Network Intrusion Detection for the Cloud
MetaFlows offers advanced network intrusion detection for public cloud environments such as Amazon AWS, Microsoft Azure or Google Cloud Platform. It performs deep packet inspection and event correlation of cloud based network traffic.
- Instantly start receiving email alerts with actionable incident reports that identify suspicious behaviour.
- Gain unprecedented visibility. Analyze coincident threat indicators, and reconstruct historical network activities using full packet logging.
- Use real time flow analysis to quickly identify abnormal data communication patterns caused by misconfiguration, or hostile network behavior.
Threat Feeds
- ~40k+ Emerging Threats IDS signatures
- ~19k SpiderLabs Web Application rules
- ~100k IPv4 addresses, ~100k URLs and ~2,700 domains from MimeMeld
- ~700k/day file hashes for static content analysis
- ~4k Yara signatures for dynamic content analysis
- MetaFlows' Machine Learning Threat Prediction
Architecture
Sensors
Sensors receive mirror feeds from your cloud instances and perform a number of concurrent network traffic analysis operations which include:
- Multi-session correlation of IDS events, communication patterns, system logs and content analysis results.
- Intrusion Prevention through Soft IPS.
- Logging NSEW traffic in a local indexed packet database.
- Real time flow data, telemetry and access to the packet database using web sockets.
- Optionally receive passive TLS mirrors.
- Optionally export alerts to third party SIEMs.
The controller
MetaFlows offers two publicly accessible controller systems: one in the commercial AWS EC2 cloud and one in AWS GovCloud. Most users will simply deploy sensors and use one of these two public SaaS services to monitor their networks. We can also license dedicated controllers to Government organizations or very large enterprises; these offer an equivalent, self-managed SaaS.
Sensors post incident reports and security event data to the controller where they can be accessed for analysis through a browser.
Besides offering network security tools to analyze the event data, controllers also centralize the management of compliance reports, IDS/IPS rules, event classification policies, sensor configurations, software licenses, audit logs and data sharing across multiple users.
Controllers also host a machine learning application that dynamically prioritizes each customer's events according to a global relevance analysis similar to Google's PageRank algorithm.
Event Types
Our cloud-based network intrusion detection system generates the following event types:
- IDS
- Multi-session Behavioral Analysis Incident Reports
- File Transmission Activity
- Intrusion Prevention Notifications
- User Logins
- Service/Host Discovery
- Web Application Firewall notifications
- AWS GuardDuty Events
- Aggregated System Logs
Splunk and QRadar applications are available for quick integration.
How to set up a production system
- Launch one or more MetaFlows AMIs in the same availability zone as your instances (the first one you start will create an account in our system).
- Install agents on your cloud instances or set up VPC Traffic Mirroring.
- Log in to get access to real time traffic flows, browse security events and perform forensic investigations on your network traffic.