Network Behavior Analysis
Now that the importance of behavior monitoring has been established, the question becomes how best to accomplish it. Scrutinizer baselines the expected behaviors of end systems and applications. Scrutinizer then incorporates dozens of security algorithms that analyze flow and metadata details, looking for communication patterns and behaviors inconsistent with the baseline. Using NetFlow telemetry, Scrutinizer identifies malware that would otherwise fly under the radar and raises an alarm, triggering the incident response process. Rich forensic data and fast reporting provide the information needed to quickly find root cause and mitigate the risk.
Zero Day Threat Detection
Zero day threats compromise systems in ways that are new and unknown. These never-before-seen attack vectors evade detection by traditional perimeter- and signature-based solutions. The most effective means of identifying the presence of a zero day attack is to monitor for the symptoms of its malware. Scrutinizer’s use of Flow Analytics and behavior-based threat detection (rather than a reliance on signatures) applies security algorithms to collected flow and metadata. Anomalous behavior is quickly identified so the infected host can be quarantined and the breach resolved.
Scrutinizer with Flow Analytics can:
- Watch for command and control (C&C) traffic – once quarantined, forensic data is available to identify the destination of all internal and internet-based machine communication.
- Identify data exfiltration – look to see whether any information leaving the organization was destined to the attacker.
- Identify the spread of malware inside the network – track the infected machine’s internal traffic to find other infected machines.
- Provide forensic data – gather contextual historical data, including usernames, to find out when the initial infection occurred and where it may have spread.
Malware often generates outbound traffic destined for command and control servers and other compromised devices on the internet. Plixer maintains a domain reputation database of known compromised internet hosts. By comparing all internet-bound traffic with this database, malicious connections are flagged and the infected devices can be remediated.
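The two mechanisms this page describes, baselining each host's expected behavior from flow data (Network Behavior Analysis section) and comparing internet-bound traffic against a reputation list (paragraph above), as one added example. This is illustrative code, not Scrutinizer's or Plixer's implementation, and it does not reproduce their algorithms: it assumes NetFlow-style records reduced to (day, source host, destination host, bytes out), a four-day learning window, a per-host z-score on daily bytes out and distinct destinations, and a constructed reputation set. All addresses and the reputation entries are placeholders from documentation ranges.

```python
"""Added example (not Plixer/Scrutinizer code): baseline each host's outbound
behaviour from NetFlow-style records, flag deviations on the day under review,
and flag destinations that appear on a reputation list. All records and the
reputation entries are constructed and use documentation address ranges."""
from collections import defaultdict
from statistics import mean, pstdev

LEARN_DAYS = {"d1", "d2", "d3", "d4"}   # learning window used to build the baseline
REVIEW_DAY = "d5"                       # interval being analysed


def _learn(host, daily_bytes, dst):
    """Constructed learning-window flows: one flow per day from host to dst."""
    return [(f"d{i + 1}", host, dst, b) for i, b in enumerate(daily_bytes)]


# Constructed flow records: (day, src_host, dst_host, bytes_out).
FLOWS = (
    _learn("10.0.0.5", [1000, 1200, 800, 1000], "198.51.100.10")
    + _learn("10.0.0.7", [2000, 2000, 2200, 1800], "198.51.100.10")
    + _learn("10.0.0.9", [500, 500, 500, 500], "10.0.0.2")
    + [
        # 10.0.0.5: usual traffic plus a large upload to a listed host (exfiltration)
        ("d5", "10.0.0.5", "198.51.100.10", 1000),
        ("d5", "10.0.0.5", "203.0.113.77", 50_000),
        # 10.0.0.7: an ordinary day, should produce no alert
        ("d5", "10.0.0.7", "198.51.100.10", 2100),
    ]
    # 10.0.0.9: fans out to ten internal hosts it never spoke to (lateral spread)
    + [("d5", "10.0.0.9", f"10.0.0.{n}", 500) for n in range(20, 30)]
    # 10.0.0.12: first seen today, so no baseline exists for it
    + [("d5", "10.0.0.12", "198.51.100.10", 300)]
)

# Constructed reputation list (placeholder values, not real indicators).
BAD_HOSTS = {"203.0.113.77", "203.0.113.9"}


def summarize(flows):
    """Per (day, src): total bytes out and the set of distinct destinations."""
    stats = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for day, src, dst, nbytes in flows:
        stats[(day, src)]["bytes"] += nbytes
        stats[(day, src)]["dsts"].add(dst)
    return stats


def build_baseline(flows, learn_days):
    """Mean and population stdev of daily bytes out and distinct destinations per host."""
    daily = summarize(f for f in flows if f[0] in learn_days)
    series = defaultdict(lambda: {"bytes": [], "dsts": []})
    for (_, src), s in daily.items():
        series[src]["bytes"].append(s["bytes"])
        series[src]["dsts"].append(len(s["dsts"]))
    return {
        host: {"bytes": (mean(v["bytes"]), pstdev(v["bytes"])),
               "dsts": (mean(v["dsts"]), pstdev(v["dsts"]))}
        for host, v in series.items()
    }


def zscore(value, mu, sd):
    """z-score with a floor on sd so a perfectly flat history does not divide by zero
    and a one-byte change is not reported as infinitely anomalous."""
    sd = max(sd, 0.05 * mu, 1.0)
    return (value - mu) / sd


def analyze_day(flows, baseline, day, threshold=3.0):
    """Return (host, reason, detail) alerts for hosts whose day deviates from their
    baseline or that contacted a host on the reputation list."""
    alerts = []
    today = summarize(f for f in flows if f[0] == day)
    for (_, src), s in today.items():
        b = baseline.get(src)
        if b is None:
            alerts.append((src, "no_baseline", None))   # new host: needs a look, not a score
            continue
        zb = zscore(s["bytes"], *b["bytes"])
        if zb > threshold:
            alerts.append((src, "bytes_out", round(zb, 1)))
        zd = zscore(len(s["dsts"]), *b["dsts"])
        if zd > threshold:
            alerts.append((src, "distinct_dsts", round(zd, 1)))
        for dst in sorted(s["dsts"] & BAD_HOSTS):
            alerts.append((src, "bad_host", dst))
    return alerts


def run_example():
    baseline = build_baseline(FLOWS, LEARN_DAYS)
    return analyze_day(FLOWS, baseline, REVIEW_DAY)


if __name__ == "__main__":
    for host, reason, detail in run_example():
        print(f"{host:10s} {reason:14s} {detail}")
```

In the constructed data 10.0.0.5 is flagged twice (volume far above its baseline, and a destination on the reputation list), 10.0.0.9 is flagged for both volume and destination fan-out, 10.0.0.12 surfaces as a host with no baseline, and 10.0.0.7 stays quiet. The sd floor in `zscore` is the detail worth keeping from this sketch: hosts with very regular traffic otherwise produce alerts on trivial changes.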
Investigating Targeted Attacks
You received a call about an IP address behaving strangely and now you need to investigate the issue and start collecting details surrounding the event. As the information is gathered, you will try to put the puzzle together and hopefully discover what is happening, why it occurred, and how long it will take to clean up. From small networks with a few routers to massive, distributed network environments, searching for the system is often where it all begins.
Adding Context to Detection with NetFlow
Today’s cyber threats are becoming more and more sophisticated. How do we stay vigilant with these unpredictable and ever-changing tactics? The answer is adding context to detection with the flow data you are already collecting.
Big Data Security Analytics
For the last few decades, security teams have taken a “point product” and best-of-breed approach to securing their environments. Although historically this approach has been considered a best practice and has served organizations fairly well, the current state of malware and the sophistication of bad actors have changed the game.