The MetaFlows Security System

The MetaFlows Security System (MSS) analyzes Internet traffic to reliably find and stop network security threats. The MSS does not require significant tuning or baselining, and yet consistently finds malware and data exfiltrations that are routinely missed by all other security products deployed in the same network.

SaaS-based, shared threat intelligence is 90% more effective than a single feed.

The MSS simultaneously lowers both false positive and false negative detection rates as compared to other network security products.

We use real-time feeds from: Emerging Threats, VirusTotal, OSSEC, Trustwave, Cuckoo, YARA and Web of Trust. For example, our Network Antivirus system uses 55+ antivirus solutions at once to identify known malware. It also uses a mix of proprietary, commercial and open-source feeds to analyze the behavior of the content as it detonates to determine if it is dangerous.

System Components

The MSS is designed using open hardware and software standards. This approach provides an enormous amount of flexibility in meeting emerging network monitoring requirements while also yielding one of the best deep-packet-inspection cost-performance ratios in the industry. This is thanks to MetaFlows’ pioneering efforts in the commercialization of open source, coarse-based IDS parallelism (pfring).

Along with a standard browser, our system has two components: the controller and the sensor. The browser connects to the controller through a standard SSL connection for analyzing historical event data and managing configurations. At the same time, the browser also interfaces to the sensors through a real-time, cross-domain connection, giving users direct access to:

  1. historical payload data
  2. real-time event data
  3. real-time sensor health statistics.

The sensors are Linux CentOS or RHEL systems augmented with the MSS detection software and (optionally) proprietary kernel drivers for improved I/O performance. The MSS software can, therefore, be easily installed on physical machines or in virtual environments such as VMware, Hyper-V, Amazon EC2, or Microsoft Azure. The user has root/administrative access to the sensors and therefore can customize the system with site-specific applications or site-specific configurations. The operating system is updated using standard package management operations (yum), while the MetaFlows software self-updates whenever a new feature or a bug fix is published.

The controller functions (in most cases) are provided by our commercial SaaS services at http://nsm.metaflows.com or http://govcloud.metaflows.com, and customers only need to deploy sensors. Government and large enterprises that do not want to use our SaaS services can also deploy a dedicated controller either as an on-premises, high-performance appliance (starting at 1200 events/second) or as a private Amazon EC2 instance.
