HAWKEYE - How it works
HawkEye uses five primary function modules at the core of its threat detection engine; these modules are tuned by experts for each deployment scenario. Here is a breakdown of each module and its function.
- Traffic anomaly engine - detects DDoS floods, botnet communications (BotComs), unauthorised proxies and peer-to-peer (P2P) policy violations
- Managed intrusion detection - detects attacks on systems and applications using rules customized to each deployment
- Malware detection engine - detects worms, malware and advanced persistent threats (APTs)
- Threat intelligence - shortens detection time by using external threat awareness
- Event correlation - qualifies attackers observed across multiple locations and gives measurable results
HawkEye improves the visibility of your network and detects threats accurately in the shortest possible time window.
A good SIEM / threat management system must be flexible: it should integrate and operate seamlessly with the existing infrastructure. HawkEye offers its customers simplicity of design.
HawkEye takes a non-intrusive approach to security: it requires no downtime and adds no latency to the network. HawkEye can integrate with everything from network devices to applications. It scales across a customer's global locations while still providing real-time visibility through a single window.
HawkEye sends instant notifications for threats and escalates events that need further investigation. HawkEye provides training (included in the service) to customers for setting up a threat response center. The primary roles of this center are to:
- Monitor threats on the HawkEye Attack Resolution Desk (CARD Console)
- Analyse threats escalated by HawkEye
- Respond to and contain the threat
HawkEye uses cutting-edge algorithms and the power of the cloud to actively detect and respond to attacks on your IT infrastructure. It implements advanced correlation rules and detection mechanisms, coupled with a global intelligence network, to deliver top-notch security presented in an intuitive dashboard. We bring everything you need to detect attacks; all of it is installed, configured and monitored by us round the clock.
The Umbrella Network (UNET)
The UNET is a global facility used by HawkEye to deliver real-time threat intelligence to its customers. It aggregates intelligence from two networks, the HawkEye customer network and the partner network, and is built as a set of global presence points called Points-of-Presence (POPs).
- Each POP has a correlation management and intelligence processing facility
- All POPs are directly controlled by the HawkEye team at Cyber Alpha Security
- Customization for each customer is performed centrally from the HawkEye Threat Center
Intrusion Detection Device (IDD)
The IDD is the primary alerting component (the "whistle-blower") of the HawkEye service; it uses multiple technologies to detect attacks in real time. Each IDD is customized to the needs of the network and is monitored using correlation rules unique to that deployment, pushed out by the HawkEye Threat Center. Detection modules in the IDD are updated continuously to keep up with the changing threat landscape.
- The IDD combines industry-standard and proprietary technologies that detect attacks
- It houses a traffic anomaly engine for detecting floods
- It also includes a collaborative worm detection engine to detect outbreaks
Network Aggregator (NAG)
The NAG is a local event collection and analysis engine responsible for executing the correlation logic on the accumulated data. The NAG keeps the data collected by HawkEye within the customer's network perimeter: raw events are processed locally, while the NAG maintains a constant connection to the UNET, which supplies real-time threat intelligence for accurate decision making.
- The NAG collects event logs from various sources and processes them locally
- It pulls correlation strategies from the UNET
- It applies those strategies to the current event stream to develop local intelligence and trends
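As an added illustration of the local correlation that the NAG and event-correlation descriptions imply (this is example code written for this page, not HawkEye's or Cyber Alpha Security's software), the following Python script ingests constructed SSH log lines from several sites, applies two hypothetical correlation strategies (a cross-site brute-force rule, which qualifies an attacker seen at more than one location, and a single-host rule), enriches hits with a constructed indicator set standing in for an intelligence feed pulled from the UNET, and returns the events that would be escalated. The log format, rule names and thresholds, indicator values and all host and site names are assumptions.

```python
"""Added example (not HawkEye's code): a minimal local correlation engine."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp site host message" format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z london  web01  sshd: Failed password for root from 203.0.113.7 port 51122
2024-05-01T10:00:05Z london  web01  sshd: Failed password for root from 203.0.113.7 port 51130
2024-05-01T10:01:10Z sydney  db02   sshd: Failed password for admin from 203.0.113.7 port 44011
2024-05-01T10:02:00Z sydney  db02   sshd: Failed password for admin from 203.0.113.7 port 44020
2024-05-01T10:02:30Z toronto app03  sshd: Failed password for root from 203.0.113.7 port 39001
2024-05-01T10:03:00Z london  web01  sshd: Accepted password for ops from 198.51.100.20 port 50000
2024-05-01T10:04:00Z toronto app03  sshd: Failed password for guest from 192.0.2.9 port 60000
2024-05-01T10:04:10Z toronto app03  sshd: Failed password for guest from 192.0.2.9 port 60001
2024-05-01T10:04:20Z toronto app03  sshd: Failed password for guest from 192.0.2.9 port 60002
2024-05-01T10:04:30Z toronto app03  sshd: Failed password for guest from 192.0.2.9 port 60003
2024-05-01T10:04:40Z toronto app03  sshd: Failed password for guest from 192.0.2.9 port 60004
"""

# Constructed indicator set standing in for a threat-intelligence feed.
THREAT_INTEL = {"203.0.113.7": "known brute-force source"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<site>\S+)\s+(?P<host>\S+)\s+sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass
class Event:
    ts: datetime
    site: str
    host: str
    result: str
    user: str
    src: str


@dataclass
class Strategy:
    """A correlation strategy of the kind a NAG would pull from a central feed."""
    name: str
    min_failures: int   # failed logins from one source needed to fire
    min_sites: int      # distinct locations those failures must span
    window: timedelta   # time window the failures must fall within


def parse_logs(text):
    """Parse the assumed log format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["site"], m["host"], m["result"], m["user"], m["src"]))
    return events


def correlate(events, strategy, intel):
    """Group failed logins by source, slide the window over them, and escalate
    any source meeting the count and site thresholds, enriched with intel."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "Failed":
            failures[ev.src].append(ev)
    escalations = []
    for src, evs in failures.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= strategy.window]
            sites = {e.site for e in in_window}
            if len(in_window) >= strategy.min_failures and len(sites) >= strategy.min_sites:
                escalations.append({
                    "rule": strategy.name,
                    "src": src,
                    "failures": len(in_window),
                    "sites": sorted(sites),
                    "first_seen": start.ts.isoformat(),
                    "intel": intel.get(src),
                    # A source already known to the feed is escalated at higher severity.
                    "severity": "high" if src in intel else "medium",
                })
                break  # one escalation per source per strategy
    return escalations


def run_example():
    events = parse_logs(SAMPLE_LOGS)
    strategies = [
        Strategy("cross-site-bruteforce", min_failures=3, min_sites=2, window=timedelta(minutes=5)),
        Strategy("single-host-bruteforce", min_failures=5, min_sites=1, window=timedelta(minutes=2)),
    ]
    out = []
    for s in strategies:
        out.extend(correlate(events, s, THREAT_INTEL))
    return out


if __name__ == "__main__":
    for esc in run_example():
        print(esc)
```

With the constructed input, 203.0.113.7 fires only the cross-site rule (five failures across london, sydney and toronto inside five minutes, severity high because the indicator set knows it), while 192.0.2.9 hammers a single host and so fires only the single-host rule at medium severity. The point a practitioner should take from this is that the cross-site rule is what makes an attacker visible at all when each site on its own sees too few failures to alarm.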