Network Intelligence Archives – CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response

Advanced Predictive AI leveraging Granular Flow-Based Network Analytics.

Tomare Curran — Mon, 13 Oct 2025 12:27:08 +0000

IT’S WHAT YOU DON’T SEE THAT POSES THE BIGGEST THREATS AND INVISIBLE DANGERS.

Existing network management and network security point solutions are facing a major challenge due to the increasing complexity of the IT infrastructure.

The main issue is a lack of visibility into all aspects of physical network and cloud network usage, as well as increasing compliance, service level management, regulatory mandates, a rising level of sophistication in cybercrime, and increasing server virtualization.

With appropriate visibility and context, a variety of network issues can be resolved and handled by understanding the causes of network slowdowns and outages, detecting cyber-attacks and risky traffic, determining the origin and nature, and assessing the impact.

It’s clear that in today’s work-at-home, cyberwar, ransomware world, having adequate network visibility in an organization is critical, but defining how much visibility is considered “right” visibility is becoming more difficult, and more often than not even well-seasoned professionals make incorrect assumptions about the visibility they think they have. These misperceptions and malformed assumptions are much more common than you would expect and you would be forgiven for thinking you have everything under control.

When it comes to resolving IT incidents and security risks and assessing the business impact, every minute counts. The primary goal of Predictive AI Baselining coupled with deep contextual Network Forensics is to improve the visibility of Network Traffic by removing network blindspots and identifying the sources and causes of high-impact traffic.

Inadequate solutions (even the most well-known) mislead you into a false level of comfort but as they tend to only retain the top 2% or 5% of network communications frequently cause false positives and red herrings. Cyber threats can come from a variety of sources. These could be the result of new types of crawlers or botnets, infiltration and ultimately exfiltration that can destroy a business.

Networks are becoming more complex. Because of negligence, failing to update and patch security holes, many inadvertent threats can open the door to malicious outsiders. Your network could be used to download or host illegal materials, or it could be used entirely or partially to launch an attack. Ransomware attacks are still on the rise, and new ways to infiltrate organizations are being discovered. Denial of Service (DoS) and distributed denial of service (DDoS) attacks continue unabated, posing a significant risk to your organization. Insider threats can also occur as a result of internal hacking or a breach of trust, and your intellectual property may be slowly leaked as a result of negligence, hacking, or being compromised by disgruntled employees.

Whether you are buying a phone a laptop or a cyber security visibility solution the same rule applies and that is that marketers are out to get your hard-earned cash by flooding you with specifications and solutions whose abilities are radically overstated. Machine Learning (ML) and Artificial Intelligence (AI) are two of the most recent to join the acronyms. The only thing you can know for sure dear cyber and network professional reader is that they hold a lot of promise.

One thing I can tell you from many years of experience in building flow analytics, threat intelligence, and cyber security detection solutions is that without adequate data your results become skewed and misleading. Machine Learning and AI enable high-speed detection and mitigation but without Granular Analytics (aka Big Data) you won’t know what you don’t know and neither will your AI!

In our current Covid world we have all come to appreciate, in some way, the importance of big data, ML and AI that if properly applied, just how quickly it can help mitigate a global health crisis. We only have to look back a few years when drug companies didn’t have access to granular data the severe impact that poor data had on people’s lives. Thalidomide is one example. In the same way, when cyber and network visibility solutions are only surface scraping data information will be incorrect and misleading and could seriously impact your network and the livelihoods of the people you work for and together with.

The Red Pill or The Blue Pill?

The concept of flow or packet-based analytics is straightforward, yet they have the potential to be the most powerful tools for detecting ransomware and other network and cloud-related concerns. All communications leave a trail in the flow data, and with the correct tools, you can recover all evidence of an assault, penetration, or exfiltration.

Not all analytic systems are made equal, and the flow/packet ideals become unattainable for other tools because of their difficulty to scale in retention. Even well-known tools have serious flaws and are limited in their ability to retain complete records, which is often overlooked. They don’t effectively provide the visibility of the blindspots they claimed.

As already pointed out, over 95% of network and deep packet inspection (DPI) solutions struggle to retain even 2% to 5% of all data captured in medium to large networks, resulting in completely missing diagnoses and delivering significantly misleading analytics that leads to misdiagnosis and risk!

It is critical to have the context and visibility necessary to assess all relevant traffic to discover concurrent intellectual property exfiltration and to quantify and mitigate the risk. It’s essential to determine whether a newly found Trojan or Ransomware has been active in the past and when it entered and what systems are still at risk.

Threat hunting demands multi-focal analysis at a granular level that sampling, and surface flow analytics methods just cannot provide. It is ineffective to be alerted to a potential threat without the context and consequence. The Hacker who has gained control of your system is likely to install many backdoors on various interconnected systems to re-enter when you are unaware. As Ransomware progresses it will continue to exploit weaknesses in Infrastructures.

Often those most vulnerable are those who believe they have the visibility to detect.

Post-mortem analysis of incidents is required, as is the ability to analyze historical behaviors, investigate intrusion scenarios and potential data breaches, qualify internal threats from employee misuse, and quantify external threats from bad actors.

The ability to perform network forensics at a granular level enables an organization to discover issues and high-risk communications happening in real-time, or those that occur over a prolonged period such as data leaks. While standard security devices such as firewalls, intrusion detection systems, packet brokers or packet recorders may already be in place, they lack the ability to record and report on every network traffic transfer over the long term.

According to industry analysts, enterprise IT security necessitates a shift away from prevention-centric security strategies and toward information and end-user-centric security strategies focused on an infrastructure’s endpoints, as advanced targeted attacks are poised to render prevention-centric security strategies obsolete and today with Cyberwar a reality that will impact business and government alike.

As every incident response action in today’s connected world includes a communications component, using an integrated cyber and network intelligence approach provides a superior and cost-effective way to significantly reduce the Mean Time To Know (MTTK) for a wide range of network issues or risky traffic, reducing wasted effort and associated direct and indirect costs.

Understanding The shift towards Flow-Based Metadata

for Network and Cloud Cyber-Intelligence

The IT infrastructure is continually growing in complexity.
Deploying packet capture across an organization is costly and prohibitive especially when distributed or per segment.
“Blocking & tackling” (Prevention) has become the least effective measure.
Advanced targeted attacks are rendering prevention‑centric security strategies obsolete.
There is a Trend towards information and end‑user centric security strategies focused on an infrastructure’s end‑points.
Without making use of collective sharing of threat and attacker intelligence you will not be able to defend your business.

So what now?

If prevention isn’t working, what can IT still do about it?

In most cases, information must become the focal point for our information security strategies. IT can no longer control invasive controls on user’s devices or the services they utilize.

Is there a way for organizations to gain a clear picture of what transpired after a security breach?

Detailed monitoring and recording of interactions with content and systems. Predictive AI Baselining, Granular Forensics, Anomaly Detection and Threat Intelligence ability is needed to quickly identify what other users were targeted, what systems were potentially compromised and what information was exfiltrated.

How do you identify attacks without signature-based mechanisms?

Pervasive monitoring enables you to identify meaningful deviations from normal behavior to infer malicious intent. Nefarious traffic can be identified by correlating real-time threat feeds with current flows. Machine learning can be used to discover outliers and repeat offenders.

Summing up

Network security and network monitoring have gone a long way and jumped through all kinds of hoops to reach the point they have today. Unfortunately, through the years, cyber marketing has surpassed cyber solutions and we now have misconceptions that can do considerable damage to an organization.

The biggest threat is always the one you cannot see and hits you the hardest once it has established itself slowly and comfortably in a network undetected. Complete visibility can only be accessed through 100% collection and retention of all data traversing a network, otherwise even a single blindspot will affect the entire organization as if it were never protected to begin with. Just like a single weak link in a chain, cyber criminals will find the perfect access point for penetration.

Inadequate solutions that only retain the top 2% or 5% of network communications frequently cause false positives and red herrings. You need to have 100% access to your comms data for Full Visibility, but how can you be sure that you will?

You need free access to Full Visibility to unlock all your data and an Intelligent Predictive AI technology that can autonomously and quickly identify what’s not normal at both the macro and micro level of your network, cloud, servers, iot devices and other network connected assets.

Get complete visibility wiith CySight now –>>>

The post Advanced Predictive AI leveraging Granular Flow-Based Network Analytics. appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

Balancing Granularity Against Network Security Forensics

Tomare Curran — Fri, 20 Jun 2025 10:08:13 +0000

With the pace at which the social, mobile, analytics and cloud (SMAC) stack is evolving, IT departments must quickly adopt their security monitoring and prevention strategies to match the ever-changing networking landscape. By the same token, network monitoring solutions (NMS) developers must balance a tightrope of their own in terms of providing the detail and visibility their users need, without a cost to network performance. But much of security forensics depends on the ability to drill down into both live and historic data to identify how intrusions and attacks occur. This leads to the question: what is the right balance between collecting enough data to gain the front foot in network security management, and ensuring performance isn’t compromised in the process?

Effectively identifying trends will largely depend on the data you collect

Trend and pattern data tell Security Operations Center (SOC) staff much about their environments by allowing them to connect the dots in terms of how systems may have become compromised. However, collecting large portions of historic data requires the capacity to house it – something that can quickly become problematic for IT Departments. Netflow data analysis acts as a powerful counterweight to the problem of processing and storing chunks of data, since it collects compressed header information that is far less resource-intensive than entire packets or investigating entire device log files, for example. Also, log files are often hackers’ first victims by way of deletion or corruption as a means to disguise attacks or intrusions. With CySight’s ability to collect vast quantities of uncompromised transaction data without exhausting device resources, SOCs are able to perform detailed analyses on flow information that could reveal security issues such as data leaks that occur over time. Taking into account that Netflow security monitoring can easily be configured on most devices, and pervasive security monitoring becomes relatively easy to configure in large environments.

Netflow security monitoring can give SOCs real-time security metrics

Netflow, when retained at high granularity, can facilitate seamless detection of traffic anomalies as they occur and when coupled with smart network behavior anomaly detection (NBAD), can alert engineers when data traverses the wire in an abnormal way – allowing for both quick detection and containment of compromised devices or entire segments. Network intrusions are typically detected when data traverses the environment in an unusual way and compromised devices experience spikes in multiple network telemetry metrics. As malicious software attempts to siphon information from systems, the resultant increase in out-of-the-norm activity will trigger warnings that can bring SOC teams in the loop of what is happening. CySight employs machine learning that continuously compares multi-metric baselines against current network activity and quickly picks up on anomalies overlooked by other flow solutions, even before they constitute a system-wide threat. This type of behavioral analysis of network traffic places security teams on the front foot in the ongoing battle against malicious attacks on their systems.

Network metrics are being generated on a big data scale

Few things can undermine a network’s performance and risk more than a monitoring solution that strains to provide anticipated visibility. However, considering the increasing complexity of distributed connected assets and the ways and speed in which people and IoT devices are being plugged into networks today, pervasive and detailed monitoring is absolutely crucial. Take the bring your own device (BYOD) phenomenon and the shift to the cloud, for example. Networking and security teams need visibility into where, when, and how mobile phones, tablets, smart watches, and IoT devices are going on and offline and how to better manage the flow of data to and from user devices. Mobile devices increasingly run their own versions of business applications and with BYOD cultures somewhat undermining IT’s ability to dictate the type of software allowed to run on personal devices, the need to monitor traffic flow from such devices – from both a security and a performance perspective – becomes clear.

General Netflow performance analytics tools are capable of informing NOC teams about how large IP traffic flows between devices, with basic usage statistics on a device or segment level. However, when network metrics are generated on a big data scale, traffic anomalies that require SOC investigation get lost in leaky bucket sorting algorithms of basic tools. Detecting the real underlying reasons for traffic degradation or identifying risky communications such as Ransomware, DDoS, slowDoS, peer-to-peer (p2p), the dark web (ToR), and having complete historical visibility to trackback undesirable applications become absolutely critical, but far less difficult, with CySight’s ability to easily provide information on all of the traffic that traverses the environment.

NetFlow security monitoring evolves alongside technology organically

Thanks to Netflow and the unique design and multi-metric approach that CySight has implemented, as systems evolve at an increasing rate, it doesn’t mean you need to re-invent your security apparatus every six months or so. CySight’s ubiquity, reliability, and flexibility give NOC and SOC teams deep visibility minus the administrative overheads in getting it up and running along with collecting and benefiting from big flow data’s deep insights. You can even fine-tune your monitoring to give you the right granularity you need to keep your systems safe, secure, and predictable. This results in fewer network blind spots that often act as the Achilles Heel of the modern security and network experts.

On the other end of the scale, Netflow analyzers – in their varying feature sets – give NOCs some basic ability to collect, analyze, and detect from within-the-top bandwidth metrics which some engineers may still believe is the most pertinent to their needs. Once you’ve decided on the data you need today whilst keeping an eye on what you need tomorrow, it’s now time to choose the collector that does the job best.

The post Balancing Granularity Against Network Security Forensics appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

Hunt SUNBURST and Trojans with Turbocharged Netflow.

Rafi Sabel — Mon, 10 Mar 2025 12:06:31 +0000

US: December 13 of 2020 was an eye-opener worldwide as Solarwinds software Orion, was hacked using a trojanized update known as SUNBURST backdoor vulnerability. The damage reached thousands of customers, many of which are world leaders in their markets like Intel, Microsoft, Lockheed, Visa, and several USA governmental agencies. The extent of the damage has not been fully quantified as still more is being learned, nevertheless, the fallout includes real-world harm.

The recent news of the SolarWinds Orion hack is very unfortunate. The hack has left governments and customers who used the SolarWinds Orion tools especially vulnerable and the fallout will still take many months to be recognized. This is a prime example of an issue where a flow metadata tool has the inability to retain sufficient records, causing ineffective intelligence, and that the inability to reveal hidden issues and threats is now clearly impacting organizations’ and government networks and connected assets.

Given what we already know and that more is still being learned, it makes good sense to investigate an alternative solution.

What Is the SUNBURST Trojan Attack?

SUNBURST, as named by FireEye, is a kind of malware that acts as a trojan horse designed to look like a safe and trustworthy update for Solarwinds customers. To accomplish such infiltration to seemingly well-protected organizations, the hackers had to first infiltrate the Solarwinds infrastructure. Once Solarwinds was successfully hacked, the bad actors could now rely on the trust between Solarwinds and the targeted organizations to carry out the attack. The malware, which looked like a routine update, was in fact creating a back door, compromising the Solarwinds Orion software and any customer who updates their system.

How was SUNBURST detected?

Initially, SUNBURST malware was completely undetected for some time. The attackers started to install a remote access tool malware into the Solarwinds Orion software all the way back in March of 2020, essentially trojaning them. On December 8, 2020, FireEye discovered their own red team tools have been stolen and started to investigate while reporting the event to the NSA. The NSA, also a Solarwinds software user, who is responsible for the USA cybersecurity defense, was unaware of the hack at the time. A few days later, as soon as the information became more public, different cybersecurity firms began to work on reverse engineering and analyzing the hack.

IT’S WHAT WE DON’T SEE THAT POSES THE BIGGEST THREATS AND INVISIBLE DANGERS!

You may be surprised to learn that most well-known tools lack the REAL Visibility that could have prevented attacks on a network and its local and cloud-connected assets. There are some serious shortcomings in the base designs of other flow solutions that result in their inability to scale in retention. This is why smart analysts are realizing that Threat Intelligence and Flow Analytics today is all about having access to long term granular intelligence.

From a forensics perspective, you would appreciate that you can only analyze the data you retain, and with large and growing network and cloud data flows most tools (regardless of their marketing claims) actually cannot scale in retention and choose to drop records in lieu of what they believe is salient data.

Imputed outcome data leads to misleading results and missing data causes high risk and loss!

A simple way to think about this is if you could imagine trying to collect water from a blasting fire hose into a drinking cup. You just simply cannot collect very much!

Many engineers build scripts to try to attain the missing visibility and do a lot of heavy lifting and then finally come to the realization that no matter how much lifting you do that if the data ain’t there you can’t analyze it.

We found that over 95% of network and cyber visibility tools retain as little as 2% to 5% of all information collected resulting in completely missed analytics, severely misleading analytics, and risk!

How does CySight hunt SUNBURST and other Malware?

It’s often necessary to try and look back with new knowledge that we become aware of to analyze.

For a recently discovered Ransomware or Trojan, such as SUNBURST, it is helpful to see if it’s been active in the past and when it started. Another example is being able to analyze all the related traffic and qualify how long a specific user or process has been exfiltrating an organization’s Intellectual Property and quantify the risk.

SUNBURST enabled the criminals to install a Remote Access Trojan (RAT). RATs, like most Malware, are introduced as part of legitimate-looking files. Once enabled they allow the hacker to view a screen or a terminal session enabling them to look for sensitive data like customer’s credit cards, intellectual property or sensitive company or government secrets.

Even though many antivirus products can identify many RAT signatures, the software and protocols used to view remotely and to exfiltrate files continues to evade many malware detection systems. We must therefore turn to traffic analytics and machine learning to identify traffic behaviors and data movements that are out of the ordinary.

Anonymity by Obscurity

In order to evade detection, hackers try to hide in plain sight and use protocols that are not usually blocked like DNS, HTTP, and Port 443 to exfiltrate your data.

Many methods are used to exfiltrate your data. An often-used method is to use p2p technologies to break files into small pieces and slowly send the data unnoticed by other monitoring systems. Due to CySight’s small footprint Dropless Collection you can easily identify sharding and our anomaly detection will identify the outlier traffic and quickly bring it to your attention. When used in conjunction with a packet broker partner such as Keysight, Gigamon, nProbe or other supported packet metadata exporter, CySight provides the extreme application intelligence to help you with complete visibility to control the breach.

Identifying exposure

In todays connected world every incident has a communications component

You need to keep in mind that all Malware needs to “call home” and today this is going to be through onion routed connections, encrypted VPNs, or via zombies that have been seeded as botnets making it difficult if not impossible to identify the hacking teams involved which may be personally, commercially or politically motivated bad actors.

Multi-focal threat hunting

Threat hunting for SUNBURST or other Malware requires multi-focal analysis at a granular level that simply cannot be attained by sampling methods. It does little good to be alerted to a possible threat without having the detail to understand context and impact. The Hacker who has control of your system will likely install multiple back-doors on various interrelated systems so they can return when you are off guard.

CySight Turbocharges Flow and Cloud analytics for SecOps and NetOps

As with all CySight analytics and detection, you don’t have to do any heavy lifting. We do it all for you!

There is no need to create or maintain special groups with Sunburst or other Malware IP addresses or domains. Every CySight instance is built to keep itself aware of new threats that are automatically downloaded in a secure pipe from our Threat Intelligence qualification engine that collects, collates and categorizes threats from around the globe or from partner threat feeds.

CySight Identifies your systems conversing with Bad Actors and allows you to back track through historical data to see how long it’s been going on.

Using Big Data threat feeds collated from multiple sources, thousands of IPs of bad reputation are correlated in real-time with your traffic against threat data that is freshly derived from many enterprises and sources to provide effective visibility of threats and attackers.

Cyber feedback
Global honeypots
Threat feeds
Crowd sources
Active crawlers
External 3rd Party

So how exactly do you go about turbocharging your Flow and Cloud metadata?

CySight software is capable of the highest level of granularity, scalability, and flexibility available in the network and cloud flow metadata market. Lack of granular visibility is one of, if not the main flaw in such products today as they retain as little as 2% to 5% of all information collected, due to inefficient design, severely impacting visibility and risk as a result of missing and misleading analytics, costing organizations greatly.

CySight’s Intelligent Visibility, Dropless Collection, automation, and machine intelligence reduce the heavy lifting in alerting, auditing, and discovering your network making performance analytics, anomaly detection, threat intelligence, forensics, compliance, zero trust and IP accounting and mitigation a breeze!

The post Hunt SUNBURST and Trojans with Turbocharged Netflow. appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

End Point Threat Detection Using NetFlow Analytics

Rafi Sabel — Fri, 21 Feb 2025 08:47:11 +0000

So, with that we’re going to get started. Again, we appreciate everyone taking the time today to listen to what we have to say and learn about our product, and learn about some of the new features. If you’re on here and you’re an existing customer, that you’ll learn a little bit about one of our new features. So, today we’re going to be talking a lot about security, that’s really the focus of this presentation. NetFlow in general, and CySight in particular can do a lot of things with the data that we have, and one of those things is really focused on being able to identify security threats to your network.

This is obviously very important, right? I mean you literally cannot go a day anymore without hearing of some company, some organization out there that’s been attacked or that has been infiltrated. I was reading about a hospital system recently that was held up by a Ransomware company, and actually had to pay money to unlock their files and this is not a home user, this is not a person who opened up the wrong email and their desktop got under attack or held for ransom. This is a legitimate hospital organization that had that happened to them and so, it really underscores the pervasiveness of these kinds of attacks.

Crawlers, botnets, Ransomware, they’re finding new ways to cause denial of service attacks and other kinds of attacks that can put your business or organization at an extremely high risk and, your network could be used to download or host illicit materials, leak intellectual property. That’s another thing that we’ve seen, this sort of cybercrime. Intellectual property cybercrime where it’s not that they’re just trying to bring down your site or bring down your network, but they’re actually trying to take intellectual property out and again, either hold it for ransom or just sell it or whatever it may be. So, this is certainly an important topic.

There are a number of major challenges for security teams to try and figure out what’s going on and how to lock down that network. The sophistication of the cybercrime organizations out there is just growing and growing. They’re always seemingly one step ahead of the for-profit companies that are trying to block them; the anti-virus companies, firewall companies and so forth. The growing complexity of the infrastructure is making it more difficult, there’s not a single point of entry and exit anymore. You’ve got BYOD, you’ve got lots of wireless, you’ve got VPNs, cloud-based services, you’ve got all kinds of things that people are using today. So it’s not just a lock it down at the firewall and we’re good, it’s really all over the place, and you need to be able to look at the traffic to understand what’s going on.

Of course, it’s very difficult or can be very difficult to retain and analyze that network transaction data across a big organization. Again, you have lots of lots of systems, lots of points of entry and exit, and it can be a challenge to really be able to collect all of that data and be able to use it. Because of that, because of the highly complicated and complex nature of networks, we’ve got this graphic here that talks about the really scary things that are out there. About do you know where things are happening? Do you…? You have certain aspects that you know and that you maybe know that you don’t know, but the really scary stuff is when you don’t know what you don’t know, right? It’s happening or could be happening and you have no idea, and you don’t even know that you should be looking at that, or could be looking at that data to try and understand what’s going on.

But in fact, products like ours and technologies like ours, allow you to, or allow a system to be watching for those unknown unknowns all the time. So, it’s not something that you wake up in the morning and say, “I’m going to go, look at this.” It’s actually happening in the background and looking for you. That machine learning capability is really what makes the new level of systems like ours trying… you know being able to catch up with the sophistication of the attack profiles out there.

When there is an attack or when there is a detection of something, then Incident Response Teams always have to look at that communications component, right? So, they’re going to look at hardware, they’re going to look at software, but they also have to look at the communications. They have to look at historical behavior, they have to look to see if there’s been data breaches, they have to look to see if there’s been internal threats.

There is a certain percentage, depending on who you talk to, 30%, 35%, 40% of data breaches happen from the inside out. So, these are internal employees who have access to something that they shouldn’t, and they email that out or they otherwise try to get that data out of the network. Of course, there’s the external threats from bad actors, those malicious types that are probing, probing, probing trying to find holes to get in and do whatever, the nefarious things that they’re trying to do.

So, being able to have some insight into the nature of how those systems, all of your systems communicate with each other and how they have communicated is critical. It’s really about being able to go from the blind area into a much more aware and certain area, right? So, do you really have… and thinking about, do you really have visibility in terms of what’s going on inside your network, because if you don’t, that can certainly hurt you.

The way we look at it, there’s the very basic things that virtually everybody has. Everybody has a firewall, most people have virus protection on their desktops. That sort of blocking and tackling, very basic prevention at the edge of a network is only a piece, right? It is not the most effective place anymore. You have to have it, we certainly wouldn’t tell you not to have it, but if you really want to move to a defense in depth, then it’s more than just trying to put up a blocking of things coming in. It’s being able to look at the live traffic and see what’s happening and identify if there are threats going on that got through. If something gets through the defenses that you have, how can you then further identify that it has happened and what’s going on? If you just think, “Well, I’ve got this firewall and I got my rules setup and I’m good, nothing can ever touch me,” and don’t look any further, then you’re really setting yourself up for a failure.

So, the way we approach the problem as a piece of this overall security landscape, is through the use of NetFlow information. So, NetFlow’s been around for a long time, it’s a quite a mature technology. But the great thing about it is, it’s continually even further maturing as we go on. What used to be sort of a traffic accounting product only, that was based on data coming from core routers and switches, has now been extended out to other systems in the network. Things like wireless LAN controllers, cloud servers, firewalls themselves. You can get the data from taps and probes that collect passively information about data traffic, and then turn that into a NetFlow export that can be sent to us that we can read.

Virtually every vendor… certainly every major vendor out there supports Flow in some way … Cisco of course is NetFlow and we use the term NetFlow to generically mean all of the various Flow types out there. Jflow from Juniper, anything that’s IPFIX compatible as the standard, and some of the other kind of specialized versions of Flow, if you will. But all of them have the common theme that they’re going to look at that traffic and they’re going to be able to send that metadata to a collector like ours and then we can use that information intelligently to help both give you and allow you to report on and look deeply into the data, but also, and what we’re going to be talking about today, is really using that intelligence that’s built into the product to be able to identify threats, look at anomalies. Not just show you who your top talkers were, but actually say, “Hey, look. We’ve identified people that are communicating to known bad actors out there,” or, “We’ve seen an unusual bit of behavior in traffic between here and there, and this is something that really needs to be investigated.”

Talking about more of the specifics about how we do that. There’s two major pieces we’re going to be focusing on today. The first one is Anomaly Detection. Anomaly Detection for us means that we can baseline your network and the traffic on your network across a number of different dimensions. There’s actually quite a few metrics that we’re watching, some of the ones you could see below like flows, and packets, and bytes, and bits per second, packet size, it can be flags, it can be counts it can be all kinds of different metrics, and we can baseline each of them over time, across all of your interfaces or potentially even other aspects. So, it could be a specific conversation or a specific application, but at its most basic level through all of your interfaces to understand what is normal and what is normal activity for that time of day, that day of the week from those devices or whatever it may be.

Then of course, once we know what is normal, we can detect any activity that deviates from that normal baseline, right? This gives you a really great way of watching traffic 24/7 for things that you wouldn’t potentially pick up if you were just you know kind of eyeballing it if you will, or waiting certainly for someone to contact you and say there’s a problem. So, the statistical power of an application to be doing this behind the scenes and running all the time, and noticing things that you wouldn’t notice in the middle of the night, is incredibly useful for this sort of thing and then when we do detect an anomaly, we move into phase two as we call it, into diagnostics? So, diagnostics says, “Okay, there’s been some anomaly that has been detected, let’s look at this. Let’s figure out what’s going on here. We then kick off this diagnostic approach, which qualifies the cause and impact for each offending behavior breach. We’re looking it for KPIs that are specific to things like DOS attacks or scanners or sweepers or peer-to-peer activity. We roll all of that information up into a single ticket so to speak, for you on a screen that you can very easily look at and understand exactly what’s going on. When did it happen? Where did it happen? What was involved? What baseline was breached? What does that mean? What could that possibly be?

You can also do of course advance things like intelligent whitelisting. You can send the information out of our system up to another system that you may have, like an ITSM or trouble ticket system, via SNMP and via email and so forth. So, really this again this is the intelligent piece of the product with machine learning as its background. So it’s doing this whether you’re watching it or not. It’s looking for those baseline breaches and then when we see them, it’s really coordinating all of the information about what happened into a single easy-to-use place, which you can then drill down into using all of our standard features to try and identify other things that are happening or where do you need to go next.

Anomaly Detection or NBAD as you may hear us talk about it, has been in the product for a number of years now. So, that’s not something new, it’s continually being improved, and it’s a wonderful piece of the product, and it’s been there for a while.

The new thing that we have introduced and are introducing is what we call our Endpoint Threat Detection. So this is another module added onto the product that adds additional security capabilities while still utilizing all of the things that you typically utilize. So we’re still taking the data from NetFlow information but now we are applying to that information other outside data sources that we have, basically using some big data threat feeds collated from multiple sources that you can match up to or coordinate with the information about your traffic.

So, I’ve got information about my traffic, I’ve had that. Now, I’ve got information about what is bad in the world and in real time, where known bad actors, known bad IP addresses, Ransomware, malware, DDoS attacks, Tor and so forth are coming from and then looking at the two of them and saying, “Are any of my people talking to those things?” At the very most basic level that’s what we’re looking for, right? So, it’s things global in terms of getting all of these feeds and using pattern matching, and Anomaly Detection and so forth, and then it’s acting very local against the traffic that you have in your network.

This capability of having network connection logging or NetFlow, just as everybody in the industry agrees, is one of the best places that you can get this data. It’s almost impossible to get the kind of granular level of information from any other source. Especially if you are held to any sort of standard in terms of retention or policies around not being able to look directly into the data. If you’ve got compliance requirements that say, “Hey, I can’t store my customers’ data.” That is fine with NetFlow because NetFlow is not looking inside the packets; it’s looking at the metadata. Who’s talking to whom, and when are they doing it, and how much talking are they doing and so forth. But it’s not actually reading an e-mail or anything inside of that. So, you’re not going to run into a foul of any of those regulatory problems, but you’re still able to get a huge amount of benefit from a network investigation using that data.

It’s important that even without content, NetFlow provides an excellent means of guiding that investigation because there’s still so much data there. As it’s called in our world, metadata – Data about the data! There’s still so much information there. But what’s great also is that, you don’t have to retain content… unlike let’s say a probe or other type of system that is collecting every bit and byte. You run into problems there too, they’re expensive, and you run into storage requirements trying to store historically every conversation including the data, over a long period of time is just incredibly expensive and incredibly unwieldy to do. The amount of storage you have to have to be able to do that, and the difficulty in quickly and effectively retrieving that information and searching for things, just becomes next to impossible. But when you can still get the same benefit of what you need to look at from a security standpoint without those complications of price and just the logistics of handling it all, you end up with having a really valuable product and that’s what NetFlow can give to you.

So, with our Endpoint threat Detection, I’ve got a few screens here that can really dive down into what it looks like and how it works. Again, we’ve got these big data feeds of threat information out there in the world, collected from various sources, and honeypots and so forth and we’re continuously then monitoring for communications with those IPs of poor reputation. So, you’ve got your communication that we can see because of NetFlow, and you’ve got these known bad actors out there that we know about. We can match up those two pieces of information and when we do it, we’re not just saying it happened, but we’re giving you much more detail about it happening. So, if we kind of zoom in here a little bit, threat data can be seen in summary or in detail. We’ve got a categorization of what’s happening and different threat types. So, I can see this is a peer-to-peer kind of thing, is this known malware, is it Tor, is it an FTP or an SSH attacker? What kind of thing is happening from or on these known bad IP address?

So, from a high of macro level you can see what the threat categories are and what the threat types are and then of course, you can drill down using the standard CySight tools to investigate them and provide complete visibility into that threat. So, now I’ve seen it, I have traffic that’s been identified as a threat. I can use our drill down, right-click, or however you want to do it capability. In this case we’re showing a right-click on threat detection and saying show me the affected IP addresses. I want to know, let’s drill down and see in this case on Ransomware, command and control Ransomware what the infected IP addresses are and then you’re going to get into the individual affected IPs, the threat IP where it’s coming from and, how much traffic was done?

These are Ransomware-type attacks, and I can see this is happening in my network at this period of time and I can even then of course change the view to be a time view. When did this start? Has this been a long-lived thing that’s been going on over a period of time where it’s been sucking information out of my organization, or did this pop off and go away? And if it did, when did that happen? All of that kind of deep level investigation is something that you can get using all of the normal tools that we have. You can get this deep dive investigation of traffic for regular traffic. Not just malicious traffic, but just using our tool for what I’ll call normal traffic accounting. Who is talking to who and when, is all available to you and more now with the threat detection features.

So, we’re watching for those threats, we’ve identified them and then using all of the common things that you’re used to using if you’re already a customer of ours, being able to identify or drill down into that data and provide those reports when you want to see it.

Here’s another example: let’s look at threat-port usage over the last few hours. So, it’s may be a couple hour time frame and I can see specifically which ports, which protocols have been detected as potential threats. What kind of threats, of course again how much traffic did they use? How long has this gone on for, and so forth. So, you can in fact in this case, know that increasing Tor usage. That we’ve highlighted in yellow and green … but you can also notice it’s been this continual botnet chatter, this red line. It’s just been going on and on forever, and that’s obviously something that needs to be absolutely looked into. It might be very difficult to find this in any other way, it’s just ongoing background chatter that’s been happening. It may not spike to anything that’s incredibly large that would set off a threshold alert, or maybe not even set off an anomaly alert. But, we’ve identified this is being definitely an issue because it’s communicating to something that we know is bad out there.

Of course you have all of the common reporting type tools. So, you can automate those threats, I want a threat report every hour emailed to me, or every day, or whatever makes sense or a roll up report every month to provide to management to say, okay, over the last 30 days, here are all the threats that were identified as happening in our network, and then here’s what’s been remediated, here’s what we’ve blocked, here’s what we’ve stopped, here’s what we’ve fixed, here’s what we’ve cleaned up kind of thing and all of those reports that look good and can be scheduled in a great for both live use and for management, are part of and parcel of the product that we’ve been delivering for over a decade now.

As well as those deep dive threats forensics. So the high level reports are good for some people but the deep dive of course reports are important for other people and that’s something that we can give you because we store an archive all of this flow information, it’s not just the top 100, or the top 500, it’s the top 5,000 or 10,000 or every single Flow using our compliance version. The compliance version store has the ability to store all of those flows all the time for you to pull up and review may not have been yesterday, it may have been last week or last month or six months ago or whenever. You can still drill in, you can still see every individual flow in terms of IPs, source and destination and ports and protocols interfaces and all of that kind of information. It gives you that super granular capability that you’re just not going to find anywhere else.

We also try to give you different viewpoints; we’re very big on flexibility in terms of giving you an easy-to-understand way of looking at the traffic. Some people like to view numbers and other people like to view pictures, and there’s lots of ways that we can show that data to you. The visualization capability is outstanding within our product and one of the ways that that can be really useful. We’ve got this example here of a Tor correlation attack. So, it’s de-anonymizing Tor is a difficult but super important issue within the world of identifying Tor, and so for us, when we see that there has been Tor traffic we can build this visualization and we can see all the different places that that Tor traffic has hopped to within your network or in and out of your network and that really gives you a way to get in and say, “Okay, I need to look here, I need to stop at here, I need to stop at there.” From a service provider perspective, this can be a really, really useful example of what we can do in the power of our product.

So with the last few minutes here, I know we’re getting close to the time frame, but we do want to talk about the many options you have in terms of our scalable architecture. Whether you are small or mid-size organization, or very, very large organization, we have a way of delivering our product to you. It could be in a single standalone environment with a single database and single software installation, it could be as you grow and maybe you have various components of traffic that are disseminated globally, and you need local collection, we can do that. So, we can offer split off collectors or helper collectors that communicate up to a single master database or we can even do multi-site server, multi-database hierarchical architecture for really, really massively scaled organizations. So, no matter who you are, if you’re listening to this, if you’re just small organization with one site and a few devices, or a massively global corporation with thousands of devices and data traversing it in many different areas, we can fit your organization and we can architect a solution that is right for you.

We’ve got a number of exciting features one of the great things about us is that, we never stop developing and we never stop investigating what the best things are to add to the product. We’ve got some really cool enhancements coming on, all things that people have asked about or have inquired about, or we’ve decided to build on our own and we love talking to our customers.

Our best source of future development is request from our customers. So, anything that you can think of I can’t guarantee that that our team will do it, but I can certainly guarantee you that we’ll listen to you and we’ll think about it and we’ll do our absolute best to solve whatever issue you may have and because of our commitment to our customers and our willingness to listen to them, we really have built up a wonderful group of customers. You can see a few of their logos on the screen here again, everything from traditional organizations enterprises to service providers, educational institutions, Telco’s, whatever it may be, we can handle it and we’d love if you’re not already a customer of ours, but you’re listening to this webinar, certainly we’d love to have your logo on this list in the future and we feel like once you get to working with us and really get used to our product, you’re going to be super thrilled about how we do things. What we offer to you and the support we provide to you.

So, with that I think we’re at the end of the presentation, almost exactly right on time here, about 30 minutes. So, I want to thank everyone for taking the time to join today, as always it does not look like we have… I’m just looking. Does not look like we have any questions right now, so, if you do have any now would be the time to type them in. But if not, we just want to thank you for joining us today. This presentation has been recorded and will be available to any of the folks who registered, and it’ll eventually make it up into the website. So, please check it out. Also please check out our website for other information about future webinars or other documentation that we have, there’s a lot of good resources up there and we invite you to take a look at those and certainly if you have any questions to reach out to us either to the sales team or the support or engineering team depending on what you’re interested in.

So, with that, I’ll end the session and I look forward to speaking with all of you at some point in the future.

Thanks.

The post End Point Threat Detection Using NetFlow Analytics appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

5 Ways Flow Based Network Monitoring Solutions Need to Scale

Rafi Sabel — Thu, 19 Sep 2024 10:10:22 +0000

Partial Truth Only Results in Assumptions

A common gripe for Network Engineers is that their current network monitoring solution doesn’t provide the depth of information needed to quickly ascertain the true cause of a network issue. Imagine reading a book that is missing 4 out of every 6 words, understanding the context will be hopeless and the book has near to no value. Many already have over-complicated their monitoring systems and methodologies by continuously extending their capabilities with a plethora of add-ons or relying on disparate systems that often don’t interface very well with each other. There is also an often-mistaken belief that the network monitoring solutions that they have invested in will suddenly give them the depth they need to have the required visibility to manage complex networks.

A best-value approach to NDR, NTA and general network monitoring is to use a flow-based analytics methodology such as NetFlow, sFlow or IPFIX.

The Misconception & What Really Matters

In this market, it’s common for the industry to express a flow software’s scaling capability in flows-per-second. Using Flows-per-second as a guide to scalability is misleading as it is often used to hide a flow collector’s inability to archive flow data by overstating its collection capability and enables them to present a larger number considering they use seconds instead of minutes. It’s important to look not only at flows-per-second but to understand the picture created once all the elements are used together. Much like a painting of a detailed landscape, the finer the brush and the more colors used will ultimately provide the complete and truly detailed picture of what was being looked at when drawing the landscape.

Granularity is the prime factor to start focusing on, specifically referring to granularity retained per minute (flow retention rate). Naturally, speed impediment is a significant and critical factor to be aware of as well. The speed and flexibility of alerting, reporting, forensic depth, and diagnostics all play a strategic role but will be hampered when confronted with scalability limitations. Observing the behavior when impacted by high-flow-variance or sudden-bursts and considering the number of devices and interfaces can enable you to appreciate the absolute significance of scalability in producing actionable insights and analytics. Not to mention the ability to retain short-term and historical collections, which provide vital trackback information, would be nonexistent. To provide the necessary visibility to accomplish the ever-growing number of tasks analysts and engineers must deal with daily along with resolving issues to completion, NDR, NTA and general Network Monitoring System (NMS) must have the ability to scale in all its levels of consumption and retention.

How Should Monitoring Solutions Scale?

Flow-Based Network Detection and Response (NDR) / Network Traffic Analysis (NTA) software needs to scale in its collection of data in five ways:

Ingestion Capability – Also referred to as Collection, means the number of flows that can be consumed by a single collector. This is a feat that most monitoring solutions are able to accomplish, unfortunately, it is also the one they pride themselves on. It is an important ability but is only the first step of several crucial capabilities that will determine the quality of insights and intelligence of a monitoring system. Ingestion is only the ability to take in data, it does not mean “retention”, and therefore could do very little on its own.

Digestion Capability – Also referred to as Retention, means the number of flow records that can be retained by a single collector. The most overlooked and difficult step in the network monitoring world. Digestion / Flow retention rates are particularly critical to quantify as they dictate the level of granularity that allows a flow-based NMS to deliver the visibility required to achieve quality Predictive AI Baselining, Anomaly Detection, Network Forensics, Root Cause Analysis, Billing Substantiation, Peering Analysis, and Data Retention compliance. Without retaining data, you cannot inspect it beyond the surface level, losing the value of network or cloud visibility.

Multitasking Processes– Pertains to the multitasking strength of a solution and its ability to scale and spread a load of collection processes across multiple CPUs on a single server. This seems like an obvious approach to the collection but many systems have taken a linear serial approach to handle and ingest multiple streams of flow data that don’t allow their technologies to scale when new flow generating devices, interfaces, or endpoints are added forcing you to deploy multiple instances of a solution which becomes ineffective and expensive.

Clustered Collection – Refers to the ability of a flow-based solution to run a single data warehouse that takes its input from a cluster of collectors as a single unit as a means to load balance. In a large environment, you mostly have very large equipment that sends massive amounts of data to collectors. In order to handle all that data, you must distribute the load amongst a number of collectors in a cluster to multiple machines that make sense of it instead of a single machine that will be overloaded. This ability enables organizations to scale up in data use instead of dropping it as they attempt to collect it.

Hierarchical Correlation – The purpose of Hierarchical correlation is to take information from multiple databases and aggregate them into a single Super SIEM. With the need to consume and retain huge amounts of data, comes the need to manage and oversee that data in an intelligent way. Hierarchical correlation is designed to enable parallel analytics across distributed data warehouses to aggregate their results. In the field of network monitoring, getting overwhelmed with data to the point where you cannot find what you need is a as useful as being given all the books in the world and asked a single question that is answered in only one.

Network traffic visibility is considerably improved by reducing network blindspots and providing qualified sources and reasons of communications that impair business continuity.The capacity to capture flow at a finer level allows for new Predictive AI Baselining and Machine Learning application analysis and risk mitigation.

There are so many critical abilities that a network monitoring solution must enable its user, all are affected by whether or not the solution can scale.

Visibility is a range and not binary, you do not have or don’t have visibility, its whether you have enough to achieve your goals and keep your organization productive and safe.

The post 5 Ways Flow Based Network Monitoring Solutions Need to Scale appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

How to Use a Network Behavior Analysis Tool to Your Advantage

Tomare Curran — Thu, 22 Aug 2024 11:39:12 +0000

How to Use a Network Behavior Analysis Tool to Your Advantage

Cybersecurity threats can come in many forms. They can easily slip through your network’s defenses if you let your guard down, even for a second. Protect your business by leveraging network behavior analysis (NBA). Implementing behavioral analysis tools helps organizations detect and stop suspicious activities within their networks before they happen and limit the damage if they do happen.

According to Accenture, improving network security is the top priority for most companies this 2021. In fact, the majority of them have increased their spending on network security by more than 25% in the past months.

With that, here are some ways to use network behavior anomaly detection tools to your advantage.

1. Leverage artificial intelligence

Nowadays, you can easily leverage artificial intelligence (AI) and machine learning (ML) in your network monitoring. In fact, various software systems utilize AI diagnostics to enhance the detection of any anomalies within your network. Through its dynamic machine learning, it can quickly learn how to differentiate between normal and suspicious activities.

AI-powered NBA software can continuously adapt to new threats and discover outliers without much interference from you. This way, it can provide early warning on potential cyberattacks before they can get serious. This can include DDoS, Advanced Persistent Threats, and Anomalous traffic.

Hence, you should consider having AI diagnostics as one of your network behavior analysis magic quadrants.

2. Take advantage of its automation

One of the biggest benefits of a network anomaly detection program is helping you save time and labor in detecting and resolving network issues. It is constantly watching your network, collecting data, and analyzing activities within it. It will then notify you and your network administrators of any threats or anomalies within your network.

Moreover, it can automatically mitigate some security threats from rogue applications to prevent sudden downtimes. It can also eliminate blind spots within your network security, fortifying your defenses and visibility. As a result, you or your administrators can qualify and detect network traffic passively.

3. Utilize NBA data and analytics

As more businesses become data-driven, big data gains momentum. It can aid your marketing teams in designing better campaigns or your sales team in increasing your business’ revenues. And through network behavior analysis, you can deep-mine large volumes of data from day-to-day operations.

For security engineers, big data analytics has become an effective defense against network attacks and vulnerabilities. It can give them deeper visibility into increasingly complex and larger network systems.

Today’s advanced analytics platforms are designed to handle and process larger volumes of data. Furthermore, these platforms can learn and evolve from such data, resulting in stronger network behavior analytics and local threat detection.

4. Optimize network anomaly detection

A common issue with network monitoring solutions is their tendency to overburden network and security managers with false-positive readings. This is due to the lack of in-depth information to confirm the actual cause of a network issue. Hence, it is important to consistently optimize your network behavior analysis tool.

One way to do this is to use a flow-based analytics methodology for your network monitoring. You can do so with software like CySight, which uses artificial intelligence to analyze, segment, and learn from granular telemetry from your network infrastructure flows in real-time. It also enables you to configure and fine-tune your network behavior analysis for more accurate and in-depth monitoring.

5. Integrate with other security solutions

Enhance your experience with your network behavior analytics tool by integrating it with your existing security solutions, such as prevention technology (IPS) systems, firewalls, and more.

Through integrations, you can cross-analyze data between security tools for better visibility and more in-depth insights on your network safety. Having several security systems working together at once means one can detect or mitigate certain behaviors that are undetectable for the other. This also ensures you cover all the bases and leave no room for vulnerabilities in your network.

Improving network security

As your business strives towards total digital transformation, you need to start investing in your network security. Threats can come in many forms. And once it slips past your guard, it might just be too late.

Network behavior analysis can help fortify your network security. It constantly monitors your network and traffic and notifies you of any suspicious activities or changes. This way, you can immediately mitigate any potential issues before they can get out of hand. Check out CySight to know more about the benefits of network behavior analysis.

But, of course, a tool can only be as good as the people using it. Hence, you must make sure that you hire the right people for your network security team. Consider recruiting someone with an online software engineering masters to help you strengthen your network.

Ref: Accenture Report

The post How to Use a Network Behavior Analysis Tool to Your Advantage appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

How NetFlow Solves for Mandatory Data Retention Compliance

Rafi Sabel — Thu, 08 Aug 2024 11:24:12 +0000

Compliance in IT is not new and laws regulating how organizations should manage their customer data exist such as: HIPPA, PCI, SCADA and Network transaction logging has begun to be required of business. Insurance companies are gearing up to qualify businesses by the information they retain to protect their services and customer information. Government and industry regulations and enforcement are becoming increasingly stringent.

Most recently many countries have begun to implement Mandatory Data Retention laws for telecom service providers.

Governments require a mandatory data retention scheme because more and more crime is moving online from the physical world and ISP‘s are keeping less data and retaining it for a shorter time. This negatively impacts the investigative capabilities of law enforcement and security agencies that need timely information to help save lives by early spotting lone-wolf terrorists or protect vulnerable members of society from abuse by sexual deviants, ransomware or other crimes online.

Although there is no doubt as to the value of mandatory data retention schemes they are not without justifiable privacy, human rights and expense concerns to implement.

It takes a lot of cash, time and skills that many ISP’s and companies simply cannot afford. Internet and managed service providers and large organizations must take proper precautions to remain in compliance. Heavy fines, license and certification issues and other penalties can result from non-compliance with mandatory data retention requirements.

According to the Australian Attorney-General’s Department, Australian telecommunications companies must keep a limited set of metadata for two years. Metadata is information about a communication (the who, when, where and how)—not the content or substance of a communication (the what).

A commentator from the Sydney morning herald qualified“…Security, intelligence and law enforcement access to metadata which overrides personal privacy is now in contention worldwide…” and speculated that with the introduction of Australian metadata laws that “…this country’s entire communications industry will be turned into a surveillance and monitoring arm of at least 21 agencies of executive government. …”.

In Australia many smaller ISP’s are fearful that failing to comply will send them out of business. Internet Australia’s Laurie Patton said, “It’s such a complicated and fundamentally flawed piece of legislation that there are hundreds of ISPs out there that are still struggling to understand what they’ve got to do”.

As for the anticipated costs, a survey sent to ISPs by telecommunications industry lobby group Communications Alliance found that “There is a huge variance in estimates for the cost to business of implementing data retention – 58 per cent of ISPs say it will cost between $10,000 and $250,000; 24 per cent estimate it will cost over $250,000; 12 per cent think it will cost over $1,000,000; some estimates go as high as $10 million.”

An important cost to consider in compliance is the ease of data reporting when requested by government or corporate compliance teams to produce information for a specific ipv4 or ipv6 address. If the data is stored in a data-warehouse that is difficult to filter this may cause the service provider to incur penalties or be seen to be non-complying. Flexible filtering and automated reporting is therefore critical to produce the forensics required for the compliance in a timely and cost effective manner.

Although there are different laws governing different countries the main requirement of mandatory data retention laws at ISP’s is to maintain sufficient information at a granular level in order to assist governments in finding bad actors such as terrorists, corporate espionage, ransom-ware and pedophiles. In some countries this means that telcos are required to keep data of the IP addresses users connect to, for up to 10 weeks and in others just the totals of subscriber usage for each IP used for up to 2 years.

Although information remains local to each country and governed by relevant privacy laws, the benefits to law enforcement in the future will eventually provide the ability to have the visibility to track relayed data such as communications used by Tor Browsers, Onion routers and Freenet beyond their relay and exit nodes.

There is no doubt in my mind that with heightened states of security and increasing online crime there is a global need for governments to intervene with online surveillance to protect children from exploitation, reduce terrorism and to build defensible infrastructures whilst at the same time implementing data retention systems that have the inbuilt smarts to enable a balance between compliance and privacy rather than just a blanket catch all. There is already an available solution for the Internet communications component based on Netflow that assists ISP’s to quickly comply at a low cost whilst properly allowing data retention rules to be implemented to limit intruding on an individual’s privacy.

NetFlow solutions are cheap to deploy and are not required to be deployed at every interface such as a packet analyzer and can use the existing router, switch or firewall investment to provide continuous network monitoring across the enterprise, providing the service provider or organization with powerful tools for data retention compliance.

NetFlow technology if sufficiently scalable, granular and flexible can deliver on the visibility, accountability and measurability required for data retention because it can include features that:

Supply a real-time look at network and host-based activities down to the individual user and device;
Increase user accountability for introducing security risks that impact the entire network;
Track, measure and prioritize network risks to reduce Mean Time to Know (MTTK) and Mean Time to Repair or Resolve (MTTR);
Deliver the data IT staff needs to engage in in-depth forensic analysis related to security events and official requests;
Seamlessly extend network and security monitoring to virtual environments;
Assist IT departments in maintaining network up-time and performance, including mission critical applications and software necessary to business process integrity;
Assess and enhance the efficacy of traditional security controls already in place, including firewalls and intrusion detection systems;
Capture and archive flows for complete data retention compliance

Compared to other analysis solutions, NetFlow can fill in the gaps where other technologies cannot deliver. A well-architected NetFlow solution can provide a comprehensive landscape of tools to help business and service providers to achieve and maintain data retention compliance for a wide range of government and industry regulations.

The post How NetFlow Solves for Mandatory Data Retention Compliance appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

Scalable NetFlow – 3 Key Questions to Ask Your NetFlow Vendor

Rafi Sabel — Tue, 30 Jul 2024 07:07:14 +0000

Why is flows per second a flawed way to measure a netflow collector’s capability?

Flows-per-second is often considered the primary yardstick to measure the capability of a netflow analyzer’s flow capture (aka collection) rate.

This seems simple on its face. The more flows-per-second that a flow collector can consume, the more visibility it provides, right? Well, yes and no.

The Basics

NetFlow was originally conceived as a means to provide network professionals the data to make sense of the traffic on their network without having to resort to expensive per segment based packet sniffing tools.

A flow record contains at minimum the basic information pertaining to a transfer of data through a router, switch, firewall, packet tap or other network gateway. A typical flow record will contain at minimum: Source IP, Destination IP, Source Port, Destination Port, Protocol, Tos, Ingress Interface and Egress Interface. Flow records are exported to a flow collector where they are ingested and information orientated to the engineer’s purposes are displayed.

Measurement

Measurement has always been how the IT industry expresses power and competency. However, a formula used to reflect power and ability changes when a technology design undergoes a paradigm shift.

For example, when expressing how fast a computer is we used to measure the CPU clock speed. We believed that the higher the clock speed the more powerful the computer. However, when multi-core chips were introduced the CPU power and speed dropped but the CPU in fact became more powerful. The primary clock speed measurement indicator became secondary to the ability to multi-thread.

The flows-per-second yardstick is misleading as it incorrectly reflects the actual power and capability of a flow collector to capture and process flow data and it has become prone to marketing exaggeration.

Flow Capture Rate

Flow capture rate ability is difficult to measure and to quantify a products scalability. There are various factors that can dramatically impact the ability to collect flows and to retain sufficient flows to perform higher-end diagnostics.

It’s important to look not just at flows-per-second but at the granularity retained per minute (flow retention rate), the speed and flexibility of alerting, reporting, forensic depth and diagnostics and the scalability when impacted by high-flow-variance, sudden-bursts, number of devices and interfaces, the speed of reporting over time, the ability to retain short-term and historical collections and the confluence of these factors as it pertains to scalability of the software as a whole.

Scalable NetFlow and flow retention rates are particularly critical to determine as appropriate granularity is needed to deliver the visibility required to perform Anomaly Detection, Network Forensics, Root Cause Analysis, Billing substantiation, Peering Analysis and Data retention compliance.

The higher the flows-per-second and the flow-variance the more challenging it becomes to achieve a high flow-retention-rate to archive and retain flow records in a data warehouse.

A vendor’s capability statement might reflect a high flows-per-second consumption ability but many flow software tools have retention rate limitations by design.

It can mean that irrespective of achieving a high flow collection rate the netflow analyzer might only be capable of physically archiving 500 flows per minute. Furthermore, these flows are usually the result of sorting the flow data by top bytes to identify “Top 10” bandwidth abusers. Netflow products of this kind can be easily identified because they often tend to offer benefits orientated primarily to identifying bandwidth abuse or network performance monitoring.

Identifying bandwidth abusers is of course a very important benefit of a netflow analyzer. However, it has a marginal benefit today where a large amount of the abuse and risk is caused by many small flows.

These small flows usually fall beneath the radar screen of many netflow analysis products. Many abuses like DDoS, p2p, botnets and hacker or insider data exfiltration continue to occur and can at minimum impact the networking equipment and user experience. Lack of ability to quantify and understand small flows creates great risk leaving organizations exposed.

Scalability

This inability to scale in short-term or historical analysis severely impacts a flow monitoring product’s ability to collect and retain critical information required in today’s world where copious data has created severe network blind spots.

To qualify if a tool is really suitable for the purpose, you need to know more about the flows-per-second collection formula being provided by the vendor and some deeper investigation should be carried out to qualify the claims.

With this in mind here are 3 key questions to ask your NetFlow vendor to understand what their collection scalability claims really mean:

How many flows can be collected per second?

Qualify if the flows per second rate provided is a burst rate or a sustained rate.
Ask how the collection and retention rates might be affected if the flows have high-flow variance (e.g. a DDoS attack).
How is the collection, archiving and reporting impacted when flow variance is increased by adding many devices and interfaces and distinct IPv4/IPv6 conversations and test what degradation in speed can you expect after it has been recording for some time.
Ask how the collection and retention rates might change if adding additional fields or measurements to the flow template (e.g. MPLS, MAC Address, URL, Latency)

How many flow records can be retained per minute?

Ask how the actual number of records inserted into the data warehouse per minute can be verified for short-term and historical collection.
Ask what happens to the flows that were not retained.
Ask what the flow retention logic is. (e.g. Top Bytes, First N)

What information granularity is retained for both short-term and historically?
- Does the data’s time granularity degrade as the data ages e.g. 1 day data retained per minute, 2 days retained per hour 5 days retained per quarter
- Can you control the granularity and if so for how long?

Remember – Rate of collection does not translate to information retention.

Do you know what’s really stored in the software’s database? After all you can only analyze what has been retained (either in memory or on disk) and it is that information retention granularity that provides a flow products benefits.

The post Scalable NetFlow – 3 Key Questions to Ask Your NetFlow Vendor appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

Big Data – A Global Approach To Local Threat Detection

Rafi Sabel — Sat, 27 Jul 2024 09:42:51 +0000

From helping prevent loss of life in the event of a natural disaster, to aiding marketing teams in designing more targeted strategies to reach new customers, big data seems to be the chief talking point amongst a broad and diverse circle of professionals.

For Security Engineers, big data analytcs is proving to be an effective defense against evolving network intrusions thanks to the delivery of near real-time insights based on high volumes of diverse network data. This is largely thanks to technological advances that have resulted in the capacity to transmit, capture, store and analyze swathes of data through high-powered and relatively low-cost computing systems.

In this blog, we’ll take a look at how big data is bringing deeper visibility to security teams as environments increase in complexity and our reliance on pervading network systems intensifies.

Big data analysis is providing answers to the data deluge dilemma

Large environments generate gigabytes of raw user, application and device metrics by the minute, leaving security teams stranded in a deluge of data. Placing them further on the back foot is the need to sift through this data, which involves considerable resources that at best only provide a retrospective view on security breaches.

Big data offers a solution to the issue of “too much data too fast” through the rapid analysis of swathes of disparate metrics through advanced and evolving analytical platforms. The result is actionable security intelligence, based on comprehensive datasets, presented in an easy-to-consume format that not only provides historic views of network events, but enables security teams to better anticipate threats as they evolve.

In addition, big data’s ability to facilitate more accurate predictions on future events is a strong motivating factor for the adoption of the discipline within the context of information security.

Leveraging big data to build the secure networks of tomorrow

As new technologies arrive on the scene, they introduce businesses to new opportunities – and vulnerabilities. However, the application of Predictive AI Baselining analytics to network security in the context of the evolving network is helping to build the secure, stable and predictable networks of tomorrow. Detecting modern, more advanced threats requires big data capabilities from incumbent intrusion prevention and detection (IDS\IPS) solutions to distinguish normal traffic from potential threats.

By contextualizing diverse sets of data, Security Engineers can more effectively detect stealthily designed threats that traditional monitoring methodologies often fail to pick up. For example, Advanced Persistent Threats (APT) are notorious for their ability to go undetected by masking themselves as day-to-day network traffic. These low visibility attacks can occur over long periods of time and on separate devices, making them difficult to detect since no discernible patterns arise from their activities through the lens of traditional monitoring systems.

Big data Predictive AI Baselining analytics lifts the veil on threats that operate under the radar of traditional signature and log-based security solutions by contextualizing traffic and giving NOCs a deeper understanding of the data that traverses the wire.

Gartner states that, “Big data Predictive AI Baselining analytics enables enterprises to combine and correlate external and internal information to see a bigger picture of threats against their enterprises.” It also eliminates the siloed approach to security monitoring by converging network traffic and organizing it in a central data repository for analysis; resulting in much needed granularity for effective intrusion detection, prevention and security forensics.

In addition, Predictive AI Baselining analytics eliminates barriers to internal collaborations between Network, Security and Performance Engineers by further contextualizing network data that traditionally acted as separate pieces of a very large puzzle.

So is big data Predictive AI Baselining analytics the future of network monitoring?

In a way, NOC teams have been using big data long before the discipline went mainstream. Large networks have always produced high volumes of data at high speeds – only now, that influx has intensified exponentially.

Thankfully, with the rapid evolution of computing power at relatively low cost, the possibilities of what our data can tell us about our networks are becoming more apparent.

The timing couldn’t have been more appropriate since traditional perimeter-based IDS\IPS no longer meet the demands of modern networks that span vast geographical areas with multiple entry points.

In the age of cloud, mobility, ubiquitous Internet and the ever-expanding enterprise environment, big data capabilities will and should become an intrinsic part of virtually every security apparatus.

The post Big Data – A Global Approach To Local Threat Detection appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

NetFlow for Usage-Based Billing and Peering Analysis

Rafi Sabel — Thu, 25 Jul 2024 12:09:57 +0000

Usage–based billing refers to the methods of calculating and passing back the costs of running a network to the consumers of data that occur through the network. Both Internet Service Providers (ISP) and Corporations have a need for Usage-based billing with different billing models.

NetFlow is the ideal technology for usage-based billing because it allows for the capture of all transactional information pertaining to the usage and some smart NetFlow technologies already exist to assist in the counting, allocation, and substantiation of data usage.

Advances in telecommunication technology have enabled ISPs to offer more convenient, streamlined billing options to customers based on bandwidth usage.

One billing model used most commonly by ISPs in the USA is known as the 95^th percentile. The ISP filters the samples and disregards the highest 5% in order to establish the bill amount. This is an advantage to data consumers who have bursts of traffic because they’re not financially penalized for exceeding a traffic threshold for brief periods of time. The solution measures traffic employing a five-minute granularity standard typically over the course of a month.

The disadvantage of the 95^th percentile model is that its not sustainable business model as data continues to become a utility like electricity.

A second approach is a utility-based metered billing model that involves retaining a tally of all bytes consumed by a customer with some knowledge of data path to allow for premium or free traffic plans.

Metered Internet usage is used in countries like Australia and most recently Canada who have nationally moved away from a 95^th percentile model. This approach is also very popular in corporations whose business units share common network infrastructure and who are unwilling to accept “per user” cost, but rather a real consumption-based cost.

Benefits of usage-based billing are:

Improved transparency about the cost of services;
Costs feedback to the originator;
Raised cost sensitivity;
Good basis for active cost management;
The basis for Internal and external benchmarking;
Clear substantiation to increase bandwidth costs;
Shared infrastructure costs can also be based on consumption;
Network performance improvements.

For corporations, usage-based billing enables the IT department to become a shared service and viewed as a profit center rather than a cost center. It can become viewed as something that’s a benefit and a catalyst for business growth rather than a necessary but expensive line item in the budget.

For ISPs in the USA, there is no doubt that utility-based costs per byte model will continually be contentious as video and TV over Internet usage increases. In other regions, new business models that include packaging of video over “free zones” services have become popular meaning that the cost of premium content provision has fallen onto the content provider making utility billing viable in the USA.

NetFlow tools can include methods for building billing reports and offer a variety of usage-based billing model calculations.

Some NetFlow tools even include an API to allow the chart-of-accounts to be retained and driven from traditional accounting systems using the NetFlow system to focus on the tallying. Grouping algorithms should be flexible within the solution to allow for grouping of all different variables such as interfaces, applications, Quality of Service (QoS), MAC Addresses, MPLS, and IP groups. For ISPs and large corporations Asynchronous Network Numbers (ASN) also allow for analysis of data-paths allowing sensible negotiations with Peering partners and Content partners.

Look out for more discussion on peering in an upcoming blog…

The post NetFlow for Usage-Based Billing and Peering Analysis appeared first on CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response.

Network Intelligence Archives – CySight - Integrated AI-Driven Cyber Network and EndPoint Detection and Response

Advanced Predictive AI leveraging Granular Flow-Based Network Analytics.

IT’S WHAT YOU DON’T SEE THAT POSES THE BIGGEST THREATS AND INVISIBLE DANGERS.

The Red Pill or The Blue Pill?

Often those most vulnerable are those who believe they have the visibility to detect.

Understanding The shift towards Flow-Based Metadatafor Network and Cloud Cyber-Intelligence

So what now?

Summing up

Balancing Granularity Against Network Security Forensics

Effectively identifying trends will largely depend on the data you collect

Netflow security monitoring can give SOCs real-time security metrics

Network metrics are being generated on a big data scale

NetFlow security monitoring evolves alongside technology organically

Hunt SUNBURST and Trojans with Turbocharged Netflow.

What Is the SUNBURST Trojan Attack?

How was SUNBURST detected?

IT’S WHAT WE DON’T SEE THAT POSES THE BIGGEST THREATS AND INVISIBLE DANGERS!

How does CySight hunt SUNBURST and other Malware?

Anonymity by Obscurity

Identifying exposure

Multi-focal threat hunting

CySight Turbocharges Flow and Cloud analytics for SecOps and NetOps

Cyber feedback

Global honeypots

Threat feeds

Crowd sources

Active crawlers

External 3rd Party

So how exactly do you go about turbocharging your Flow and Cloud metadata?

End Point Threat Detection Using NetFlow Analytics

5 Ways Flow Based Network Monitoring Solutions Need to Scale

Partial Truth Only Results in Assumptions

The Misconception & What Really Matters

How Should Monitoring Solutions Scale?

How to Use a Network Behavior Analysis Tool to Your Advantage

How to Use a Network Behavior Analysis Tool to Your Advantage

How NetFlow Solves for Mandatory Data Retention Compliance

Scalable NetFlow – 3 Key Questions to Ask Your NetFlow Vendor

Why is flows per second a flawed way to measure a netflow collector’s capability?

Big Data – A Global Approach To Local Threat Detection

Big data analysis is providing answers to the data deluge dilemma

Leveraging big data to build the secure networks of tomorrow

So is big data Predictive AI Baselining analytics the future of network monitoring?

NetFlow for Usage-Based Billing and Peering Analysis

Understanding The shift towards Flow-Based Metadata

for Network and Cloud Cyber-Intelligence