Sheriff Cyber Security
What is Sheriff?
The Sheriff software’s protection is always ready for a showdown.
Sheriff Comprehensive Security Manager (CSM) is a program that provides a host of tools that work together to keep your network secure from cyber security threats. Sheriff provides network and host intrusion detection, asset discovery and management, vulnerability assessment, security intelligence and event management (SIEM), network and host intrusion detection, endpoint detection and response (EDR), flow and packet capture, and file integrity monitoring (FIM), as well as centralized configuration and management.
Advanced Threat and Intrusion Detection
When they mess with the Sheriff, they get the spurs.
Sheriff’s Comprehensive Security Manager™ (CSM) provides you complete security visibility by delivering three types of intrusion detection system (IDS) software, combined with all of the essential security tools built in and continuous threat intelligence updates from Sheriff.
Full threat context and step-by-step response guidance for attacks
Real-time insights from OTX™ based on crowd-sourced info on known malicious hosts
Asset discovery, vulnerability assessment, IDS, SIEM, and netflow analysis in one console
Deploys and provides insights in less than an hour
Stays current with continuous updates including new rule sets, signatures, reports, and more
Catch Threats Anywhere within Your Network
Attackers can be amazingly resourceful and persistent, changing tactics often to bypass IT security countermeasures. They have a clear advantage; they choose when to attack, how to attack, and are capable of surprising any prevention technology deployed. As a result, constant monitoring is required to detect and remediate malware.
With our Comprehensive Security Management (CSM) and Threat Intelligence with Open Threat Exchange (OTX), you have a fighting chance against attackers. CSM provides a single console where you have visibility to assets and vulnerabilities, alarms on potential incidents, visibility to known external threats and forensics to investigate incidents after-the-fact.
Crowd-Sourced Threat Intelligence
OTX is tightly integrated with Sheriff’s CSM to provide the full picture of activity on your network threat intelligence from outside of you network. CSM uses this information to help you prioritize risk and focus your resources better, by correlating known malicious IPs with activities on network components such as firewalls, proxies, web servers, anti-virus systems, and intrusion detection systems. Malware can also be detected in transit over the network (as it is downloaded and installed onto a compromised host), or when it communicates back to its command and control servers. OTX integration is very helpful in identifying known malicious hosts acting as command and control servers.
Known and Unknown Malware Detection
Our built-in security tools and network monitoring capabilities provide visibility to exploits that unintegrated security tools won’t catch. Whereas static “signature-based” anti-malware software used to be effective, this is not the case with polymorphic malware. Polymorphic malware is destructive software, such as a Trojan, virus, work or spyware that constantly changes. In addition, Zero-day malware is often only detected by noticing strange behavior on the network – making CSM’s built in network and behavioral analysis critical.
Threat to Everyone
Small and medium businesses are very attractive targets, typically lacking security-proficient IT staff and typically not having budget for purchasing IT security countermeasures from traditional security vendors. According to Gartner, in 2012 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2013 was businesses with fewer than 250 employees; 31% of all attacks targeted them. CSM is an optimal product from small and medium businesses, since it’s affordable and includes all the security tools needed, built-in and integrated.
Web-Based Attack Detection
CSM is particularly effective with Web-based attacks, such as SQL Injection and Cross-site scripting. SQL Injection exploits are used to extract sensitive information from websites. Dynamic web applications with SQL backends are likely to be vulnerable to this attack. Cross-site scripting allows attackers to manipulate web sites that they do not own. The purpose of the exploit is to compromise the user’s local system to install malware or get information (such as hijacked cookies) so they can impersonate the user on another web site. CSM continuously monitors for SQL Injection and Cross-Site scripting exploits.
Comprehensive Security Management
In order to address today’s rapidly changing threat landscape, you need unified and integrated security management. Our CSM delivers a complete view into the security of your environment by combining SIEM and intrusion detection software with automated asset discovery, vulnerability information, netflow analysis, log management and visibility to known malicious hosts. These integrated security tools help reduce the “noise” that you can experience with your security tools by correlating information from diverse sources, determining which threats are legitimate and providing actionable information to remediate threats.
Tuned Event Correlation
Full Threat Context
Reduced False Positives
Threat Intelligence Collaboration
Daily Malware Analysis
Full Packet Capture
Continually Updated Signatures
Attacker Profile Analysis
Low Administrative Overhead
Honeypot Deployment and Analysis
Find The Cause Faster Than Ever
Instantly know the who, what, where, when, and how of attacks – no matter where they originate.
In terms of remediation, Sheriff CSM can notify people via email, open a ticket in the built-in ticketing system, or integration with an external help desk / ticketing system. It can also be configured to execute a script to take automated and custom actions, based on your environment. CSM’s built-in software ticketing system creates trouble tickets from vulnerability scans and alarms. These tickets specify who owns the remediation, the status and descriptive information. The tickets also provide a historical record of issues handled, as well as the capability to transfer tickets, assign them to others and push work to other groups.
Sheriff Threat Intelligence applies more than 100 category-based correlation rules against the raw event log data we collect, as well as the events triggered by our built-in intrusion detection software. This enables rapid, accurate, and actionable guidance that interprets the severity of the exposure based on the full threat context.
Sheriff CSM includes several different security monitoring technologies to gather information on a variety of threat vectors and because we have access to everything you need to know about an asset you can get to root cause faster than ever.
Step-By-Step Investigation Instructions
We provide specific, contextual guidance on what to do when an alarm is triggered, so you can contain and investigate the incident quickly.
Asset Discovery and Management
Always keep an eye on your chickens.
Discover All Assets Within Minutes
We believe that IT security analysts have enough to worry about and more than enough work to do. We want to help take away any concern of what is on your network.
Within minutes of installing our system, you’ll be able to discover all of the IP-enabled devices on your network, what software is installed on them, how they’re configured, any potential vulnerabilities and active threats being executed against them almost instantly.
What devices are on my network?
What are users doing?
Are there known attackers trying to interact with my network?
Are there active threats in my network?
What vulnerabilities exist in my network?
Know What’s On Your Network
Be aware of what’s on your network and how your devices are configured with our automated asset platform that provides you with information about what is on your network. Sheriff’s platform combines three core discovery and inventory technologies to give the security analyst full visibility into the devices that show up on their network.
Active Network Scanning
Gently probe the network to coax responses from devices. These responses provide clues that help identify the device, the OS, running services, and the software installed on it. It can often identify the software vendor and version without having to send any credentials to the host.
Installation of a lightweight, host-based agent provides an additional, more granular level of visibility. By enumerating all the software installed on the machine, the agent greatly extends, deepens, and enhances your understanding of the devices on your network, resulting in a much more dynamic and accurate inventory.
Passive Network Monitoring
Highlights hosts on the network and their installed software packages. Information collected includes:
TCP/IP traffic analysis for OS fingerprinting and basic network topography
IP header analysis to identify operating systems and running software packages
IP and hardware MAC address pairings for inventory and detecting MAC spoofing
Never run your business with your trousers down.
Find, Verify, and Remove Vulnerabilities
With network vulnerability assessment, you can find the weak spots in your critical assets and take corrective action before attackers exploit them to sabotage your business or steal your confidential data.
Constant application updates and changes to application and system configurations can introduce vulnerabilities and leave you susceptible to an attack, even if you are keeping your security controls up to date. To keep your data secure, you must continuously scan your systems and devices to detect vulnerabilities as they arise.
Complete security visibility and threat detection
Scan and monitor for new vulnerabilities continuously
Detect the latest threats with continuous threat intelligence
Built-in vulnerability assessment capabilities
Get Immediate Results
Start using within 24 hours.
Actionable Threat Intelligence
See prioritized threats, detailed context, and remediation guidance.
Auto-Discover Asset Information
Collect device, software, config, vulnerability, and active threat data.
Find, Prioritize, And Fix Security Risks
Vulnerability assessment starts with Asset Discovery, which helps you target the vulnerability scan. You can granularly define the vulnerability scan to specific network segments and assets of interest. Scans can be either done ad-hoc or scheduled on regular intervals. With the number of vulnerabilities discovered rising, and difficulties in keeping up with patches and security updates, it is important to prioritize your remediation efforts. Sheriff CSM can report on scanning results regularly to management to assist in prioritizing remediation. CSM includes built-in vulnerability assessment, and filters through the noise of false positives and vulnerabilities that of lesser importance and allows you to focus on risks that truly matter to your business.
Finding, verifying, and fixing vulnerabilities is a constant battle for IT. Sheriff CSM helps by providing not only vulnerability scanning and assessment, but also details about the vulnerabilities. Having the view to external threat information, such as information on known malicious IPs provided with Open Threat Exchange™ is helpful in prioritizing remediation. In addition, Sheriff’s CSM integrated Host and Network IDS and SIEM provide rich contextual information to help with incident response.
Security Incident Response
As a security incident unfolds, you will be able to run vulnerability scans on-the-fly to help determine if you are vulnerable for exploits occurring. You will also be able to see the last scan results across your assets, to assist in incident response. You can see vulnerability and asset information conveniently display in a single console with CSM.
Scanning and Reporting
CSM allows you to schedule vulnerability scans on a flexible basis, such as hourly, weekly or monthly. In addition, you can scan more important network segments or groups more regularly. CSM also provides flexible reporting, which can be done ad-hoc, or on a scheduled basis to be sent to email addresses you specify.
Understand Your Network
CSM provides auto-discovered detailed asset information to help you with this work. Vulnerability scans, at a minimum, should be focused on externally-accessible assets that are of value to your business.
Real-time security intelligence from the outlaw experts.
Security analysts are a lot like detectives. During security incidents and investigations, they need to get to “whodunit” as quickly as possible. This is complicated, especially when mountains of security-relevant data are constantly
being produced. Context is key: one piece of information by itself may mean nothing, but then again, it may become a very important piece of a larger puzzle.
Security intelligence is an essential part of putting that puzzle together. By automating the correlation of real-time events identified through built-in essential security, Sheriff Comprehensive Security Management™ (CSM™) platform provides the security analyst with all of the puzzle pieces in one single view.
Dynamic Incident Response Guidance
Being a security analyst isn’t easy. You don’t have all day to research new exploits. But it turns out Sheriff is a team dedicated to doing just that. In addition, there are often so many items to respond to, it’s hard to know what
to do next. Sheriff’s dynamic incident response guidance and it’s vigilance in discovering new malicious hosts and exploits can help you.
For each alarm that is generated by the Sheriff’s CSM event correlation engine, customized step-by-step instructions are listed in our console. By providing contextually relevant workflow-driven response procedures, analysts know exactly what to do next. The Sheriff research team has curated these how-to-respond instructions based on rich CSIRT experience, as well as our own threat intelligence.
For example, an alert might identify that a host on your internal network is attempting to connect to a malicious external host. The dynamic incident response guidance would include details about:
The external host and what exploits it has executed in the past
The internal host such as owner, network segment, and software that is installed
The network protocol in use and specific risks associated with it
The importance of identifying potential C&C (command and control) traffic
Specific actions to take for further investigation and threat containment, and why you should take them
Security Intelligence In Action
To demonstrate the power of Sheriff’s comprehensive security intelligence, consider the following example:
A port scan is detected by your firewall
The source address of the scan is correlated with the destination address of an SSH session from an internal host. A lookup in CSM’s asset inventory automatically identifies the risk profile of the internal host – the host is critical to business operations creating a critical security incident
The compromised host is then scanned for other vulnerabilities from within CSM and it is found to be missing a critical security patch
The compromised host is patched and returned to service
A complete forensic analysis for the past 30 days is run for the compromised host to determine if additional corrective action is required
Understand your network and identify intruders.
As soon as our Comprehensive Security Management™ (CSM) platform is installed, the behavioral monitoring functionality starts gathering data to help you understand “normal” system and network activity. Using the built-in network behavior
monitoring you can simplify the incident response when investigating an operational issue or potential security incident. And because CSM combines network behavioral analysis with service availability monitoring, you’ll have a full
picture of system, service, and network anomalies.
Preventative security measures are often unsuccessful, with new polymorphic malware, and zero day exploits. Therefore it’s important to be on the watch for intruders. Context is critical when evaluating system and network behavior. For example, an abundance of Skype traffic in the network used by your inside sales team is probably a normal part of operations. However, if the database server that houses your customer list suddenly shows a burst of Skype traffic something is likely wrong.
Network Behavioral Analysis
When it comes to identifying threats in your environment, the best approach is a multi-layered one. Intrusion detection systems (network, host-based, and wireless IDS) identify known threats, and network behavior analysis can help you identify anomalies and other patterns that signal new, and unknown threats.
With Sheriff’s Comprehensive Security Management platform, you can achieve complete and multi-layered security. Sheriff CSM provides the fusion of essential security capabilities required for reliable threat detection – fueling your incident response program and helping you meet various compliance requirements. By using a single comprehensive console, the security analyst can break down security silos for a more seamless workflow.
Specifically, the behavioral monitoring capabilities built into Sheriff CSM provide this core functionality with the following techniques:
Service & Infrastructure Monitoring
Provides continuous monitoring of services run by particular systems. On a periodic basis, or on demand, the device is probed to confirm that the service is still running and available. This lightweight, continuous monitoring will detect unexpected service outages throughout your critical infrastructure.
Network Protocol Analysis
Allows security analysts to perform full protocol analysis on network traffic enabling a full replay of the events that occurred during a potential breach. This level of network monitoring can be used to pinpoint the exploit method used or to determine what specific data was exfiltrated.
Network Flow Analysis
Performs network behavior analysis without needing the storage capacity required for full packet capture. Network flow analysis provides the high-level trends related to what protocols are used, which hosts use the protocol, and the bandwidth usage. This information can then be accessed in the same interface as the asset inventory and alarm data to simplify incident response.
Long-Term Log Retention and Reporting
Never forget who tried to poison your waterhole… or put a snake in your boot.
These premium features are only available with the full Sheriff software package. If you have log compliance requirements, then the full Sheriff software is for you.
Long-term log retention and reporting is a feature exclusive to Sheriff’s full version. It provides a comprehensive historical database of all activity that has occurred on your network.
Long-Term Log Retention
Sheriff provides users with logs to keep track of all of the activity that occurs on their network. The full version of Sheriff provides a full history of all of the activity that has occurred.
Allows users to create reports based on criteria that they enter, such as alarms, over a given period of time. The full version of Sheriff provides this information on an unlimited basis.