Flow Analysis

Sometimes malware alerts alone are not enough, and many security platforms lack any kind of flow analysis. Observing network communication patterns is essential for better security, because some potentially disastrous uses of your network (such as intellectual property leaving the network or outbound scanning) involve no malware at all and so never trip malware detection software.

Metaflows embeds security event information within its IDS, log, and service events in real time, giving you far greater visibility into your network. Metaflows can also log, and automatically scan, files (PDFs, images, HTML, and more) transferred as part of specific flows, for use in forensics and remediation.

Examples

The Metaflows flow aggregation algorithm simplifies flow analysis by automatically choosing the most efficient invariant of a set of flows: the header fields that stay constant across the set while the others vary. Collapsing many flows into one line keyed on that invariant automatically highlights patterns such as scans or anomalous uses of network bandwidth.
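As an added illustration (not Metaflows' own code; the page does not describe its algorithm), the script below aggregates constructed NetFlow-style records by the largest set of header fields shared by at least ten flows, trying the most specific field combinations first. A scan then collapses into one line keyed on source address, destination port and protocol, while a repeated bulk transfer collapses into one line keyed on the full endpoint pair. The field names, thresholds, labels and sample records are all assumptions.

```python
"""Flow aggregation by maximal invariant (added example, not Metaflows code)."""
from collections import defaultdict
from itertools import combinations

# Header fields considered for the invariant; "bytes" is carried along as a measure.
FIELDS = ("src", "dst", "sport", "dport", "proto")


def flow(src, dst, sport, dport, proto, nbytes):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "bytes": nbytes}


def sample_flows():
    """Constructed NetFlow-style records (not captured traffic)."""
    flows = []
    # Ordinary browsing: one workstation to three web servers, three connections each.
    for n, dst in enumerate(("198.51.100.10", "198.51.100.20", "198.51.100.30")):
        for i in range(3):
            flows.append(flow("10.0.0.5", dst, 50000 + 10 * n + i, 443, "tcp", 12000 + 500 * i))
    # Outbound scan: one host probing TCP/445 on 40 external addresses with tiny flows.
    for i in range(1, 41):
        flows.append(flow("10.0.0.9", f"203.0.113.{i}", 40000 + i, 445, "tcp", 60))
    # Bulk transfer: one host, one external destination, 15 large connections.
    for i in range(15):
        flows.append(flow("10.0.0.23", "192.0.2.77", 51000 + i, 443, "tcp", 4_000_000))
    return flows


def summarize(flows, min_flows=10):
    """Greedy aggregation (hypothetical algorithm): describe each flow by the largest
    set of header fields it shares with at least `min_flows` flows. Larger keys are
    tried first, so a group is reported under its most specific invariant; flows that
    never reach the threshold are returned unaggregated."""
    remaining = set(range(len(flows)))
    summaries = []
    for size in range(len(FIELDS) - 1, 1, -1):  # 4, 3, then 2 fixed fields
        for key in combinations(FIELDS, size):
            groups = defaultdict(list)
            for i in remaining:
                groups[tuple(flows[i][k] for k in key)].append(i)
            for values, idxs in groups.items():
                if len(idxs) < min_flows:
                    continue
                varying = [k for k in FIELDS if k not in key]
                summaries.append({
                    "invariant": dict(zip(key, values)),
                    "flows": len(idxs),
                    "bytes": sum(flows[i]["bytes"] for i in idxs),
                    # How many distinct values the non-fixed fields took in this group.
                    "distinct": {k: len({flows[i][k] for i in idxs}) for k in varying},
                })
                remaining -= set(idxs)
    return summaries, sorted(remaining)


def label(summary):
    """Rough heuristic labels for the two patterns the text mentions (assumed thresholds)."""
    many_dsts = summary["distinct"].get("dst", 1) >= 20
    tiny = summary["bytes"] / summary["flows"] < 200
    if many_dsts and tiny:
        return "scan"
    if summary["bytes"] >= 10_000_000 and "dst" in summary["invariant"]:
        return "bulk transfer"
    return "cluster"


if __name__ == "__main__":
    summaries, leftovers = summarize(sample_flows())
    for s in summaries:
        print(f"{label(s):14} {s['invariant']} flows={s['flows']} bytes={s['bytes']} "
              f"varying={s['distinct']}")
    print(f"{len(leftovers)} flows left unaggregated")
```

The nine browsing flows never reach the threshold under any key and stay unaggregated, which is the point: the analyst's attention goes to the two summary lines, not to the 64 individual records.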

A screenshot demonstrating that the Metaflows interface selects the most efficient invariant of a set of flows.
A screenshot demonstrating mapping with Metaflows.

Maps give a very quick visualization of the geographical movement of data. This simple technique has led users to catch dangerous data exfiltration that had otherwise gone undetected. Keep in mind that IP geolocation is approximate, so a map points you at flows worth investigating rather than proving where the data went.

Ntop is integrated with Metaflows to provide historical flow and protocol usage data. Bandwidth anomalies and unusual communication patterns can be cross-correlated with network security events using a simple, integrated interface.

A screenshot of the Ntop interface from a Metaflows sensor.