Anomaly Detection (ADS)
NitroView Enterprise Security Manager collects and analyzes data from multiple systems, correlating all available data for purposes of anomaly detection. The data collected may be sourced from virtually any relevant network device, including: network traffic flows (from Netflow or Sflow capable routers and/or using NitroFlow); alerts and events generated by NitroGuard; from any of the large list of supported 3rd party firewalls, IDS and IPS devices; from host devices using OS logs such as WMI; and from many other devices through the support of unstructured syslog feeds.
The ability to detect anomalies in the context of intrusion prevention and simultaneous network behavior analysis gives security events network awareness — a valuable situational context used for detecting anomalies in live traffic patterns. However, understanding the historical context of security events and network traffic patterns is even more valuable. This level of context has been largely overlooked due to the computational challenges of correlating large histories of data against live security and flow data. Due to the performance benefits of the NitroSecurity solutions, however, it is possible to correlate historical data in real time while simultaneously correlating data from live network traffic and providing real-time analytics. The result: a comprehensive and cohesive trend analysis and anomaly detection system (ADS).
The power of a solution providing both deep anomaly detection and real-time analytics is evident through contextual baselining of the existing traffic: a traffic and alert model is created for the network that can flag unexpected and potentially harmful behavior. Prior knowledge of the anomalous behavior is not required; anomalies are recognized through continuous correlation of whatever data points are made available to NitroView.
Context Sensitive Analytics
Using NitroView and NitroGuard together as an ADS is possible due to Context-Sensitive Analytics (CSA), which provide on-the-fly data analytics. CSA is a function of the underlying high-performance data engine: counts, sums, averages, correlated trends, and other complex analytics are performed through patented indexing technologies used within the data storage engine. Typical databases would require multiple database table scans to retrieve data (one scan per data point), correlation of the data sets for relevance, and finally analytical calculations based upon the correlated results. Each step of this process could take minutes or even hours, necessitating carefully planned reports and procedures — as well as a good deal of time and money — for their use. NitroView's built-in, context-sensitive analytics (CSA), in contrast, occur in real time, enabling a heuristic approach to information management: if a data point appears suspect, simply investigate it. As new data concerning the situational and historical context of that data is unveiled in real-time, new avenues of investigation are either opened or closed. The result is a highly human, context-driven diagnostic approach to information management.
Dynamic Situational Context
The Nitro system breaks down all network traffic by packet, address, port or protocol, and allows you to rapidly determine what activity and packets are causing the anomaly. Again, this is possible due to the ongoing correlation of both historical data (logs) and live data (security events and network flows): the system analyzes data as the NitroView user interacts with it and re-correlates to display new information according to new data contexts.
Dynamic Historical Context
The real-time analytic capabilities may be spread across any customizable time period for historical context. For instance, if an operator is looking at the network history in 1 day increments, a data-distribution graph (indicating flows, alerts, packets, etc.) is generated. If historical context is required, a time-correlated baseline — calculated by default from a sample of activity based on the current context (daily increments) — is presented as an overlay to that same graph. Adjusting the context in which the data is viewed, for example changing from daily to monthly increments, adjusts the time-correlated baseline as well. The result: through simple-point-and-click examination of data, a security professional is able to instantly see what is "normal" and what is anomalous: including the expected results from the time-correlated baseline, the actual results, and the degree under or over the baseline the actual result occurred.
The provided screenshot of NitroView illustrates a high-level view of network utilization over a 4 hour time period. The increments on the graph are 6 minute slices. Each slice can be "drilled into" for further analysis until the exact packets or events causing the anomalies are identified, or "zoomed out" until broader histories are presented. The time-correlated baseline, because it is re-calculated according to historical context, adjusts to each action. This functionality is only possible because NitroSecurity's high-performance data engine is able to both correlate data and perform data analytics (such as baselines) in real time.
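The time-correlated baseline and drill-down described above, as an added illustration that is not NitroSecurity's code: constructed flow counts per 6-minute slice over several days, a baseline computed from the same time-of-day slice across the history, and the same comparison re-run at hourly increments to show how changing the context changes the baseline and what is flagged. The diurnal pattern, jitter and injected anomalies are all constructed sample data.

```python
from statistics import mean

SLICES_PER_DAY = 240          # 6-minute slices in a 24-hour day
HISTORY_DAYS = 4              # days of history used to compute the baseline
LIVE_DAY = HISTORY_DAYS       # the day being examined

def expected_count(slice_idx, day):
    """Constructed diurnal flow count: busy 08:00-18:00, deterministic jitter."""
    base = 100 if 80 <= slice_idx < 180 else 20
    return base + (day * 7 + slice_idx) % 5

def history_series():
    """Constructed history: one flow-count list per past day (not real data)."""
    return [[expected_count(i, d) for i in range(SLICES_PER_DAY)]
            for d in range(HISTORY_DAYS)]

def live_series():
    """Constructed live day with two injected anomalies (not real data)."""
    live = [expected_count(i, LIVE_DAY) for i in range(SLICES_PER_DAY)]
    live[100] *= 5   # a burst at 10:00 (slice 100)
    live[200] = 0    # a dropout at 20:00 (slice 200)
    return live

def aggregate(series, width):
    """Re-bucket 6-minute slices into coarser increments (width=10 -> hourly)."""
    return [sum(series[i:i + width]) for i in range(0, len(series), width)]

def time_correlated_baseline(history, width):
    """Expected value per bucket: mean of the same time-of-day bucket across past days."""
    rebucketed = [aggregate(day, width) for day in history]
    return [mean(vals) for vals in zip(*rebucketed)]

def find_anomalies(live, history, width=1, factor=2.0):
    """Compare the live day to the baseline at the chosen increment.
    Flags buckets whose actual/expected ratio is outside [1/factor, factor]."""
    actual = aggregate(live, width)
    expected = time_correlated_baseline(history, width)
    flagged = []
    for idx, (a, e) in enumerate(zip(actual, expected)):
        ratio = a / e if e else float("inf")
        if ratio > factor or ratio < 1 / factor:
            flagged.append({"bucket": idx, "actual": a,
                            "expected": round(e, 2), "ratio": round(ratio, 2)})
    return flagged

if __name__ == "__main__":
    hist, live = history_series(), live_series()
    print("6-minute view:", find_anomalies(live, hist, width=1))
    print("hourly view  :", find_anomalies(live, hist, width=10))
```

At the 6-minute increment both injected anomalies stand out against the baseline, while at the hourly increment they are absorbed into the larger bucket; drilling back into the finer slices is what exposes them.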
Summary
Basic anomaly detection via signature-based event and flow matching is only one building block of a true ADS. Correlating these alerts and events with historical event and flow data, as well as with other relevant network data — such as server and host logs, firewall logs, and other records — extends the value of the anomaly detection system by adding situational context. Providing real-time analytics as well extends the value further by adding historical context. Whether considering NitroGuard alone, which provides a large library of security and network anomaly signatures, or in conjunction with NitroView ESM, which enhances the value of the NitroSecurity solution by adding real-time correlation of all collected data, NitroSecurity is capable of discovering network and event anomalies for the protection of your information and infrastructure.