
WatchEagle Detection & Response

A proprietary platform for cyber attack detection

SBL Cyber Monitoring uses its own developed WatchEagle Detection & Response platform to implement its Managed Detection & Response services.


The WatchEagle Detection & Response platform is built on what we call an agent framework. The idea is that the functionality needed for security monitoring is broken down into discrete tasks, each performed by an agent; the agents then cooperate to deliver a complete function. The agent framework is essentially a real-time, distributed data-processing environment in which independent agents work together to solve complex problems piece by piece.

As the basis for detecting cyber incidents, SBL takes its inspiration from the so-called Mitre Attack Framework. In the Mitre Attack Framework, a cyber attack is broken down into successive steps, from reconnaissance of the attack surface and initial access through to reaching the objective (stealing data or triggering ransomware).

Each step describes exactly how the attack proceeds and which techniques are used. For each technique, the framework gives recommendations on how to protect against it and how to detect it. Because the Mitre Attack Framework describes these steps and techniques in such detail, we at SBL have modelled these attack patterns on our agent framework. When an attack unfolds as described in the Mitre Attack Framework, we can detect it in the data streams we receive from the various log sources. Most of the network-related patterns are currently implemented in the framework.

WatchEagle operates independently of the other security products that are deployed; thanks to its flexible design it can work alongside those solutions. Since the WatchEagle agent framework is written in Java (OpenJDK), it can run on practically any type of system. In practice, WatchEagle is currently used to monitor network traffic, but there are also use cases in which a container with agents runs on a server or workstation and, based on a number of indicators, detects whether a ransomware attack is in progress.

WatchEagle Detection & Response and the Mitre Attack Framework


In discussions with existing customers and partners, it became clear that collecting data from many different sources and analysing it in depth to detect threats poses real challenges. How do you find the needle in the haystack? What is an effective way to look for patterns that indicate something unusual?

In our in-depth cyber security assessments we already apply the Mitre Attack Framework to interpret an attacker's attack path and, on that basis, analyse how resilient our customer is against such an attack pattern. The Mitre Attack Framework describes both how to protect against a given attack pattern and how such a pattern can be detected. The latter has proven very useful when performing in-depth threat analyses on large volumes of data (threat hunting).

The agent framework on which WatchEagle is built is ideally suited to analysing this diversity of patterns. The agents are task-oriented: by splitting a pattern into several tasks, the cooperation between the agents can be configured so that together they recognise the pattern. With WatchEagle we can do this almost in real time on the data WatchEagle is processing, but WatchEagle can also analyse historical data to determine whether a particular pattern has occurred before.

In short: by adopting the Mitre Attack Framework, we are increasingly able to find the proverbial needle in the haystack with WatchEagle. We have now implemented and automated the following patterns in WatchEagle:

  • DNS Tunneling
  • Lateral movement
  • Persistence
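To make the "one pattern, several cooperating agents" idea concrete, here is an added example that is not WatchEagle code and not from SBL: a small Python pipeline in which three task-oriented agents (parse, feature extraction, verdict) cooperate to flag the DNS tunnelling pattern listed above. The log format, the field names, the thresholds and the sample log lines are all constructed for this illustration; the ATT&CK technique referenced in the verdict is T1071.004 (Application Layer Protocol: DNS), which is not mentioned on the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, assumed format: "<timestamp> <client_ip> <query_name>".
# 10.0.0.5 is ordinary browsing; 10.0.0.7 sends long, high-entropy labels to one domain,
# the shape DNS tunnelling typically leaves behind; one line is deliberately malformed.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com
2024-01-01T10:00:01 10.0.0.5 mail.example.com
2024-01-01T10:00:02 10.0.0.5 www.example.com
2024-01-01T10:00:03 10.0.0.5 cdn.example.com
2024-01-01T10:00:04 10.0.0.5 mail.example.com
2024-01-01T10:00:05 10.0.0.5 www.example.com
2024-01-01T10:00:06 10.0.0.7 3a9f1c7e2b4d8065f6e5d4c3b2a19087.tunnel-test.invalid
2024-01-01T10:00:06 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-test.invalid
2024-01-01T10:00:07 10.0.0.7 9a8b7c6d5e4f32100123f4e5d6c7b8a9.tunnel-test.invalid
2024-01-01T10:00:07 10.0.0.7 5c6d7e8f9a0b12344321b0a9f8e7d6c5.tunnel-test.invalid
2024-01-01T10:00:08 10.0.0.7 b1c2d3e4f5a607899870a6f5e4d3c2b1.tunnel-test.invalid
2024-01-01T10:00:08 10.0.0.7 e0f1a2b3c4d567899876d5c4b3a2f1e0.tunnel-test.invalid
2024-01-01T10:00:09 garbage
2024-01-01T10:00:10 10.0.0.9 www.example.com
2024-01-01T10:00:11 10.0.0.9 login.example.com
"""

# Constructed thresholds; a real deployment would tune these per environment.
THRESHOLDS = {"min_queries": 5, "min_unique_ratio": 0.8,
              "min_label_len": 24, "min_avg_entropy": 3.5}


def parse_agent(lines):
    """Agent 1: turn raw log lines into records, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def base_domain(qname):
    """Assumption for this example: the registrable domain is the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def feature_agent(records):
    """Agent 2: aggregate, per (client, base domain), the signals tunnelling leaves behind."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subdomains": set(),
                                 "max_label_len": 0, "entropy_sum": 0.0})
    for r in records:
        bd = base_domain(r["qname"])
        sub = r["qname"][: -len(bd)].rstrip(".")  # everything left of the base domain
        s = stats[(r["client"], bd)]
        s["queries"] += 1
        s["unique_subdomains"].add(sub)
        if sub:
            leftmost = sub.split(".")[0]  # tunnels usually carry data in the leftmost label
            s["max_label_len"] = max(s["max_label_len"], len(leftmost))
            s["entropy_sum"] += shannon_entropy(leftmost)
    return stats


def verdict_agent(stats, thresholds=THRESHOLDS):
    """Agent 3: raise an alert only when at least two independent signals corroborate."""
    alerts = []
    for (client, bd), s in stats.items():
        if s["queries"] < thresholds["min_queries"]:
            continue  # too little data to judge
        unique_ratio = len(s["unique_subdomains"]) / s["queries"]
        avg_entropy = s["entropy_sum"] / s["queries"]
        reasons = []
        if unique_ratio >= thresholds["min_unique_ratio"]:
            reasons.append(f"{unique_ratio:.0%} of queries used a never-repeated subdomain")
        if s["max_label_len"] >= thresholds["min_label_len"]:
            reasons.append(f"leftmost label up to {s['max_label_len']} characters long")
        if avg_entropy >= thresholds["min_avg_entropy"]:
            reasons.append(f"average label entropy {avg_entropy:.2f} bits/char")
        if len(reasons) >= 2:
            alerts.append({"client": client, "domain": bd, "reasons": reasons,
                           "technique": "T1071.004 Application Layer Protocol: DNS"})
    return alerts


def run_pipeline(raw_log):
    """Wire the three agents together; each could equally run as a separate process."""
    return verdict_agent(feature_agent(parse_agent(raw_log.splitlines())))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOG):
        print(alert["client"], "->", alert["domain"], "|", "; ".join(alert["reasons"]))
```

Each agent has a single responsibility and only exchanges plain records with its neighbours, so the parse agent can be swapped for one that reads a different log format, and the verdict agent's thresholds can be tuned without touching feature extraction. Requiring two corroborating signals keeps a single long CDN hostname or one high-entropy label from raising an alert on its own.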

More patterns will be added in the coming months. We will also look at how, where possible, to offer concrete recommended actions as soon as such a pattern has been identified.