This article is a summary describing the Threat Detection feature of NTT Ltd's Cloud Core Services offering.
The cyber threat landscape continues to evolve at an ever-accelerating rate, making it increasingly difficult for organizations to keep up with new and evolving cybersecurity threats. NTT has developed a set of advanced threat detection capabilities which leverage threat intelligence from a wide variety of sources, including NTT’s Tier 1 IP backbone, enterprise client networks and NTT’s Global Threat Intelligence Center (GTIC). The GTIC is home to a group of security researchers and analysts who specialize in threat and vulnerability research to produce applied threat intelligence. The GTIC’s mission is to protect clients by providing advanced threat research and security intelligence to enable NTT to prevent, detect, and respond to cyber threats.
NTT's Cloud Threat Detection Service is an automated service offering, delivered through Cloud Core Services, for organizations looking for threat detection capabilities. It leverages the sophisticated threat detection abilities of NTT's Global Managed Security Services platform, the threat intelligence delivered by NTT's Global Threat Intelligence Centre, and 24/7 monitoring capabilities.
The Cloud Threat Detection Service feature provides protected Azure Subscriptions with a fully automated cloud threat detection capability based on the analysis of Microsoft Azure's Network Security Group (NSG) flow logs. NTT Security systems monitor the NSG flow logs using automated algorithms to identify potential threats. Threats identified with a sufficient level of confidence result in a security incident report that is emailed to client-defined email addresses. These incident reports contain detailed descriptions of the threats and generic recommendations for remediation. Note that the feature is entirely automated and does not include access to NTT engineers or analysts regarding the incidents; services that include such support are offered at an additional charge.
The Cloud Threat Detection Service feature combines strong technical capabilities (e.g. correlation, pattern matching, reputation feeds) with Advanced Analytics (e.g. machine learning, statistical modelling, kill-chain modelling) and Threat Intelligence to turn logs and events into curated, high-confidence Security Incidents, enabling the detection of sophisticated threats.
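To make the "analysis of NSG flow logs" concrete, the following added example (not NTT's code, and not its proprietary analytics) parses records in the shape of an Azure NSG flow log version 2 file and runs one simple pattern-matching rule over them: a source whose inbound connections are denied on many distinct destination ports of one host within a short window is flagged under the page's "Reconnaissance activity / Host port scan" category. The sample record, the MAC address, the IP addresses and the thresholds are constructed for the example.

```python
"""Parse Azure NSG flow log (version 2) records and run a simple port-scan
detection rule over them. Illustrative example only: the sample record is
constructed and the heuristic is a generic one, not NTT's analytics."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of an NSG flow log v2 record. Each flow tuple is:
# time,srcIP,dstIP,srcPort,dstPort,proto,direction,decision,flowState,
# pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc (counters empty on 'B').
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-01-01T00:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound",
         "flows": [{"mac": "000D3AF87856", "flowTuples": [
             # one source probing 40 ports of one host, all denied (constructed)
             f"1672531200,203.0.113.7,10.0.0.4,51000,{port},T,I,D,B,,,,"
             for port in range(20, 60)]}]},
        {"rule": "UserRule_AllowHTTPS",
         "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1672531201,198.51.100.9,10.0.0.4,44931,443,T,I,A,B,,,,",
             "1672531202,198.51.100.9,10.0.0.4,44931,443,T,I,A,E,4,320,3,900"]}]},
    ]}}]})


@dataclass(frozen=True)
class FlowTuple:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # 'T' TCP or 'U' UDP
    direction: str  # 'I' inbound, 'O' outbound
    decision: str   # 'A' allowed, 'D' denied
    state: str      # 'B' begin, 'C' continuing, 'E' end
    rule: str       # NSG rule that produced the decision


def parse_flow_log(raw: str) -> list[FlowTuple]:
    """Flatten the records/flows/flowTuples nesting into FlowTuple objects."""
    out: list[FlowTuple] = []
    for rec in json.loads(raw)["records"]:
        for rule_block in rec["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    out.append(FlowTuple(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                         f[5], f[6], f[7], f[8], rule_block["rule"]))
    return out


def detect_port_scans(flows: list[FlowTuple], min_ports: int = 20, window_s: int = 60) -> list[dict]:
    """Flag (source, target) pairs with inbound traffic denied on at least
    `min_ports` distinct destination ports inside any `window_s`-second window."""
    denied = defaultdict(list)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            denied[(f.src_ip, f.dst_ip)].append(f)

    findings = []
    for (src, dst), fl in denied.items():
        fl.sort(key=lambda x: x.ts)
        for i, first in enumerate(fl):
            # collect the distinct ports hit within window_s of this flow
            ports = {g.dst_port for g in fl[i:] if g.ts - first.ts <= window_s}
            if len(ports) >= min_ports:
                findings.append({"category": "Reconnaissance activity",
                                 "sub_category": "Host port scan",
                                 "source_ip": src, "target": dst,
                                 "distinct_ports": len(ports), "first_seen": first.ts})
                break  # one finding per pair; suppression of repeats is a separate concern
    return findings


if __name__ == "__main__":
    for finding in detect_port_scans(parse_flow_log(SAMPLE_LOG)):
        print(finding)
```

The rule deliberately keys on denied inbound flows only: allowed traffic to a handful of ports (the HTTPS flows in the sample) never contributes, which keeps the heuristic quiet on a normally served host while still catching a sweep against closed ports.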
The Cloud Threat Detection Service features are as follows:
Base service
- 24/7 coverage
- Services enhanced by NTT's Global Threat Intelligence Centre
- Continuous Threat Intelligence updates driven by production investigations
- Patent-pending Advanced Analytics with proprietary machine learning / behavioural modelling
- Automated Security Incident reports
Enablement of this capability requires some configuration within the Azure Subscription. The migration team will work with you to handle these aspects of the configuration:
- An Azure Resource Manager (ARM) template is deployed to configure the system. The ARM template enables NSG flow logs and configures an Event Grid which is used to channel log events to the central threat detection platform.
- Log exports must be enabled.
Clients are responsible for the charges incurred by the NSG flow logs and storage.
Once the configuration is in place, clients can configure and manage the email addresses to which threat reports will be sent through the NTT Services Portal as described in this article:
Once this is complete, the system will begin emailing incident reports when threats are identified with a sufficient level of confidence.
As Security Incidents are identified, the Cloud Threat Detection Service provides customers with a Security Incident Report that includes a detailed description of the threat, the identified activity and its impact, combined with a generalized recommendation of suitable Incident Response steps to take for the specific threat.
Typical Incident Report Content
- Estimated Severity
- Activity Summary
- Incident Description
- Incident Response Recommendations
The contents of these reports will significantly increase the client’s ability to take swift and informed steps in the resolution of escalated Security Incidents.
Given that the impact of a security incident is closely tied to the period of time an attacker has until detection and containment, receiving an actionable incident report significantly lowers the client's risk.
The automated emails will have the following ‘From’ address and Subject:
- From: no-reply@cloud-services.ltd
- Subject: Cloud Core Services Security Incident Report
The emailed reports will include a PDF incident report – a sample is attached here:
A history of incident reports that have been emailed is also available as described in the article below, however the actual PDF reports are not available within the Cloud Core Services application:
It is important to note that behavior of the platform is tuned on an ongoing basis to adjust to changes in the threat landscape.
Suppression of Repeat Detections and Flood Detection
If multiple incidents with a specific signature (the combination of Client/Subscription/Tenant, Rule/Signature and Source IP) are detected originating from a single source IP, the system will issue a single report once every 24 hours for 7 days. This ensures the client is not flooded with incident reports repeating the same message over and over again. At the end of the 7-day period, the alerts reset to the state as if nothing had been received yet, meaning that the first detection after 7 days generates a new incident report and begins a new 7-day period of issuing a single report every 24 hours.
Flood detection ensures that email addresses do not get spammed in the case of ongoing detection of the same incident, while still ensuring that the initial instance is reported successfully.
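The suppression rule above is simple enough to state as code. The following added example is an illustrative re-implementation, not NTT's code: the first detection for a signature key (tenant, rule/signature, source IP) is reported immediately and opens a 7-day window; inside that window at most one further report goes out per 24 hours; once the window has elapsed the key is forgotten, so the next detection starts a fresh cycle. It assumes that the 24-hour spacing is measured from the previously emitted report, which the text leaves open. The tenant, rule and IP values in the simulation are constructed.

```python
"""Repeat-detection suppression: one report per 24 hours for 7 days per
signature key, then a full reset. Illustrative re-implementation of the
behaviour described on the page, not NTT's code."""
from dataclasses import dataclass

DAY = 24 * 3600  # seconds


@dataclass
class _KeyState:
    window_start: int  # timestamp that opened the current 7-day period
    last_report: int   # timestamp of the last report emitted for this key


class RepeatSuppressor:
    def __init__(self, report_interval: int = DAY, window: int = 7 * DAY):
        self.report_interval = report_interval
        self.window = window
        self._state: dict[tuple[str, str, str], _KeyState] = {}

    def should_report(self, tenant: str, signature: str, source_ip: str, ts: int) -> bool:
        """Return True if a detection at time `ts` should produce a report."""
        key = (tenant, signature, source_ip)
        st = self._state.get(key)
        if st is None or ts >= st.window_start + self.window:
            # Nothing on record, or the 7-day period has ended: behave as if
            # nothing had been received and open a new period.
            self._state[key] = _KeyState(window_start=ts, last_report=ts)
            return True
        if ts >= st.last_report + self.report_interval:
            # Still inside the window: allow one report per 24 hours
            # (assumption: spacing is measured from the previous report).
            st.last_report = ts
            return True
        return False


def simulate(detections: list[tuple[str, str, str, int]]) -> list[int]:
    """Feed (tenant, signature, source_ip, ts) detections through a fresh
    suppressor and return the timestamps at which reports are emitted."""
    s = RepeatSuppressor()
    return [ts for tenant, sig, ip, ts in detections if s.should_report(tenant, sig, ip, ts)]


if __name__ == "__main__":
    # Constructed scenario: the same signature fires every hour for nine days.
    hourly = [("tenant-A", "RULE-1", "203.0.113.7", h * 3600) for h in range(9 * 24)]
    print([t // 3600 for t in simulate(hourly)])  # report times in hours
```

Running the constructed scenario yields reports at hours 0, 24, 48, 72, 96, 120 and 144 (seven in the first period), then a reset at hour 168 that starts a second period with its next report at hour 192; every other hourly detection is suppressed. A different source IP or rule forms a different key and is tracked independently.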
Security Incident Categorization
The following chart indicates some of the kinds of threats which the service is designed to detect.
- Note that not all of the categories may be relevant to a specific client.
| Categories | Sub-Categories |
|---|---|
| Unauthorized Access | Data exfiltration; Vulnerability exploitation; Cross-site scripting; SQL injection; Host compromised; Evidence tampering; Privilege escalation; Brute force attacks |
| Denial of Service | Application DoS; Volumetric DoS; Application DDoS; Latency measurement; Bandwidth measurement |
| Malicious software | Malware infection; Exploitation attempt; Adware or grayware |
| Improper usage | Instant messaging; Data leakage; Peer-to-peer activity; Policy violation |
| Reconnaissance activity | Network sweep; Host port scan; Network port scans |
| Other | Phishing; Account fraud; Social engineering |
| Anomalies | Network anomaly; Host anomaly; Application anomaly |