Intro
90%
of companies have a shortage of information security professionals71%
of non-tolerable events can be realized by threat actors within one month100%
of corporate infrastructures can be hijacked by internal malicious actors93%
of network perimeters can be penetrated, allowing threat actors to gain access to the local network
02
Positive Technologies metaproducts
Help companies build result-driven cybersecurity and deliver comprehensive automated protection with minimal human involvement. Bring together Positive Technologies products and maintain control over the security of IT infrastructure and business processes by dynamically determining attack vectors and capabilities, stopping intrusions before irreparable harm is done to the company.
MaxPatrol O2
Attack prevention
Automatically detects and stops attacks before the company suffers unacceptable damage.
Already available
MaxPatrol Carbon*
Total protection
Keeps IT infrastructure and business processes secure. Provides recommendations for maintaining the optimal level of security to prevent non-tolerable events.
* Commercial version scheduled for release in 2024.
MaxPatrol 1-2-3**
Automated protection
Automatically orchestrates the security infrastructure and keeps it ready to repel hacker attacks.
** MVP scheduled for release in 2024.
03
MaxPatrol O2 overview
The MaxPatrol O2 metaproduct detects attackers, identifies breached assets, predicts attack scenarios based on company-specific non-tolerable events, and stops attacks before irreparable damage is done.
Result-driven
Rules out non-tolerable events for business.Automates SOC activities
Reduces the human factor in detection, investigation, and incident response processes, and automates routine actions.Knows how attackers operate
Utilizes Positive Technologies' unique expertise gained from regular cyberexercises (including Standoff), and bug bounty programs (including Positive dream hunting).
Metaproducts form a new class of solutions
04
What's the concept of metaproducts, and why can't they be classified as SIEM/SOAR/XDR? We explore autopilot mechanisms for result-driven cybersecurity in conversation with a Positive Technologies expert.
Key features
05
Models potential attacker actions
- Predicts the non-tolerable events that suspicious activity may lead to and how many steps are left until risks are realized.
- Prediction is based on:
- Network reachability of hosts: routing, access lists, NAT rules
- Account permissions for remote login
- RCE vulnerabilities on hosts
- Remote login opportunities through VPN
- Read access to lsass.exe process memory
Detects hacker activity chains
- Analyzes data from Positive Technologies sensors in the metaproduct and demarcates attacking, targeted, and captured resources.
- Correlates resources to build activity chains informed by knowledge of threat actor TPPs.
- Each chain contains a visualization of the attackers' path, plus a prediction of where they will move next.
Automates investigations
- Uses data from Positive Technologies sensors to build the full attack context and conduct an investigation.
- Obtains enrichment of the following activities:
- Process startup: process -> session -> user
- Remote login: RDP, SMB, WMI
- Movement in the infrastructure: IP -> IP
- VPN session creation: client IP -> external IP + username
Assesses threat severity
- MaxPatrol O2 views captured resources and assesses the proximity of a non-tolerable event.
Upon receiving this information, the system escalates attack chain status to "Attention required" before stopping the hacker or prompting the operator to make a decision. - The threat severity assessment algorithm continues to improve thanks to regular Positive Technologies cyberexercises and the contributions of Standoff 365 Bug Bounty participants.
Stops attackers
- Considers risks to business processes and suggests the optimal response scenario.
The scenario can be implemented automatically or manually if adjustments are needed. - Possible response actions:
- Lock account: in the domain or locally, in Windows, Linux, or Mac.
- Block IP address in the firewall: incoming/outgoing traffic.
- Isolate host on the network.
- Stop running process.
- Revoke OpenVPN token.
- Delete email message.
How the metaproduct works
06
- Based on the network topology and reachability of hosts, MaxPatrol O2 factors in vulnerability intelligence and models ways in which non-tolerable events might be realized. If risks haven't been identified in advance, the system calculates the attack vectors to the most critical hosts in the infrastructure.
- MaxPatrol O2 analyzes sensor triggerings and identifies captured, targeted, and attacking resources, such as accounts, hosts, sessions, processes, files, and emails.
- To assemble an in-depth chain of attacker activity, MaxPatrol O2 queries the relevant sensors for intelligence to build the full attack context, prioritize chains, and decide how to respond.
- MaxPatrol O2 analyzes the data and correctly links new sensor triggerings with activity chains already in the system. If none of the existing activity chains can be extended with the new data, MaxPatrol O2 creates a new chain to link the triggering received from the sensor.
- Based on data from the threat prediction module, MaxPatrol O2 assesses the severity level of the attack chain. If it exceeds the threshold value, the system switches the chain to the "Attention required" status and prompts the operator to select response measures.
- MaxPatrol O2 provides the operator with response options for each resource type to stop the hacker and regain control of the captured resources. All that remains for the operator is to verify the chain and accept the proposed response scenario designed to minimize the impact on the company's critical business processes.
MaxPatrol O2 benefits
No niche skills required
For the metaproduct to work effectively, it's enough to have an operations analyst and expert in system administration and maintenance.Lowers the threshold of entry to the world of result-driven cybersecurity
Enables companies to address result-driven cybersecurity issues without the need to hire additional experts or automate SOC processes.Replaces manual investigation
Automates the investigation process by providing the operator with ready chains of attacker activity with full context.Detects advanced targeted attacks
MaxPatrol O2 links all attacker actions into one chain, while traditional solutions create independent incidents within the framework of the targeted attack.Considers non-tolerable events
Predicts the attackers' path before they can realize a non-tolerable event. Determines the threat level based on the attackers' proximity to the target system. Adapts to evolving business risks in ever-changing corporate infrastructures.Knocks out hackers in an instant
Thanks to PT XDR agents located in the corporate infrastructure, MaxPatrol O2 responds in seconds, preventing the realization of non-tolerable events.Positive Technologies ecosystem
Brings together Positive Technologies products that function as sensors, exchange knowledge, and provide comprehensive IT system protection with minimal human involvement.Positive Technologies expertise
Regularly updated with new methods for modeling attack vectors, improved algorithms for incident linking and enrichment, and automated response actions.Single-window operation
The operator doesn't need separate products to detect traces of intrusion and investigate incidents. The system does this automatically by building activity chains and querying Positive Technologies sensors for further attack context.Domestic solution
The MaxPatrol O2 product suite is made entirely in Russia, included in the Register of Russian Software, and certified by the Federal Service for Technical and Export Control (FSTEC) of Russia (certification for PT MultiScanner is currently in progress).Suitable for all infrastructures
Protects corporate infrastructures and meets the demands of all industrial sectors: energy, transportation, metals, manufacturing, medicine, and utilities. The suite includes solutions specially designed for ICS (SCADA) network hosts.Interfaces with any system
During implementation of the metaproduct, Positive Technologies experts will connect any business and IT systems, including custom and in-house systems related to target or key sources.
Interaction scheme
08
Get in touch
Fill in the form and our specialists
will contact you shortly
will contact you shortly