A SOC-specific user interface that supports analyst workflows and enhanced predictive threat intelligence capabilities are among the new features.

End-to-end network security and performance visibility vendor LiveAction has announced new security operations center (SOC) focused updates to its Network Detection and Response (NDR) platform, ThreatEye. In a press release, the firm stated that the platform features a new user interface (UI) designed to enhance the ability of SOC analysts to correlate findings and policy violations to track incidents.

The platform offers enhanced predictive threat intelligence capabilities that allow SOC analysts to identify and track domains and IP addresses that are not yet active but have been registered by threat actors and associated with malware campaigns. It also includes packet-based behavioral fingerprinting to identify behavior in encrypted traffic streams and host-based behavioral analysis, LiveAction added.

New SOC-specific UI designed to support analyst workflows

ThreatEye’s new UI has been designed to support SOC analyst workflows with integrated packet analysis insights, LiveAction stated, delivering an integrated approach to searching, collaborating, and alerting. Built by SOC analysts, the UI delivers enhanced collaboration across teams by auto-enriching and correlating disparate data sources, including geography, passive DNS, MITRE techniques, and threat intelligence, the firm added. “ThreatEye’s multi-stage pipeline analysis further layers on detailed findings, risk scores, and MITRE ATT&CK labeling,” according to LiveAction. Alan Freeland, SOC manager at DigitalXRAID, tells CSO that a good UI that supports deep packet inspection is a key component that allows SOC analysts and teams to identify and mitigate threats quicker and more effectively.
“By giving analysts this capability, you improve the chances of spotting major threats to the organization, such as ransomware and data leaks.”

Proactive threat intelligence a “great help” to the SOC function

As for the platform’s enhanced predictive threat intelligence features, LiveAction stated that ThreatEye now has the capability to identify and flag when a user is communicating with threat actor infrastructure before campaigns are known to be active. This includes revealing IPs and domains associated with threat actors before they are activated. Such proactive threat intelligence allows analysts to identify potential indicators of compromise before they become threats to an organization.

This is a growing area of “great help” to the SOC function, Freeland says. “By integrating these tools into an analyst’s workflow, it helps them to push through up-to-date threat intel data that allows clients to be prepared for attacks before they happen. Many of these tools can be integrated into automated workflows so that it does not require a user to update tooling with this information.” Elad Menahem, director, head of security research at Cato Networks, concurs. “Platforms that appropriately incorporate threat intelligence can ease the SOC’s work effort and reduce the analysis time significantly, as most of the common threats have observables already known in the wild,” he tells CSO.
In addition, classifying the source of encrypted traffic, e.g., using TLS attribute analysis so that analysts can correlate the source (client type) with the destination (IP/domain), helps them respond appropriately to incidents that originated from a browser versus from bots unknown to their network, which might indicate a new bot or suspicious application in the environment.

Behavioral fingerprinting uncovers activity via multiple information vectors

A third new feature added to ThreatEye is the platform’s “AI-powered” behavioral fingerprinting, which LiveAction said has been designed to uncover activity within encrypted connections by tracking multiple vectors of information, including producer-to-consumer ratios (PCRs) and sequence of packet length and time (SPLT). This session-based fingerprinting is coupled with host-based behavioral analysis to infer when a threat actor is active in an environment, the vendor added, while machine-learning-driven device discovery allows enterprises to identify devices that may be compromised.
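As an added illustration (not LiveAction's or ThreatEye's code), the two flow features the vendor names, PCR and SPLT, can be computed from per-packet metadata without decrypting anything; the sample flows, the 0.8 ratio cut-off, the 1 MB upload threshold and the triage labels are constructed assumptions for demonstration.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float       # seconds since flow start
    length: int     # payload bytes (TLS record bytes, still encrypted)
    outbound: bool  # True = client -> server

def pcr(pkts):
    """Producer-to-consumer ratio: (sent - recv) / (sent + recv), in [-1, 1].
    +1 means the client only produces data, -1 means it only consumes."""
    sent = sum(p.length for p in pkts if p.outbound)
    recv = sum(p.length for p in pkts if not p.outbound)
    total = sent + recv
    return 0.0 if total == 0 else (sent - recv) / total

def splt(pkts, n=10):
    """Sequence of packet lengths and times: first n packets as
    (signed length, inter-arrival ms); sign encodes direction."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    out, prev = [], (pkts[0].ts if pkts else 0.0)
    for p in pkts[:n]:
        signed = p.length if p.outbound else -p.length
        out.append((signed, round((p.ts - prev) * 1000, 1)))
        prev = p.ts
    return out

def assess(pkts, upload_bytes=1_000_000):
    """Assumed triage rule: flag upload-heavy flows that move a lot of data."""
    r = pcr(pkts)
    sent = sum(p.length for p in pkts if p.outbound)
    if r > 0.8 and sent >= upload_bytes:
        return "review: upload-heavy flow (possible exfiltration)"
    if r > 0.8:
        return "upload-heavy"
    if r < -0.8:
        return "download-heavy"
    return "balanced"

# Constructed sample flows (not captured traffic)
BROWSING = [Pkt(0.00, 517, True), Pkt(0.05, 80, True)] + \
           [Pkt(0.03 + i * 0.01, 1380, False) for i in range(5)]
EXFIL = [Pkt(i * 0.001, 1400, True) for i in range(800)] + \
        [Pkt(0.8 + i * 0.01, 60, False) for i in range(20)]
BEACON = [p for i in range(4)
          for p in (Pkt(i * 60.0, 200, True), Pkt(i * 60.0 + 0.05, 200, False))]

if __name__ == "__main__":
    for name, flow in (("browsing", BROWSING), ("exfil", EXFIL), ("beacon", BEACON)):
        print(f"{name:8s} pcr={pcr(flow):+.3f} {assess(flow)} splt={splt(flow, 4)}")
```

The beacon flow is balanced by PCR alone; its SPLT shows the regular 60 s spacing, which is why the vendor tracks both vectors rather than either one.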