The network threat detection landscape continues to evolve. The latest custom-written, stealthy threats evade most security perimeter defenses. To help reduce successful penetrations, most companies take a layered approach to network security: anti-virus software is constantly updated on servers and desktops, passwords are rotated, wireless authentication is set up, firewalls are deployed, access lists are maintained, and other layers continue to be added. These efforts are often the only defense against some of the nastiest internet crimes. That defense could be better.
Network Behavior Analysis
Within the Plixer solution, we take a multi-layered approach to detecting unwanted network behaviors by using NetFlow telemetry. All flows are put through dozens of Flow Analytic algorithms that look for nefarious traffic patterns, such as network scans and unwanted protocols, that could be trying to fly under your watchful radar. Not wanting to limit our customers to the algorithms we ship with, Scrutinizer can also be configured to watch for custom unwanted traffic patterns, such as mail traffic not involving the local mail server or DNS traffic to hosts other than the local DNS servers. Excessive traffic to facebook.com or other web sites can also be monitored.
Zero Day Threat Detection
Behavior-based threat detection without the use of signatures allows Scrutinizer to leverage flows from the existing investment in routers and switches to perform zero-day detection of unknown threats. When an anomaly is detected, the infected host can be quickly quarantined until the correct team can address the issue. Next steps often include:
- Watch for command and control (C&C) traffic - once the machine is quarantined, its traffic can be monitored to see which machines on the Internet it is communicating with.
- Data Exfiltration - Identify what information is being sent back to the attacker.
- Network interior malware proliferation - track the infected machine's internal traffic to determine other machines that may have been infected.
- Network reconnaissance - gather contextual historical data to find out when the initial infection occurred and where it may have spread. Even usernames are determined.
IP Host Reputation
One of our most important security layers is our ability to compare the IP addresses in all flows to a constantly updated IP reputation database of known compromised internet hosts. For most companies this is one of the best defenses against some of the scariest internet attacks such as Advanced Persistent Threats (APTs).
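To make the two layers above concrete, here is an added example (not Plixer's or Scrutinizer's code) of the kind of flow-level checks described: the custom patterns from the Network Behavior Analysis section (DNS to non-approved resolvers, mail traffic that bypasses the local mail server, a simple port-scan counter) alongside a reputation lookup on both endpoints of every flow. The local resolver, mail server, reputation entries and the sample flows are all constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed local policy (constructed for this example, not a product default).
LOCAL_DNS = {"10.0.0.53"}          # the only resolver hosts should be talking to
LOCAL_MAIL = {"10.0.0.25"}         # the only host that should send/receive mail
# Constructed stand-in for an IP reputation feed of known-compromised hosts.
BAD_REPUTATION = {"203.0.113.9"}
SCAN_PORT_THRESHOLD = 5            # distinct dst ports from one src to one dst

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str  # "udp" or "tcp"

def analyze(flows):
    """Return a list of (rule_name, flow) findings, one entry per violation."""
    findings = []
    ports_seen = defaultdict(set)  # (src, dst) -> distinct destination ports
    for f in flows:
        # Rule 1: DNS that bypasses the approved resolvers.
        if f.dst_port == 53 and f.dst not in LOCAL_DNS:
            findings.append(("dns_not_local_resolver", f))
        # Rule 2: mail traffic in which neither endpoint is the local mail server.
        if f.dst_port in (25, 465, 587) and f.src not in LOCAL_MAIL and f.dst not in LOCAL_MAIL:
            findings.append(("mail_not_local_server", f))
        # Rule 3: either endpoint appears on the reputation list.
        if f.src in BAD_REPUTATION or f.dst in BAD_REPUTATION:
            findings.append(("ip_reputation_match", f))
        # Rule 4: many distinct ports from one source to one destination looks like a scan;
        # report once, on the flow that crosses the threshold.
        ports_seen[(f.src, f.dst)].add(f.dst_port)
        if len(ports_seen[(f.src, f.dst)]) == SCAN_PORT_THRESHOLD:
            findings.append(("port_scan", f))
    return findings

# Constructed sample flows: one clean, one rogue DNS, one mail bypass,
# one reputation hit, then five flows to one host that make up a scan.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53", 53, "udp"),
    Flow("10.0.1.21", "8.8.8.8", 53, "udp"),
    Flow("10.0.1.22", "198.51.100.7", 25, "tcp"),
    Flow("10.0.1.23", "203.0.113.9", 443, "tcp"),
] + [Flow("10.0.1.24", "10.0.2.5", p, "tcp") for p in (21, 22, 23, 80, 443)]

if __name__ == "__main__":
    for rule, f in analyze(SAMPLE_FLOWS):
        print(f"{rule}: {f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
```

In a real deployment the reputation set would be refreshed from the feed on a schedule, and the scan threshold tuned per network segment to keep false positives from vulnerability scanners and monitoring hosts low.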
"Making the right decisions to protect networks from malicious threats is one of the greatest challenges. Knowledge is power, and Emerging Threats and Plixer combine their industry-leading technologies to enable users to maximize their threat detection with the most comprehensive IP Reputation list with NetFlow."
Matt Jonkman, CTO - Emerging Threats