Cutting-Edge AI Security Seceon OTM

What is Seceon?

Seceon OTM is a security solution that uses AI machine learning. Through the visualization of data flowing in the network, the solution supports the handling of threats (information leakage due to malware activities, DDoS attacks, etc.) from detection to remediation.
The AI detects threats in real time through a completely new method combining behavioral and dynamic threat analysis. Additionally, by using Seceon OTM to automate SOC operations it is possible to significantly reduce the cost of security measures including SOC operation costs.
Even though the solution uses advanced technologies such as AI and machine learning, it requires no specialized knowledge/skills to operate, making it easy for customers to navigate.

Features

• Enables easy operation through basic knowledge of networks and security
• Data flowing through the network is collected, reducing network  and server load
• In principle, tuning is unnecessary because the baseline is learned by machine learning
• Reduces operational costs through automatic policy checks using AI
• Knowledge of advanced security is not required since AI will perform the countermeasures
• AI performs correlation analysis of dangerous signs
• Easily achieves incident management

The service will help companies that: 

1. Want to reduce personnel costs, installation costs, and operating costs related to security
2. Want to introduce advanced security that will resist sophisticated and complicated cyberattacks
3. Want to easily introduce a powerful security system without making major changes to the current system
4. Are not confident in their ability to independently operate a new, complex, multi-functional product
5. Are unsure on what new security systems to introduce, but want to review existing measures
6. Want to protect against internal fraud or leakage of information from inside the company
7. Want to protect against targeted attacks which are increasing every year
8. Want to prevent damage caused by ransomware
9. Want to take comprehensive security measures for the various devices connected inside and outside the company

Website for SECEON OTM products can be accessed here

Main Functions

• Data collection
  Collects the following data from the data flowing through the network and performs security analysis.
  ・Sender
  ・Recipient
  ・Data size
  ・Time stamp
  Also collects system logs and AD logs to analyze user behavior.
• Establishing Baseline
  Uses machine learning to create a baseline; a standard for normal communication and behavior within the organization.
• Threat indicator
  Detects abnormalities by comparing the collected data with the baseline. If an abnormality is detected, an index is generated and accumulated as a threat indicator.
• Correlation analysis and alert
  Perform correlation analysis for the accumulated threat indicators and issue alerts only for real threats. AI analysis is characterized by fewer false detections than the manual work of security analysts.
• Dashboard with simple design
  Organizes and displays only the required information. This dashboard function avoids confusion even when an incident occurs and enables accurate understanding.
• Easy-to-understand alert message
  The list displays alerts from the highest urgency in the display format according to the three levels of risk, freeing the administrator the hassle of having to prioritize response.  Recommended measures are also presented together with the alerts.
• Flexible installation for any environment
  Flexible installation is possible for any environment such as on premise or cloud. When introducing the solution at multiple sites, simply install an analysis server at the base and a data collection server at each site. It is not necessary to station an administrator at each of the sites.

Network monitoring service using Seceon OTM

The ID Group also uses Seceon OTM to provide security monitoring services within the network on behalf of customers. The monitoring targets are all terminals in the network that have an IP address; for example, computers, mobile terminals, and IoT terminals.

Details of operation services are available here

Specifications

	Extra-Lite configuration		Lite configuration		Standard configuration
	APE+CCE		APE+CCE		APE+CCE
CPU	Frequency	2.0GHz	Frequency	2.1GHz	Frequency	2.1GHz
	Core×Number of CPUs×Thread	16	Core×Number of CPUs×Thread	32	Core×Number of CPUs×Thread	64
Memory	64GB		128GB		196GB
Disk	1TB SSD		3TB SSD		6TB SSD
*SSD is recommended	*A minimum capacity of 480GB is required for the boot device.		*RAID 5 is recommended		*RAID 5 is recommended
NIC	1GigE		1GigE		1GigE
Number of hosts	300		500		2000
Number of critical devices　*1	Up to 50 devices		Up to 300 devices		Up to 800 devices
IP address	1×IPv4 routing is possible　Internal IP address
	Extra-Large configuration		Split configuration		Windows Collector
	APE+CCE		CCE
CPU	Frequency	2.1GHz	Frequency	2GHz	Frequency	2GHz or higher
	Core×Number of CPUs×Thread	88	Core×Number of CPUs×Thread	4	Core×Number of CPUs×Thread	-
Memory	384GB		42GB		2GB or higher
Disk	9TB SSD		150GB or higher		40GB or higher
*SSD is recommended	*RAID 5 is recommended
NIC	1GigE		1GigE		1GigE
Number of hosts	4000		-		-
Number of critical devices　*1	Up to 1500 devices		-		-
IP address	1×IPv4 routing is possible　Internal IP address				OS:Windows 2012 Server

*1 A critical device is a device that outputs logs, data flowing through networks, etc.
Example: A server hosting a router, firewall, switch, or general services (IPS/IDS, HTTP, HTTPS, database, etc.)
■ Installation in BIOS mode is recommended

Example of Introduction

Example of software development/system operation management company

Location: Tokyo
Number of users: approx. 1,000

Concerns that can be addressed

1. Although we have introduced computers, mobile terminals, and IoT devices, we are unsure whether current security management is sufficient
2. We have received instructions from top management on to provide measures to regulate “internal fraud”
3. We do not have a sufficient budget to establish a dedicated security team
4. Currently, information system members handle security measures while simultaneously handling other duties, making them very busy and creating the risk that a security-related measure is overlooked
5. We want to establish effective security measures without spending a lot of money
   
   

Introduction schedule of ID Group

1Week	Design	Requirement definitions Interviews	Selection of devices to be registered/devices for sending flow Devices listed on black list/white list Necessity of acquiring Windows log, FW log, etc.
2Day	Introduction		Confirmation of data acquisition status (flows, various logs) Alert issuance test (test script)
8Days	Start of operation	Machine learning Rule base	Monitoring for rule-based threat detection begins immediately after introduction Machine learning takes place during the 8-day introduction period. Monitoring begins immediately after the learning period is finished
1Day	Transfer of operations (training)		Transfer of operations is performed with according to manuals when responding to alerts
	Start of operation		After the transfer of operations, continued support is provided through a Q&A basis Providing information such as patch releases and version upgrades

Operation system

ID (cooperation with customers)

1. Irregular confirmation of production environment operation: Confirmation of infrastructure (container, Docker operation), collection status, etc.
2. Provision of version upgrade information and implementation of upgrade
3. Provide technical information (issues, bugs, release schedule, etc.)

Customer (cooperation between information system department and operation department)

Information system department: Alert reaction

1. Confirm alert details
2. Reference report
3. Implement license

Operation department

1. Daily inspection: Confirmation of daily reports
2. Escalation at the time of receiving system alert