The MetaFlows Security System (MSS) uses patented network IDS software technology that does not require any tuning or significant configuration, and yet consistently finds malware and data exfiltrations that are routinely missed by all other products deployed in the same network. The key is multi-session correlation.
Traditional Network IDS software generates alerts by finding known threat patterns within a single TCP/UDP session. This usually results in a very high false positive rate. Important events are often missed due to the huge volume of false positive or low-priority network security events.
MetaFlows uses Multi-Session Correlation. Multi-session correlation is an evolution of dialog-based correlation, first introduced by a revolutionary malware detection tool called BotHunter. This advanced correlation technique gathers specific security alerts (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract malware infection life cycle model.
Multi-session correlation extends dialog-based correlation by leveraging diverse threat intelligence that goes well beyond signature-based IDS alerts. Simply put, it automatically connects the dots between any security alerts involving a single internal host and multiple external hosts over time.
Rather than alerting on single events, it produces incident reports containing multiple events related to the same threat. This works much better and will save you time and money in defending your enterprise.
SC Magazine has inducted MetaFlows in the Industry Innovators: Hall of Fame. They write: "We were pleased that this Innovator continues to blaze the trail ahead for perimeter defense in an environment increasingly consisting of less and less perimeter to defend. The problem is a tough one and MetaFlows has brought creativity and insight to the solution. This is one of the most positive uses of the cloud for security purposes that we have seen in quite a while."
CIO Review Magazine has selected MetaFlows as one of the top 20 Most Promising Enterprise Security Companies. In the article Cost Effectively Tackling Advanced Security Threats, MetaFlows' Chief Scientist Livio Ricciulli provides a road map for tackling the new security challenges facing Enterprises in the upcoming decade.
Besides detecting active malware (we detect thousands per day), multi-session correlation can also be extended to detect lateral moves that would otherwise go unnoticed. For example, if an external host A scans one of your internal hosts B and A later also receives a large amount of data from another internal host C, our system generates an incident report indicating a possible intrusion through B and data exfiltration from C. Admittedly, these kinds of incident reports are rare, but when they occur, they can truly save your enterprise from disastrous data loss.
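The A/B/C scenario above can be sketched as a small correlation pass over alerts and flow records. This is an added example, not MetaFlows code: the event format, the internal address range, the byte threshold and the time window are all assumptions, and each flow is judged on its own byte count rather than a running total.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed internal address space
EXFIL_BYTES = 50_000_000                 # assumed "large transfer" threshold
WINDOW_S = 7 * 24 * 3600                 # assumed correlation window (7 days)

@dataclass(frozen=True)
class Event:
    ts: int          # epoch seconds
    kind: str        # "scan" (IDS alert) or "flow" (flow record)
    src: str
    dst: str
    nbytes: int = 0

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def correlate(events):
    """Return incidents: external A scanned internal B, then A received
    a large transfer from a different internal host C within WINDOW_S."""
    scans = {}       # external A -> {internal B: last scan time}
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "scan" and not is_internal(ev.src) and is_internal(ev.dst):
            scans.setdefault(ev.src, {})[ev.dst] = ev.ts
        elif (ev.kind == "flow" and is_internal(ev.src)
              and not is_internal(ev.dst) and ev.nbytes >= EXFIL_BYTES):
            for b, t in scans.get(ev.dst, {}).items():
                if b != ev.src and ev.ts - t <= WINDOW_S:
                    incidents.append({"external": ev.dst, "entry": b,
                                      "source": ev.src, "bytes": ev.nbytes})
    return incidents

# Constructed sample events (documentation address ranges for external hosts).
SAMPLE = [
    Event(1000, "scan", "203.0.113.7", "10.0.0.5"),
    Event(2000, "flow", "10.0.0.9", "198.51.100.4", 80_000_000),  # no prior scan
    Event(5000, "flow", "10.0.0.5", "203.0.113.7", 90_000_000),   # same host as scanned
    Event(9000, "flow", "10.0.0.9", "203.0.113.7", 120_000_000),  # A <- C after A scanned B
    Event(9500, "flow", "10.0.0.8", "203.0.113.7", 4_000),        # too small
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE):
        print(inc)
```

Only the fourth sample event produces an incident: neither the scan alone nor the large transfer alone is reported, which is the difference from single-session alerting.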
Comparing incident reports from multiple customers provides an invaluable source of information that further improves detection accuracy. Individual threat indicators that are present in multiple, independent incident reports become very important. If the presence of these indicators, compared to their overall incidence, is sufficiently low, they can be elevated by our global ranking system as good individual predictors of a compromise. The table below shows the top indicators for the period 04/16/2019-04/23/2019.
We offer the ability to run BotHunter without any additional features. Stand-alone BotHunter can be used to either monitor a span/mirror up to approximately 100 Mbps or as a host-based IDS. If you intend to use it to troubleshoot a single Windows system, you can run it on the system itself as a Virtual Machine. This mode is available for both commercial and non-commercial use (free). Non-commercial use does not require registration (although we recommend it in order to receive support). Please follow these instructions to run in this mode.