Unprecedented granularity, flexibility and scaling ability providing complete network visibility, application intelligence and all conversations between every internal and external endpoint
CySight is a market-leading and award-winning NetFlow analyzer software solution, which enables management to accurately audit network NetFlow data augmenting network security and business intelligence. It records NetFlow data at the micro-level and assists in the discovery of real-time and ongoing security breaches and alert administrators where other systems fail. Customers have reported satisfaction in being able to identify, highlight trends, baselines, and act on irregular traffic movements and applications and provide services more appropriately. The ability of CySight to capture granular traffic over the long term provides complete network visibility and has enabled customers to identify spurious traffic.
CySight is a 24 x 7 automated end-to-end solution that simplifies network Netflow auditing. It starts with unique patent-pending scalable collection methodology and storage and offers granular and flexible reporting processes culminating in the delivery of business intelligence and security forensics.The base Performance Analytics features of CySight:
NetFlow Monitoring
- Monitoring without probes: – CySight utilizes NetFlow (version 1, 5, 7, 9, flexible), IPFIX, sFlow, and all variants such as jFlow, Netstream, VMware, and others. Cloud logs such as Amazon AWS, Azure, and Google Cloud (GCP). Extended metadata provided by partners such as Cisco, Checkpoint, Ixia, Gigamon, Mikrotik, Palo Alto, and for specialized devices like Cisco ASR and Cisco WLC. There is no need for probes or other intrusive methods to detect traffic.
- Network bandwidth monitoring: – Provides reports of current, average, and peak bandwidth utilization across NetFlow-enabled devices or interfaces, on all IP’s, all protocols, all ports/applications, all QoS/DSCP and many other parameters.
- Network usage monitoring: – Provides detailed short term and long term usage information of all IP’s, all protocols, all applications, all QoS/DSCP, etc… Fields of traffic information collected from NetFlow include source/destination IPs, port/application, protocol, DSCP, interface, AS numbers, and many other parameters.
- Filtering ability – Capable of creating filtered reports based on any supported NetFlow field (show me traffic between certain subnets, certain servers, using certain applications…).
- Real-time and long-term analysis and data storage – Provides both real-time, high-definition analysis as well as long-term, panoramic reporting and trending on traffic.
- Seamless integration between real-time and long-term analysis – Drill down feature allows the users to easily tour from a long-term trend report to the detailed root cause of the trend.
CySight Product Features and Unique Capabilities
CySight collects NetFlow big data in a small footprint using a unique patent-pending collection methodology that highly reduces storage and overheads while enabling full-flow forensics analysis and insight of your Network.
CySight provides granular, scalable, and flexible NetFlow Analysis providing benefits to various levels within an organization ranging from network performance and security specialists to data-center managers, capacity planners, network architects, and business decision-makers.
CySight Unique Capabilities:
1. Baselining
Short term and long term comparative analysis of any and every element. e.g. interface/IP/Location/Application or a combination thereof for a particular period compared against a previous period:
- this minute versus last 20 minutes;
- this hour versus last 6 hours;
- this day of the month versus other days of the month or this day every month;
- this weekday versus each other weekday or this weekday versus every other same weekday for the last 12 months;
- this week versus last 4 weeks;
- this month versus last 12 months;
- this quarter versus last 4 quarters;
- this year versus last year;
- what was my Server Farm usage this quarter compared to last quarter?
Comparative analysis of each element across the timeline. Gives the ability to identify which element caused the change and when.
2. Powerful and Flexible Analysis
CySight can do analysis on any combination of data fields simultaneously (e.g. usage, packets, flows, utilization, etc) and sort data by any field. Menu bars and shortcuts facilitate rapid analysis.
- Packet Size analysis – Network teams can use this to create reports such as DSCP, Application, and Packet Size to identify anomalies.
- Full Flow analysis – (Not just Usage or Utilization or simple conversations) Flow analysis enables the Network Specialist to identify “noise”.
- Count analysis – Ability to count records as part of a result to quickly identify excessive flows or change. Any record combination can be counted, e.g. counting all internal IPs with a number of IP or Port conversations enables quick identification of P2P users or other multi-threaded conversations and Denial of Service attacks.
- Deviation analysis – Ability to analyze by the standard deviation to identify what aspect has changed the most in a specific period, e.g. what application has changed the most in the last 2 hours can lead to early detection of issues. Coupled with a threshold SNMP trap enables identification of usage that can grow dynamically over time via any “application/service port”. Identify Worms/increasing flows/ data floods.
- Bi-directional analysis – show forward and reverse conversations and In vs. Out conversations to quickly identify which side of the conversation is responsible for traffic usage/flows.
- Cross-section analysis – stacked graphs enable cross over of various data, e.g. report on key business servers and watch only known ports (services/applications) that are used on those servers. A stacked bar analysis shows each IP and the “layers” of applications stacked will show the number of applications being used on each server. The opposite is also possible – show my key business servers where “unknown” applications are trying to communicate with servers.
- Business group analysis – IP addresses can be categorized into business groups and accordingly traffic associated with an IP address can be stamped with the business group information of this IP address. This feature provides the capability of splitting traffic by business groups, which is particularly useful in billing.
3. Anomaly Detection, Unattended (proactive) Analysis, Alerting and Reporting
- Anomaly Detection – Ability to create any combination of anomaly detection intelligent baselines. Comes Preset with default alerts. Available as an Add-on.
- Reporting – Ability to create any combination of analysis and automate the output as a report periodically. E.g. end of a week, end of a quarter, end of a month, end of an hour, every 23 days, etc… Reports can be written to saved and/ or emailed to one or more recipients. A report can be repeatedly updated or time-stamped e.g. A data center manager wants to know the server usage trends in his environment over time and monitors this every week, month and quarter to make decisions on how to position his servers and provision services. Reports can take the format of a CSV file to record events that occur for input into other systems. For example, logging when unknown IP’s use of key business services will enable the compliance team to identify risk over the long term.
- Alerting – Ability to create any combination of analysis and automate the output as an alert once certain criteria are met e.g. bandwidth utilization is over a certain threshold. Alerts can be tuned to reduce or eliminate false positives. Alerts can take the format of an SNMP trap to a trap receiver to raise a trouble ticket with the correct team/person.
- Templates – Creation and customization of any analysis combination into a template to be used in the drill-down menu.
4. Data Collection Tuning
- CySight can be tuned to collect only the data required. For example, CySight can collect all network conversations with per-minute granularity in one part of the network where detailed forensic information is required and/or can be configured to collect traffic information at a one hour granularity/view where only high-level reporting is required.
- Self-maintaining rules enable levels of granularity to be set to “protect” the collector/server in the event of a major worm outbreak that can cause NetFlow data to become excessive.
5. Scalability, Fault Tolerance, and “Self Healing”
- CySight scales to collect at rates up to 1 Million flows/second.
- High-fault tolerance and self-healing capability: Each process and function/thread is monitored for health and CySight heals itself.
Key Features
- Real-time visibility of every network flow recorded, per minute.
- Long term historical visibility of every network flow recorded, per hour (standard 12 months, typical 3-4 years).
- Historical visibility of every network flow recorded, per minute (standard 7 days, typical 4 weeks).
- Full integration with long term historical visibility of every network flows recorded, per hour (standard 12 months, typical 3-4 years).
- Secure integration with any third-party management product, using URL’s
- Ability to filter baseline reports based on template architecture.
- Fully customized reports scheduled to email, file location or Intranet portal; hourly, daily, monthly, quarterly, or yearly in both CSV and HTML formats.
- No changes to existing network infrastructure required.
- No impact on network performance.