To spot potential data leaks or information security breaches, security teams use FlowTraq to analyze network traffic flow records, gaining full visibility into data flows into and out of the network.
FlowTraq contains a variety of filtering and anomaly detection features. It quickly recognizes hosts initiating a connection, and importantly, hosts receiving data outside of normal thresholds or exhibiting unexpected network behavior patterns. Our Network Behavioral Intelligence (NBI) toolkit has many features to identify potential threats to proprietary data.
The blacklist detector scans incoming network sessions individually and matches them against a list of individual IP addresses and CIDR blocks; each connection to a blacklisted IP or CIDR block results in a generated alert. The detector can be configured with the URL of a threat list (from which it will update every 24 hours by default, or at 6- or 1-hour intervals) or with a static text file.
The threshold detector monitors short-term traffic for increased volume according to any countable object: hosts, autonomous systems, applications, TCP flag combinations, even entire countries. In its simplest form, it monitors the selected counted object type in terms of bytes communicated (both sent and received) and alerts when that traffic volume rises above the selected threshold within a given ten-minute period.
The volume detector is a powerful general statistical analysis tool that examines long-term traffic history to create baselines for specified network entities — which could be hosts, applications, autonomous systems, or even whole countries — in order to quickly identify unusual volumes in terms of bytes, number of sessions, or unique counts.
The Behavioral Fingerprint Generator is the most general-purpose alert in the NBI toolkit, and is responsible for creating statistical profiles of individual IP addresses in order to identify individual sessions as abnormal. Over time it determines a set of typical connections in terms of client and server IPs and likely applications (determined by service port). Alerts are raised when never-before-seen communications take place: a new host contacted, or an ordinary partner contacted on a new port. This allows the fingerprint generator to function as a network change detector, permitting detection of changes in behavior of individual servers in a way particularly useful for detecting malware and data exfiltration.
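The two session-level detectors described above (the blacklist detector and the behavioral fingerprint generator) can be sketched over flow records. The following is an added illustration, not FlowTraq code; the flow tuples, the threat-list entries and the detector class names are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from FlowTraq): (client_ip, server_ip, server_port, bytes)
LEARNING_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 443, 1200),
    ("10.0.0.5", "10.0.1.20", 443, 900),
    ("10.0.0.5", "10.0.1.21", 53, 120),
    ("10.0.0.7", "10.0.1.20", 443, 4000),
]
# Constructed threat list using documentation ranges; not a real feed
BLACKLIST = ["203.0.113.0/24", "198.51.100.7"]


class BlacklistDetector:
    """Match each session's server IP against single IPs and CIDR blocks."""
    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def check(self, flow):
        _, server, _, _ = flow
        addr = ipaddress.ip_address(server)
        hit = next((n for n in self.networks if addr in n), None)
        return f"blacklisted destination {server} in {hit}" if hit else None


class BehavioralFingerprint:
    """Per-client profile of (server, port) pairs seen during the learning period."""
    def __init__(self):
        self.partners = defaultdict(set)

    def learn(self, flows):
        for client, server, port, _ in flows:
            self.partners[client].add((server, port))

    def check(self, flow):
        client, server, port, _ = flow
        seen = self.partners.get(client, set())
        if (server, port) in seen:
            return None  # ordinary partner on an ordinary port: no alert
        if any(s == server for s, _ in seen):
            return f"{client} reached known partner {server} on new port {port}"
        return f"{client} contacted never-before-seen host {server}:{port}"


def alerts_for(flows, detectors):
    """Run every detector over every flow and collect the raised alerts."""
    return [a for f in flows for d in detectors if (a := d.check(f))]


def run_demo():
    """Learn from the baseline window, then score a constructed test window."""
    fp = BehavioralFingerprint()
    fp.learn(LEARNING_FLOWS)
    window = [("10.0.0.5", "10.0.1.20", 443, 800),       # normal, no alert
              ("10.0.0.5", "10.0.1.20", 22, 300),        # known partner, new port
              ("10.0.0.7", "203.0.113.44", 443, 50000)]  # new host and blacklisted
    return alerts_for(window, [BlacklistDetector(BLACKLIST), fp])
```

A real deployment would age the learning set and key the profile on client, server and service port exactly as the text describes; here the profile is a plain in-memory set.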
Network intrusions often go undetected for months, due to poor alerting of abnormal network traffic patterns and inadequate preservation of network traffic historical data. Quickly detect data leaks with FlowTraq!
The traditional school of network security thinking focuses on keeping the bad guys out, and the good guys safe on the inside. It implicitly assumes a trusted center. But anyone who has been paying attention to the news lately knows this is no longer true. Bad guys are on the inside. What they are dragging out of your network should be your primary concern if your task is to protect the sensitive data on your network.
Fortunately, FlowTraq is an affordable network security software solution. FlowTraq is a full-fidelity flow collector designed to combine the tasks of network monitoring, IT security, and forensics in one powerful, fast, and easy-to-use suite. FlowTraq offers a user-configurable dashboard with many alerting and reporting options, designed for fast, interactive network traffic analysis.
Not all bad guys come in through the front door with weapons drawn, wearing a red bandanna and cowboy boots. Few successful compromises are performed with noisy exploits against vulnerable services. Signature-based intrusion detection systems will most likely not notice the bad guy coming in, and will definitely not notice the good data leaving. Most compromises are stealthy, happen by chance, or originate from the inside by someone you trust. Now add to that the cases of accidental data loss where sensitive data, or even credentials to sensitive data, leave the network because of simple human error. There are simply too many vectors, and your last line of defense is to catch the data as it is on the move. Any modern computer system is so complex that bad actors can hide in every cranny, and you might never find them. Once they pop their heads out of the sand and start moving your data around, something changes. The data becomes visible, and their behavior becomes detectable. The solution: profile your networks for what is normal, so you may catch the abnormal, regardless of the attack vector.