Anomaly Detection for Today's Enterprise

The amount of data being generated on today's networks is daunting. Qato™ is a patented, proprietary anomaly detection engine that turns this massive flow of data from a burden into an advantage by letting you detect and visualize anomalies in your data over long periods of time, so that you can act on threats that may not be visible in real time. The cybersecurity and pharmaceutical compliance applications are described below.

U.S. Patent No. 9,866,578: SYSTEM AND METHOD FOR NETWORK INTRUSION DETECTION ANOMALY RISK SCORING


Benefits

  • Open, Scalable Architecture. Qato anomaly detection combines an open, scalable architecture with our intellectual property, so it can grow with a customer's needs over time and handle even the largest data loads. The data is not hidden in a black box, as some proprietary solutions require.
  • Flexible. Qato anomaly detection opens a new world of analytic possibilities. The data remains available for multiple analytics tools to access and build capabilities on for the customer.
  • Cost Effective. Qato's architecture provides real-time database capabilities, global event streaming, and scalable enterprise storage to power a new generation of Big Data applications. This approach delivers enterprise-grade security, reliability, and real-time performance while dramatically lowering both hardware and operational costs.
  • Path To The Future. Because Qato's anomaly detection architecture is built on Big Data technology, it can continually evolve to take advantage of the latest developments in this fast-moving area.

Qato anomaly detection is currently available as an on-premises offering.


Overview


Collect More Data

Almost every device on your network is constantly generating data that is relevant to your business, from the security of your network to potential user fraud. Most of that data is never looked at. Qato lets you collect vast amounts of data from multiple sources in one location and make it available for centralized analysis. To truly understand what is going on in your network, you must collect as much information as you can.


Store Data Longer

Data on your network is constantly growing. Network security sensors are usually focused on one facet of protecting a network and on a time frame of seconds to minutes. SIEMs collect data from multiple sensors and typically focus on time frames of minutes to hours to days. When you hear about network intrusions in the news, it is often the case that the attackers have been in the network for weeks, months, or longer. You need to store data for much longer to be able to analyze bigger trends and review what has happened on your network over longer periods of time. Qato's big data architecture allows you to store and evaluate that data over time. Recognizing fraud over time requires the same kind of pattern recognition.


Perform More Advanced Analytics

Qato's open, scalable architecture allows a multitude of processing and analytic techniques to be used with the data, including visualization, SQL queries, and custom programming. You are free to apply whichever analytic techniques make sense in your environment. Your data is not hidden deep inside a black box, so your only limitation is your imagination.



Architecture

Qato's design provides a scalable architecture for collecting as much relevant data as possible, both for the analysis that detects anomalous malicious behavior and for the more detailed analysis that follows once such behavior is detected. The cybersecurity implementation of the Qato anomaly detection engine, for example, focuses on collecting as much relevant network data as possible. The Qato solution collects logs from multiple sources (Windows Event Logs, Linux syslog, firewall, network monitoring, etc.), stores this data in its scalable, distributed backend, and then performs extract/transform/load (ETL) to convert the various data formats into a common format. Finally, an analysis capability allows analysts to detect anomalous behavior via a visualization front-end.

But that is just the start. In addition to traditional security-relevant data, Qato's design allows us to collect supporting data and use it to increase the accuracy of the information the system produces. For example, vulnerability scanning results can be loaded into the system and correlated with intrusion detection alerts. If a network-based intrusion detection system reports that a particular web server attack was launched against a target system, knowing whether the vulnerability scanner has already checked that server for that particular vulnerability, and what it found, is useful in raising or lowering the threat level assigned to the attack.

Once the data is in the common format, there are a variety of ways to process it. Analysts can query the data using SQL, and the Apache Spark API is also available, so developers can write analytics in multiple languages and are not tied to a proprietary scripting language that may be limiting.


Cybersecurity Implementation

The amount of data being generated on today's networks by system logs and security devices is daunting. Qato turns this massive flow of data from a burden into an advantage. Cybersecurity is one of our Nation's greatest priorities. Networks are constantly under attack, and these attacks are growing in volume and sophistication. Early detection of attacks is key if the proper responses are to be taken.

Qato empowers the network defender to achieve information dominance over the malicious attacker. 

Today’s networks have grown into vast enterprises consisting of thousands of devices running many operating systems and software packages. The constant flow of security patches and software upgrades is almost impossible to keep up with. The number of possible individual configurations of systems is nearly infinite. This gives a huge advantage to attackers. When attacking a network, they need only find one flaw among the millions of permutations of system variables. 

The network defender is better able to detect malicious activity by collecting more information both in volume and detail. However, this increased amount of data has historically ended up being a further vulnerability. A skillful attacker can not only rely on the odds that they will find a vulnerability, but also take advantage of the massive amount of data that defenders must sift through on a daily basis by hiding among it. Most detection systems are not able to scale to handle the full breadth of information available to the defender. This massive amount of data is further compounded by false positives and obscure meanings that end up overwhelming the defender.

In an ideal situation, the defender would have the following key advantages:

  • The defender should know the normal operations and flows in their network better than an adversary. 
  • The defender can collect information about what is going on in their network to a great level of detail. 
  • The defender should be able to lay traps that appear safe but that only an adversary on their particular network would fall into.
  • False alarms should be overcome by an aggregate method, whereby multiple suspicious activities are detected from multiple sources before the operator is alerted.

The data needed for these advantages is available, but it has not been technologically practical to take full advantage of it because of the massive amount of data that must be processed on a continual basis. Qato is a game changer.

The Solution

It is very challenging to remotely attack a network without generating network traffic and leaving some trace, but it is also very difficult for the network defender to find the needle in the haystack that is that trace and to correlate all the traces into the realization that something malicious is going on. The Qato anomaly detection solution collects operating system logs, firewall logs, intrusion detection logs, network logs, and other security-relevant information, and combines them with supporting information such as vulnerability scan results and port scan results. This lets the defender much more easily perform tasks such as identifying the new network connections that appear on the network each day, or identifying programs run on Windows desktops that have never been seen before. Results like these let the defender focus on the early signs of anomalous behavior on the network. The false positives inherent in any one detection method are mitigated by combining the results of all detection methods to highlight the entities that are doing multiple "bad" things. Attempts to hide reconnaissance by acting slowly over long periods of time become easier to detect. Beyond these examples, new analytic techniques will be discovered and made possible by the greater ability to store and process the vast amounts of data available to the defender today. The problem then shifts from drowning in data to finding more sources of data to cross-correlate with.

Our Qato anomaly detection solution uses recent advances in Big Data technology to put these advantages within reach. Instead of collecting less data in order to look at as much of it as possible, Qato collects as much data as possible and runs analytics that reduce what the analyst has to look at to as little as possible until a threat is detected. Then, upon detection, the analyst has a vast amount of data to dive into.

Imagine logging the metadata for every network connection on a network, including source address, destination address, source port, and destination port, every day over long periods of time. Numerous opportunities arise for the defender who can both store and process this information. For example, it would be helpful to process a day's worth of connections and highlight any connection from an internal host to an external host that has never been seen before. People and systems tend to be creatures of habit; given enough time, a large percentage of connections will be repeated, so being able to easily identify "new" activity that has not been seen before is very useful. The same data can also be used to build profiles of what is "normal" for a large number of systems and then highlight any deviation from those profiles.

There is no one “magic bullet” for detecting malicious behavior. However, our experience has shown that, while any one technique may provide false positives, it is rare for multiple monitoring techniques and/or algorithms to start alerting for a particular entity at the same time. Therefore, looking for cumulative patterns causes truly suspicious behavior to bubble to the top.
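The new-connection detection, vulnerability-scan correlation of IDS alerts, and cumulative per-entity scoring described above, as one added Python example. This is not Qato's code and is not part of the original page; the records, addresses (RFC 5737 documentation ranges), signature names, detector weights and alert threshold are all constructed, and the ETL into a common format is assumed to have already happened.

```python
"""Added example, not Qato's code: per-host risk scoring over constructed logs.

Three of the techniques described above run on sample records that are assumed
to already be in a common format:
  1. connections never seen in a multi-day baseline (internal -> external only)
  2. IDS alerts weighted by whether a vulnerability scan found the target exposed
  3. programs run on a host that were never seen on that host before
Evidence from all three is summed per host, and a host is reported only when
more than one independent detector contributed, which is what suppresses the
false positives any single method produces on its own.
"""
from collections import defaultdict

# --- constructed sample data (RFC 5737 documentation addresses, not real logs) ---
BASELINE_DAYS = [  # (src, dst, dport) tuples observed on each prior day
    {("10.0.0.5", "192.0.2.10", 443), ("10.0.0.5", "10.0.0.1", 53), ("10.0.0.7", "10.0.0.1", 53)},
    {("10.0.0.5", "192.0.2.10", 443), ("10.0.0.7", "10.0.0.1", 53), ("10.0.0.7", "192.0.2.10", 443)},
]
TODAY_CONNECTIONS = [
    ("10.0.0.5", "192.0.2.10", 443),      # repeated: creature of habit
    ("10.0.0.5", "10.0.0.1", 53),
    ("10.0.0.9", "198.51.100.20", 4444),  # internal host to a never-seen external host/port
    ("10.0.0.7", "10.0.0.1", 53),
]
IDS_ALERTS = [  # network IDS: attacker src, target dst, signature name (constructed)
    {"src": "198.51.100.20", "dst": "10.0.0.9", "signature": "web-app-exploit-attempt"},
    {"src": "203.0.113.8", "dst": "10.0.0.30", "signature": "web-app-exploit-attempt"},
]
# vulnerability scan results: host -> signatures the scanner found it exposed to
VULN_SCAN = {"10.0.0.9": {"web-app-exploit-attempt"}, "10.0.0.30": set()}
PROCESS_EVENTS = [{"host": "10.0.0.9", "image": "powershell.exe"},
                  {"host": "10.0.0.5", "image": "outlook.exe"}]
KNOWN_PROCESSES = {"10.0.0.9": {"explorer.exe", "outlook.exe"},
                   "10.0.0.5": {"explorer.exe", "outlook.exe"}}

DETECTOR_WEIGHTS = {"new_connection": 3, "new_process": 2}  # hypothetical tuning


def is_internal(ip):
    return ip.startswith("10.")


def new_connections(baseline_days, today):
    """Today's internal->external connections absent from every baseline day."""
    seen = set().union(*baseline_days) if baseline_days else set()
    return sorted({c for c in today
                   if c not in seen and is_internal(c[0]) and not is_internal(c[1])})


def score_ids_alerts(alerts, vuln_scan):
    """Weight each IDS alert by what the scanner already knows about the target."""
    scored = []
    for a in alerts:
        findings = vuln_scan.get(a["dst"])
        if findings is None:
            weight = 2   # never scanned: exposure unknown, keep it
        elif a["signature"] in findings:
            weight = 5   # scanner confirms the target is exposed: raise it
        else:
            weight = 1   # scanned and not vulnerable: probably noise, lower it
        scored.append((a["dst"], a["signature"], weight))
    return scored


def new_processes(events, known):
    """Program images executed on a host that its history does not contain."""
    return [(e["host"], e["image"]) for e in events
            if e["image"] not in known.get(e["host"], set())]


def aggregate_risk(baseline_days, today, alerts, vuln_scan, events, known):
    """Sum every detector's evidence per host, keeping the reasons for review."""
    risk = defaultdict(lambda: {"score": 0, "reasons": []})
    for src, dst, dport in new_connections(baseline_days, today):
        risk[src]["score"] += DETECTOR_WEIGHTS["new_connection"]
        risk[src]["reasons"].append(("new_connection", f"{dst}:{dport}"))
    for host, sig, weight in score_ids_alerts(alerts, vuln_scan):
        risk[host]["score"] += weight
        risk[host]["reasons"].append(("ids", sig))
    for host, image in new_processes(events, known):
        risk[host]["score"] += DETECTOR_WEIGHTS["new_process"]
        risk[host]["reasons"].append(("new_process", image))
    return dict(risk)


def hosts_to_alert(risk, threshold=6, min_detectors=2):
    """Alert only when the score is high AND more than one detector contributed."""
    return sorted(host for host, r in risk.items()
                  if r["score"] >= threshold
                  and len({det for det, _ in r["reasons"]}) >= min_detectors)


if __name__ == "__main__":
    risk = aggregate_risk(BASELINE_DAYS, TODAY_CONNECTIONS, IDS_ALERTS,
                          VULN_SCAN, PROCESS_EVENTS, KNOWN_PROCESSES)
    for host in hosts_to_alert(risk):
        print(host, risk[host])
```

On this data only 10.0.0.9 is reported: a never-seen outbound connection, an IDS alert that the scan results confirm it is exposed to, and a program it has never run before all line up on the same host. 10.0.0.30 receives the same IDS signature but was scanned and found not vulnerable, so that alert is down-weighted and, with no second detector agreeing, it never reaches the analyst.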

A cybersecurity use case demo featuring Qlik and AlphaSix QATO is available under the title "The Key to Cybersecurity - Data Analytics".


Pharmaceutical Compliance Implementation

The diversion of pharmaceutical controlled substances from the drug supply chain and healthcare delivery system puts the public at risk, strains government resources, and places increased pressure on law enforcement and regulatory agencies to proactively identify and prevent the transfer of drugs from legitimate commerce into the illicit marketplace. Regulatory compliance plays an important role in ensuring that businesses have established a secure and accountable system of distribution and dispensing that should prevent diversion at all levels of the pharmaceutical supply chain. Accurate accounting of controlled substances, and the preparation and maintenance of transaction data, is the foundation of a secure distribution system. Proactive review of transaction data, combined with customer due diligence by regulated entities, can identify potential weaknesses and anomalies within the supply chain that can be addressed before large-scale diversion occurs. Where available, this same transaction data can be used by regulatory and law enforcement agencies to ensure compliance and to assist in the inspection and investigation of regulated entities involved in the manufacture, distribution and dispensing of controlled substances. Controlled substance transaction data gives state regulators and law enforcement agencies a complete picture of the controlled substances entering their jurisdiction, of ordering patterns, and of potential areas of concern. This massive amount of data can be harnessed and integrated with other data systems to provide an effective regulatory and law enforcement tool for identifying potential pharmaceutical controlled substance diversion.

Pharmaceutical manufacturers, wholesalers and distributors are required by statute to make periodic reports to the Federal government concerning certain downstream controlled substance transactions.  The data is collected and housed in the Drug Enforcement Administration (DEA) Automation of Reports and Consolidated Orders System (ARCOS) and is utilized to identify purchase anomalies, trends and changes of controlled substance distribution patterns in the United States.  

Some states have the legal authorization to collect ARCOS-like transaction data from regulated entities that distribute within their respective jurisdictions. However, a secure big data IT system with transaction-specific analytics capabilities is either not available to them or not cost effective, so the data is either not used at all or not analyzed in the most efficient or effective manner.

The Solution

The Qato anomaly detection solution provides a scalable big data system that can securely maintain data in a format that allows inspectors/investigators to search for data anomalies, as well as providing manual search functions for specifically tailored data analytics requests. Pharmacy board inspectors/investigators, for example, can use it to identify suspicious transactions based on orders of unusual size, orders deviating substantially from a normal pattern, and orders of unusual frequency, and then schedule pharmacy inspections based on that information. Additionally, the use of downstream controlled substance transaction data can:

  • Enable investigators, depending on the data fed into the system, to compare downstream transaction data with actual pharmacy output using prescription drug monitoring program (PDMP) data
  • Provide regulators/investigators with a means to identify areas of the state that have concentrated distribution levels of a particular controlled substance, to identify potential geographic areas of concern
  • Help regulators/inspectors identify downstream customers who purchase small quantities from various distributors to avoid detection
  • Give inspectors the ability to review a pharmacy's controlled substance purchases before they inspect it, and to verify that the purchase information provided to the inspectors matches the system information
  • Provide regulators/investigators with data on controlled substance sales to physicians' offices, which often do not report to the PDMP
  • Provide data that is not HIPAA restricted and contains no patient information. States that do not allow law enforcement or regulator access to PDMP information will then have a tool that can assist in identifying diversion.
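The three suspicious-order criteria named above (unusual size, deviation from the normal pattern, unusual frequency), together with the cross-distributor check for customers who split small purchases across several sellers, as one added Python example. This is not Qato's code and not part of the original page: the rows, names, quantities, the z-score rule and its thresholds are all constructed, and the data is assumed to be already in a common format.

```python
"""Added example, not Qato's code: suspicious-order monitoring on constructed data.

Each row is one downstream sale of a controlled substance from a distributor to
a pharmacy, in dosage units, after ETL into a common format. Orders for the
same customer and drug are pooled across ALL distributors before the current
month is compared with that customer's own history. That pooling is what makes
small orders spread over several distributors visible: each distributor's own
view of the same customer looks perfectly normal. Names, the drug label,
quantities, the z-score rule and the thresholds are constructed, not Qato's.
"""
from collections import defaultdict
from statistics import mean, pstdev

ORDERS = [  # (month, distributor, customer, drug, units) -- constructed rows
    ("2023-01", "DistA", "Pharm1", "drugA", 1000),
    ("2023-02", "DistA", "Pharm1", "drugA", 1100),
    ("2023-03", "DistA", "Pharm1", "drugA", 900),
    ("2023-04", "DistA", "Pharm1", "drugA", 1000),
    ("2023-05", "DistA", "Pharm1", "drugA", 4500),  # order of unusual size
    ("2023-01", "DistA", "Pharm2", "drugA", 500),
    ("2023-02", "DistA", "Pharm2", "drugA", 500),
    ("2023-03", "DistA", "Pharm2", "drugA", 500),
    ("2023-04", "DistA", "Pharm2", "drugA", 500),
    ("2023-05", "DistA", "Pharm2", "drugA", 500),   # DistA alone still sees 500/month...
    ("2023-05", "DistB", "Pharm2", "drugA", 500),
    ("2023-05", "DistC", "Pharm2", "drugA", 500),
    ("2023-05", "DistD", "Pharm2", "drugA", 500),   # ...pooled: 2000 units from four sources
    ("2023-05", "DistA", "Pharm3", "drugA", 400),   # no history: nothing to compare against
]


def pool_by_month(orders):
    """(customer, drug) -> month -> {units, orders, distributors}, across all sellers."""
    pooled = defaultdict(lambda: defaultdict(
        lambda: {"units": 0, "orders": 0, "distributors": set()}))
    for month, distributor, customer, drug, units in orders:
        cell = pooled[(customer, drug)][month]
        cell["units"] += units
        cell["orders"] += 1
        cell["distributors"].add(distributor)
    return pooled


def flag_suspicious(orders, month, z=3.0, min_history=3, min_sources=3):
    """Flag (customer, drug) pairs whose pooled activity in `month` is unusual.

    size:      pooled units exceed the customer's own baseline mean by z standard
               deviations; a 10% floor on the deviation keeps a perfectly flat
               history from turning every tiny change into a flag
    frequency: more than twice the customer's usual number of orders per month
    sources:   at least min_sources distributors selling to them in the same month
    Returns sorted (customer, drug, units_this_month, [reasons]) tuples.
    """
    flags = []
    for (customer, drug), by_month in pool_by_month(orders).items():
        current = by_month.get(month)
        if current is None:
            continue
        history = [c for m, c in by_month.items() if m < month]  # "YYYY-MM" sorts lexically
        reasons = []
        if len(history) >= min_history:
            units = [h["units"] for h in history]
            mu, sd = mean(units), pstdev(units)
            if current["units"] > mu + z * max(sd, 0.1 * mu):
                reasons.append(f"unusual size: {current['units']} vs baseline {mu:.0f}")
            usual_orders = mean([h["orders"] for h in history])
            if current["orders"] > 2 * usual_orders:
                reasons.append(f"unusual frequency: {current['orders']} orders vs {usual_orders:.1f}")
        if len(current["distributors"]) >= min_sources:
            reasons.append(f"{len(current['distributors'])} distributors in one month")
        if reasons:
            flags.append((customer, drug, current["units"], reasons))
    return sorted(flags)


if __name__ == "__main__":
    for customer, drug, units, reasons in flag_suspicious(ORDERS, "2023-05"):
        print(customer, drug, units, "; ".join(reasons))
```

Run on the pooled rows, Pharm1 is flagged for a single oversized order and Pharm2 for all three reasons at once. Run on DistA's rows alone, only Pharm1 is flagged: Pharm2's steady 500 units a month looks normal to every individual distributor, which is exactly the pattern the cross-distributor bullet above describes.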

Interested in learning more about our Qato anomaly detection solution?

Contact our sales team and we'll get started planning your implementation today.