VSE can detect an internal host communicating with and downloading data from an atypical domain, based on its understanding of the network’s unique norm.
The download contains malicious software that has not been previously documented, thus endpoint security and other signature-based tools would not be alerted to its presence. VSE automatically generates a ThreatCase and acts as the network’s last line of defense based on expert knowledge of adversary behavior, not a known signature.
A VSE ThreatCase alerts a bank’s SOC that an internal host is sending unusual volumes of data to another internal host that it hasn’t exchanged data with in the past. Upon investigation, the company’s sysadmin discovers critical data is being backed up to an Internet-accessible file server.
While not malicious in intent, this activity inadvertently increases the network’s attack surface, leaving critical and sensitive information at higher risk of exposure. Based on its knowledge of how adversaries work, VSE identifies potential attack vectors before adversaries can exploit them.
Attack vector: Circumvention of security mechanisms
VSE detects communications circumventing known security measures - for example, the creation of a covert channel that could serve as a route for data exfiltration or malware command-and-control (C2).
VSE observes behaviors that do not match its definition of the network’s unique normal, without requiring awareness of IT policies or specific known malicious signatures. VSE’s ThreatCase guided the security team to close off this attack vector, which could have been used to exfiltrate critical company data.
VSE observes anomalous behavior from a host on a customer’s network: an employee using network analysis and investigative tools. These tools are approved for use, but a ThreatCase is generated because they are often employed by hackers in a “live off the land” strategy — i.e. secretly leveraging non-malicious services and techniques for malicious ends. VSE mitigates this approach by understanding how adversaries must interact with a network to accomplish their mission.
Amidst a network of 100,000 hosts, VSE detects a host connecting to a domain that is exclusive to that host. While the domain is not malicious, VSE will highlight this connectivity due to its exclusive nature. The connection consists of multiple sessions, with substantial data being transferred to this domain.
Responding to VSE’s ThreatCase, the company’s security team sees that this domain, though benign, allows for the submission and hosting of source code. VSE enables the security team to shut down an insider threat quickly.
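The two baseline-driven checks behind the scenarios above (a domain that only one host talks to, with substantial data sent across several sessions, and an internal host pushing a large volume to a peer it has no history with) as an added, illustrative Python example. This is not VSE’s own code; the flow records, host names and domains are constructed, and the byte thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (src_host, dst, bytes_out).
# dst is a dotted domain for external traffic or a bare name for an internal host.
BASELINE_FLOWS = [
    ("ws-01", "updates.example", 12_000),
    ("ws-02", "updates.example", 11_500),
    ("ws-03", "updates.example", 13_000),
    ("ws-01", "fileserver-a", 40_000),
    ("ws-02", "fileserver-a", 38_000),
]

TODAY_FLOWS = [
    ("ws-01", "updates.example", 12_500),
    ("ws-02", "updates.example", 11_000),
    ("ws-03", "updates.example", 12_800),
    # one host, several sessions, a lot of data to a domain nobody else uses
    ("ws-07", "paste.example", 2_000_000),
    ("ws-07", "paste.example", 3_500_000),
    ("ws-07", "paste.example", 1_700_000),
    # internal host sending a large volume to a peer it never talked to before
    ("db-01", "dmz-share", 900_000_000),
    ("ws-01", "fileserver-a", 41_000),
]

def exclusive_domains(flows, min_bytes):
    """External domains contacted by exactly one host with total bytes >= min_bytes.
    Returns {domain: (host, session_count, total_bytes)}."""
    by_domain = defaultdict(list)
    for host, dst, nbytes in flows:
        if "." in dst:                      # only external (dotted) destinations
            by_domain[dst].append((host, nbytes))
    hits = {}
    for dst, sessions in by_domain.items():
        hosts = {h for h, _ in sessions}
        total = sum(b for _, b in sessions)
        if len(hosts) == 1 and total >= min_bytes:
            hits[dst] = (hosts.pop(), len(sessions), total)
    return hits

def new_peer_volume(baseline, current, min_bytes):
    """src->dst pairs absent from the baseline whose current volume >= min_bytes.
    Returns {(src, dst): total_bytes}."""
    known = {(h, d) for h, d, _ in baseline}
    totals = defaultdict(int)
    for h, d, b in current:
        if (h, d) not in known:
            totals[(h, d)] += b
    return {pair: b for pair, b in totals.items() if b >= min_bytes}
```

Run against the constructed data, the first check flags only paste.example (ws-07, three sessions) and the second flags only db-01 to dmz-share; the same new pair for ws-07 stays below the volume threshold.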