A multi-temporal AI architecture powers the Custocy NDR

A new French product enters the race for next-generation network detection and response (NDR) solutions. Called Custocy, it stands out from its competitors through intensive use of artificial intelligence (AI), aimed at avoiding the flood of false positives generated by the classic rule-based approach.

“Artificial Intelligence is a response to the increase in the volume of attacks and to one of the weak points of existing NDRs, false positives”, argues Sébastien Sivignon, CEO of Cyblex Technologies. “While NDRs generate a lot of noise, we wanted to create a tool that is both simple and generates fewer false positives.”

The challenge: detecting weak signals without triggering an avalanche of false positives

For William Ritchie, CTO and former director of artificial intelligence research at the CNRS, AI has only advantages for detection: attackers know the rules of security frameworks as well as CISOs (RSSI) do and can develop bypass techniques. AI-based detection will therefore be much harder to circumvent, because the AI can constantly adapt to attempted attacks.

The other virtue of AI would therefore be to contain the number of false positives. To keep this promise, the start-up worked with LAAS (the CNRS Laboratory for Analysis and Architecture of Systems) to develop an AI that is precise in detection while generating fewer false positives.

“Our approach is to use all sources of information at our disposal to make NDR as relevant as possible in our clients’ cyber ecosystem. You can’t have complete visibility without a SIEM / EDR / NDR mix”.

Sébastien Sivignon, CEO of Cyblex Technologies.

The result of this research is what the company calls multi-temporal AI, whose particularity is to work simultaneously on several different time scales, from a millisecond to several weeks. “The Meta Learner consists of an AI that orchestrates 4 others, each working on a different timescale,” explains the CTO.

He elaborates: “generally, the solutions work at the level of the network flow. We have an AI that works at this level, but on a much lower granularity, on the order of milliseconds. This makes it possible to search for signatures in the arrival time of the packets and to reveal Command & Control type sequences. Another AI works on a minute scale to analyze network flows between IP addresses. And finally, a last one works on the scale of several weeks. This makes it possible to analyze the behavior of a machine and identify a server that would suddenly do BitTorrent on a Sunday…”

The architecture designed by the researchers consists of 3 supervised AIs (millisecond, second and minute) and an unsupervised AI working on a weekly scale. Everything is orchestrated by the Meta-Learner, which retains the important information from these different time scales. The publisher claims that this approach reduced the volume of false positives on its test datasets by a factor of 88 compared with an engine that works only on network flows.
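To make the multi-temporal idea concrete, here is an added toy pipeline in Python; it is not Custocy's code (the company's models are not public) and it is a deliberate simplification. It runs a millisecond-scale inter-arrival regularity check, a minute-scale fan-out count and a week-scale novelty check against a learned baseline, then lets a simple rule stand in for the Meta-Learner; the second-scale model is omitted, and all hosts, traffic, the baseline and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def traffic(src, port, start, gaps, dsts):
    """Constructed packets (t_s, src, dst, dst_port): repeating gap pattern, cycling destinations."""
    pkts, t = [], start
    for i in range(24):
        pkts.append((t, src, dsts[i % len(dsts)], port))
        t += gaps[i % len(gaps)]
    return pkts

PACKETS = (traffic("10.0.0.5", 443, 0.0, [30.0], ["203.0.113.9"])                                   # metronomic 30 s beacon
           + traffic("10.0.0.7", 445, 600.0, [0.5, 2.0, 1.0, 3.5], [f"10.0.1.{i}" for i in range(24)])   # SMB sweep of a subnet
           + traffic("10.0.0.8", 445, 1200.0, [1.0, 3.0, 2.0], [f"10.0.2.{i}" for i in range(10)])       # backup server, usual job
           + traffic("10.0.0.9", 6881, 1800.0, [0.7, 2.4, 1.1], [f"198.51.100.{i}" for i in range(10)]))  # server suddenly on BitTorrent
# Constructed week-scale baseline: the (src, dst_port) pairs each host has used in prior weeks.
BASELINE = {("10.0.0.5", 443), ("10.0.0.7", 445), ("10.0.0.8", 445), ("10.0.0.9", 443)}

def ms_score(times, tol=0.1):
    """Millisecond view: share of inter-arrival gaps within tol of the median gap (beaconing signature)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 5:
        return 0.0
    med = median(gaps)
    return sum(abs(g - med) <= tol * med for g in gaps) / len(gaps)

def minute_score(pkts, fanout=20):
    """Minute view: distinct destinations contacted in the busiest 60 s bucket, relative to fanout."""
    per_bucket = defaultdict(set)
    for t, _, dst, _ in pkts:
        per_bucket[int(t // 60)].add(dst)
    return min(1.0, max(len(s) for s in per_bucket.values()) / fanout)

def week_score(src, pkts):
    """Week view (unsupervised): 1.0 if the host talks on a port absent from its learned baseline."""
    return 1.0 if any((src, port) not in BASELINE for _, _, _, port in pkts) else 0.0
def meta_learner(scores):
    """Stand-in orchestrator: alert on one strong signal, or on two moderate ones from different timescales."""
    return sum(v >= 0.9 for v in scores.values()) >= 1 or sum(v >= 0.5 for v in scores.values()) >= 2

def analyse(packets=PACKETS):
    """Return {src: (scores, alert)}; a flow-only engine alerting on minute >= 0.5 would also flag 10.0.0.8."""
    by_src = defaultdict(list)
    for p in sorted(packets):
        by_src[p[1]].append(p)
    result = {}
    for src, pk in by_src.items():
        scores = {"ms": ms_score([p[0] for p in pk]), "minute": minute_score(pk), "week": week_score(src, pk)}
        result[src] = (scores, meta_learner(scores))
    return result
```

On the constructed capture the beacon, the sweep and the BitTorrent server are raised, while the backup server, whose fan-out alone would trip a flow-only engine, is retained but not raised.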

A hybrid technical architecture

Technically, a probe installed on the company’s network feeds a back-end deployed on AWS. The hyperscaler was chosen for its ability to host Custocy’s AIs. “The first demonstration was carried out last September and the solution is now ready to be deployed for each customer”, assures the CTO. “The philosophy adopted is that each customer’s data feeds a separate data lake and that there is no pooling of this data to conduct AI training. Nevertheless, we master the technology to do federated learning; we tested it. If the approach interests our customers, we can put this capability in our roadmap”.

Architectural diagram for implementing the Custocy solution.

While the choice of an American cloud provider to host the NDR data may raise questions for some customers, Sébastien Sivignon specifies that only metadata is transferred to the cloud and that all network processing remains on the customer’s side. “We were at an impasse with the on-premises approach,” he explains. “The choice of AWS was the result of a technical analysis and the availability of the services we needed. As soon as other sovereign Cloud providers like OVHcloud offer the same types of services, then we will be able to offer a multi-Cloud offer”.

In addition to the data gleaned by the network probe, the NDR can ingest third-party data. The publisher already has integrations for the Suricata IDS and OpenCTI. Threat intelligence data is integrated at the Meta-Learner level.

Diagram of a Custocy analysis architecture
Custocy’s analysis architecture is based on 3 supervised AI models and an unsupervised AI that work on three different time scales, all orchestrated by the Meta-Learner, a component that can also be fed with third-party data.

Finally, in addition to the learned AI models, whitelisting can be applied at several levels to stop reporting alerts on a given type of behavior for a specific machine. Sébastien Sivignon adds: “we are not looking to go into the field of XDRs, but to provide an NDR brick that is complementary to EDRs, which will focus on the network and exploit multiple sources, in particular to detect the lateral movements of attackers”.

An NDR for SMEs and mid-sized companies (ETIs)

The solution is designed for SMEs and ETIs with between 500 and 8,000, or even 10,000, IP addresses. The publisher targets ETIs directly, but is also deploying an indirect model via managed security service providers (MSSPs) looking for an NDR to enrich their managed SOC offerings.

The publisher is working on connecting its NDR to a partner’s SIEM in order to enrich the data made available to analysts. Another project concerns integrating the NDR with an MSSP’s XDR.

However, Cyblex Technologies does not seem intent on competing with Thales or Gatewatcher for operators of vital importance (OIV) that require ANSSI-qualified probes: “An ANSSI certification seems important to us, in particular to gain confidence on the French market”, explains Sébastien Sivignon, “we are aiming for CSPN certification by the end of 2023”.

The qualification process is considered far too cumbersome for a start-up still in its launch phase. Cyblex Technologies now has 14 people, 30% of whom are PhD holders or doctoral students. The publisher hopes for “controlled” growth in France in 2023.

The solution is being deployed with a first customer. It was also selected by the Swiss acceleration program Tech4Trust, which should help the start-up gain in maturity and, in parallel, open up the Swiss market.
