies. Such policies, if not dynamically updated, cannot detect correlations that are known a priori between different threats or entities, based on processing of events. Further, an administrator (or security analyst) is incapable of selecting or assigning, in real time, the most effective security solution or solutions to handle a threat based on the current investigation policy. When more than one security solution is used for the investigation, the order of activation and the right time to activate each solution must also be determined.
As a result, current solutions cannot perform accurate security investigation operations in real time, and thus cannot verify whether a detected threat is a real ongoing or developing attack, or whether such a threat can harm an organization. Examples of such threats include pre-attack intelligence gathering, malware propagation, data breach, and exfiltration of data. Therefore, current solutions also suffer from a lack of situational awareness of the main risks and loss potential that attacks can impose on an organization or a business.
It would therefore be advantageous to provide a security solution that would overcome the deficiencies of the prior art.