Prevalent is the only multi-tiered solution approved by the government to manage dispersed Trusted Cyber Sensors (TCSs) from multiple vendors using a simple-to-use web interface. With Prevalent, you can create and publish custom rulesets to help monitor your network traffic, centrally distribute rulesets to managed devices, and collect alerts from each TCS for corrective action.
In 2016, a new capability was approved that makes it possible for the Intelligence Community and the DoD to share, manage, and implement classified indicators on networks. This provides decision makers and operational commanders with a strategic advantage by enabling them to use previously inaccessible indicators in order to have a more informed understanding of adversarial cyber operations that may impact their missions.
What makes the sharing of these high-value indicators possible is the Trusted Cyber Sensor (TCS). TCSs are Type-1 HAIPE® encryption devices that have additional intrusion detection/prevention capabilities. Prevalent is a manager for distributing signatures to the TCSs, as well as funneling the alerts back to a central server for analysis. Prevalent removes the barrier to entry associated with the management of the TCS devices by simplifying the enterprise distribution, modification, and deployment of signatures to the TCS.
How Prevalent Handles Ingest
All alerts generated by the sensors (such as a Snort system or a TCS) are passed into the "right brain" where the data is normalized, enriched, and processed by the streaming analytics engine. Once the data is enriched, it will be sent for processing of statistical primitives, streaming analytics such as automated domain generation detection, K-Means variation, beacon analysis, and visualizing IP addresses using Hilbert Space filling curves.
Next, the enriched alerts are sent to a local Elasticsearch database, and optionally forwarded to an existing SIEM at the site such as Splunk. With large deployments, there may be a need for aggregate metrics about alerts, without the full data in the alert, so a metrics server can be configured to receive such data.
Prevalent User Interface
The user interface for Prevalent is a simple web page that makes it easy to manage a number of different devices and other Prevalent systems. This is important because each sensor requires different training and experience, so providing a single interface reduces training time and increases the speed of deploying new signatures across an enterprise with multiple vendors.
The web interface allows an analyst to easily view and edit signatures before distributing them out.
Prevalent provides syntax highlighting, the ability to temporarily add and remove rules for a single deployment, and the ability to quickly inspect exactly what rules are going to be placed on a sensor prior to doing so.
If you would like more information or would like to see a demonstration of the technology, contact us.