Two years ago, I wrote a blog about tracking malware in encrypted traffic. The overall theme of that blog was that encryption has become much more of a standard. 2017 in particular was a milestone year in which the volume of encrypted traffic officially surpassed unencrypted web traffic. It’s safe to say that in three years, that balance has shifted even more in favor of SSL/TLS encryption. In this blog, I’ll explore the concept of JA3 and JA3S fingerprinting and the benefits they introduce when it comes to inspecting encrypted traffic.
Read moreBlog
Plixer Scrutinizer new UI changes
Posted on - by Ryan Slosser
With the newest release of version 19.0.0, I’d like to go over how Plixer Scrutinizer’s UI has changed to make finding data easier. There are a few new ways to accomplish the same tasks in the newest release that differ from the version 18.20 and under. This blog will cover how to accomplish some common workflows in the new UI, and how to navigate to the data you need even faster than before.
Read moreThe importance of monitoring Windows 10 updates
Posted on - by Timothy Morris
Microsoft has redone their release cycle format, and although it makes things easier for the end user, it can prove difficult to ensure your environment is running the most up-to-date or minimally supported operating systems. Microsoft is now only releasing major feature updates to Windows 10, as opposed to releasing a “Windows 11” or a “Windows 10.1.” Thus it is no longer obvious if an end user is running an outdated operating system. This is a challenge for systems administrators who need to make sure endpoint machines are on the latest Windows 10 update.
Read moreFive ways Plixer Scrutinizer helps retail networks
Posted on - by Joanna Buckley
Even though most of us have looked at a calendar recently and thought, “I could have sworn we were in May, not October,” you can’t deny that the holidays are coming. There’s a chill in the air, forecasts for snow, and floods of emails and holiday advertising from almost every retail outlet. While shoppers are gearing up to find the perfect gift, anyone who works in retail cyber security is also no doubt preparing for the big rush as well. Here are five ways Plixer Scrutinizer can help you if you’re in that role.
Read moreDetecting RDP attacks with NetFlow and metadata
Posted on - by Jake
An ever increasing attack vector in the healthcare industry are attacks against open or unsecured RDP connections that allow a bad actor to gain a foothold into the network and use this to propagate malware or export the client via ransomware. In this blog, you’ll find some simple-to-follow workflows that you can use to identify and remediate any potentially vulnerable servers.
Read moreUsername reporting: NetFlow integration with Splunk
Posted on - by Brian Davenport
I was recently able to explore the Splunk software development kit with a customer. This helped me to implement another way to get username attribution within Plixer Scrutinizer. It’s a great addition to past methods such as Active Directory, Cisco ISE, and CounterACT because in many cases user information will already be logged in Splunk, which saves duplicate work with multiple systems.
Read moreHow to detect suspicious ICMP traffic
Posted on - by Scott
A few years ago, we added a behavioral algorithm to Plixer Scrutinizer that looked at all the flow data that was collected and determined if there was possible ICMP tunneling taking place. That algorithm alarmed if it determined that packet sizes were abnormal for ICMP traffic from a Windows or Linux platform.
Read moreHow to detect a reverse SSH tunnel
Posted on - by Khalil Ismayilov
Today we are going to talk about Plixer’s new Flow Analytics algorithm, Reverse SSH Shell, which has been included in the latest Plixer Scrutinizer update. The Reverse SSH Shell algorithm identifies possible reverse SSH tunnels to external destinations.
Read moreWhy highly available monitoring is important to compliance
Posted on - by Justin
Many organizations carry a burdensome responsibility to various regulatory bodies like the Securities and Exchange Commission or the US Department of Health and Human Services. These bodies can levy heavy fines on businesses that fall out of compliance or can’t demonstrate that they complied with industry security standards. Among the many tools and platforms available to organizations, network traffic analytics—and more specifically, network detection and response (NDR) technology—has become a go-to solution used to help businesses demonstrate compliance.
Read moreSTIX/TAXII for threat intelligence
Posted on - by Dylan Mclaughlin
What is STIX/TAXII?
STIX stands for Structured Threat Information Expression, which is an open-source language and serialization format used in sharing threat intelligence. Think of it as the vehicle for containing the threat information. Threat intelligence is communicated as objects and is detailed or as brief as the creator would like. TAXII stands for Trusted Automated Exchange of Indicator Information and is an application protocol that uses HTTPS/HTTP to enable communication. Think of this as the highway for STIX to travel on.
Read more