To develop such threat awareness, MOREAL is based on big-data analytics principles, along with correlation of primal information brought out from logs provided by the underlying network and network security infrastructure. Monitor More precisely, logs are initially analysed, correlated, and collated with Open Source and Crypteia Networks Security intelligence to generate secondary and trietary threat intelligence by the Threat Intelligence Engine of the MOREAL platform. Report Then our Engine augments threat knowledge by behavioural, and statistical analytics, as well as, reputation pattern matching. The MOREAL core reasoning process is found on computations on graph and meta-graph models that are generated from any internal and external connection that can be logged. Alert In particular, graphs and meta-graphs are processed with algorithms that compute efficiently plausible threat paths with a likelihood scoring approach based on observations of the protected infrastucture and Security Intelligence in terms of IP reputation, malware, and traffic patterns. Crypteia Threat Intelligence & Management Service from PCCW Global delivers:

• A new layer of defence, complementing existing ones and maximizing value of network logs already generated & collected by your clients
• Non-intrusive and scalable cloud-based solution for rapid deployment
• Threat aggregation and behavioural analysis identifies threats in their infancy
• Real-time mitigation recommendations
• New visibility into existing security systems and hardware

Crypteia Threat Intelligence & Management Service enables your clients to achieve optimal security by:

• Utilizing advanced behavioural analytics and machine learning to help distinguish real threats from ones that cause non-productive, costly actions
• Generating actionable reports via a single intuitive dashboard
• Viewing network / security health and utilisation in real-time
• Leveraging a global threat database that uses Big Data Analytics and crowd sourcing to identify emerging threats
• Using advanced correlation engines for known and unknown threat identification, now penetrating and potentially already existing in your clients’ network
• Deploying enhanced security simply and quickly via a pure cloud solution, with an on-prem option available

MOREAL components ThreatDB ThreatDB is a platform that aims to collect and aggregate data from several different Threat Information Sources into a unique structure, similar to other commercial sharing platforms, such as IBM X-Force Exchange, Microsoft Interflow and HP Threat Central. It has as a main purpose to make security information easily accessible to any kind of Threat Intelligence System. In reality, it allows decision-making systems to focus on the security analysis, rather on the overkill of data normalization. That is a significant pre-processing step, which simplifies post-processing for all future consumers and it sets a good baseline towards real-time alerting. GraphIQ Extracting the most significant activity in a network with millions of transactions is a challenging task, but one that is critical in the process of analyzing behaviours, detecting issues and recognizing the most significant interactions in a monitored network. GraphIQ is a MOREAL component that aims to aid in this task, leveraging low-level and high-level information from other MOREAL ThreatIQ components. The most frequent IP flows and especially the ones “surprisingly” frequent, along with the flows exhibiting anomalies and threat events are extracted in a common format which is then utilized in other MOREAL components like the branch-level network graph. Anomaly detection Anomaly detection (AD) is a ThreatIQ component that detects suspicious behavior based on “deviations” from historical models of activity. The justification for using anomaly detection for inferring suspicious behavior is based on the observation that many malicious actions leave a footprint that significantly changes the typical behavior of an entity. For example, a malware may alter the observed traffic patterns when trying to propagate to other workstations or when communicating with C&C servers. When combined with input from other systems, significant evidence may be accumulated in order to raise security alerts for zero-day attacks or in order to provide a level of defense for customers not protected by other security measures. Behavioural clustering Behavioural Clustering is a ThreatIQ component that groups entities utilizing attributes such as proximity and similarity by behaviour (collection of MOREAL aggregated metrics) and extracts information from those groups about the severity of each entity based on security events associated with the group.