Connecting the Dots
One of the most important lessons from cyber-war fighters is that relying on a single mechanism to defend your enterprise is naive. In fact, the more disparate and heterogeneous the network defense mechanisms, the better. MetaFlows fully embraces this concept by providing several detection mechanisms that work together:
- IDS behavioral analysis looking for multiple symptoms that indicate a compromised host.
- Using up to 50 different antivirus solutions at once to find bad content on the network.
- Honeypots continuously mining for new threats.
- Flow and log analysis.
These are just a few things that MetaFlows does.
Until now, MetaFlows has used these mechanisms independently to find and defeat threats. Our multifunctional approach has proven to be very effective. Many customers characterize the MetaFlows Security System as “The Last Line of Defense”. But now, we just upped the ante!
Leveraging our multifunctional view, we now also support behavioral correlation to combine disparate intelligence sources. Our Correlation Engine Rule (CER) specification now allows you to connect the dots across the different functional paradigms. But enough smoke and mirrors! Here are some REAL examples.
- Detect the external hosts that are scanning your network.
- If any of these hosts exchange more than a few thousand packets with an internal host, flag the internal host as compromised.
Notice that (1) is an IDS function while (2) is a flow analysis function.
Zero-day Infection of Something That Cannot Be Executed in a Sandbox
Adownloads a bad
C(an Apple computer) downloads a
JARfile from server
Cis talking to a known Command & Control site.
(1) is detected by a virus scanning application, (2) is detected with L7 analysis, (3) is detected by an IDS rule.
These examples demonstrate why traditional defenses are inadequate. Correlated together, these rules give you a powerful view of exactly what is happening on your network. You really need a multifunctional system that can connect the dots.