Sqrrl’s latest release, Sqrrl Enterprise 2.5, revolutionizes the hunt by delivering a wide range of new capabilities aimed at streamlining and automating threat hunting activities for security analysts. By combining big data, analytics, investigation, and collaboration capabilities all in a single tool, Sqrrl Enterprise fulfills all of the requirements of a Threat Hunting Platform. Sqrrl’s hunting approach focuses on identifying, gathering, and acting upon an adversary’s Tactics, Techniques, and Procedures (TTPs), in order to rapidly detect and mitigate threats in your network. This release marks the most comprehensive update to Sqrrl since the release of Enterprise 2.0, which launched the Sqrrl visual investigation interface. These are some of the new features added to Sqrrl to make hunting for advanced threats more streamlined than ever. The new release is generally available to all current Sqrrl users as of May 16, 2016.
The Behavior Graph
The Sqrrl Behavior Graph has been upgraded and now more intuitively provides context to security analysts about the assets, actors, and events present on their networks and endpoints. Sqrrl comes pre-built with a cybersecurity ontology that provides a rich, contextual representation from network, endpoint, user, and application log data. By streamlining the data acquisition process via common datasource connectors, Sqrrl is able to quickly assemble a logical view of what’s going on inside a network. The relationships between various entities can be expanded on command depending on what direction an analyst wants to go to answer questions and hypotheses driving a hunt. This automates the hunting process by predetermining the search pathways that would otherwise need to be uncovered through complex querying. This makes it easier for analysts to rapidly pivot from data point to data point, regardless of the differences in the underlying data. The Behavior Graph lets analysts identify normal and abnormal behaviors, rapidly ask questions, and streamline their incident investigation and threat hunting activities.
Sqrrl’s pre-built cybersecurity ontology represented in a linked data model
TTP-oriented detectors are a critical capability in Sqrrl that redefines how analysts start their hunts. These detectors continuously run behavioral analyses over Sqrrl’s linked data model to pinpoint the Tactics, Techniques, and Procedures used by adversaries. Sqrrl’s detectors leverage User and Entity Behavior Analytics (UEBA) to find patterns of activity based on learned baselines, instead of signatures or rules. Along with the Behavior Graph, the UEBA-powered detectors can be used to profile and analyze users, machines, web domains, and other entities of interest. The underlying analytics do this by establishing baselines of normal observed activity in a number of ways depending on the type and application. Baselining procedures observe raw data features and learn distributions across multiple dimensions such as time, frequency, rarity, graph structure, and volume. System analytic results are fed back into baselining processes to enable continuous algorithmic tuning.
Sqrrl’s homepage featuring a rollup of risk dashboards for detection and entity profiles
Risk Scores and Profiles
Sqrrl 2.5 includes a fresh UI redesign that includes powerful risk dashboards which help analysts quickly recognize and investigate the most recent risky events and assets. Each entity (including users, hosts, IPs, domains, and URIs) is given a comprehensive profile which shows other related entities and is assigned a risk score based on a variety of factors. Risk scores are a way for Sqrrl to communicate to analysts what its continuous analytics have been able to recognize, and can help automate the process of developing hypotheses, identifying TTPs, and prioritizing investigations.
An example of an exfiltration detection as seen in the Sqrrl Behavior Graph
To simplify analyst use of Sqrrl, all of the data required to run the TTP detectors and analysis over the Behavior Graph is streamlined via built-in data source connectors. These connectors remove the need for configuration and provide easy access to raw data quickly and easily. It is thus easier than ever to establish a Threat Hunting Platform within your enterprise and start hunting for advanced threats.
Sqrrl 2.5 sets a new industry standard for threat hunting and incident investigations solutions. Combining the contextual exploration power of the Behavior Graph with automated analytics afforded by TTP-oriented detectors, it has never been easier to optimize your incident investigations processes or more rapidly advance your hunting maturity.