Network Security Forensics

CySight provides visibility of every network conversation and scales beyond any other product in the industry.

Today’s IT departments face the complexities of network convergence, increased data and NetFlow volumes, heightened security vulnerabilities and threats, legislation and compliance issues, rising network costs, network performance demands, and stringent budgets. Open and complex networks have become increasingly difficult to manage, and accountability and traceability of usage have become a necessity. The organization’s survival and competitiveness rely on the IT department’s success in mitigating the risk to the network, its performance, and its data through continual auditing.

The ability to perform NetFlow forensics for security at a granular level enables the organization to discover breaches that occur in real time as well as those that occur over a prolonged period (data leaks). Large networks generate copious amounts of NetFlow data, which needs a high degree of visibility in order to be scrutinized and reported on by a limited number of people. While standard security devices (firewalls, intrusion detection systems, sniffers, etc.) may already be in place, they lack the ability to record and report on every transaction. Recording every transaction requires the ability to scale. As a result, NetFlow data analysis, auditing, and forensic reporting at a granular level have (until now) been expensive and difficult to achieve and manage.

The pre-configured Security Forensics and Network Auditing analyses include Dissemination, DDoS Assessment, Botnet Assessment, TCP Flags, P2P Behavior, Packet Size, Spammy Application, Outlier Application, Unknown Application, Long Active, ICMPv4, IPv4 Multicast, Social Networks, and Streaming Video.

Count Analysis

Counting records as part of a result quickly identifies excessive flows or change. Any record combination can be counted, which enables quick identification of port scanners, P2P users, DoS attacks, or other spammy conversations. Used over the long term, counts identify long-lasting flows or conversations.
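The following is an added example (not CySight code) of what "counting any record combination" looks like over flow records. The records, field names and thresholds are constructed for illustration: a source that opens many tiny SYN-only flows to distinct destination ports on one host is counted as a port scanner, flow counts per host pair show excessive conversations, and the first/last timestamps single out long-active flows.

```python
"""Count analysis over flow records (added example, not CySight code).

Flow records are constructed here as dicts carrying the fields a NetFlow
v5/v9 exporter reports (addresses, ports, protocol, TCP flags, packets,
bytes, first/last timestamps in ms). Thresholds are hypothetical.
"""
from collections import Counter, defaultdict

# TCP flag bits as they appear in the NetFlow tcp_flags byte
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def make_flow(src, dst, sport, dport, proto=6, flags=FLAG_SYN | FLAG_ACK,
              pkts=10, octets=4000, first=0, last=1000):
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto,
                flags=flags, pkts=pkts, octets=octets, first=first, last=last)


# Constructed sample: a normal HTTPS client, a SYN scan of 40 ports,
# and a single four-hour SSH transfer
SAMPLE_FLOWS = (
    [make_flow("10.0.0.5", "203.0.113.10", 51000 + i, 443) for i in range(5)]
    + [make_flow("10.0.0.9", "10.0.0.20", 40000 + p, p,
                 flags=FLAG_SYN, pkts=1, octets=60) for p in range(1, 41)]
    + [make_flow("10.0.0.7", "198.51.100.8", 52222, 22, pkts=900_000,
                 octets=1_200_000_000, first=0, last=4 * 3600 * 1000)]
)


def count_distinct_dports(flows):
    """Distinct destination ports per (src, dst) pair: the port-scan signal."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items()}


def count_flows_per_pair(flows):
    """Number of flows per (src, dst) pair: excessive conversations."""
    return Counter((f["src"], f["dst"]) for f in flows)


def syn_only_flows(flows):
    """Flows that carried SYN but never ACK: half-open connection attempts."""
    return [f for f in flows if f["flags"] & FLAG_SYN and not f["flags"] & FLAG_ACK]


def find_port_scanners(flows, min_ports=20):
    """Sources that touched at least `min_ports` distinct ports on one host."""
    hits = {pair[0] for pair, n in count_distinct_dports(flows).items()
            if n >= min_ports}
    return sorted(hits)


def long_active_flows(flows, min_ms=60 * 60 * 1000):
    """Flows whose active time (last - first) is at least `min_ms`."""
    return [f for f in flows if f["last"] - f["first"] >= min_ms]


if __name__ == "__main__":
    print("port scanners:", find_port_scanners(SAMPLE_FLOWS))
    print("SYN-only flows:", len(syn_only_flows(SAMPLE_FLOWS)))
    print("busiest pairs:", count_flows_per_pair(SAMPLE_FLOWS).most_common(2))
    print("long active:", [(f["src"], f["dst"]) for f in long_active_flows(SAMPLE_FLOWS)])
```

The same counting functions apply unchanged to real exporter output once records are mapped into the same field names; the only tuning is the thresholds, which should come from a baseline of the network in question rather than the constants used here.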

Percentile Analysis

Short-term and long-term percentile analysis can be calculated, for billing or for security. A percentile analysis of a threshold event provides an indication of change, and it can be set in conjunction with baseline analysis.

Top X/Y Analysis

Top X/Y is a unique, flexible aggregating and dividing tool. It can provide a simple bird’s-eye view with Predictive AI Baselining analytics, such as the top 5 applications and conversations for each ASN peer, or more granular identification, such as the top 100 threats (IPs, category and type) for each affected IP.

Packet Size Analysis

Provides a detailed view of network traffic by packet sizes. Use this information to optimize VoIP traffic as well as to identify packet size anomalies.

Baseline Analysis

Comparative analysis can be performed on any and every element, comparing an element’s periodic behavior across the timeline.

Deviation Analysis

Analyze traffic patterns by standard deviation to identify which aspects have changed the most in a specific period. Quickly identify outliers, worms, increasing flows, DDoS, or data floods.
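The percentile, baseline and deviation analyses above share one underlying calculation, shown here as an added example that is not CySight code: per-interval byte totals for a group are constructed inline, the 95th percentile is taken by the nearest-rank method used for percentile billing, the baseline is the mean and sample standard deviation of the history, and an interval is flagged when its z-score exceeds a chosen number of standard deviations. The interval values and the three-sigma threshold are assumptions.

```python
"""Percentile, baseline and deviation analysis over interval byte totals.
Added example, not CySight code. Input values are constructed."""
import math
import statistics

# Constructed: twelve 5-minute byte totals for one business group (the history)
BASELINE_INTERVALS = [
    4_100_000, 3_900_000, 4_300_000, 4_000_000, 4_200_000, 3_800_000,
    4_400_000, 4_100_000, 3_950_000, 4_050_000, 4_150_000, 4_250_000,
]
CURRENT_INTERVAL = 9_800_000  # constructed: a sudden jump in the latest bin


def percentile(values, pct):
    """Nearest-rank percentile, the method commonly used for 95th-percentile
    billing: sort ascending and take the value at rank ceil(pct/100 * n)."""
    if not values:
        raise ValueError("empty sample")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def baseline(values):
    """Mean and sample standard deviation of the historical totals."""
    if len(values) < 2:
        raise ValueError("need at least two intervals for a baseline")
    return statistics.mean(values), statistics.stdev(values)


def zscore(value, values):
    """How many standard deviations `value` sits from the baseline mean."""
    mean, sd = baseline(values)
    if sd == 0:
        # A flat history: any change at all is infinitely unusual
        return 0.0 if value == mean else math.inf
    return (value - mean) / sd


def deviation_alert(value, values, threshold=3.0):
    """True when the interval deviates from baseline by more than `threshold` sigma."""
    return abs(zscore(value, values)) > threshold


def percentile_threshold_exceeded(value, values, pct=95):
    """True when the interval exceeds the pct-th percentile of the history."""
    return value > percentile(values, pct)


if __name__ == "__main__":
    mean, sd = baseline(BASELINE_INTERVALS)
    print(f"baseline mean={mean:,.0f} sd={sd:,.0f}")
    print("95th percentile:", percentile(BASELINE_INTERVALS, 95))
    print("z-score of current:", round(zscore(CURRENT_INTERVAL, BASELINE_INTERVALS), 2))
    print("deviation alert:", deviation_alert(CURRENT_INTERVAL, BASELINE_INTERVALS))
```

The percentile check and the deviation check answer different questions: the first says whether the interval is above the level the history rarely reaches, the second how far it is from typical behaviour in units of the history's own variability. Running both is what "a percentile analysis of a threshold event set in conjunction with baseline analysis" amounts to.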

Cross section Analysis

Stacked graphs enable comparison of any two network traffic parameters. As an example, a stacked-bar QoS analysis can graphically show the details of each application running within every class of service.

Custom Group Analysis

IP addresses can be grouped by Location, Customer, Application and Services. Network traffic detail can now be categorized in logical groups for reporting, billing and capacity planning.

Bi-directional Analysis

Show forward and reverse conversations and In vs. Out conversations to quickly identify which side of the conversation is responsible for traffic usage/flows.

These tools can be used to create multiple perspectives on network data. CySight provides a number of pre-configured forensics, but it is not limited to these: templates let you extend CySight.

CySight can perform analysis on any combination of data fields simultaneously (e.g. usage, packets, flows, packet size, utilization, latency, drops, counts, etc.) and sort data by any field, to effectively measure usage, trending patterns, baselines, averages, peaks and troughs, and standard deviations.

Menu bars and right-click drill-downs, baseline alerting, A.I. (Artificial Intelligence) diagnostics, threat intelligence correlation, business grouping, automated reporting template shortcuts, and many other easy-to-use functions all help deliver rapid analysis, so that fast and appropriate action can be taken to reroute the packets that fit an attack profile.

NetFlow, originally defined by Cisco Systems, is an IP flow-based traffic accounting protocol used to support applications such as usage-based billing, traffic analysis, capacity planning, and network behavior anomaly detection. It is the basis for the IPFIX (IP Flow Information Export) protocol.

CySight supports Cisco NetFlow versions v5, v7 and v9, IPFIX, sFlow, jFlow, NetStream, VMWare, and Flexible NetFlow.
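As an added example of the NetFlow v5 export format mentioned above (this is not CySight code), the following parses a v5 datagram into the flow records the analyses on this page operate on. The layout is the documented Cisco v5 format: a 24-byte header followed by fixed 48-byte records, all big-endian, with the sampling interval carried in the low 14 bits of the last header field. The datagram is constructed in code rather than captured, and the sequence-gap helper is an added convenience for spotting lost export packets.

```python
"""Minimal NetFlow v5 datagram encoder/parser (added example, not CySight code).
Sample records below are constructed, not captured."""
import socket
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval          (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2                             (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

SAMPLE_RECORDS = [  # constructed: one HTTPS flow and one DNS query
    dict(src="10.0.0.5", dst="203.0.113.10", sport=51000, dport=443, proto=6,
         flags=0x1B, pkts=12, octets=5400, first=590_000, last=599_000),
    dict(src="10.0.0.5", dst="10.0.0.53", sport=53022, dport=53, proto=17,
         flags=0, pkts=1, octets=78, first=598_500, last=598_500),
]


def build_v5_datagram(records, uptime_ms=600_000, unix_secs=1_700_000_000, seq=0):
    """Encode records as a v5 datagram (used here to construct sample input)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                       socket.inet_aton("0.0.0.0"), 0, 0, r["pkts"], r["octets"],
                       r["first"], r["last"], r["sport"], r["dport"], 0,
                       r["flags"], r["proto"], 0, 0, 0, 0, 0, 0)
        for r in records)
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram; rejects wrong versions and truncated/padded payloads."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, uptime, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "pkts": f[5], "octets": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
        })
    return {"version": version, "uptime_ms": uptime, "unix_secs": unix_secs,
            "sequence": seq, "engine": (engine_type, engine_id),
            "sampling_interval": sampling & 0x3FFF, "flows": flows}


def is_valid_v5(datagram):
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def sequence_gap(prev_seq, prev_count, this_seq):
    """Flows lost between two datagrams from one engine. v5 flow_sequence counts
    flows, so the next datagram should start at prev_seq + prev_count."""
    return (this_seq - (prev_seq + prev_count)) & 0xFFFFFFFF


if __name__ == "__main__":
    dgram = build_v5_datagram(SAMPLE_RECORDS, seq=100)
    for flow in parse_v5(dgram)["flows"]:
        print(flow)
```

The length check matters in practice: collectors that trust the header's count and read past a truncated UDP payload, or silently accept trailing bytes, produce records that never existed, and sequence gaps are the first sign that an exporter or the collector is dropping flows.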

CySight enables complete IPv6 business groupings. This means IPv6 NetFlow is fully supported across all CySight features, including Predictive AI Baselining analytics, usage billing, 95th percentile billing, network anomaly detection, report scheduling, alerting, user portals, and much more.