FAQ about Jigsaw MSS and our JTMM Model
Is your sensor product signature based?
Our sensor product uses Jigsaw Security Threat Intelligence, heuristic detection, anomaly detection and plugins that allow the sensor to be expanded for a particular use case. In short, yes and no: while we have IOC data in the sensor to monitor commodity malware, our heuristic detection and analytics also run on the sensor to find single-use malware, APT malware that has never been used before, and new emerging threats.
While we have a signature-based element, the most valuable feature of our sensor is that it will find never-before-seen malware using several state-of-the-art detection methods.
As you can see from the image above, our Threat Intelligence is provided using MISP, which is fed into the FirstWatch sensors; network security personnel can add and remove indicators themselves, or you can allow the Jigsaw Security SOC to manage the signatures for you.
Each customer has the ability to customize the information we provide to them on their local Threat Intelligence server (if they have our Jigsaw Threat Analytic Platform), giving our customers full control over what the sensors monitor.
How does your sensor product monitor the network?
Our sensor monitors the network by looking at DNS traffic. In addition we also provide a monitoring port that can be connected to a span port. In this configuration the sensor will monitor traffic going past the sensor's physical location on your network.
So in short there are 2 methods: DNS and span port monitoring.
See the image above to see how the DNS RPZ sensor feature keeps your users safe by denying your workstations access to known malicious domains and websites, servers and other Internet-based resources.
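The following is an added illustration of the mechanism described above, not code from Jigsaw Security, Maltrail or MISP: it takes a constructed MISP-style JSON attribute export, keeps only the actionable domain indicators, writes them out as a DNS Response Policy Zone (RPZ) in the standard syntax understood by BIND and other resolvers (a `CNAME .` rule returns NXDOMAIN), and mimics the resolver's lookup so you can check which query names the zone would deny. The export contents, the zone origin `rpz.local` and the SOA values are assumptions made for the example.

```python
"""Turn MISP-style domain indicators into a DNS Response Policy Zone (RPZ).

Added illustration, not Jigsaw Security's, Maltrail's or MISP's own code.
Only the 'type', 'value' and 'to_ids' fields of a MISP attribute are used.
RPZ semantics used: 'name CNAME .' => NXDOMAIN for that name, and
'*.name CNAME .' => NXDOMAIN for everything below it.
"""
import json
import re

# Constructed sample export, shaped like MISP's JSON attribute output (not real data).
SAMPLE_MISP_EXPORT = json.dumps({
    "response": {"Attribute": [
        {"type": "domain",   "value": "malware-c2.example",  "to_ids": True},
        {"type": "hostname", "value": "drop.phish.example",  "to_ids": True},
        {"type": "domain",   "value": "MALWARE-C2.example.", "to_ids": True},   # duplicate, different case
        {"type": "domain",   "value": "research.example",    "to_ids": False},  # context only, not for blocking
        {"type": "ip-dst",   "value": "203.0.113.9",         "to_ids": True},   # not a domain: ignored here
        {"type": "domain",   "value": "bad host.example",    "to_ids": True},   # malformed: rejected
    ]}
})

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """Syntactic check so a bad indicator cannot break the zone file."""
    labels = name.split(".")
    return len(labels) > 1 and len(name) <= 253 and all(_LABEL.match(l) for l in labels)


def blocklist_from_misp(export_json):
    """Return the sorted, de-duplicated domains that should be denied."""
    data = json.loads(export_json)
    out = set()
    for attr in data["response"]["Attribute"]:
        # to_ids is MISP's flag that an attribute is meant for detection/blocking
        if attr.get("type") not in ("domain", "hostname") or not attr.get("to_ids"):
            continue
        name = attr["value"].strip().lower().rstrip(".")
        if valid_domain(name):
            out.add(name)
    return sorted(out)


def rpz_zone(domains, origin="rpz.local", serial=1):
    """Render the blocklist as an RPZ zone file (origin and SOA values assumed)."""
    lines = [
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. ({serial} 3600 900 604800 60)",
        "  IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")     # the domain itself -> NXDOMAIN
        lines.append(f"*.{d} CNAME .")   # every name below it -> NXDOMAIN
    return "\n".join(lines) + "\n"


def rpz_verdict(qname, domains):
    """Mimic the resolver: deny if the query name or any parent is in the zone."""
    labels = qname.lower().rstrip(".").split(".")
    blocked = set(domains)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return "NXDOMAIN"
    return "ALLOW"


if __name__ == "__main__":
    domains = blocklist_from_misp(SAMPLE_MISP_EXPORT)
    print(rpz_zone(domains))
    for q in ("cdn.malware-c2.example.", "drop.phish.example", "www.example.org"):
        print(q, "->", rpz_verdict(q, domains))
```

The `to_ids` filter matters in practice: MISP events routinely carry contextual attributes (a researcher's domain, a victim's own infrastructure) that must never reach a blocking zone, and a malformed value would otherwise cause the resolver to reject the whole zone load.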
What modules are installed on the Jigsaw FirstWatch sensor?
The Jigsaw FirstWatch sensor detects scanning activity, mass scans, anonymous attackers using proxy servers or Tor (for example), service attackers, malware (through signatures and heuristic detection), suspicious domain lookups, suspicious IP lookups and site access, suspicious file downloads (if using a span port), suspicious HTTP requests (if using a span port), port scanning activity, DNS resource exhaustion, data leakage and more. Modules are added frequently.
Our sensor is based on the open source sensor product Maltrail, which has been greatly expanded with new modules and features not available in the open source project. Our development team has integrated the following Jigsaw Security products with the sensor and bundled the solution as our commercial sensor product: the Jigsaw Analytic Platform provides data analysis on sensor activity; Jigsaw Threat Intelligence provides threat intelligence information and tells the sensor what to look for; and the Jigsaw Security My Alerts dashboard in the Jigsaw Analytic Platform allows your SOC to monitor all of your customers' sensors and see what activity needs to be addressed at each customer site.
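Two of the behaviours listed above, port scanning (one source touching many ports on one host) and mass scanning (one source touching one port on many hosts), can be modelled with a simple sliding-window heuristic. The code below is an added example written for this page, not Jigsaw's or Maltrail's detection logic; the flow records, the 60-second window and the thresholds are constructed assumptions, and the slow scanner in the sample data shows the classic blind spot of a windowed count.

```python
"""Windowed heuristic scan detection over flow records.

Added illustration, not Jigsaw Security's or Maltrail's code.  Input records
are constructed "epoch src dst dport" lines; window and thresholds are assumed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumed sliding window per source
PORT_SCAN_THRESHOLD = 15   # distinct ports on one destination within the window
MASS_SCAN_THRESHOLD = 20   # distinct destinations on one port within the window


def _build_sample_flows():
    """Constructed traffic: a fast port scan, a mass scan, a slow scan, and normal traffic."""
    flows = []
    flows += [(100 + i, "198.51.100.7", "10.0.0.5", 1 + i) for i in range(20)]          # fast port scan
    flows += [(200 + i, "198.51.100.8", f"10.0.1.{1 + i}", 445) for i in range(25)]      # mass scan on 445
    flows += [(i * 100, "198.51.100.9", "10.0.0.5", 1 + i) for i in range(20)]           # slow scan, 100 s apart
    flows += [(50 + i * 10, "10.0.0.20", "10.0.0.5" if i % 2 else "10.0.0.6",
               443 if i % 2 else 53) for i in range(30)]                                  # benign client
    return sorted(flows)


SAMPLE_FLOWS = [f"{ts} {src} {dst} {dport}" for ts, src, dst, dport in _build_sample_flows()]


class ScanDetector:
    def __init__(self, window=WINDOW_SECONDS,
                 port_thr=PORT_SCAN_THRESHOLD, host_thr=MASS_SCAN_THRESHOLD):
        self.window, self.port_thr, self.host_thr = window, port_thr, host_thr
        self.events = defaultdict(deque)   # src -> deque of (ts, dst, dport) inside the window
        self.alerted = set()               # suppress repeat alerts for the same (src, kind, key)

    def feed(self, ts, src, dst, dport):
        """Ingest one flow (timestamps per source must be non-decreasing); return new alerts."""
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.window:
            q.popleft()                    # drop events that fell out of the window

        ports_by_dst, dsts_by_port = defaultdict(set), defaultdict(set)
        for _, d, p in q:
            ports_by_dst[d].add(p)
            dsts_by_port[p].add(d)

        alerts = []
        for d, ports in ports_by_dst.items():
            key = (src, "port_scan", d)
            if len(ports) >= self.port_thr and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(("port_scan", src, d, len(ports)))
        for p, dsts in dsts_by_port.items():
            key = (src, "mass_scan", p)
            if len(dsts) >= self.host_thr and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(("mass_scan", src, p, len(dsts)))
        return alerts


def detect_scans(flow_lines):
    """Run the detector over text flow records and collect every alert raised."""
    det, out = ScanDetector(), []
    for line in flow_lines:
        ts, src, dst, dport = line.split()
        out.extend(det.feed(int(ts), src, dst, int(dport)))
    return out


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The slow scanner (198.51.100.9) never trips either threshold because only one of its probes is ever inside the window; that is exactly the gap a signature or per-source long-term counter has to cover, which is why a sensor combines several methods rather than relying on one heuristic.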
What technology is in use on the Jigsaw Analytic Platform?
In order to provide the best possible analytics available, Jigsaw Security has developed and deployed our Jigsaw Analytic Platform, which is a highly customized version of Elasticsearch. Our product incorporates TensorFlow and several other technologies that improve our accuracy in detecting activity that is of interest to security analysts.
The overall capabilities realized through TensorFlow include lower false positive rates, improved detection of never before seen threats, the ability to customize what the platform looks for in network traffic as well as statistical modeling based on monitored data.
Our platform's search engine is based on Elasticsearch, which allows analysts to search massive amounts of data quickly and to realize the benefits of the platform sooner.
We have been continually updating our software since Elasticsearch version 2 and are currently on a later release of Elasticsearch 5. Some security issues in the latest version of Elasticsearch have kept us from upgrading to the newest releases; once these security issues are resolved, we will port to the latest version.
Apache NiFi and Logstash - Ingest
Ingest is handled by Apache NiFi and Logstash. We have also implemented a method of ingesting US Government intelligence products and have software installed that can take raw intelligence products directly from existing US-based intelligence products.
In addition, we have implemented a full document indexing solution that will parse over 190 types of documents, which is highly useful in intelligence applications.
Additional Software and Search All Feature
Virtually any type of file may be ingested into the Jigsaw Analytic Platform, and we have built in a mass search capability that searches all indexes. This is useful for looking through various types of data for keywords, with all results displayed in a single results window. Using this method, security engineers can search IRC, Pastebin, Internet forums, Twitter or other sources all in one location.
Alerting on Items of Interest
The Jigsaw Analytic Platform has the capability to alert users to terms, keywords or content that are of importance to the security staff. This alerting capability analyzes the ingest stream of data and alerts the operator to new information that is related to an ongoing investigation or security incident.
Below is an example of event tracking from our Threat Intelligence. The system can be configured to monitor an unlimited number of persons, places, things or objects that may show up in your data stream and be of importance. Alerting happens within 5-10 seconds of ingest, giving a unique capability to find new, relevant information in near real time.
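As an added example of the watchlist alerting described above (written for this page, not the Jigsaw Analytic Platform's code), the block below checks each record arriving from ingest against a watchlist whose entries are tied to an investigation. Phrase entries (a person or organisation name) match case-insensitively at word boundaries with whitespace normalised; indicator entries (a hostname) match only as a whole token, so a look-alike host containing the indicator as a substring does not fire. The records, watch terms and case ids are all constructed.

```python
"""Watchlist alerting over an ingest stream.

Added illustration, not the Jigsaw Analytic Platform's code.  Records, watch
terms and case identifiers are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WatchItem:
    term: str             # person, place, thing or indicator to watch for
    case_id: str          # investigation the term belongs to (constructed id)
    exact: bool = False   # True: whole-token match (hostnames, hashes); False: phrase match


class Watchlist:
    def __init__(self, items):
        self.items = list(items)
        # Compile once.  Phrases use \b word boundaries; exact tokens must not be
        # glued to [\w.-] on either side, so "fake-login.x" does not match "login.x".
        self._patterns = []
        for it in self.items:
            if it.exact:
                pat = re.compile(r"(?<![\w.-])" + re.escape(it.term) + r"(?![\w.-])", re.I)
            else:
                pat = re.compile(r"\b" + re.escape(it.term) + r"\b", re.I)
            self._patterns.append((pat, it))

    def scan(self, record):
        """Return the alerts raised by one ingested record ({'id', 'source', 'text'})."""
        hay = re.sub(r"\s+", " ", record["text"])   # collapse runs of whitespace
        alerts = []
        for pat, it in self._patterns:
            if pat.search(hay):
                alerts.append({"case_id": it.case_id, "term": it.term,
                               "source": record["source"], "record_id": record["id"]})
        return alerts


def run_stream(records, watchlist):
    """Apply the watchlist to every record in arrival order and collect the alerts."""
    out = []
    for rec in records:
        out.extend(watchlist.scan(rec))
    return out


# Constructed watchlist: two terms for one case, one for another.
SAMPLE_WATCHLIST = [
    WatchItem("Acme Widgets", "CASE-0001"),
    WatchItem("login.acme-widgets.example", "CASE-0001", exact=True),
    WatchItem("J. Doe", "CASE-0002"),
]

# Constructed ingest records in arrival order.
SAMPLE_STREAM = [
    {"id": 1, "source": "pastebin", "text": "dump from ACME   widgets hr share"},
    {"id": 2, "source": "irc",      "text": "anyone got creds for login.acme-widgets.example ?"},
    {"id": 3, "source": "twitter",  "text": "loving my new acme widgets toaster"},   # hit; analyst triages
    {"id": 4, "source": "irc",      "text": "fake-login.acme-widgets.example is up"},  # look-alike: no hit
    {"id": 5, "source": "forum",    "text": "J. Doe posted the schematics"},
]


if __name__ == "__main__":
    for alert in run_stream(SAMPLE_STREAM, Watchlist(SAMPLE_WATCHLIST)):
        print(alert)
```

Record 3 shows why the alert carries the case id and source rather than a verdict: a term hit on a public tweet is still delivered to the operator, who decides whether it belongs to the investigation.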
Where does your intelligence information come from?
Jigsaw Security has been collecting cyber threat information since 2008. Over the last 10 years we have formed relationships with many organizations, some of which are listed below. By partnering with those that have data and providing our data back, we can better protect our customers and show a larger benefit to the security community.
Jigsaw Security participates in the DHS AIS program, sharing indicators with over 100 other organizations that need to protect their critical infrastructure. In addition we are partnered with several ISACs, including ICS-ISAC, to protect IoT and ICS devices.
Some of our contributors remain anonymous, and in many cases our customers share threat intelligence back with us to improve visibility into what is occurring in cyberspace.
In addition to threat sharing agreements, we also operate over 400 sensors that are placed in very strategic locations on the Internet and in some of our customer networks. We monitor things like Amazon S3 buckets, commercial product sensor feeds, third party sensors and more.
While we do not directly use threat feeds to obtain intelligence, we do use threat feeds as a reference to see what is being detected and what is being missed by the industry. It is our estimate that our competition typically misses 30% of the threats that we discover using our big data analytics, sensors and other intelligence methods. The reason we don't use threat feeds is that a high number of false positives are published without any verification of the accuracy of the data being shared.
Do you have any other intelligence capabilities?
Jigsaw Security monitors a large amount of open and closed source data, including IRC chat, Pastebin, Twitter and social media posts. Our OSINT-X product brings open source data into our Jigsaw Analytic Platform, which gives us greater visibility and situational awareness in the security space.
Why do you use MISP for your Threat Intelligence library?
MISP is a highly flexible product for collecting, disseminating and formatting threat intelligence information. In addition, it is used to format relevant threats into output formats that sensors, firewalls, proxy servers and other security products can easily consume to protect your networks and computing platforms.
Are you using the Open Source MISP product?
Yes and no. While we have not changed the core open source product, we have implemented functions in the product that are not available in the open source version. The open source version is fully compatible with all of our products.
It is common for us to send threat intelligence data directly to a subscriber's on-site MISP instance. Jigsaw Security can install a MISP instance for you and connect you to our worldwide network of contributors.
Software and Security Tools Development
Jigsaw Security can create your big data, Windows-based or Python-based security applications. Our development team has years of experience in creating customized applications for our customers. This rapid application (Agile) development ensures that customers can adequately protect their own customers from attack.
Our developers are highly trained at creating customized plugins and applications. We have created endpoint protection products as well as network security and physical security software to keep our customers safe.
Development is available at low rates and is conducted solely in-house at Jigsaw Security's Norfolk office.
What is the Jigsaw Threat Mitigation Model?
In 2018, Jigsaw Security started working on a model that would incorporate elements of some of the other standards and models that we are frequently asked to use when doing security work. In analyzing the models typically used to secure networks, we realized that we needed a model that could be applied across the physical, cyber and human element spaces. We subsequently applied for a service mark to cover the use of the model.
The areas addressed in our model are outlined below.
In addition, our model was designed to work alongside the DHS CDM model and NIST. By incorporating these popular models and expanding on them to cover their gaps, we can ensure a consistent method of securing our own networks and the networks of our customers.
Do you cover CDM?
Jigsaw Security incorporated the DHS CDM continual monitoring goal into our JTMM model. This ensures that we can provide a higher level of protection and detection when managing or monitoring our customers' networks. While not conducted in the same manner, our model incorporates the phases of the CDM into how we protect our customers.
What services are provided by Jigsaw Managed Security?
Jigsaw Managed Security provides the following services:
Threat Intelligence Feeds and Management
Proxy, Firewall and Security Device Management and Monitoring
24x7 Security Operations and Incident Response Coverage
Cyber Security Insurance (provided by a third party)
Network and Computer Forensics
Legal Support through Forensics and Cyber Issue Response
Proprietary Intellectual Property Leak Monitoring
Credential Leak Monitoring
Security Briefings and Customer Forums
These are the typical areas we have focused on in the MSS space. It should be noted that many MSS providers utilize our software and products to protect their customers. By utilizing a system that was purpose-built to protect large numbers of customers, MSS providers can realize higher effectiveness in keeping their customers safe.
The Service Problem - Please Read
Because our active defenses are highly effective, many MSS customers complain that we cut into their incident response business. There is a problem within the MSS market whereby MSS providers are paid when an incident is responded to; we prefer to be paid based on metrics of what we have prevented in a customer's network. MSS providers should be rewarded for preventing attacks, not for cleaning up ones that have been successful. It's our way of thinking, and we are fighting to get other MSS providers to look at it and bill their customers based on their successes, not their failures.
Do you provide managed security?
We provide managed security through the use of hosted DNS and our sensor technology. We can proactively stop 99.95% of all attackers with our technology. While not 100% perfect, we believe our solution is as close as you can get without seriously disrupting your day-to-day operations.
Our managed security offerings can be customized to work alongside your existing technologies and are cheaper than most other providers' threat intelligence data. In short, we provide you with the tools to actively stop attacks for a fraction of the price of our competitors, and we stand behind our solutions.
What does a managed security offering cost?
That really depends on your size. In most cases we can provide our entire portfolio of protection products for under $100,000 per year for large enterprises. Small businesses can get solutions starting at just a few thousand dollars per year. We base our fees on the support and amount of resources required to effectively protect our clients. In short, you pay for your usage, and we are very flexible, so we are sure to have a solution that will fit your overall security budget and needs. Most mid-sized companies choose to have Jigsaw Security monitor their networks for them, since it is typically cheaper than the salaries of an in-house security team.