Choose the winner of U.S. Cyber Command to identify and manage risks related to data processing as well as educating employees on IT security and compliance policies.
Next DLP won the U.S. Cyber Command insider threat competition against some of the top insider threat, EDR, UBA, and SIEM vendors.
DreamPort is a cyber center with state-of-the-art facilities and innovative programs which aims to fuel innovation that leads to “unparalleled capability for U.S. Cyber Command and the warfighters at large”. United States Cyber Command (USCYBERCOM) created DreamPort through a Partner Intermediary Agreement awarded to Maryland Innovation & Security Institute (MISI).
DreamPort RPE-003: The Wolf in Sheep’s Clothing
The insider threat competition, The Wolf in Sheep’s Clothing, was the first of its kind and took place in Columbia, MD, from January 29 - February 14. Due to the number of competitors, the event was split into two groups, where the companies competed against each other over the course of three full days.
The insider threat event sought to identify user activity monitoring (UAM) solutions that employed advanced, real-time analysis of multiple data sources for anomaly detection, specifically those that offered both predictive monitoring and policy-based monitoring features. For every attack, the participants were evaluated across many different dimensions, including “time to respond”, “fullness of context” and “innovative methods used”.
Preparations leading up to the competition
In December, the Next DLP team engaged with DreamPort, running Reveal and installed agents running in their simulated HQ network to acquire a baseline of “normal” user activity.
During the preparation, the Next DLP team analyzed the system and became familiar with the different users’ mannerisms, common applications usage, and how much access each user had. Using the Cyber Passport built into the product, a picture of the everyday life in the office was quick and simple to see. In addition to the automatic baseline profiling, the team set up policies to automatically catch any violations of rules in the event guidelines, as well as typical threat and risk indicators such as job hunting and malicious domains.
Let the competition begin
The Next DLP team included Hani Mustafa, David Buchmann (Data Scientist / Security Researcher), Zach Garcia (Cybersecurity Analyst), Neena George (Systems Engineer), and Yogan Patel (Systems Engineer). The small team of five with the 2-year old software faced teams as big as 30 participants with (multiple) products that have been very successful.
Large company networks are constantly under attack. With millions of events happening on a daily basis, a SOC Analyst needs leads to potential high priority events to focus on. Once the SOC Analyst has found something of interest, they need to quickly understand the full context to determine whether to dismiss the event and move on to the next, or to dig deeper.
With Reveal at DreamPort, the machine learning sensors triggered when software ran for the first time and the instant an unusual event occurred, allowing us to detect multiple attacks immediately. It was easy to see if hosts connected to C2 (command and control) servers or malware delivery IPs with no human interaction.
Once the team had a lead on what kind of activity to look for, it was easy to find the evidence they needed and figure out what happened using the power search. While some tools are either optimized for incident response or for detection, Reveal has the versatility and benefit to do both.
Overall, the Next DLP team were easily able to see the narrative play itself out in real-time starting with the suspicious activity of a few HQ employees (e.g. use of unauthorized USB devices, copying and moving sensitive files, unauthorized ‘shadow IT’ behavior, and showing signs of flight risk) and culminating in a wide-spread ransomware attack and data exfiltration attempt.
Our competitors had limited visibility during the competition. Although the competitors were able to detect the occurrence of malicious activity on the network, they were struggling to correlate events from various log sources and unable to extract context. The lack of context also meant that they could not see what was coming.
Reveal was effortlessly able to identify the true insider threat very early on. Within the first 30 minutes, the Next DLP team had identified the first clues of the biggest insider threat risk. Had this been a real-world scenario, Reveal would have given the clear insight needed to take preemptive action and would have prevented this attack all together by locking the individual out of their PC and removing all access. The rules of the competition, however, prevented us from locking / blocking any users.
"Reveal is a very useful tool in the threat hunting and security arsenal. From my perspective and experience Reveal can complement most SOC toolsets." - Zach Garcia, Cyber Analyst
Following the three-day event, even with a smaller team, the team were confident that our two-year old software company had done well against the competitors.
A landslide victory
Next DLP had the highest score in multiple categories:
- Best performance with agent
- Highest # of detections
- Best performance by category:
- Obvious plain text threats
- Malicious/suspicious USBs added to network
- Foreign computer(s) on network or added to network
- Incidents after loss of log data
- Best overall performance
For a complete list of the category winners, see the DreamPort website.
The competition overall
The team at DreamPort did an excellent job of putting together the competitions. The team’s extensive effort and attention to detail was apparent in the way they developed and carried out the whole insider threat narrative on a simulated corporate network.
Being able to rigorously test and prove Reveal in these real-world “active incident” scenarios was a great opportunity to show the Federal community what we can do. Further, benchmarking our capabilities against some of the top industry vendors confirmed we are solving the cyber threats better and more efficiently. Next DLP won by a landslide!
The machine learning sensors did a great job identifying unusual activity, which the team further investigated in great detail. From an alarm, the team were easily able to drill down, identify the relevant actors and workstations, and piece together the string of events that led up to the final attack.
In addition, the threat hunting platform with our unparalleled cybersecurity search capabilities, demonstrated the power of Reveal.
The opportunity to participate in this exercise helped us identify our key strengths and potential areas of improvement to help us make the platform even more effective in mitigating the insider threat which are coming in the next product release.
Being able to participate in the event was an amazing experience for Next DLP, as we were able to yet again prove that the product makes insider threat hunting simple, intuitive, and a real joy for analysts.
"Our dedicated Reston-based team is committed to helping our Federal customers and partners gain unparalleled visibility into their organization and mitigate insider threats. Reach out to us for a demo today!" - Yogan Patel, Federal Systems Engineer