High performance and deployment model
HCapollo is designed with redundancy and availability for maximum fault tolerance. The solution is architected to meet a variety of organization-specific requirements, and security data remains available for access at all times. HCapollo's ability to store data and scale easily in every dimension meets the need to retain large volumes of data (logs, alerts, events) for a long time. In addition, the system also retains the original raw log for digital forensics and investigation of past events.
HCapollo provides two platform architectures:
· Single: for small organizations with no strict availability requirements and a low frequency of data access
· Cluster: for large-scale organizations that require high fault tolerance and a high frequency of data access
HCapollo supports different deployment models: on-premises, cloud or hybrid.
Data collection, identification, normalization and enrichment
We cannot fight what we cannot see. To gain better visibility and succeed in monitoring and addressing threats, an organization needs to collect data from as many sources as possible. After normalization, filtering, classification and context extraction, this data becomes extremely important and effective for enhancing security incident detection and analysis.
HCapollo is designed to collect and process data from an unlimited number of sources to accelerate threat identification and response. HCapollo collects, identifies, normalizes, filters, classifies and extracts data to provide valuable content for effective analysis and investigation. In addition, HCapollo enriches the data with many external sources of information to help expand the context beyond the current system.
From raw data to security events: the HCapollo process
· Collection: supports many different data collection protocols to meet the needs of specific systems and solutions, such as syslog, JDBC, file, HTTP, SNMP, API...
· Parsing: analyzes data structures, identifies an unlimited number of fields by data type, and normalizes the event output
· Filtering: filters out redundant and duplicated data, based on built-in use cases and HPT SOC's best practices
· Masking: partially hides sensitive data while keeping it valuable for monitoring
· Classification: data is classified into groups such as operating system (Windows, UNIX/Linux), application (mobile, web application, ... any application with a logging function), database, edge devices, information security solution devices, and event behavior groups
· Enrichment: information is enriched based on the HCINT system, GeoIP and external information sources, automatically retrieved for hashes, domains and IPs
Examples of collectable event sources (the number of sources is unlimited):
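As an added illustration (not HCapollo's own code; the log lines and the lookup tables are constructed stand-ins for real sources such as HCINT and GeoIP), the following Python sketch walks syslog-style SSH lines through the stages above: parsing, duplicate filtering, masking, classification and enrichment, while keeping the original log for forensics.

```python
import re

# Constructed sample input: syslog-style SSH lines (second line is an exact duplicate).
RAW_LOGS = [
    "Mar  3 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "Mar  3 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "Mar  3 10:15:07 db01 sshd[418]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
]
# Constructed lookups standing in for the HCINT and GeoIP enrichment sources (hypothetical data).
THREAT_INTEL = {"203.0.113.45": "known-bruteforce-scanner"}
GEOIP = {"203.0.113.45": "XX", "198.51.100.7": "YY"}

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)

def parse(line):
    """Parsing: map a raw line onto normalized fields; None if the line does not match."""
    m = SSH_RE.match(line)
    return m.groupdict() if m else None

def mask_ip(ip):
    """Masking: hide the last octet while keeping the network part usable for monitoring."""
    a, b, c, _ = ip.split(".")
    return f"{a}.{b}.{c}.x"

def classify(ev):
    """Classification: assign a source group and an event behaviour group."""
    ev["group"] = "operating_system/linux" if ev["proc"] == "sshd" else "application"
    ev["behaviour"] = "auth_failure" if ev["outcome"] == "Failed" else "auth_success"
    return ev

def enrich(ev):
    """Enrichment: attach GeoIP and threat-intel context for the source IP."""
    ev["geo"] = GEOIP.get(ev["src_ip"], "unknown")
    ev["ti_tag"] = THREAT_INTEL.get(ev["src_ip"])
    return ev

def process(lines):
    """Pipeline: parse -> filter exact duplicates -> mask -> classify -> enrich."""
    seen, events = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or line in seen:
            continue
        seen.add(line)
        ev["raw"] = line                           # keep the original log for forensics
        ev["src_ip_masked"] = mask_ip(ev["src_ip"])
        events.append(enrich(classify(ev)))
    return events
```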
· Security events: firewalls, VPN, IDS/IPS, gateway, database…
· Network events: switch, router, server, workstation…
· Network activity: Layer 3-7 network context of the OSI model
· Cloud events: Office365, Salesforce, Amazon Web Services (AWS), Azure and Google Cloud…
· User and asset context: PIM/PAM, IAM, vulnerability scanner
· Endpoint events: Windows event log, Sysmon, Endpoint security, EDR…
· Application events: web application, ERP solution, SaaS application…
· Threat Intelligence: HCINT, open feeds, community channel…
Threat core analytics, detection and alert
The core feature of a SIEM solution, and of HCapollo, is real-time attack analysis, correlation and detection. This helps an organization overcome operational obstacles and gaps in analytical skills, thereby reducing the time to detect and respond to cyber threats. HCapollo uses a variety of detection techniques such as advanced correlation, signature recognition, blacklisting, whitelisting, statistical analysis, and machine learning. Use cases are built by the HPT SOC team from globally shared knowledge to detect common and advanced threats and attacks across most system environments. HCapollo's analytics core component is capable of large-scale data processing and scales with the system. It also provides a flexible rule set that is easily customized to respond and adapt to anomalous behavior arising from specific system conditions, minimizing false positives.
Over time, attacker behavior becomes more and more complex, requiring rapid adaptation of security monitoring solutions. HCapollo uses MITRE ATT&CK, a knowledge base of threat tactics and techniques based on real-world observations, to provide an overview of the phases and lifecycle of an attack scenario. In addition, HCapollo recognizes and alerts early on signs of attack via IOCs from multiple Threat Intelligence sources.
Leveraging the knowledge of MITRE ATT&CK, the open data of Threat Intelligence, and the flexibility of HCapollo's use case building capabilities, organizations quickly get valuable and highly accurate alerts when potential threats are identified.
To facilitate the management, configuration and updating of rules, HCapollo integrates a rule management tool into the interface and allows many types of alert output to be configured.
Security alert and incident lifecycle management
HCapollo provides the ability to manage the security alert and incident lifecycle according to a workflow that runs from early detection to successful remediation. The feature stores incidents, tracks their history and makes them easy to handle, with a unified interactive console for different user roles; information is recorded and synchronized so that processing is efficient and suited to SOC operation.
· Ensures that incident response is carried out according to defined policies and workflows so that it is done quickly and reliably and reduces mean time to respond, covering steps such as gathering evidence, preserving evidence and enriching useful information.
· Workflows can be customized and are built on the organization's experience, policy and knowledge for handling security alerts and incidents.
· The system aggregates alerts and displays them in a single interactive console for personnel to work with. Each alert carries at minimum specific information such as: alert name, detection time, alert type, alert source, severity, MITRE ATT&CK mapping and other information needed for the most effective response.
· Some workflows are built in by default for SOC monitoring, such as: DoS/DDoS, network exploit, webshell detection, new user detection, malware detection...
· Allows functions to be extended or added to interact with external systems, supplement sources of risk information, assess risks and enrich information about suspected objects.
· Accelerates processing and efficiency and reduces the workload of the monitoring team, especially in decision-making when handling a security incident.
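An added example, not code from HCapollo: a minimal sliding-window correlation rule of the kind described in the analytics section (with a whitelist applied first), producing an alert that carries the fields listed above (name, detection time, type, source, severity, MITRE ATT&CK mapping) plus an initial lifecycle status. The normalized events, the allow-list, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized events, as a collection pipeline would emit them (hypothetical data).
EVENTS = [
    {"ts": "2024-03-03T10:15:01", "src_ip": "203.0.113.45", "user": "root",  "behaviour": "auth_failure", "host": "web01"},
    {"ts": "2024-03-03T10:15:04", "src_ip": "203.0.113.45", "user": "admin", "behaviour": "auth_failure", "host": "web01"},
    {"ts": "2024-03-03T10:15:09", "src_ip": "203.0.113.45", "user": "root",  "behaviour": "auth_failure", "host": "web01"},
    {"ts": "2024-03-03T10:15:20", "src_ip": "203.0.113.45", "user": "root",  "behaviour": "auth_success", "host": "web01"},
    {"ts": "2024-03-03T10:16:00", "src_ip": "10.0.0.9",     "user": "ops",   "behaviour": "auth_failure", "host": "db01"},
    {"ts": "2024-03-03T10:16:02", "src_ip": "10.0.0.9",     "user": "ops",   "behaviour": "auth_failure", "host": "db01"},
    {"ts": "2024-03-03T10:16:03", "src_ip": "10.0.0.9",     "user": "ops",   "behaviour": "auth_failure", "host": "db01"},
]
WHITELIST = {"10.0.0.9"}          # assumed allow-list, e.g. an internal vulnerability scanner
WINDOW = timedelta(seconds=60)    # assumed correlation window
THRESHOLD = 3                     # assumed number of failures that triggers the rule

def correlate_bruteforce(events):
    """Sliding-window correlation: THRESHOLD failures from one source within WINDOW raise an
    alert; a later success from the same source inside the window escalates its severity."""
    failures = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src_ip"]
        if src in WHITELIST:                      # whitelisting: skip trusted sources
            continue
        t = datetime.fromisoformat(ev["ts"])
        if ev["behaviour"] == "auth_failure":
            failures[src] = [f for f in failures[src] if t - f <= WINDOW] + [t]
            if len(failures[src]) >= THRESHOLD and src not in alerts:
                alerts[src] = {                   # minimum alert fields for the incident console
                    "name": "SSH brute force attempt", "detection_time": ev["ts"],
                    "type": "Bruteforce", "source": f"{ev['host']}/sshd", "src_ip": src,
                    "severity": "medium", "mitre": "T1110 Brute Force", "status": "new",
                }
        elif ev["behaviour"] == "auth_success" and src in alerts:
            if t - failures[src][-1] <= WINDOW:   # success right after the failures: escalate
                alerts[src]["severity"] = "high"
                alerts[src]["name"] = "SSH brute force followed by successful login"
    return list(alerts.values())
```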
Security monitoring interface
To help the organization gain a comprehensive security monitoring picture, HCapollo provides an intuitive and diverse main monitoring dashboard.
· The dashboard is built according to HPT SOC's best practice, including hierarchical charts for handling information security incidents and alerts
· The dashboard is divided into many levels, from SOC operation to leadership level and from general information to detailed information
· Visual representation of monitored assets, EPS (events per second) and the layering of processed data
· Visualization of some common security incident use cases such as phishing, malware, brute force, DDoS, web attack...
· Allows exporting reports in different formats: PDF, HTML...
Automation workflow
Organizations operating a SOC face the biggest problem in making efficient use of limited resources while trying to get the best results. HCapollo's automation workflow for information security incident handling allows monitoring teams to accomplish more, reducing investigation time and leaving enough time to respond to threats. Automation workflow is the key to maximizing the processing capacity of the monitoring system and saving human resources. In addition, many security personnel today use self-written code for workflow automation, which can lead to serious problems because there is no uniformity and the code cannot be maintained or tracked; HCapollo therefore provides customizable templates for building automation workflows to ensure efficiency and maintainability.
Automated workflows are built according to use cases, the current state of the organization and HPT SOC best practices. However, automation workflow should only be considered an effective support tool for handling information security alerts and incidents; it cannot completely replace the role of personnel.
The product is certified by the Copyright Department.