Today we are pleased to announce the release of Progress Flowmon 12. Based on feedback from existing Flowmon customers, research into the threat landscape, and the requirements of today's IT teams, this latest release enhances and expands public cloud provider flow log monitoring support and our Anomaly Detection System (ADS).
For organizations deploying applications and services to public cloud providers, Flowmon 12 introduces support for native flow logs from Google Cloud and Microsoft Azure. It also enhances the support of Amazon Web Services (AWS) flow logs to enable organizations to:
- Optimize the costs of your cloud monitoring strategy by using flow logs for broad visibility and placing Flowmon probes only where extra detail is needed.
- Gain comprehensive visibility into your entire hybrid or multi-cloud deployment from a single user interface. Monitor traffic from on-prem, AWS, Azure, Google Cloud, or any combination thereof.
What is the headline news?
The headline changes in Flowmon 12 are improved and expanded flow log analysis across the primary public cloud providers, and customer-driven improvements to ADS 12.
Flow logs are a form of network telemetry available natively in public cloud environments. Once ingested, system administrators can analyze them to gain a comprehensive degree of visibility into cloud traffic.
Until now, the Flowmon solution has only been able to process flow logs from AWS. This meant that organizations had to deploy Flowmon Probe appliances to monitor Azure and Google Cloud infrastructure. While this approach does provide superior visibility, it is also more costly to implement.
Extending native flow log processing in the environments of all three major cloud providers gives you more options to make your cloud monitoring strategy more scalable and sustainable.
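To make concrete what "ingesting flow logs" looks like in practice, here is an added example (not Flowmon code, and not tied to how Flowmon parses logs) that reads records in the AWS VPC flow log default format, skips records that carry no traffic data, and surfaces sources whose connections were rejected on several destination ports. The sample log lines are constructed for this example.

```python
from collections import defaultdict

# Constructed sample in the AWS VPC flow log default (version 2) field order; not real data.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#         packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.15 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.15 51235 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.15 51236 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.1.20 44000 443 6 12 6200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Turn default-format flow log lines into dicts, dropping malformed or empty records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated or custom-format line; ignore it
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have "-" in the traffic fields
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def total_bytes(records):
    """Sum of bytes across all usable records."""
    return sum(r["bytes"] for r in records)


def rejected_ports_by_source(records, min_ports=3):
    """Sources whose traffic was REJECTed on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(recs), "records,", total_bytes(recs), "bytes")
    print(rejected_ports_by_source(recs))
```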
Flowmon ADS 12 improves and broadens the arsenal of detection methods available and provides new means to fine-tune the system for the best detection accuracy. Feedback from organizations using Flowmon to monitor and protect their networks, along with developments from our R&D team, drove the ADS changes in this release. Changes that originated from R&D include adding a random domain detection method to the machine learning-based detection system in Flowmon 12. This random domain detection is tuned to detect typical malware activity, such as data exfiltration or incoming command-and-control traffic from malware servers. In response to customer feedback, other existing ADS detection methods are enhanced in release 12. For example, detection settings can now be tuned more granularly to eliminate false positives and reduce unneeded alerts going to system administrators.
What are the benefits?
The advantage of the enhanced cloud monitoring functionality in Flowmon 12 is twofold. Firstly, it enables you to centralize hybrid traffic from on-premises infrastructure and three public cloud providers in one monitoring system. Secondly, it allows you to optimize the costs and visibility of your cloud infrastructure monitoring.
Reduce the number of tools
Although each cloud infrastructure provider also offers native cloud monitoring tools, adding them will increase complexity for your IT team. Using multiple tools means they now have more information to aggregate and analyze, especially if you employ a multi-cloud strategy.
Flowmon, however, enables you to gain visibility into your whole infrastructure via a single tool and do so in a cost-effective way.
Optimize cloud traffic mirroring costs
Since cloud infrastructure providers charge extra for traffic mirroring, and processing the mirrored traffic adds further costs, using the providers' native traffic mirroring for large-scale monitoring can considerably increase costs.
Flowmon’s ability to process flow logs makes it possible to achieve very cost-effective monitoring throughout the entire cloud infrastructure. Deploying strategically targeted Flowmon Probe virtual appliances for applications that need deeper monitoring can compensate for any visibility lost by switching away from the cloud providers' built-in monitoring tools.
Enhance early detection of network anomalies
The additions and enhancements to anomaly detection in ADS 12 bring powerful new capabilities to the battle against cyber threats. A new random domain detection method, added to the machine learning-powered detection methods, enables customers to detect malware infections within their network infrastructure. Random domain detection identifies malicious traffic going to domains used by malware command-and-control servers, either to receive further instructions or as targets for exfiltrating sensitive data. Customers can quickly identify such incidents thanks to real-time detection that does not need to know the malicious domains beforehand or rely on the malware's domains appearing on existing blocklists. This new detection method also guards against attackers conducting advanced persistent threats and polymorphic attacks that combine multiple attack techniques.
Enhancements to ADS in release 12 improve many existing detection methods, either by extending them to cover new attack vectors or by revising them to deliver more precise detection. For example, the TOR method was revised to greatly increase the detection of clients on the network that are trying to use the TOR network. For most organizations, TOR use is an indicator of malicious activity. The TOR detection method has also been enhanced to detect when someone from the TOR network is trying to access an organization's publicly available servers. This is usually a sign that cybercriminals are planning a cyberattack or are looking for vulnerabilities to exploit.
The newly added and enhanced detection methods in ADS 12 are joined by a much more granular tuning engine to deliver highly accurate detections. ADS 12 now provides more options for defining false-positive rules, giving you greater control over which events should not raise an alert. These enhancements include an option to specify the domain or Autonomous System Number (ASN) of legitimate organizations (e.g., Microsoft, Amazon) and their services or websites in false-positive rules, to exclude traffic that might otherwise be flagged as an anomalous event.
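The post describes random domain detection and the domain-based false-positive rules but not the algorithm behind them. As an illustration of the general idea, here is an added example (not Flowmon's method) that scores the registrable label of each queried domain with a Shannon-entropy and vowel-ratio heuristic, skips domains covered by an assumed allowlist of legitimate suffixes, and reports clients that repeatedly query random-looking names. The DNS query sample and thresholds are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample of (client IP, queried domain) pairs; not real Flowmon output.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.microsoft.com"),
    ("10.0.0.5", "updates.example.org"),
    ("10.0.0.5", "stackoverflow.com"),      # long, high entropy, but clearly pronounceable
    ("10.0.0.9", "xk3q9vz2lp8wtr.net"),
    ("10.0.0.9", "q7b2mnz8xw1yv.com"),
    ("10.0.0.9", "8fj3kd9s0zq2x.org"),
    ("10.0.0.12", "cdn.amazonaws.com"),
]

# Assumed allowlist standing in for the "legitimate organization" false-positive rules.
LEGITIMATE_SUFFIXES = ("microsoft.com", "amazonaws.com")
VOWELS = set("aeiou")


def is_allowlisted(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in LEGITIMATE_SUFFIXES)


def registrable_label(domain):
    """Label left of the public suffix (naive: second-to-last label; no PSL lookup)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(domain, min_len=8, entropy_threshold=3.0, max_vowel_ratio=0.2):
    """Heuristic: long label with high character entropy and almost no vowels."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio <= max_vowel_ratio


def flag_clients(queries, min_hits=2):
    """Clients with at least min_hits random-looking, non-allowlisted queries."""
    hits = Counter()
    for client, domain in queries:
        if not is_allowlisted(domain) and looks_random(domain):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(flag_clients(SAMPLE_QUERIES))
```

Requiring several hits per client before alerting is the same idea as the tuning described above: a single odd-looking name is far less suspicious than a steady stream of them.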
Reporting in ADS 12 has also been enhanced to make relevant information easier to surface and access, with reports that are clearer and easier to read. Reports can now drill down into ADS metrics and link directly to the relevant page in ADS for detailed information on the linked topic. This drill-down feature has also been added to the central dashboard to provide better workflows and timely information directly from the management interface.
Some other noteworthy changes in ADS 12 are:
- The SCANS method now also analyzes flow requests with SYN|RST flags.
- The REST API is extended with endpoints to configure SNMP and Syslog reporting.
- Customers can now assign MITRE ATT&CK tactics and techniques to their custom patterns.
A consistent level of visibility
Flowmon 12 is an industry-first solution that provides superior visibility in network environments of any type, leveraging existing network telemetry sources or using its purpose-built lightweight Flowmon Probes. It is the go-to tool to achieve a consistent level of network visibility into various environments via a single pane of glass.
Visit the Progress Flowmon website to find out more about the solution, or contact your Flowmon Partner Account Manager or sales representative to trial Flowmon in your environment.