Network Intrusion Detection for the Cloud

MetaFlows offers advanced network intrusion detection for public cloud environments such as Amazon AWS, Microsoft Azure or Google Cloud Platform. It performs deep packet inspection and event correlation of cloud-based network traffic.

Instantly start receiving email alerts with actionable incident reports that identify suspicious behavior. Gain unprecedented visibility. Analyze coincident threat indicators, and reconstruct historical network activity using full packet logging. Use real-time flow analysis to quickly identify abnormal data communication patterns caused by misconfiguration or hostile network behavior.

Threat Feeds

~40k+ Emerging Threats IDS signatures
~19k SpiderLabs Web Application rules
~100k IPv4 addresses, ~100k URLs and ~2,700 domains from MimeMeld
~700k/day file hashes for static content analysis
~4k Yara signatures for dynamic content analysis
MetaFlows' Machine Learning Threat Prediction

Architecture

Sensors

Sensors receive mirror feeds from your cloud instances and perform a number of concurrent network traffic analysis operations, which include:

Multi-session correlation of IDS events, communication patterns, system logs and content analysis results.
Intrusion prevention through Soft IPS.
Logging north-south and east-west (NSEW) traffic in a local indexed packet database.
Real-time flow data, telemetry and access to the packet database over web sockets.
Optionally receiving passive TLS mirrors.
Optionally exporting alerts to third-party SIEMs.

Deploy the MetaFlows Security System in the cloud.

The controller

MetaFlows offers two publicly accessible controller systems: one in the commercial AWS EC2 cloud and one in AWS GovCloud. Most users will simply deploy sensors and use one of these two public SaaS services to monitor their networks. We can also license dedicated controllers to government organizations or very large enterprises, providing an equivalent, self-managed SaaS.

A diagram illustrating how the pieces of Metaflows' software-as-a-service solution fit together.

Sensors post incident reports and security event data to the controller where they can be accessed for analysis through a browser.

Besides offering network security tools to analyze the event data, controllers also centralize the management of compliance reports, IDS/IPS rules, event classification policies, sensor configurations, software licenses, audit logs and data sharing across multiple users.

Controllers also host a machine learning application that dynamically prioritizes each customer's events according to a global relevance analysis similar to the Google page ranking algorithm.

Event Types

Our cloud-based network intrusion detection system generates the following event types:

IDS
Multi-session Behavioral Analysis Incident Reports
File Transmission Activity
Intrusion Prevention Notifications
User Logins
Service/Host Discovery
Web Application Firewall Notifications
AWS GuardDuty Events
Aggregated System Logs

All this information is available in real time through our Security Console. Optionally, we can export our events in either syslog or CEF format to any existing Security Information and Event Management (SIEM) system.

Splunk and QRadar applications are available for quick integration.

Splunk Application snapshot

How to set up a production system

  1. Launch one or more MetaFlows AMIs in the same availability zone as your instances (the first one you start will create an account in our system).
  2. Install agents on your cloud instances or set up VPC Traffic Mirroring.
  3. Log in to get access to real-time traffic flows, browse security events and perform forensic investigations on your network traffic.
AWS Partner badge.