Enterprise Security

Putting the "Security" Back Into SIEM

While many SIEM vendors focus exclusively on log management and compliance, NitroSecurity is equally focused on strengthening the security of your network.

NitroView ESM detects anomalies in user, network and application behavior, and activity patterns that represent more sophisticated threats. Alerting and reporting on threat activity is important, but so is the ability to act.

This is why NitroView is fully integrated with the NitroGuard Intrusion Prevention System, as well as with dedicated NitroView database and application monitoring appliances. When threat activity is detected, NitroView can dynamically strengthen your perimeter defenses, effectively locking down your network through the IDS, IPS and firewall capabilities of NitroGuard.

Perimeter Defense

NitroSecurity provides active protection against network-based attacks, using the industry's only integrated security analysis and active protection system. The problem with many IDS, IPS and other point security products is that they operate in isolation. Security information and event management (SIEM) systems can centrally analyze event activity from across your network, but they have lacked sufficient integration with your perimeter defenses. Until now.

NitroView and NitroGuard are fully integrated, combining best-in-class intrusion detection and prevention with the industry's only content-aware SIEM. This allows the precision of signature-based intrusion detection to coexist with the advanced correlation and threat detection capabilities of a SIEM. It also allows security decisions to be based on true application content awareness, enabling NitroGuard to block covert communications and other threats that are not detectable by traditional intrusion prevention systems.

Finally, threat activity can be assessed within the context of your network, taking into consideration users, applications, device vulnerabilities and other information. When a threat is found, NitroView and NitroGuard work together to lock down the suspect traffic and reduce the risk to your information and infrastructure.

Threat Detection

When is a false positive not a false positive? Looked at individually, many events seem like noise, yet even the most benign activity can be one step of a larger attack. NitroView applies several threat detection techniques together to find these more sophisticated threats and bring them to your immediate attention.

Dynamic Baselines

NitroView dynamically calculates baseline behavior, and deviations from it, for all collected information. Think of it as network anomaly detection that also works for user activity, application use, database transactions and everything else that NitroView is monitoring. Baselines are represented graphically throughout the user interface with clear color indicators, so you can identify abnormal behavior at a glance.
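The following is an added example of what a dynamic baseline with colour-banded deviations looks like in code; it is not NitroView's implementation. The per-hour query counts, the 24-point rolling window, the z-score bands and the MIN_STDEV floor are all assumptions made for the example. It also shows a caveat the paragraph does not: once a spike is admitted into the reference window it inflates the baseline and hides the spikes that follow, so flagged points are kept out of the baseline by default.

```python
from statistics import mean, pstdev

# Constructed sample input (not real telemetry): queries per hour issued
# by one application account over two days. Day 1 and most of day 2 share
# the same daily rhythm; the last three hours of day 2 spike.
QUERIES_PER_HOUR = [
    # day 1, hours 0-23
    40, 38, 35, 33, 30, 34, 60, 120, 150, 160, 155, 150,
    140, 150, 160, 158, 145, 120, 80, 60, 50, 45, 42, 40,
    # day 2, hours 24-47
    41, 37, 36, 34, 31, 33, 62, 118, 152, 162, 151, 149,
    143, 151, 159, 160, 144, 122, 78, 61, 48, 900, 1200, 1100,
]

MIN_STDEV = 1.0  # floor so a perfectly flat window cannot divide by zero

# Colour bands are assumptions for this example, not NitroView's thresholds.
BANDS = (("green", 2.0), ("yellow", 4.0), ("red", float("inf")))
RANK = {name: i for i, (name, _) in enumerate(BANDS)}


def severity(z):
    """Map a deviation (in standard deviations) to a dashboard colour."""
    for name, limit in BANDS:
        if abs(z) < limit:
            return name
    return "red"


def find_anomalies(series, window=24, min_severity="yellow", exclude_flagged=True):
    """Score every point after the first `window` against a rolling baseline
    of the preceding `window` accepted points and return those whose colour
    reaches `min_severity` as (index, value, z, colour).

    With exclude_flagged=True a flagged value is not appended to the
    baseline, so one spike cannot mask the spikes that follow it.
    """
    reference = list(series[:window])  # seed the baseline with the first window
    hits = []
    for i in range(window, len(series)):
        value = series[i]
        ref = reference[-window:]
        mu, sigma = mean(ref), max(pstdev(ref), MIN_STDEV)
        z = (value - mu) / sigma
        colour = severity(z)
        if RANK[colour] >= RANK[min_severity]:
            hits.append((i, value, round(z, 1), colour))
            if exclude_flagged:
                continue
        reference.append(value)
    return hits


if __name__ == "__main__":
    for index, value, z, colour in find_anomalies(QUERIES_PER_HOUR):
        print(f"hour {index:2d}: {value:5d} queries, z={z:5.1f} -> {colour}")
```

Run as-is, hours 45 to 47 come back red. With exclude_flagged=False the third hour drops to yellow because the two earlier spikes have already been absorbed into the reference window. A production baseline would also compare each hour with the same hour on previous days rather than with a flat 24-hour mean, so that a normal morning ramp does not score as a deviation.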

Advanced Correlation

Event correlation looks for patterns of events in order to discover blended attacks. NitroView takes this a step further by including network flows, user activity, application activity and even anomaly-based thresholds in correlation decisions. "A number of failed logins followed by a successful login" is the standard example of event correlation, but on its own it tells you little. NitroView can tell you when that brute-force pattern was carried out against the account of a terminated employee, or when it is followed by a rise in detected malware. Using NitroView's graphical correlation editor, building new rules is simple and logical, so that correlation works for you and not the other way around.

Zero-day Correlation

While event correlation runs in real time against information as it is collected, NitroView can also correlate information ad hoc, letting you investigate patterns and relationships across event data collected over time. We call this "zero-day correlation": analyzing the stored history lets you discover new threat indicators, which you can then turn into real-time rules so that NitroView catches the threat the next time it appears, before it succeeds.
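The following is an added example, not NitroView's rule engine, of the correlation described in the Advanced Correlation paragraph: the "failed logins followed by a success" rule, enriched with the two pieces of context the text names (a terminated employee's account and a subsequent rise in malware detections). The same functions run over a stored event history rather than a live stream are the ad-hoc use the Zero-day Correlation paragraph describes. The event records, the HR termination feed, the thresholds (5 failures in 2 minutes, 10-minute malware window) and the severity ladder are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), already normalised the way a
# SIEM stores them: (timestamp, source, event, user, host).
EVENTS = [
    # jsmith: six failures then a success from ws-17, then AV detections
    ("2024-03-04T09:00:05", "auth", "login_failed", "jsmith", "ws-17"),
    ("2024-03-04T09:00:09", "auth", "login_failed", "jsmith", "ws-17"),
    ("2024-03-04T09:00:14", "auth", "login_failed", "jsmith", "ws-17"),
    ("2024-03-04T09:00:20", "auth", "login_failed", "jsmith", "ws-17"),
    ("2024-03-04T09:00:27", "auth", "login_failed", "jsmith", "ws-17"),
    ("2024-03-04T09:00:33", "auth", "login_failed", "jsmith", "ws-17"),
    ("2024-03-04T09:00:41", "auth", "login_success", "jsmith", "ws-17"),
    ("2024-03-04T09:03:10", "av", "malware_detected", "-", "ws-17"),
    ("2024-03-04T09:04:02", "av", "malware_detected", "-", "ws-17"),
    ("2024-03-04T09:05:48", "av", "malware_detected", "-", "ws-17"),
    # mlee: a mistyped password, two failures then success, nothing after
    ("2024-03-04T09:10:00", "auth", "login_failed", "mlee", "ws-22"),
    ("2024-03-04T09:10:30", "auth", "login_failed", "mlee", "ws-22"),
    ("2024-03-04T09:11:02", "auth", "login_success", "mlee", "ws-22"),
    # svc-backup: a noisy script that fails repeatedly but never succeeds
    ("2024-03-04T09:20:00", "auth", "login_failed", "svc-backup", "srv-03"),
    ("2024-03-04T09:20:01", "auth", "login_failed", "svc-backup", "srv-03"),
    ("2024-03-04T09:20:02", "auth", "login_failed", "svc-backup", "srv-03"),
    ("2024-03-04T09:20:03", "auth", "login_failed", "svc-backup", "srv-03"),
    ("2024-03-04T09:20:04", "auth", "login_failed", "svc-backup", "srv-03"),
]

# Assumed HR feed (not part of the page): account -> termination date.
TERMINATED = {"jsmith": "2024-02-28"}


def ts(s):
    return datetime.fromisoformat(s)


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Base rule: at least `threshold` failed logins for one (user, host)
    within `window` before a successful login from the same pair.
    Returns (user, host, failure_count, success_time) per hit."""
    failures = defaultdict(list)
    hits = []
    for t, _src, ev, user, host in sorted(events):
        key, when = (user, host), ts(t)
        if ev == "login_failed":
            failures[key].append(when)
        elif ev == "login_success":
            recent = [f for f in failures[key] if when - f <= window]
            if len(recent) >= threshold:
                hits.append((user, host, len(recent), when))
            failures[key].clear()  # a success ends the attempt sequence
    return hits


def malware_counts(events, host, pivot, span=timedelta(minutes=10)):
    """AV detections on `host` in the `span` before and after `pivot`."""
    before = after = 0
    for t, _src, ev, _user, h in events:
        if h == host and ev == "malware_detected":
            when = ts(t)
            if pivot < when <= pivot + span:
                after += 1
            elif pivot - span < when <= pivot:
                before += 1
    return before, after


def correlate(events, terminated):
    """Promote a plain brute-force hit using the context the text describes:
    a terminated employee's account, or a rise in malware on the host."""
    alerts = []
    for user, host, n, when in brute_force_then_success(events):
        reasons = [f"{n} failed logins then success for {user} on {host}"]
        score = 1
        if user in terminated:
            reasons.append(f"account terminated on {terminated[user]}")
            score += 1
        before, after = malware_counts(events, host, when)
        if after > before:
            reasons.append(f"malware detections on {host} rose from {before} to {after}")
            score += 1
        severity = {1: "medium", 2: "high", 3: "critical"}[score]
        alerts.append({"user": user, "host": host, "time": when.isoformat(),
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, TERMINATED):
        print(alert["severity"].upper(), alert["user"], alert["host"], "|", "; ".join(alert["reasons"]))
```

On the sample data only jsmith fires: mlee's two failures are below the threshold and svc-backup never succeeds, so neither produces an alert. The jsmith hit is promoted twice, once for the terminated account and once because malware detections on ws-17 go from zero to three in the ten minutes after the login. Without the HR feed the same hit would be "high"; with neither context it would be the plain "medium" brute-force alert that most SIEMs stop at.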

All of this requires extremely fast event processing, which is one reason NitroView was built for massive scalability. NitroView's performance advantage allows vulnerability, threat and impact to be assessed across both network operations and overall business operations. Collecting more information from more sources (data scalability) improves threat detection. Integrating more systems (breadth of analysis) provides the required context of user identity, vulnerabilities and impact. Accessing this broader collection with maximum granularity (depth of analysis) meets the forensic analysis requirements of both SOC operators and compliance auditors. Finally, NitroSecurity's core data management technology makes all of this information immediately accessible, so the correlation, reporting and analysis functions of the SIEM complete in seconds instead of hours.

Insider Threats

Insider attacks are often simple cases of authorized access abuse. They are not complex, blended attacks with sophisticated attack vectors, yet they are often harder to detect because they involve authorized users accessing information that is mostly within the realm of expected behavior. Total visibility of authorized user activity, from file transfers to email, database queries, instant messaging and social networks, lets security analysts separate legitimate actions from dangerous mistakes and from actual insider abuse.

Because it is content aware, NitroView provides improved detection of threats from both inside and outside sources. Monitoring content lets NitroView detect insider threats ranging from accidental policy violations to fraud and intentional business logic abuse.

Forensics

NitroView captures logs and events and retains them for long periods with full granularity. It does not require you to archive data off the system every few months, so all of that detail remains available for analysis at any time. Nor does it make you wait for answers: searches, relational queries, baselines and trend analysis, and even the full details of an entire session are returned in seconds. Because of NitroView's speed and scalability, even the most complex reports, across billions of records, complete in a few minutes.

This makes NitroView an extremely valuable forensics tool, letting you obtain the actionable security intelligence you need quickly and easily. Once you know what you are looking for, retrieving the evidence is just as easy, because NitroView stores captured packets with each event and points you directly to the source log records, making the entire investigative process simple and efficient.