Major upgrades in performance and usability speed up FlowTraq for network security professionals.
LEBANON, NH (PRWEB) May 17, 2013 ProQSys, provider of scalable network security software for enterprise environments, today announces the availability of the latest version of FlowTraq, its flagship product. With significantly enhanced threat detection capabilities, version Q2/13 provides IT security and network managers with more flexibility and power to spot deviating behaviors. It also provides automatic alerts to suspected network threats, while major upgrades in performance and usability enable FlowTraq to take full advantage of modern multi-core architectures to evaluate deviant behaviors in networks of any size.
FlowTraq is optimized to work in large network and multi-tenant Managed Service Provider (MSP) environments to detect sophisticated threats through Behavioral Anomaly Detection. It uses behavioral analytics to alert IT administrators to data leaks, compromises, spammers, botnets, worms, and DDoS attacks. FlowTraq monitors network performance and bandwidth consumption, catalogs applications in use, and detects problematic changes in network activity. Designed to complement and improve existing network security operations, it can be deployed stand-alone or in a cluster, enabling it to offer its forensically accurate analytics at any bandwidth level.
“Security professionals would prefer to fully understand what happened in the time leading up to a data breach, even if such a scenario is discovered after the fact. With FlowTraq they gain this forensic insight, regardless of the size of their network,” said Vince Berk, ProQSys. “With the latest release we further bolstered our threat detection capabilities to help customers cope with the complexities of defending their networks, and protecting against attacks that are increasingly more sophisticated and harder to detect.”
The technical enhancements to the latest version of FlowTraq are designed to empower both security professionals and managed security service providers with a more detailed view of the potential network threats. These enhancements include:
NBI Threat Management – The web interface now contains a convenient way to exploit the power of the FlowTraq Network Behavioral Intelligence toolkit. It allows users to manage behavioral anomaly detectors, which integrate with all modern SIEM systems, for one or more users. This allows security professionals to build powerful detectors faster, and detect new and unknown threats sooner.
New Anomaly Detectors – A suite of behavioral anomaly detectors can baseline quantities such as session counts, byte and packet volumes, etc. on any entity (host, service endpoint, autonomous system, etc.) for any traffic or object. In addition, a powerful blacklist detector provides alerts on any new communications on the network with systems on the blacklist making FlowTraq the most flexible traffic security tool in the industry.
Threat Intelligence Service – This service combines several respected sources of threat information into a list that is constantly updated and refreshed. FlowTraq will now always be aware of the newest dangers threatening your information infrastructure.
Security professionals can maximize the use of hardware to improve processing speed because of FlowTraq’s complete auto-configurability, which has been optimized to make maximum use of modern multi-core architectures. Combined with FlowTraq clustering, users have virtually unlimited flow analysis capabilities, and extended full forensic recall is available to customers with the highest bandwidth networks.
As part of the company’s commitment to provide the most scalable cloud platform for flow analysis, all APIs are available publicly. A complete JSON API allows developers to build their own network traffic analysis solution on top of the FlowTraq platform. Berk notes, “We understand that users do not always learn about the newest and most sophisticated attacks right away. Therefore we enhanced FlowTraq to allow customers to customize and personalize their Network Behavior Interface (NBI) detection capabilities.”
Additional enhancements include:
Automatic IP2ASN Tagging – Users can track traffic such as time spent on social networking sites like Facebook or high-volume sites like Netflix, because FlowTraq automatically tags each flow record with the corresponding autonomous system number. This allows users to track threats to their networks at a macro level.
Expanded Multi-Tenancy Support – FlowTraq Multi-tenant support has been improved through the addition of a ‘FlowProxy’ that is deployable in customer environments. FlowProxy packages received flows and brings them back to the central FlowTraq cluster over a secure VPN or encrypted tunnel. Customers can then access their flow data through a central web portal allowing ISPs, MSPs, and cloud providers to offer FlowTraq as a service to their end-customers using a shared platform.
TCP Flag Filtering – Added to the already extensive filtering capabilities, flag filtering allows users to specify the flags that should and should not be set, and which ones are erroneous. With FlowTraq filters, users can surgically sift through traffic, or precisely configure detectors for the most important behaviors.
FlowTraq Q2/13 is available directly from ProQSys and a network of resellers worldwide. Pricing starts at $9,595. Current customers can download the update from the FlowTraq download site. Fully functional 14-day evaluation license keys are available upon request. Additional product information, screenshots, and downloadable software are available at http://www.flowtraq.com.
About FlowTraq: FlowTraq is network security software that uses full-fidelity network flow records to provide unified security, monitoring, and forensics. It is the only commercially available solution that scales beyond 100Gbps without the need to sample or aggregate data. As a result, FlowTraq’s robust behavioral fingerprints trigger few false alarms, which means less time lost investigating non-incidents. FlowTraq features a multi-tenant web portal for Managed Service Providers and advanced Behavioral Anomaly Detection to catch data exfiltration and security threats. FlowTraq can be deployed stand-alone or in a cluster, enabling it to offer its forensically accurate analytics at any bandwidth level. It is designed to complement and improve existing network security operations.
About ProQSys: Founded in 2004, ProQSys develops and markets software solutions that monitor and analyze network security and performance to provide deep insight, high visibility, and valuable understanding of complex network infrastructures. With FlowTraq, users gain an unprecedented level of network situational awareness that facilitates fast and easy monitoring, quick security analysis, and complete forensic recall of any traffic that crosses their network, thus reducing organizational risk. ProQSys software solutions include FlowTraq, FlowTraq Lite, and FlowExporter. ProQSys has over 2,600 customers worldwide, including Fortune 500 companies, ISPs, Managed Service Providers, government, schools, and universities. ProQSys is privately held and headquartered in New Hampshire. For more information, visit http://www.flowtraq.com/corporate/.
Using Mandiant’s Analysis and FlowTraq to Identify Threats
Recently hacking attempts have been in the news again, this time accusations that a Chinese military unit, Unit 61398 in Shanghai, has been responsible for a large number of spear phishing and other attacks. These attacks appear to be focused on getting Windows users to run disguised EXE files, which in turn exfiltrate data. Their first-line emails are well-written and targeted, and make use of subtle tricks like naming a file “filename.pdf .exe” so that the filename is truncated at the .pdf. There are a number of interesting articles on the subject, as well as Mandiant’s excellent analysis “APT1: Exposing One of China’s Cyber Espionage Units”.
When reading through Mandiant’s analysis, we can see how FlowTraq can be used to track down these spear-phishing attempts. They have identified a broad set of IP addresses associated with this military unit for various tasks, though as with any security analysis it can never be entirely complete. Table 8 on page 40 of their analysis includes IP addresses associated with their ‘hop points’: intermediary systems used as bridges so that their attacks are disguised, using techniques including FTP and Remote Desktop. We’ve annotated the list with the best-fit CIDR block.
223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
101.80.0.0 - 101.95.255.255 (101.80.0.0/12)
FlowTraq’s unique filtering ability allows you to search for, and alert on, IP CIDR blocks such as those above. You can either put each in its own filter line, or paste the following string into a single line:
223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 114.80.0.0/12, 101.80.0.0/12
If you see connections to or from these IP ranges in your network over the last year, examine the protocols in use. If you see FTP command channels (TCP port 21), Windows Remote Desktop (TCP port 3389), or any other file transfer or control protocol, we recommend investigating that connection, and we urge you to read Mandiant’s report to understand the nature of the potential threat.
Later in their report, Table 9 shows the connections they have seen using the “HUC Packet Transmit Tool” (HTRAN), a tunneling tool allowing, in this case, the attacker to make use of middle-man networks. HTRAN can be configured to use a number of ports, but TCP ports 80 and 443 are common. Mandiant specifically lists 443 as being seen in the wild. The list of IP addresses looks similar to the ‘hop point’ ranges shown earlier.
223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
143.89.0.0 - 143.89.255.255 (143.89.0.0/16, Hong Kong University of Science and Technology)
(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 143.89.0.0/16)
Finally, they identified a number of domain names used in these attacks that have resolved to IP addresses that should look familiar by now. All of them belong to China Unicom Shanghai Network.
223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
222.64.0.0 - 222.73.255.255 (222.64.0.0/13 and 222.72.0.0/15)
116.224.0.0 - 116.239.255.255 (116.224.0.0/12)
(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 114.80.0.0/12, 139.226.0.0/15, 222.64.0.0/13, 222.72.0.0/15, 116.224.0.0/12)
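The matching the post describes, written out as an added Python example (this is not FlowTraq’s own code and does not use its filter syntax): the ranges are the ones quoted above from all three of Mandiant’s tables, the flow records are constructed, and the port annotations follow the ports the post singles out (21, 3389, and 80/443 for HTRAN). The script also recomputes the best-fit CIDR blocks from the first/last addresses, which is a cheap check on a hand-annotated watchlist before you alert on it.

```python
import ipaddress
from collections import namedtuple

# First/last address pairs exactly as the post lists them, keyed by Mandiant table.
WATCHLIST_RANGES = {
    "hop points (Table 8)": [
        ("223.166.0.0", "223.167.255.255"), ("58.246.0.0", "58.247.255.255"),
        ("112.64.0.0", "112.65.255.255"), ("139.226.0.0", "139.227.255.255"),
        ("114.80.0.0", "114.95.255.255"), ("101.80.0.0", "101.95.255.255"),
    ],
    "HTRAN relays (Table 9)": [
        ("223.166.0.0", "223.167.255.255"), ("58.246.0.0", "58.247.255.255"),
        ("112.64.0.0", "112.65.255.255"), ("139.226.0.0", "139.227.255.255"),
        ("143.89.0.0", "143.89.255.255"),
    ],
    "domain resolutions": [
        ("223.166.0.0", "223.167.255.255"), ("58.246.0.0", "58.247.255.255"),
        ("112.64.0.0", "112.65.255.255"), ("114.80.0.0", "114.95.255.255"),
        ("139.226.0.0", "139.227.255.255"), ("222.64.0.0", "222.73.255.255"),
        ("116.224.0.0", "116.239.255.255"),
    ],
}

# TCP ports the post says deserve a closer look when the peer is on the watchlist.
PORTS_OF_INTEREST = {
    21: "FTP command channel",
    3389: "Windows Remote Desktop",
    80: "HTRAN (common port)",
    443: "HTRAN (seen in the wild)",
}

Flow = namedtuple("Flow", "src dst proto dport nbytes")

# Constructed NetFlow-style records: src,dst,proto,dport,bytes.  Internal hosts sit
# in 10.0.0.0/8; peers are chosen inside and outside the ranges to show both cases.
SAMPLE_FLOWS = """\
10.0.0.5,223.166.12.34,tcp,21,48213
58.247.9.1,10.0.0.8,tcp,3389,911000
10.0.0.7,143.89.1.2,tcp,443,5120
10.0.0.9,192.0.2.53,udp,53,120
10.0.0.5,222.70.4.4,tcp,80,3000
"""

def ranges_to_cidrs(ranges):
    """Summarise first/last pairs into the minimal CIDR set.  Run on the post's
    ranges this reproduces its best-fit annotations (e.g. 222.64.0.0/13 plus
    222.72.0.0/15 for 222.64.0.0 - 222.73.255.255)."""
    cidrs = set()
    for first, last in ranges:
        cidrs.update(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return sorted(cidrs)

def build_watchlist():
    """Merge all tables into {network: [tables it appears in]}, de-duplicated."""
    watch = {}
    for table, ranges in WATCHLIST_RANGES.items():
        for net in ranges_to_cidrs(ranges):
            watch.setdefault(net, []).append(table)
    return watch

def parse_flows(text):
    """Parse the constructed src,dst,proto,dport,bytes lines; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(src, dst, proto, int(dport), int(nbytes)))
    return flows

def match_flows(flows, watchlist=None):
    """One hit per flow whose source or destination falls inside a watchlist block,
    annotated with direction, the block, the tables it came from and a port note."""
    watchlist = watchlist if watchlist is not None else build_watchlist()
    hits = []
    for f in flows:
        for side, addr in (("src", f.src), ("dst", f.dst)):
            ip = ipaddress.ip_address(addr)
            block = next((net for net in watchlist if ip in net), None)
            if block is None:
                continue
            hits.append({
                "flow": f,
                "matched": addr,
                "direction": "inbound" if side == "src" else "outbound",
                "network": str(block),
                "tables": watchlist[block],
                "port_note": PORTS_OF_INTEREST.get(f.dport, "") if f.proto == "tcp" else "",
            })
            break   # one hit per flow is enough for triage
    return hits

if __name__ == "__main__":
    for h in match_flows(parse_flows(SAMPLE_FLOWS)):
        f = h["flow"]
        print(f"{h['direction']:8} {f.src} -> {f.dst}:{f.dport}/{f.proto}  "
              f"{h['network']} [{', '.join(h['tables'])}] {h['port_note']}")
```

Four of the five constructed records match; the UDP DNS flow to a documentation address does not. A match alone is only a reason to look at the session, exactly as the post says: the port note tells you which hits to read first.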
Our hats are off to the folks at Mandiant for some impressive detective work. Again, we highly recommend visiting their site to learn more about not only this particular threat (especially if you detect connections to any of the IP ranges listed here), but also the tools and techniques being used in this domain. That will enable you both to search your NetFlow records and also to educate your users about what to watch for.
Download a free 14-day Trial of the FlowTraq NetFlow Monitoring solution and put the results of Mandiant’s analysis to work for you today.
Every network has its own set of security measures, intended to enforce policy, protect assets, and otherwise ensure the proper running of operations without interference. In addition to its other uses, FlowTraq can be used to keep tabs on some of these measures. Some of these uses are obvious: checking your NetFlow history for connection attempts by IPs in your blacklist, for example, or checking traffic volume on ports that should be firewalled off.
But there are non-obvious uses as well. For example, a FlowTraq user mentioned their use of knockd to secure their SSH server, and wondered if it were possible to get a quick listing of all the IP addresses that succeeded, and those that failed.
Knockd is a service that allows you to leave a port (such as TCP/22, for SSH) closed except to people who know the “secret knock”: a pattern of ports to connect to first. For example, a simple knock would be to make a connection attempt to a high port such as 9999, and then 22. When knockd sees the connection attempt to 9999, it changes iptables to allow connections from that IP to port 22 for a short period of time. This helps prevent brute force attacks, and helps confound reconnaissance attempts. Two, three, or four port knocks are also used.
The information about successful and failing connections is available through logs, of course, but that can be time-consuming, especially with multiple hosts to examine. And then when you want to follow up on a suspicious entry, you would want to open up FlowTraq anyway.
FlowTraq has the ability to view selected sessions and rank entities in many ways. Here, the view “Host ranked by Unique Port/Protocol” is of interest. It tells FlowTraq to make a list of the hosts seen in that time frame, and then keep a tab for each on how many ports they accessed. So, if 192.168.100.100 made a thousand HTTP requests, fifty HTTPS requests, and sent a dozen emails, it will have used 3 unique ports.
In this case, we have a specific set of ports of interest: those that make up the knock, and TCP/22. Here, we use a simple knock consisting of a single knock port. We filter on only those sessions connecting to either port.
And then we bring up the Host Ranked by Unique Port/Protocol (Initiated) view. The stack graph shows the first connection by a given entity as a colored spike. The table below it shows, first off, an ordered list of hosts according to number of unique ports: any host with 2 has connected to both 9999 and 22. Any host with 1 has connected only to one of those two (it’s reasonable to assume a connection to port 22 as the more common one, and a quick change of filter to remove 9999 can verify that assumption). In the case below, there are two legitimate users, and a group of potential brute force attacks.
So far, all of this information can be gleaned from the logs with more or less difficulty. However, FlowTraq shows this for all monitored hosts, and also shows the amount of traffic sent and received by each IP address, and there we see something very interesting! While most of the 1s are more consistent with rebuffed brute-force attempts, some over very long periods of time, the selected address sticks out as having a lot of traffic even for an extended brute-force attempt. We created a second view, Hosts Ranked by Port/Protocol (Received), and see the same information but from a different perspective: the hosts receiving these attempts. We can filter out the incoming hosts that we know behave properly.

Sure enough, hosts receiving only one port seem to still have a non-trivial amount of traffic. Clearly there’s some work to do to make sure that all our hosts either do not run sshd, or conform to the knock policy!
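The two views described above, reduced to a script, as an added example that is not FlowTraq code: the flow records, the hosts (RFC 5737 documentation addresses) and the single 9999-then-22 knock are constructed to mirror the post, and the 30-second knock window is an assumption. It goes a little further than the unique-port count by checking, per client/server pair, that the knock actually preceded the port-22 session, so the same script handles multi-port knocks and a knock that arrived too late.

```python
from collections import defaultdict

KNOCK_PORTS = [9999]    # single-port knock, as in the post (assumed)
SERVICE_PORT = 22

# Constructed flow records: ts,src,dst,proto,dport,bytes (ts in seconds).
# 203.0.113.x knock before connecting; 198.51.100.7 hammers port 22 without knocking;
# 192.0.2.44 never knocks yet moves 3.5 MB on port 22 to 10.0.0.2.
SAMPLE_FLOWS = """\
1,203.0.113.10,10.0.0.1,tcp,9999,60
2,203.0.113.10,10.0.0.1,tcp,22,48200
3,198.51.100.7,10.0.0.1,tcp,22,1200
4,198.51.100.7,10.0.0.1,tcp,22,1200
5,198.51.100.7,10.0.0.1,tcp,22,1200
6,192.0.2.44,10.0.0.2,tcp,22,3500000
7,203.0.113.11,10.0.0.2,tcp,9999,60
8,203.0.113.11,10.0.0.2,tcp,22,91000
"""

def parse_flows(text, knock_ports=KNOCK_PORTS):
    """Keep only TCP sessions to the knock ports or the service port (the filter
    step in the post) and return them in time order."""
    keep = set(knock_ports) | {SERVICE_PORT}
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split(",")
        if proto == "tcp" and int(dport) in keep:
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])

def rank_initiators(flows):
    """'Host Ranked by Unique Port/Protocol (Initiated)': per source host the number
    of distinct ports touched, sessions and bytes, most ports (then most bytes) first."""
    stats = defaultdict(lambda: {"ports": set(), "sessions": 0, "bytes": 0})
    for f in flows:
        s = stats[f["src"]]
        s["ports"].add(f["dport"])
        s["sessions"] += 1
        s["bytes"] += f["bytes"]
    rows = [(src, len(s["ports"]), s["sessions"], s["bytes"]) for src, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[3]))

def unknocked_service_traffic(flows, knock_ports=KNOCK_PORTS, window=30):
    """Bytes on SERVICE_PORT per (src, dst) that were not preceded by the complete
    knock sequence from that src to that dst within `window` seconds.  Legitimate
    users score 0 and rebuffed guesses a few hundred bytes; a large total means the
    server answered without a knock, i.e. it is not conforming to the policy."""
    progress = defaultdict(int)   # (src, dst) -> index of the next expected knock port
    opened = {}                   # (src, dst) -> timestamp the knock completed
    unknocked = defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"])
        if f["dport"] != SERVICE_PORT:
            # Advance on the expected port, restart if the sequence breaks.
            if f["dport"] == knock_ports[progress[key]]:
                progress[key] += 1
            else:
                progress[key] = 1 if f["dport"] == knock_ports[0] else 0
            if progress[key] == len(knock_ports):
                opened[key] = f["ts"]
                progress[key] = 0
            continue
        if not (key in opened and 0 <= f["ts"] - opened[key] <= window):
            unknocked[key] += f["bytes"]
    return dict(unknocked)

def audit_receivers(flows, **kw):
    """'Hosts Ranked by Port/Protocol (Received)', reduced to the question in the
    post: per server, how much port-22 traffic arrived without a knock."""
    per_dst = defaultdict(int)
    for (_src, dst), nbytes in unknocked_service_traffic(flows, **kw).items():
        per_dst[dst] += nbytes
    return dict(sorted(per_dst.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, nports, sessions, nbytes in rank_initiators(flows):
        print(f"{src:15} unique ports={nports} sessions={sessions} bytes={nbytes}")
    print("unknocked port-22 bytes per server:", audit_receivers(flows))
```

On the constructed data the two knocking clients rank first with 2 unique ports, the brute-force source shows 3 small sessions and 1 port, and the receiver audit singles out 10.0.0.2, which accepted 3.5 MB on port 22 from a client that never knocked: the same host that would stick out in the post’s “Received” view.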
The security guard or the receptionist at your building entrance know the people who work there and their usual habits. They know delivery schedules and the usual drivers. They know which doors are usually kept closed. And they know all this even though these things change over time. There’s a difference between what’s usual and what’s unexpected. They know when things deviate from the usual, and this knowledge has saved employers from theft, arson, and other loss on countless occasions.
Your network demands the same level of protection, and the same kind of knowledge. Computers and mobile devices have very predictable patterns of behavior which change over time. For instance, Web servers serve web content, and printers are used mostly when there are people physically present in the office. Email servers and email clients see predictable volumes at specific times of the day. Protecting a computer network from data theft and data leakage requires knowledge of the usual and expected so you can spot the unusual and unexpected.
FlowTraq’s NBI toolkit is your network security guard. It uses powerful Network Behavioral Intelligence technology to learn what is usual and expected in large volumes of traffic. With the Q1/13 release of FlowTraq, a new ‘Threats’ page is available in our Web interface that allows you to quickly manage your NBI security guards; point them at your most sensitive assets, and ensure they keep a watchful eye for any unusual and undesired activity. It’s easy, and it’s powerful.
Within seconds FlowTraq will be picking up on seemingly innocuous network traffic that deviates from the norm, pointing out DDoS attacks, SYN floods, botnet control connections, and undesired data exfiltrations. Threats are managed through an innovative ‘Anomaly Index’ that shows you at a glance just how unusual the behavior is, and how confident the detector is about that anomaly. This allows you to quickly prioritize alerts and focus your time where it is most needed.
Contact FlowTraq to schedule a demo or try FlowTraq today.
The FlowTraq team is proud to announce the general availability of the Q1/13 release of FlowTraq. Current customers may download the update from our download site. For an evaluation copy, please go to: http://www.flowtraq.com/corporate/product/try-flowtraq.
This release includes some major upgrades in performance and usability. You will notice that FlowTraq queries will run almost 2x as fast as before. Thanks to a judicious use of system CPU resources, the development team was able to optimize query processing performance, allowing you to handle nearly 2x the number of flows on the same hardware! Combined with FlowTraq clustering, you are virtually unlimited in your full-fidelity flow analysis capabilities with FlowTraq.
Additionally, FlowTraq now offers a complete JSON API for writing your own applications on top of the FlowTraq web user interface. JSON represents a powerful and flexible new development path to make FlowTraq even better customized to your environment.
Finally, our web user interface now features a beta version of our highly configurable NBI anomaly detectors. We understand that you don’t always learn about threats to your network while sitting at your desk. Now the powerful statistical anomaly detection techniques you’ve already come to rely on from the command line are available with a few quick clicks from the FlowTraq web interface: add, start, stop, and configure any of the NBI detectors from your web browser.
FlowTraq uses flow reports on your network to detect DDOS attacks, botnets, spam relays, zero-day worms, scanning reconnaissance, and password guessing attempts. It also offers you an ability to perform historical investigations into all traffic. You can now pay for FlowTraq by how much or how little you use it.
How FlowTraq Pay-Per-Flow Works
Send your NetFlow or sFlow® updates of your network traffic to FlowTraq and it will build a ‘behavioral fingerprint’ which it uses to find anomalous communications and alert you to them. The bigger your network, the more updates are received. You pay per update, not per license.
Read more about FlowTraq Pay-Per-Flow
It seems that new viruses are discovered like clockwork in specific industries, especially those dealing with sensitive information. Today I read the details on the newly discovered ‘Red October’ virus – it is eerily reminiscent of the ‘Flame’ worm, and many others that have come before. There are probably even more that are already making the rounds and have not yet been discovered! The next big virus is already sneaking around collecting sensitive information and sending it home; by the time it’s discovered and gets its day in the media sun, it will have been out there for weeks, months, even years.
The Exfiltration of Encrypted Data
What interests me about the recent batch of worms and viruses is their targeted ability to find and exfiltrate sensitive documents. In fact, the “Red October” virus specifically searches for deleted files and files encrypted by “Cryptofiler” which is commonly used in the intelligence community. I doubt anybody considers this a coincidence.
Toxic Data and Data Breaches
Similarly, I doubt anybody is unconcerned with these viruses that go to great lengths to hide and exfiltrate your most sensitive, most toxic data. Toxic data is any piece of information that will do massive damage to your organization’s image and bottom line when its disclosure reaches the public. Usually this includes medical records, financial records and credit cards, and any personally identifiable information. Simply the exposure of a data breach is sufficient, irrespective of the actual content and where the data went.
Using Evidence of Data Exfiltrations
What makes the problem so difficult to tackle is the myriad places inside your computers’ filesystems where these viruses can hide away. There is no guarantee you will ever find them, and computer systems are getting ever bigger and more complex, making it easier and easier to hide. It seems the only safe bet is to search for evidence of the data exfiltrations in the network traffic, which is much harder to hide.
Be Vigilant of Viruses and Inside Jobs
In my opinion, most organizations spend far too much time searching for viruses on their computers, and far too little time searching for data exfiltrations over their networks. Keep in mind that it is not only worms and viruses that may be exfiltrating your most toxic data, it could easily be anyone within your own walls. In the end, the most important objective is to ensure that no toxic data leaves your enterprise, and keeping an eye on your network traffic may be your last viable line of defense.
FlowTraq is a software product by ProQSys, which specializes in high volume, forensically accurate network behavioral flow analysis. Our goal is to substantially improve your visibility and insight into your network infrastructure to understand threats before they become incidents.
ProQSys has 2,600 customers worldwide, including Fortune-500 companies, ISP/MSPs, governments, schools, and universities. For more information, please visit www.flowtraq.com.
See how FlowTraq can help you discover data exfiltrations in your network today!
December 2012
In the December 2012 edition of the FlowTraq™ – by ProQSys – Network Monitoring, Security and Forensics Newsletter
A successful NetFlow-based security workspace includes strong indicators: IP addresses or ports that are far more likely to be associated with malicious behavior than normal or benign behavior. We selected five threats this quarter from among the new or renewed threats discussed in the security community during Q3 and created a FlowTraq Workspace to help you to easily detect these threats in your environment:
More on FlowTraq’s included Workspace for Q3 Network Security Threats
Start Your 14-Day Free FlowTraq Trial
If you’re in the business of providing Managed Security Services, you might be interested in learning more about how to deploy FlowTraq in a multi-tenant environment. Here’s a brief introduction to how it all works.
You probably already know that FlowTraq was designed from the ground up to scale. FlowTraq can support hundreds of users, giving each one their own view of their traffic, the network anomalies detected by FlowTraq, and more.
Thanks to this, you can cost-effectively offer all your customers the proven network forensics FlowTraq provides or enhance your revenue stream by offering FlowTraq as an add-on to your core suite.
FlowTraq can help you perform better, too. Besides offering a wealth of information to your analysts, with all your NetFlow data in one place, FlowTraq makes it easy to cross-correlate network behavior between customers. What’s the first question you ask once you discover one of your customers is being hit by a DDoS or other network disruption and you’ve taken action to mitigate it? “Who else is affected?” FlowTraq can help you protect these customers while they are in the cross-hairs, before the trouble even starts.
If you are looking to take your Managed Security Services platform to the next level, contact us today.
FlowTraq’s Beta Test Group will help to Enhance Planned NetFlow Innovations
Here at FlowTraq, major new development innovations are in the works that will change the way FlowTraq works for you. We’re working to make FlowTraq even faster, more flexible, and easier to use.
To ensure that we’re building what you need, we’re inviting a select group of industry professionals to participate in our FlowTraq Beta Test Group.
We can’t give out many details at this point on what’s in store, but here’s a taste:
Needless to say, it’s a big deal and we’re pretty excited. As always, though, things need to be stress tested, usability tested, and just plain tested before we turn it loose.
We’re looking for some people who have a little extra time to help us out. To participate, you’ll need to do at least some of the following things. Not all will be required and you’ll work closely with us to address your findings.
People who want to help should be somewhat tech savvy (i.e. have no problem installing and uninstalling software and configuring preferences) and have a little extra time to help.
Above all, we’re looking for people who love FlowTraq and NetFlow-based network analysis and would enjoy helping us out.
Get in touch here if you’d like to participate. Thanks a million for your help!
Get In Touch to Join the FlowTraq Beta Test Group