Securonix
Author: s | 2025-04-24
Securonix Security Analytics Platform, Securonix UEBA, Securonix Cloud, Securonix Security Data Lake, and Securonix Security Applications are trademarks and of Securonix, Inc. in the
Threat Hunting with Securonix - Securonix
Agnostically integrate any security tool, clouds, and data lakes. Third, deliver a frictionless experience with reduced noise, an intuitive user interface, and targeted threat intelligence that frees analysts from the tedious task of manual log analysis and endless alert triage, allowing them to focus on high-level investigations and strategic decision-making. From these principles, Securonix EON extends the capabilities of the company’s industry-leading Unified Defense SIEM.

Key features of Securonix EON include:

Insider Threat Psycholinguistics: Utilizing the science of deciphering psychology from language, powered by Amazon Bedrock, Securonix provides entity- and activity-based risk scoring to uplevel insider threat hunting capabilities. This industry-first feature enables users to accurately and efficiently discern the intent behind a user’s language and behavior, identifying potential malicious activity. Key categories analyzed include financial crimes, obfuscation, and more.

Adaptive Threat Modeling: Leveraging machine learning to develop adaptive threat models and dynamic threat chaining of violations with anomaly detections, Securonix enhances investigations by enabling analysts and CyberOps teams to identify never-before-seen attack chains in near real time. With more speed, accuracy, and efficiency, this capability builds the full picture of an attack to prevent its destructive phases.

InvestigateRX: By converting retrieved targeted and objective content into a coherent and context-aware summary, analysts are empowered to make swift decisions and save approximately 15 minutes per incident. Securonix customers no longer need to search for data from various sources because the information is delivered directly to the analyst.

“Effectiveness, efficiency, and scale are the three words that drive our business. And in today’s world, the linear model of adding people as customers and data grows is unsustainable,” said Scott McCrady, CEO at SolCyber Managed Security Services. “That’s why we are thrilled about Securonix working with AWS to utilize Amazon Bedrock within its newly introduced suite of AI capabilities. Our goal is to have the best analysts in the world, and putting the best tools in their hands, allowing them to defend against present and emerging threats while also allowing them to be more efficient, is the holy grail of security ops. We couldn’t be more excited about what this is unlocking for our operations and our customers.”

Securonix will be showcasing new AI-Reinforced Securonix EON capabilities at the RSA Conference, May 6 – 9, 2024 in San Francisco, at booth #1127 in South Hall. For more information or to meet with Securonix at the conference, please visit: Securonix

Securonix is pushing forward in its mission to secure the world by staying ahead of cyber threats. Securonix Unified Defense SIEM provides organizations with the first and only AI-Reinforced threat detection, investigation and response (TDIR) solution built with a cybersecurity mesh architecture on a highly scalable data cloud. The innovative cloud-native solution delivers a frictionless CyberOps experience and enables organizations to scale up

New Release, Securonix Jupiter, Enhances Detection and Response, Improves User Experience, and Optimizes Cost and Performance of the SaaS Service

ADDISON, Texas – April 20, 2021 – Securonix, Inc., a leader in Next-Gen SIEM, today unveiled Securonix Jupiter, the latest release of its cloud-native SIEM platform. New and enhanced features provide customers with the ability to detect and respond to advanced threats more quickly and accurately, deliver better time-to-value and user experiences for security analysts, and add flexible SaaS service options to optimize cost and performance. Securonix Jupiter is generally available now.

The Securonix Next-Gen SIEM platform combines security data lake (SDL), user and entity behavior analytics (UEBA), and security orchestration, automation, and response (SOAR) into a complete, end-to-end security operations platform. Built in the cloud, for the cloud, Securonix provides complete visibility and unlimited scalability with no infrastructure to manage.

“There’s no shortage of security-related data for modern organizations to leverage. As this data continues to grow exponentially, it’s incredibly challenging for security teams to scale and manage their security tools while still focusing on their main mission of combating threats,” said JP Cheenepalli, Director of Cybersecurity Engineering, AmerisourceBergen Corporation. “The new capabilities in Securonix’s Jupiter release, particularly data onboarding automation and content-as-a-service, will give our security team the ability to rapidly onboard new data feeds and stay ahead of attackers with up-to-date content services. We had exposure to some of the features of the Jupiter release as part of the beta testing and cannot wait for the GA version.”

Enhanced Threat Detection and Response
New enhancements and features provide security analysts and threat hunters access to advanced analytics to better detect emerging cloud threats, including:

Content as a Service: Customers gain easy access to up-to-date content from the Securonix Threat Labs and Content team. This improves detection by giving organizations more access and control to continuously updated content through the user interface.

Autonomous Threat Hunting: When new threats start circulating, like HAFNIUM, Securonix offers customers a free autonomous threat hunting service. When new threats are reported, Securonix’s services search across opted-in customer environments for indicators of compromise. If any are found, the customer is notified

A Better SIEM Campaign - Securonix
Leveraging Amazon Bedrock and Anthropic’s Claude 3, Securonix Transforms Security Operations with the Introduction of Advanced AI-Reinforced CyberOps that Helps to Combat AI-powered Attacks

ADDISON, Texas – April 30, 2024 – In an era where cybersecurity challenges are escalating at an unprecedented pace, Securonix today unveiled Securonix EON, a groundbreaking suite of AI-Reinforced capabilities to transform CyberOps in the face of new AI-powered threats. This launch builds on Securonix’s AI legacy, marking a significant leap forward in securing and preparing organizations to respond to the dynamic cybersecurity threat landscape against a backdrop of converging challenges facing security teams.

With the anticipated escalation of AI-powered attacks and adversaries, organizations already face the hurdles of ever-expanding attack surfaces, new regulatory and compliance pressures, and resource constraints. Securonix EON responds to these challenges by using Amazon Bedrock to provide a powerful, unified analyst experience with advanced AI-Reinforced capabilities. Amazon Bedrock is a fully managed service from Amazon Web Services (AWS) that offers a choice of high-performing foundation models, like Claude 3, from leading AI companies via a single API, along with a broad set of capabilities organizations need to build generative AI applications with security, privacy, and responsible AI. As part of the first phase of innovation, Securonix EON will include the following AI-Reinforced capabilities: Insider Threat Psycholinguistics, Adaptive Threat Modeling, and InvestigateRX.

“Cybercriminals are increasingly weaponizing AI, and we’re meeting that challenge head-on,” said Securonix CEO Nayaki Nayyar. “As the world faces advanced AI-powered threats on top of the myriad of other challenges confronting security teams, we are releasing Securonix EON to help our customers stay ahead of the escalating threat curve. Securonix EON is not just a suite of capabilities, it’s a comprehensive strategy to combat cyber threats, ushering in a new era of AI-Reinforced CyberOps.”

Securonix has chosen Amazon Bedrock to underpin many of its advanced new capabilities, allowing organizations to use best-of-breed AI to make precise security decisions more quickly, and effectively counter the rise in sophisticated AI-powered threats. Amazon Bedrock is a strong fit for Securonix’s large enterprise customers who require AI systems that are compliant with several security and privacy standards, including HIPAA, GDPR, and others.

“By combining Amazon Bedrock and Anthropic’s Claude 3 with Securonix’s cutting-edge AI-Reinforced CyberOps advancements, customers will be able to detect and defend against adversaries with greater speed, precision, and efficacy than ever before,” continued Nayyar. “These are the first of our AI-Reinforced Securonix EON capabilities, with continued innovation to come that will further advance the cybersecurity market.”

The cornerstone of Securonix’s innovative approach rests on three core pillars: First, reinforce the platform with AI so human intervention happens at the most critical moments, while AI handles the manual, repetitive tasks. Second, apply a cybersecurity mesh architecture to seamlessly and

ZSCALER AND SECURONIX DEPLOYMENT GUIDE
Flexibility to choose the architecture that is best suited for their environment.

Bring your own AWS: The new deployment model provides customers with the benefits of Securonix’s fully managed SaaS SIEM solution while allowing them to maintain ownership of their data. Securonix hosts the core SIEM application service on its AWS account, while data ingestion, processing and storage are hosted on the customer’s AWS account.

SaaS Service Enhancements: The enhancements include more data onboarding options, flexible retention and search options, additional security features, and disaster recovery options, all aimed at giving customers the ability to choose the optimal solution for their needs.

“With the increased complexity of hybrid environments, security operations teams are spending way too much time configuring and managing security tools, rather than using them to improve their security posture,” said Tanuj Gulati, CTO, Securonix. “Our goal at Securonix is to empower security teams to work quicker and more efficiently, and our new Jupiter release is proof that we are executing on that promise. The new capabilities in Jupiter focus on three key outcomes for security teams – reducing mean time to respond with improved detection and response capabilities, improving analyst speed and efficiency through automation and better user experiences, and optimizing cost and performance with more innovative, cloud-native SaaS capabilities.”

To learn more about how Securonix helps security teams work more efficiently to better detect and respond to advanced threats in their environments, attend Securonix’s product launch event ‘To Jupiter and Beyond’, taking place on April 21, 2021.

About Securonix
Securonix is redefining SIEM for today’s hybrid cloud, data-driven enterprise. Built on big data architecture, Securonix delivers SIEM, UEBA, SOAR, Security Data Lake, NTA and vertical-specific applications as a pure SaaS solution with unlimited scalability and no infrastructure cost. Securonix reduces noise and prioritizes high-fidelity alerts with the behavioral analytics technology that pioneered the UEBA category. To learn more, visit www.securonix.com or follow us on LinkedIn, Facebook and Twitter.

Media Contact
Justin McCann
fama PR for Securonix
[email protected]

immediately and given guidance on next steps from the Threat Labs team.

Intelligent Live Channel: Security analysts and threat hunters are now able to search live, raw data to immediately detect active threats to their environments instead of waiting for data to be fully ingested by Securonix. This real-time access to the raw event fields allows them to search for active threats in the wild without having to wait for analytics to process and surface concerns, or to troubleshoot data ingestion disruptions.

Cloud Content 2.0: This delivers updated cloud monitoring and detection content. The new content is primarily built around the MITRE Cloud Matrix tactics and techniques, which is especially important for cloud infrastructure environments on AWS, GCP, and Azure.

Multi-Tenant Response: Multi-tenant response capabilities enable customers and managed service partners to take faster incident response actions across multi-tenant environments from a central point of action.

On-Demand Case Creation: Security analysts can create new cases and attach associated evidence without starting from a specific entity or artifact, enabling faster, more flexible responses to potential security events.

Community Collaboration: A new integration with the SIGMA framework enables customers to run SIGMA queries for search and hunt from the Securonix Spotter console.

Improved User Experience
New processes and capabilities are available to ensure that customers and partners enjoy the benefits of Securonix immediately, and that security analysts can interact with the platform in meaningful ways. New and enhanced abilities include:

Data Onboarding Automation: Securonix has introduced a new and refined data onboarding process that is simplified into three steps: Auto Discovery, Auto Parsing, and Identity Enrichment. This improved process shortens time to value by reducing the manual steps needed to onboard data sources.

Data Dictionary: A unified dictionary of labels to streamline search. This feature streamlines the mapping of attributes and the correlation of information from data sources to eliminate confusion and increase reliability.

Activity Monitor: This new capability unlocks visibility into the data ingested by Securonix at the device level. Activity Monitor helps customers reduce the time it takes to identify data ingestion issues and the dependency on the Securonix Operations team to investigate service disruptions.

SaaS Service Optimization
New SaaS service capabilities and deployment models provide customers the

What is Enterprise Cybersecurity? - Securonix
needs to be monitored for. While this was a very targeted attack, the tactics and techniques used are well known and it is important to stay vigilant. Securonix customers can take advantage of the detections and seeded hunting queries below.

Securonix Recommendations and Mitigations
Avoid downloading unknown email attachments or .lnk files from non-trusted sources.
Deploy PowerShell script block logging to assist in detections.
Deploy additional process-level logging such as Sysmon for additional log coverage. Additionally, Sysmon installed on the host will prevent next-stage payload execution.
Pay specific attention to attempts to disable your security monitoring tools, including the SIEM.
Scan endpoints using the Securonix seeded hunting queries below.

MITRE ATT&CK Techniques
Tactic            Technique
Initial Access    T1566: Phishing
Defense Evasion   T1027: Obfuscated Files or Information
Defense Evasion   T1140: Deobfuscate/Decode Files or Information
Defense Evasion   T1202: Indirect Command Execution
Defense Evasion   T1562.001: Impair Defenses: Disable or Modify Tools
Defense Evasion   T1112: Modify Registry
Collection        T1005: Data from Local System
Execution         T1059.001: Command and Scripting Interpreter: PowerShell
Execution         T1047: Windows Management Instrumentation
Persistence       T1547: Boot or Logon Autostart Execution
Persistence       T1053: Scheduled Task/Job
Persistence       T1053.005: Scheduled Task/Job: Scheduled Task
Persistence       T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription

Some Examples of Relevant Securonix Detection Policies
EDR-SYM498-ERI
EDR-ALL-1083-ER
EDR-SYM498-RUN
PSH-ALL-213-RU
PSH-ALL-230-RU
WEL-PSH60-RUN
WEL-PSH61-RUN

Hunting Queries
rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND message CONTAINS "$env:comspec[" AND message CONTAINS "-Join"
rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND message CONTAINS "$pshome["
rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND message CONTAINS "$shellid["
rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND (message CONTAINS "[char[]]" AND message CONTAINS "-join")
rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND (message CONTAINS ".(gal " OR message CONTAINS ".(Get-Alias ") AND message CONTAINS " ?e[?x])"
rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND (message CONTAINS "}{0}" OR message CONTAINS "} {0}") AND message CONTAINS " -f"
rg_functionality = "Endpoint Management Systems" AND transactionstring5 = "SetValue" AND devicecustomstring2 CONTAINS "\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2"

IOCs
Domains:
terma[.]dev
terma[.]icu
terma[.]app
terma[.]vip
terma[.]wiki
terma[.]pics
terma[.]lol
terma[.]ink
onrender[.]com
cobham-satcom.onrender[.]com

IP Addresses:
199.53.243227.139.39

Registry keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKCU:\Software\Policies\Microsoft\Windows\Explorer
HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications
HKLM:\Software\Classes\ms-offices\Shell\Open\command
HKLM:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\CurVer
HKCU:\Software\Classes\ms-settings\CurVer
HKCU:\Software\Classes\ms-offices\Shell\Open\command
HKCU:\Software\Classes\ms-windowsdrive\Shell\Open\command
HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\CurVer

File Hashes (SHA256):
s    Da0888f06b2e690a3a4f52f3b04131f7a181c12c3cb8e6861fc67ff062beef37
w    Da0888f06b2e690a3a4f52f3b04131f7a181c12c3cb8e6861fc67ff062beef37
png  691c0a362337f37cf6d92b7a80d7c6407c433f1b476406236e565c6ade1c5e87

A Case of Corporate Espionage - Securonix
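The Spotter hunting queries above only run inside the platform. As an added example (not Securonix code, and not part of the original write-up), the following Python ports them to plain string rules and runs them over a handful of constructed Event ID 4104 script block records plus one constructed registry SetValue record, so the patterns can be exercised offline against exported script block text. The search terms are the page's; the host names, the sample script blocks, the `comspec_chars` helper that shows why `$env:comspec[4,15,25]` spells `iex`, and the assumption that matching is case-insensitive are mine.

```python
"""Hunting for obfuscated PowerShell in script block logs (Event ID 4104).

Added example, not Securonix code: it re-implements the Spotter hunting queries
from the page as plain Python so the patterns can be exercised against exported
script block text offline. Every record below is constructed for the demo.
"""
from __future__ import annotations

# One entry per Spotter query on the page. Each rule is a list of term groups:
# a record matches when every group has at least one of its alternatives in the
# script block (groups are ANDed, alternatives within a group are ORed).
# Assumption: matching is case-insensitive, so "-Join" and "-join" collapse
# into one term; if Spotter CONTAINS is case-sensitive, keep both spellings.
SCRIPT_BLOCK_RULES = {
    "comspec_index_join": [["$env:comspec["], ["-join"]],
    "pshome_index":       [["$pshome["]],
    "shellid_index":      [["$shellid["]],
    "char_array_join":    [["[char[]]"], ["-join"]],
    "alias_iex_lookup":   [[".(gal ", ".(get-alias "], [" ?e[?x])"]],
    "format_operator":    [["}{0}", "} {0}"], [" -f"]],
}

# Registry path from the page's seventh query (SetValue on the AppX class key).
APPX_CLASS_KEY = r"\software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2"

# Default ComSpec on a stock Windows install; indexing characters out of it is
# how "$env:comspec[4,15,25]" spells "iex" without ever writing the word.
DEFAULT_COMSPEC = r"C:\WINDOWS\system32\cmd.exe"


def comspec_chars(indices: list[int], comspec: str = DEFAULT_COMSPEC) -> str:
    """Resolve what an index list into $env:comspec evaluates to."""
    return "".join(comspec[i] for i in indices)


def matched_rules(script_block: str) -> list[str]:
    """Return the names of every rule whose terms all appear in the block."""
    text = script_block.lower()
    return [
        name
        for name, groups in SCRIPT_BLOCK_RULES.items()
        if all(any(alt in text for alt in group) for group in groups)
    ]


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Apply the rules to a batch of normalised events; returns host -> hits.

    Script block rules only fire on PowerShell Event ID 4104 and the registry
    rule only on endpoint-management SetValue records, mirroring the page's
    rg_functionality / eventid / transactionstring5 filters.
    """
    findings: dict[str, list[str]] = {}
    for ev in events:
        hits: list[str] = []
        if ev.get("rg_functionality") == "Microsoft Windows Powershell" and ev.get("eventid") == 4104:
            hits = matched_rules(ev.get("message", ""))
        elif (ev.get("rg_functionality") == "Endpoint Management Systems"
              and ev.get("transactionstring5") == "SetValue"
              and APPX_CLASS_KEY in ev.get("devicecustomstring2", "").lower()):
            hits = ["appx_class_key_setvalue"]
        if hits:
            findings.setdefault(ev["host"], []).extend(hits)
    return findings


# Constructed sample events, one host each. The script blocks use the same
# "spell iex without writing iex" tricks the queries target.
PS = "Microsoft Windows Powershell"
SAMPLE_EVENTS = [
    {"host": "wks-01", "rg_functionality": PS, "eventid": 4104,
     "message": ".($env:comspec[4,15,25]-Join'')('whoami')"},
    {"host": "wks-02", "rg_functionality": PS, "eventid": 4104,
     "message": "&($pshome[21]+$pshome[34]+'x') 'whoami'"},
    {"host": "wks-03", "rg_functionality": PS, "eventid": 4104,
     "message": ".(gal ?e[?x]) (Get-Content .\\s)"},
    {"host": "wks-04", "rg_functionality": PS, "eventid": 4104,
     "message": "&(\"{1}{0}\" -f 'ex','i') 'hostname'"},
    {"host": "wks-05", "rg_functionality": PS, "eventid": 4104,
     "message": "&([char[]](105,101,120) -join '') 'hostname'"},
    {"host": "wks-06", "rg_functionality": PS, "eventid": 4104,
     "message": "&($shellid[1]+$shellid[13]+'x') 'hostname'"},
    # Benign admin one-liner: none of the rules should fire.
    {"host": "wks-07", "rg_functionality": PS, "eventid": 4104,
     "message": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"host": "wks-08", "rg_functionality": "Endpoint Management Systems", "transactionstring5": "SetValue",
     "devicecustomstring2": r"HKLM\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\CurVer"},
    # Same trick but logged as module logging (4103), so the 4104 rules skip it.
    {"host": "wks-09", "rg_functionality": PS, "eventid": 4103,
     "message": ".($env:comspec[4,15,25]-Join'')('whoami')"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The last record is the caveat worth remembering: these patterns only see script block text, so if script block logging (Event ID 4104) is not enabled, as the recommendations above require, the same commands pass through unmatched even when module logging is on.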
databases, depending on the components and applications used (e.g., ESM uses CORR-Engine, Investigate uses Vertica and UBA leverages Microsoft SQL). The roadmap for a simplified storage tier based on Vertica has not been released.

Buyers looking for an integrated UBA solution should confirm the status of Micro Focus’ offering, as the version is licensed from Securonix and, while recently updated, is an older version.

Although Micro Focus ArcSight occasionally appears on shortlists for new SIEM deployments, inquiries about replacing ArcSight are common. Client interest in Micro Focus ArcSight Express specifically is minimal, and it is rarely mentioned or included on shortlists of MSEs and smaller enterprise clients.

Customer feedback on the overall experience with Micro Focus is below average and lags behind most competitors in the market.

Who uses it: large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.5/5.0

How Do You Find the Best SIEM Tool for Your Business?
SIEM products are differentiated by cost, features and ease of use. Generally, you get what you pay for: greater sophistication and management complexity require higher-end management, so buyers must weigh their needs, budget and expertise as they decide on a SIEM system.

Securonix Ushers in a New Era of
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

Introduction
The Securonix Threat Research team recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft. The stager mostly employed PowerShell, and while stagers written in PowerShell are not unique, the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code.

Additionally, the remote infrastructure, or command and control (C2), involved with the stager was relatively sophisticated. We noticed three unique domains leveraging the Cloudflare CDN, which we will go over in more depth later as to how each plays a role.

Target Analysis and Attack Chain
As we’ll dive into a bit deeper in the next section, spearphishing was the primary means of initial compromise. The attack was carried out starting in late summer 2022, targeting at least two high-profile military contractor companies.

The overall attack chain can be seen in figure 1 below, which highlights the initial compromise phase of the attack; as you can see, it is quite robust compared to most loaders we’ve seen in the past.

Figure 1: Attack Chain

Initial Infection: Shortcut to Code Execution
As with a lot of targeted campaigns, initial infection begins with a phishing email sent to the target containing a malicious attachment. Similar to the STIFF#BIZON campaign we reported earlier this year, the phishing email contains a compressed file containing a shortcut file, in this case “Company & Benefits.lnk”.

Figure 2: Company & Benefits.pdf.lnk

The shortcut file does some tricky things to avoid detection. First, it attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe, as we’ve seen in the past. It then copies the powershell.exe executable to C:\Windows, renames it to AdobeAcrobatPDFReader, and uses the renamed copy to execute the rest of the PowerShell string. Logs generated from Sysinternals Sysmon identify this in figure 3 below.

Figure 3: Windows logs showing renamed PowerShell.exe

The rest of the PowerShell script runs in a loop with a 120-second timeout until an attempt completes without error. C2 communication is attempted at the URL hxxps://terma[.]dev/0 to pull down the initial stager.

Initial Infection: Stager Attack Chain
Once the .lnk file is executed by the user, a rather large and robust chain of stagers executes. Each stager is written in PowerShell and each is very heavily obfuscated. In total we observed eight layers to the stage, which carry a wide range of techniques.

Let’s start peeling back this onion of stagers by examining the first stage as it is executed from the remote C2 server. The file which is loaded remotely via Invoke-Expression is
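The forfiles launch and the renamed powershell.exe copy in C:\Windows both leave a signature in Sysmon process-creation telemetry, because Sysmon records the PE's OriginalFileName alongside the on-disk Image path. As an added example, not part of the original write-up and not Securonix Threat Labs tooling, the following Python checks constructed Sysmon Event ID 1 records for three things this stage leaves behind: an image whose name differs from its OriginalFileName, PowerShell running from a directory other than its install location, and forfiles.exe as the parent. Field names follow Sysmon's Event ID 1 schema; the hostnames and records are constructed, and the sets of watched binaries and launcher parents are my own choices that a real deployment would extend.

```python
"""Detecting the renamed PowerShell copy from Sysmon process-creation events.

Added example, not Securonix Threat Labs tooling: it checks Sysmon Event ID 1
records for what the attack chain above leaves in telemetry. Records and
hostnames are constructed; field names follow Sysmon's Event ID 1 schema.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Binaries whose PE OriginalFileName should match the on-disk name. Sysmon
# reports the version-info value (e.g. "PowerShell.EXE"), so compare lowercase.
# Assumption: this set is a starting point, not a complete list.
WATCHED_ORIGINALS = {"powershell.exe", "cmd.exe"}

# Directories PowerShell legitimately runs from on a default install.
POWERSHELL_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Parents the page calls out as execution proxies for the stager.
LAUNCHER_PARENTS = {"forfiles.exe"}


def analyse(event: dict) -> list[str]:
    """Return human-readable findings for one Sysmon Event ID 1 record."""
    image = PureWindowsPath(event.get("Image", ""))
    name = image.name.lower()
    original = event.get("OriginalFileName", "").lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    findings: list[str] = []
    if original in WATCHED_ORIGINALS and original != name:
        findings.append(f"renamed binary: {image.name} is really {event['OriginalFileName']}")
    if original == "powershell.exe" and str(image.parent).lower() not in POWERSHELL_DIRS:
        findings.append(f"powershell running from unexpected directory {image.parent}")
    if parent in LAUNCHER_PARENTS:
        findings.append(f"launched through {parent}")
    return findings


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map host -> findings for every record that produced at least one."""
    out: dict[str, list[str]] = {}
    for ev in events:
        hits = analyse(ev)
        if hits:
            out.setdefault(ev["Computer"], []).extend(hits)
    return out


# Constructed records. The renamed copy keeps the page's name (no extension).
SAMPLE_EVENTS = [
    {   # The chain described above: forfiles runs the renamed copy in C:\Windows.
        "Computer": "wks-eng-07",
        "Image": r"C:\Windows\AdobeAcrobatPDFReader",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\forfiles.exe",
    },
    {   # Normal interactive PowerShell: nothing to report.
        "Computer": "wks-eng-02",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # A genuine cmd.exe spawned by forfiles: only the launcher hint fires,
        # which is why it should score lower than the renamed-binary case.
        "Computer": "srv-build-01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\forfiles.exe",
    },
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The OriginalFileName check is the durable one: an attacker can pick any file name and any directory, but changing the version-info field means patching the PE, which most loaders do not bother with. The forfiles check on its own is noisy in environments where administrators script with it, so treat it as a scoring hint rather than an alert.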
Agnostically integrate any security tool, clouds, and data lakes. Third, deliver a frictionless experience with reduced noise, an intuitive user interface, and targeted threat intelligence that frees analysts from the tedious task of manual log analysis and endless alert triage, allowing them to focus on high-level investigations and strategic decision-making. From these principles, Securonix EON extends the capabilities of the company’s industry-leading Unified Defense SIEM.Key features of Securonix EON include:Insider Threat Psycholinguistics: Utilizing the science of deciphering psychology from language powered by Amazon Bedrock, Securonix provides entity and activity-based risk scoring to uplevel insider threat hunting capabilities. This industry-first feature enables users to accurately and efficiently discern the intent behind a user’s language and behavior, identifying potential malicious activity. Key categories analyzed include financial crimes, obfuscation, and more.Adaptive Threat Modeling: Leveraging machine learning to develop adaptive threat models and dynamic threat chaining of violations with anomaly detections, Securonix enhances investigations by enabling analysts and CyberOps teams to identify never-before-seen attack chains in near real-time. With more speed, accuracy, and efficiency, this capability builds the full picture of an attack to prevent destructive phases.InvestigateRX: Converting retrieved targeted and objective content into a coherent and context-aware summary, analysts are empowered to make swift decisions and save approximately 15 minutes per incident. Securonix customers no longer need to search for data from various sources because the information is delivered directly to the analyst.“Effectiveness, efficiency, and scale are the three words that drive our business. And in today’s world, the linear model of adding people as customers and data grows is unsustainable,” said Scott McCrady, CEO at SolCyber Managed Security Services. 
“That’s why we are thrilled about Securonix working with AWS to utilize Amazon Bedrock within its newly introduced suite of AI capabilities. Our goal is to have the best analysts in the world, and putting the best tools in their hands, allowing them to defend against present and emerging threats while also allowing them to be more efficient is the holy grail of security ops. We couldn’t be more excited about what this is unlocking for our operations and our customers.”Securonix will be showcasing new AI-Reinforced Securonix EON capabilities at the RSA Conference, May 6 – 9, 2024 in San Francisco, at booth #1127 in South Hall. For more information or to meet with Securonix at the conference, please visit: SecuronixSecuronix is pushing forward in its mission to secure the world by staying ahead of cyber threats. Securonix Unified Defense SIEM provides organizations with the first and only AI-Reinforced threat detection, investigation and response (TDIR) solution built with a cybersecurity mesh architecture on a highly scalable data cloud. The innovative cloud-native solution delivers a frictionless CyberOps experience and enables organizations to scale up
2025-03-29New Release, Securonix Jupiter, Enhances Detection and Response, Improves User Experience, and Optimizes Cost and Performance of the SaaS ServiceADDISON, Texas – April 20, 2021 – Securonix, Inc., a leader in Next-Gen SIEM, today unveiled Securonix Jupiter, the latest release of its cloud-native SIEM platform. New and enhanced features provide customers with the ability to detect and respond to advanced threats more quickly and accurately, deliver better time-to-value and user experiences for security analysts, and add flexible SaaS service options to optimize cost and performance. Securonix Jupiter is generally available now.The Securonix Next-Gen SIEM platform combines security data lake (SDL), user and entity behavior analytics (UEBA), and security orchestration, automation, and response (SOAR) into a complete, end-to-end security operations platform. Built in the cloud, for the cloud, Securonix provides complete visibility and unlimited scalability with no infrastructure to manage.“There’s no shortage of security-related data for modern organizations to leverage. As this data continues to grow exponentially, it’s incredibly challenging for security teams to scale and manage their security tools while still focusing on their main mission of combating threats,” said JP Cheenepalli, Director of Cybersecurity Engineering, AmerisourceBergen Corporation. “The new capabilities in Securonix’s Jupiter release, particularly data onboarding automation and content-as-a-service, will give our security team the ability to rapidly onboard new data feeds and stay ahead of attackers with up-to-date content services. 
We had exposure to some of the features of the Jupiter release as part of the beta testing and cannot wait for the GA version.”Enhanced Threat Detection and ResponseNew enhancements and features provide security analysts and threat hunters access to advanced analytics to better detect emerging cloud threats, including:Content as a Service: Customers gain easy access to up-to-date content from the Securonix Threat Labs and Content team. This improves detection by giving organizations more access and control to continuously updated content through the user interface.Autonomous Threat Hunting: When new threats start circulating like HAFNIUM, Securonix offers customers a free autonomous threat hunting service. When new threats are reported, Securonix’s services search across opted-in customer environments for indicators of compromise. If any are found, the customer is notified
2025-03-26Leveraging Amazon Bedrock and Anthropic’s Claude 3, Securonix Transforms Security Operations with the Introduction of Advanced AI-Reinforced CyberOps that Helps to Combat AI-powered AttacksADDISON, Texas – April 30, 2024 – In an era where cybersecurity challenges are escalating at an unprecedented pace, Securonix today unveiled Securonix EON, a groundbreaking suite of AI-Reinforced capabilities to transform CyberOps in the face of new AI-powered threats. This launch builds on Securonix’s AI legacy, marking a significant leap forward in securing and preparing organizations to respond to the dynamic cybersecurity threat landscape against a backdrop of converging challenges facing security teams.With the anticipated escalation of AI-powered attacks and adversaries, organizations already face the hurdles of ever-expanding attack surfaces, new regulatory and compliance pressures, and resource constraints. Securonix EON responds to these challenges by using Amazon Bedrock to provide a powerful, unified analyst experience with advanced AI-Reinforced capabilities. Amazon Bedrock is a fully managed service from Amazon Web Services (AWS) that offers a choice of high-performing foundation models—like Claude 3—from leading AI companies via a single API, along with a broad set of capabilities organizations need to build generative AI applications with security, privacy, and responsible AI. As part of the first phase of innovation, Securonix EON will include the following AI-Reinforced capabilities: Insider Threat Psycholinguistics, Adaptive Threat Modeling, and InvestigateRX.“Cybercriminals are increasingly weaponizing AI, and we’re meeting that challenge head-on,” said Securonix CEO Nayaki Nayyar. “As the world faces advanced AI-powered threats on top of the myriad of other challenges confronting security teams, we are releasing Securonix EON to help our customers stay ahead of the escalating threat curve. 
Securonix EON is not just a suite of capabilities, it’s a comprehensive strategy to combat cyber threats ushering in a new era of AI-Reinforced CyberOps.”Securonix has chosen Amazon Bedrock to underpin many of its advanced new capabilities, allowing organizations to use best-of-breed AI to make precise security decisions more quickly, and effectively counter the rise in sophisticated AI-powered threats. Amazon Bedrock is a strong fit for Securonix’s large enterprise customers who require AI systems that are compliant with several security and privacy standards, including HIPAA, GDPR, and others.“By combining Amazon Bedrock and Anthropic’s Claude 3 with Securonix’s cutting-edge AI-Reinforced CyberOps advancements, customers will be able to detect and defend against adversaries with greater speed, precision, and efficacy than ever before,” continued Nayyar. “These are the first of our AI-Reinforced Securonix EON capabilities, with continued innovation to come that will further advance the cybersecurity market.”The cornerstone of Securonix’s innovative approach rests on three core pillars: First, reinforce the platform with AI so human intervention happens at the most critical moments, while AI handles the manual, repetitive tasks. Second, apply a cybersecurity mesh architecture to seamlessly and
2025-04-13Flexibility to choose the architecture that is best suited for their environment.Bring your own AWS: The new deployment model provides customers with the benefits of Securonix’s fully managed SaaS SIEM solution while allowing them to maintain ownership of their data. Securonix hosts the core SIEM application service on its AWS account, while the data ingestion, processing and storage is hosted on the customer’s AWS account.SaaS Service Enhancements: The enhancements include more data on-boarding options, flexible retention and search options, additional security features, and disaster recovery options – all aimed at providing customers the ability to choose the optimal solution for their needs.“With the increased complexity of hybrid environments, security operations teams are spending way too much time configuring and managing security tools, rather than using them to improve their security posture,” said Tanuj Gulati, CTO, Securonix. “Our goal at Securonix is to empower security teams to work quicker and more efficiently, and our new Jupiter release is proof that we are executing on that promise. The new capabilities in Jupiter focus on three key outcomes for security teams – reducing mean time to respond with improved detection and response capabilities, improving analyst speed and efficiency through automation and better user experiences, and optimizing cost and performance with more innovative, cloud-native SaaS capabilities.”To learn more about how Securonix helps security teams work more efficiently to better detect and respond to advanced threats in their environments, attend Securonix’s product launch event ‘To Jupiter and Beyond’, taking place on April 21, 2021: .About SecuronixSecuronix is redefining SIEM for today’s hybrid cloud, data-driven enterprise. 
Built on a big data architecture, Securonix delivers SIEM, UEBA, SOAR, Security Data Lake, NTA and vertical-specific applications as a pure SaaS solution with unlimited scalability and no infrastructure cost. Securonix reduces noise and prioritizes high-fidelity alerts with the behavioral analytics technology that pioneered the UEBA category. To learn more, visit www.securonix.com or follow us on LinkedIn, Facebook and Twitter.

Media Contact
Justin McCann
fama PR for Securonix
[email protected]
2025-04-08

Immediately and given guidance on next steps from the Threat Labs team.

Intelligent Live Channel: Security analysts and threat hunters are now able to search live, raw data to immediately detect active threats to their environments instead of waiting for data to be fully ingested by Securonix. This real-time access to the raw event fields lets them search for active threats in the wild without waiting for analytics to process and surface concerns, and without first troubleshooting data ingestion disruptions.

Cloud Content 2.0: This delivers updated cloud monitoring and detection content. The new content is primarily built around the MITRE Cloud Matrix tactics and techniques, which is especially important for cloud infrastructure environments on AWS, GCP, and Azure.

Multi-Tenant Response: Multi-tenant response capabilities enable customers and managed service partners to take faster incident response actions across multi-tenant environments from a central point of action.

On-Demand Case Creation: Security analysts can create new cases and attach associated evidence without starting from a specific entity or artifact, enabling faster, more flexible responses to potential security events.

Community Collaboration: A new integration with the SIGMA framework enables customers to run SIGMA queries for search and hunt from the Securonix Spotter console.

Improved User Experience

New processes and capabilities are available to ensure that customers and partners enjoy the benefits of Securonix immediately, and that security analysts can interact with the platform in meaningful ways. New and enhanced abilities include:

Data Onboarding Automation: Securonix has introduced a new and refined data onboarding process that’s simplified into three steps: Auto Discovery, Auto Parsing, and Identity Enrichment.
This improved process accelerates time to value by reducing the manual steps needed to onboard data sources.

Data Dictionary: A unified dictionary of labels to streamline search and increase. This feature streamlines the mapping of attributes and the correlation of information from data sources to eliminate confusion and increase reliability.

Activity Monitor: This new capability unlocks visibility into the data ingested by Securonix at the device level. Activity Monitor helps customers reduce the time it takes to identify data ingestion issues, and reduces their dependency on the Securonix Operations team to investigate service disruptions.

SaaS Service Optimization

New SaaS service capabilities and deployment models provide customers the
2025-04-11

Needs to be monitored for. While this was a very targeted attack, the tactics and techniques used are well known and it is important to stay vigilant. Securonix customers can take advantage of the detections and seeded hunting queries below.

Securonix Recommendations and Mitigations

- Avoid downloading unknown email attachments / .lnk files from non-trusted sources
- Deploy PowerShell script block logging to assist in detections
- Deploy additional process-level logging such as Sysmon for additional log coverage. Additionally, Sysmon installed on the host will prevent next-stage payload execution
- Pay specific attention to attempts to disable your security monitoring tools, including SIEM
- Scan endpoints using the Securonix seeded hunting queries below

MITRE ATT&CK Techniques

Tactics | Techniques
Initial Access | T1566: Phishing
Defense Evasion | T1027: Obfuscated Files or Information
Defense Evasion | T1140: Deobfuscate/Decode Files or Information
Defense Evasion | T1202: Indirect Command Execution
Defense Evasion | T1005: Data from Local System
Defense Evasion | T1562.001: Impair Defenses: Disable or Modify Tools
Defense Evasion | T1112: Modify Registry
Execution | T1059.001: Command and Scripting Interpreter: PowerShell
Execution | T1047: Windows Management Instrumentation
Persistence | T1547: Boot or Logon Autostart Execution
Persistence | T1053: Scheduled Task/Job
Persistence | T1053.005: Scheduled Task/Job: Scheduled Task
Persistence | T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription

Some Examples of Relevant Securonix Detection Policies

- EDR-SYM498-ERI
- EDR-ALL-1083-ER
- EDR-SYM498-RUN
- PSH-ALL-213-RU
- PSH-ALL-230-RU
- WEL-PSH60-RUN
- WEL-PSH61-RUN

Hunting Queries

rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND message CONTAINS "$env:comspec[" AND message CONTAINS "-Join"

rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND message CONTAINS "$pshome["

rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND message CONTAINS "$shellid["

rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND (message CONTAINS "[char[]]" AND message CONTAINS "-join")

rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND (message CONTAINS ".(gal " OR message CONTAINS ".(Get-Alias ") AND (message CONTAINS " ?e[?x])"

rg_functionality = "Microsoft Windows Powershell" AND eventid=4104 AND (message CONTAINS "}{0}" OR message CONTAINS "} {0}") AND message CONTAINS " -f"

rg_functionality = "Endpoint Management Systems" AND transactionstring5 = "SetValue" AND devicecustomstring2 CONTAINS "\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2"

IOCs

Registry keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKCU:\Software\Policies\Microsoft\Windows\Explorer
HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications
HKLM:\Software\Classes\ms-offices\Shell\Open\command
HKLM:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\CurVer
HKCU:\Software\Classes\ms-settings\CurVer
HKCU:\Software\Classes\ms-offices\Shell\Open\command
HKCU:\Software\Classes\ms-windowsdrive\Shell\Open\command
HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\CurVer
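The hunting queries above, re-expressed as a small Python matcher and run over constructed sample records, as an added example that is not Securonix's own code or Spotter syntax; the field names follow the queries, and treating CONTAINS as a case-insensitive substring match is an assumption.

```python
# Added example, not Securonix code: the post's Spotter hunting queries as a Python matcher
# over constructed 4104 script-block and registry records. CONTAINS is treated as a
# case-insensitive substring match (an assumption about Spotter, not documented here).

# (rule name, substrings that must ALL be present, substrings of which ANY must be present)
SCRIPT_BLOCK_RULES = [
    ("comspec-index-join", ["$env:comspec[", "-join"], []),
    ("pshome-index", ["$pshome["], []),
    ("shellid-index", ["$shellid["], []),
    ("char-array-join", ["[char[]]", "-join"], []),
    ("get-alias-invoke", [" ?e[?x])"], [".(gal ", ".(get-alias "]),
    ("format-operator", [" -f"], ["}{0}", "} {0}"]),
]
APPX_CURVER_KEY = r"\software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2"  # from the last query

def match_script_block(event):
    """Names of the hunting rules matched by one PowerShell Event ID 4104 record."""
    if event.get("rg_functionality") != "Microsoft Windows Powershell" or event.get("eventid") != 4104:
        return []
    msg = event.get("message", "").lower()
    return [name for name, all_of, any_of in SCRIPT_BLOCK_RULES
            if all(s in msg for s in all_of) and (not any_of or any(s in msg for s in any_of))]

def match_registry(event):
    """True when an endpoint record is a SetValue under the AppX key from the last query."""
    return (event.get("rg_functionality") == "Endpoint Management Systems"
            and event.get("transactionstring5") == "SetValue"
            and APPX_CURVER_KEY in event.get("devicecustomstring2", "").lower())

def hunt(events):
    """Run every rule over a list of event dicts; returns [(index, [rule names])] for hits."""
    hits = []
    for i, ev in enumerate(events):
        names = match_script_block(ev)
        if match_registry(ev):
            names.append("appx-curver-setvalue")
        if names:
            hits.append((i, names))
    return hits

# Constructed sample records for demonstration, not telemetry from the post
SAMPLE_EVENTS = [
    {"rg_functionality": "Microsoft Windows Powershell", "eventid": 4104,
     "message": "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU"},   # benign
    {"rg_functionality": "Microsoft Windows Powershell", "eventid": 4104,      # alias, -f and comspec tricks
     "message": ".(gal ?e[?x]) (\"{1}{0}\" -f 'x','ie'); $env:comspec[4,15,25]-join''"},
    {"rg_functionality": "Microsoft Windows Powershell", "eventid": 4104,      # char-array join
     "message": "-join[char[]](73,69,88)"},
    {"rg_functionality": "Endpoint Management Systems", "transactionstring5": "SetValue",
     "devicecustomstring2": r"HKLM:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\CurVer"},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags events 1, 2 and 3 and leaves the benign event 0 untouched; in practice the same rule table can be driven from exported script block logs.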