The Cytomic Orion solution integrates osquery as an investigation tool and extends its behavioral detection capabilities by following MITRE ATT&CK on Linux.

Cytomic, a leader in prevention, detection, and response endpoint security, today announced the release of a new version of Cytomic Orion that extends its core functionality with osquery, enabling organizations to ask questions about system entities, attributes, and states across all of their endpoints. It also broadens its coverage of the MITRE ATT&CK framework by delivering new behavior-based threat intelligence to customers for Linux endpoints and servers.

These new capabilities augment the existing ones in the Cytomic Platform, allowing real-time remediation actions to be taken from the cloud and simplifying day-to-day detection and investigation, all from a single agent.

With Cytomic Orion, security teams can perform behavior-based detections, carry out in-depth investigations, take remote remediation actions from the cloud, and accelerate threat hunting over a data lake holding 365 days of endpoint telemetry. Cytomic Covalent gives customers and MSSPs a consolidated, cloud-native security stack that bridges security administration and cybersecurity operations by combining Cytomic EPDR with Cytomic Orion.

osquery accelerates the threat hunting and investigation processes

According to Maria Campos, VP of Cytomic: “There is a gap in security platforms, which lack the ability to make real-time inquiries across the entire endpoint fleet. By leveraging osquery, the open-source tool used by hundreds of the largest enterprises, we are filling this gap, delivering, with the newest version of Cytomic Orion, the most complete security platform, which combines advanced prevention, detection, response, and cybersecurity operations.”

“The osquery capability enables threat hunters and incident response (IR) teams to remotely acquire key investigation and forensic data that normally would require additional effort,” said Iratxe Vazquez, Cytomic Orion Product Manager. “It allows cybersecurity operational teams to accelerate the investigation and response by quickly discovering threat actors by answering questions across their entire fleet of endpoints and determining the root cause of an incident.”
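As an added illustration, not part of the original announcement and not Cytomic's own content, the following shows the kind of fleet-wide questions a hunter asks through osquery on Linux endpoints, written in osquery's SQL dialect. The table and column names (processes, users, process_open_sockets, crontab, on_disk) are osquery's standard schema; the directory paths and the download-tool patterns are assumptions chosen for the example. Each query targets a behavior that the ATT&CK-style indicators described on this page are meant to surface: execution from a deleted binary, execution out of temporary directories with an outbound connection, and cron-based persistence.

```sql
-- Added example (not Cytomic's code): osquery hunting queries for Linux.
-- Table/column names are osquery's standard schema; paths and patterns
-- below are illustrative assumptions.

-- 1. Running processes whose executable has been deleted from disk.
--    on_disk = 0 means osquery could not find the binary at its path,
--    a classic sign of an unpacked-and-deleted payload.
SELECT p.pid, p.name, p.path, p.cmdline, u.username
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
WHERE p.on_disk = 0;

-- 2. Processes executing from world-writable/temporary directories that
--    also hold a connection to a non-local remote address.
SELECT p.pid, p.name, p.path, p.cmdline, s.remote_address, s.remote_port
FROM processes AS p
JOIN process_open_sockets AS s ON p.pid = s.pid
WHERE (p.path LIKE '/tmp/%'
       OR p.path LIKE '/var/tmp/%'
       OR p.path LIKE '/dev/shm/%')
  AND s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::', '::1');

-- 3. Cron entries that fetch content from the network, a common
--    persistence and staging pattern on Linux hosts.
SELECT path, command
FROM crontab
WHERE command LIKE '%curl %'
   OR command LIKE '%wget %';
```

Run individually with osqueryi on one host, or distribute them as scheduled or ad-hoc queries across the fleet; the value of a platform like the one described here is that the same query is answered by every endpoint and the results land in one place for correlation with the 365-day telemetry.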

MITRE ATT&CK framework for Linux

Along with the increased capabilities provided by the osquery integration, the new version of Cytomic Orion adds new sources of behavior-based threat intelligence mapped to the MITRE ATT&CK framework that improve threat actor detection on Linux servers and endpoints.

Cytomic Orion’s MITRE ATT&CK threat intelligence combines 365 days of enriched, unfiltered endpoint telemetry with a robust collection of adversary techniques to simplify threat detection and threat hunting.

The new indicators triggered by this threat intelligence are mapped directly to the attack techniques that MITRE catalogs for the Linux platform. They extend the existing behavior-based threat intelligence for Windows, which is likewise mapped to the MITRE ATT&CK framework.


Figure 1. MITRE ATT&CK framework implementation as of July 2020. The Cytomic cybersecurity team works to continually extend the platform with new threat intelligence feeds, including behavior-based TI for every supported endpoint platform and version.

“By extending the ATT&CK threat intelligence feeds in Cytomic Orion, organizations now have unfiltered visibility into all endpoint activity viewed through the lens of attack building blocks and behaviors noted by MITRE. We believe this results in a more comprehensive understanding of cyber incidents and allows security professionals to quickly gain threat hunting capabilities,” said Iratxe Vazquez.

About Cytomic Orion version 2.08

Cytomic Orion version 2.08, generally available to customers and partners from July 8, 2020, includes usability improvements in the management of investigations, as well as improvements to the Cytomic Orion API for better integration with the tools and platforms of SOCs, MSSPs and MDR providers.