Cutting-Edge AI Security Seceon OTM

What is cutting-edge AI security Seceon OTM?

Seceon OTM is a security solution that uses AI machine learning. Through visualization while collecting data flowing in the network, the solution supports handling of threats (information leakage due to malware activities, DDoS attacks, etc.) from detection to measures.
AI detects threats in real time through a completely new method combining behavioral analysis and dynamic threat analysis. Additionally, by using Seceon OTM to automate SOC operations, it is possible to significantly reduce the cost of security measures such as SOC operation.
Even though the solution uses advanced technologies such as AI and machine learning, it does not require any specialized skills for operation by customers.

Features

• Enables easy operation through basic knowledge on networks and security
• Since data flowing through the network is collected, network pressure and server load are reduced compared to packet data collection
• In principle, tuning is unnecessary because the normal state is learned by AI machine learning
• Reduces operational costs through automatic policy checks using AI
• No need for advanced security knowledge because AI will present countermeasures
• AI performs correlation analysis of dangerous signs
• Easily achieves incident management

The service will solve problems such as the following.

1. Want to reduce personnel costs, installation costs, and operating costs related to security
2. Want to introduce advanced security that can resist sophisticated and complicated cyberattacks
3. Want to easily introduce powerful security without making major changes to the current system
4. Even if we introduce a multi-functional product, our company is not confident that we can operate the product independently
5. We are undecided what to introduce, but want to review our current security measures
6. Want to prepare for internal fraud or leakage of information from inside the company
7. Want to prepare for targeted attacks which are increasing every year
8. Want to prevent damage caused by ransomware
9. Want to take comprehensive security measures for various devices connected from inside and outside the company

Website for SECEON OTM products can be accessed here

Main Functions

• Data collection
  Collects the following data from the data flowing through the network and performs security analysis.
   ・Sender
   ・Recipient
   ・Data size
   ・Time stamp
  Also collects system logs and AD logs to analyze user behavior.
• Uses machine learning to create a baseline
  Based on the collected data, machine learning creates standards for normal communication and behavior within the organization.
• Threat indicator
  Detects abnormalities by comparing the collected data with the baseline created by machine learning. If an abnormality is detected, an index is generated and accumulated as a threat indicator.
• Correlation analysis and alert
  Perform correlation analysis for the accumulated threat indicators and issue alerts only for real threats. AI analysis is characterized by fewer false detections than the manual work of security analysts.
• Dashboard with simple design
  Organizes and displays only the required information. This dashboard function avoids confusion even when an incident occurs and enables accurate understanding.
• Easy-to-understand alert message
  Since the list displays alerts from the highest urgency in the display format according to the three levels of risk, the administrator does not have the hassle of deciding the priority of the response. Recommended measures are also presented together with the alerts.
• Flexible installation for any environment
  Flexible installation is possible for any environment such as on-premise or cloud. When introducing the solution at multiple sites, simply install an analysis server at the base and a data collection server at each site. Furthermore, it is not necessary to station an administrator at each site.

Network monitoring service using Seceon OTM

The ID Groups also uses Seceon OTM to provide security monitoring services within the network on behalf of customers. The monitoring targets are all terminals in the network that have an IP address; for example, computers, mobile terminals, and IoT terminals.

Details of operation services are available here

Specifications

	Extra-Lite configuration		Lite configuration		Standard configuration
	APE+CCE		APE+CCE		APE+CCE
CPU	Frequency	2.0GHz	Frequency	2.1GHz	Frequency	2.1GHz
	Core×Number of CPUs×Thread	16	Core×Number of CPUs×Thread	32	Core×Number of CPUs×Thread	64
Memory	64GB		128GB		196GB
Disk	1TB SSD		3TB SSD		6TB SSD
*SSD is recommended	*A minimum capacity of 480GB is required for the boot device.		*RAID 5 is recommended		*RAID 5 is recommended
NIC	1GigE		1GigE		1GigE
Number of hosts	300		500		2000
Number of critical devices　*1	Up to 50 devices		Up to 300 devices		Up to 800 devices
IP address	1×IPv4 routing is possible　Internal IP address
	Extra-Large configuration		Split configuration		Windows Collector
	APE+CCE		CCE
CPU	Frequency	2.1GHz	Frequency	2GHz	Frequency	2GHz or higher
	Core×Number of CPUs×Thread	88	Core×Number of CPUs×Thread	4	Core×Number of CPUs×Thread	-
Memory	384GB		42GB		2GB or higher
Disk	9TB SSD		150GB or higher		40GB or higher
*SSD is recommended	*RAID 5 is recommended
NIC	1GigE		1GigE		1GigE
Number of hosts	4000		-		-
Number of critical devices　*1	Up to 1500 devices		-		-
IP address	1×IPv4 routing is possible　Internal IP address				OS:Windows 2012 Server

*1 A critical device is a device that outputs logs, data flowing through networks, etc.
Example: A server hosting a router, firewall, switch, or general services (IPS/IDS, HTTP, HTTPS, database, etc.)
■ Installation in BIOS mode is recommended

Example of Introduction

Example of software development/system operation management company

Location: Tokyo
Number of users: approx. 1,000

Issues

1. We have introduced computers, mobile terminals, and IoT devices, but it is unclear whether current security management is sufficient
2. We have received instructions from top management on measures related to “internal fraud”
3. We do not have a sufficient budget to establish a dedicated security team
4. Information system members handle current security measures while also handling other duties
5. We require security measures without spending a lot of money

Introduction schedule of ID Group

1Week	Design	Requirement definitions Interviews	Selection of devices to be registered/devices for sending flow Devices listed on black list/white list Necessity of acquiring Windows log, FW log, etc.
2Day	Introduction		Confirmation of data acquisition status (flows, various logs) Alert issuance test (test script)
8Days	Start of operation	Machine learning Rule base	Monitoring for rule-based threat detection begins immediately after introduction Machine learning takes place during the 8-day introduction period. Monitoring begins immediately after the learning period is finished
1Day	Transfer of operations (training)		Transfer of operations is performed with according to manuals when responding to alerts
	Start of operation		After the transfer of operations, continued support is provided through a QA basis Providing information such as patch releases and version upgrades

Operation system

ID (cooperation with customers)

1. Irregular confirmation of production environment operation: Confirmation of infrastructure (container, docker operation), collection status, etc.
2. Provision of version upgrade information and implementation of upgrade
3. Provide technical information (issues, bugs, release schedule, etc.)

Customer (lcooperation between information system department and operation department)

 Information system department: Alert reaction

1. Confirm alert details
2. Reference report
3. Implement license

Operation department

1. Daily inspection: Confirmation of daily reports
2. Escalation at the time of receiving system alert