At Progress Flowmon, we continue to develop and improve the Flowmon product family. The latest update takes the core Flowmon product to release 12.3 and updates our industry-leading Anomaly Detection System (ADS) to version 12.2.
In this blog, we highlight several of the improvements.
Flowmon 12.3 Improvements
Here are the main highlights from the latest Flowmon 12.3 release.
New Navigation Menu for Dashboards and Reports - This release improves ease of use and the user experience by unifying and simplifying access to the feature screens in Dashboards and Reports. A new menu on the left side of the console (see picture below) makes it easier to navigate quickly through Flowmon platform across all the installed modules.
The notifications experience in Dashboards and Reports it is now more intuitive and aligned with other Flowmon modules.
New Documentation Platform - Flowmon 12.3 documentation now uses the online Zoomin Platform. Adopting this platform allows us to focus on the content rather than the delivery engine, resulting in a better experience for the Flowmon user community.
Links to documentation, such as the Help entry in the new Navigation Menu, will open a link to the Zoomin site in the new window of the web browser. In case that Internet access is not possible, or if the Zoomin site is not reachable, Flowmon will revert to a local PDF copy of the documentation.
New Historical Trends Display Option - A new chart that compares current and historical data within a Profile has been added (see picture below). It’s available also as a Dashboard widget, within Reports as a Report Chapter and in the Analysis section in Monitoring Center. Using this Historical Trends view provides insights into traffic volume trends and can help with proper capacity planning. Find out more about Historical Trends in this blog.
Updated to PHP 8.1 - The PHP version used throughout Flowmon is updated to release 8.1. This brings performance improvements and enhanced stability.
Flowmon ADS 12.2 Improvements
Here are noteworthy improvements in ADS 12.2.
IDS Events Visualization & Analysis Browser Updates - Flowmon ADS supports the signature-based Suricata IDS (Intrusion Detection System) since 2020. It augments the behavior based AI-powered detection in Flowmon ADS to deliver additional context and insights for SOC and other cybersecurity teams. Flowmon IDS Probe employs the Suricata IDS engine.
With the release of ADS 12.2, events produced by Flowmon IDS Probe get visualized in the same way as events produced by the behavioral-based detection engine. A new IDS event analysis options with the same visuals and workflows that Flowmon users are familiar with has been added (see picture below).
Using this new IDS view users can drill down into IDS events as they are used to doing for ADS events. The IDS event detail also contains related IDS events and related flows with links to the Monitoring Center for quick analysis at a flow level. This new functionality in Flowmon ADS is also available on central Dashboard as Widgets and in the Reports as Report Chapters.
Users of Flowmon Probe can easily enable this feature by installing the free-of-charge Flowmon IDS Probe package available from our support portal. The package installs Suricata on the Flowmon Probe and, after configuration, exports IDS events via Syslog to the Flowmon Collector with Flowmon ADS.
AI-Assisted Analysis and Threat Score Summary - Assessing the overall security situation using Flowmon ADS has been improved and easily accessible to whole user base in ADS 12.2. The Analysis page in Flowmon ADS now contains summary information that provides actionable insights prioritized according to the level of severity. You can think of this feature as an AI cyber analyst that does the first level of analysis and heavy lifting for you using embedded experience of Flowmon professionals. At a glance, cybersecurity professionals can now get a focused view of the most critical information in a summary that includes details such as:
- Information on the flow data rates (and rate of change).
- The host with the highest number of events.
- The hosts with the highest threat scores.
- Activities that are new to the monitored network, such as attack methods.
- Activities that have seen significant increases.
The image below shows a typical summary screen.
The summary compares the selected period with the previous one of the same length, allowing users to see what has changed, the most important threat actors or hosts of interest and how the security situation evolved and changed.
The threat score is a new metric used in ADS to help pinpoint the most critical threat actors or hosts of interest. It takes into consideration factors such as the count of detected events, their priority based on selected Perspective, the number of targets, various tactics from the MITRE ATT&CK framework and more. It is a dynamic metric calculated per data view so threat score for individual hosts may change based on the selected time interval or Perspective.
Threat score is calculated for all IP hosts on the network so that ADS can sort the most concerning hosts to the top of the list for cybersecurity teams to see and deal with quickly. Another update in this release is that sorting of the BY HOSTS view now uses the threat score to help cybersecurity defenders see the most significant threats to the network (see image below).
Improvements to the DICTATTACK Detection Method - Improving the detection methods within Flowmon ADS is a continuous process. For this 12.2 release, we have improved the DICTATTACK method that discovers dictionary attacks aimed at various network protocols. The improvements will reduce false positives on long-lasting connections, more precise detection results for services such as HTTP & HTTPS and for network services that use multiple network ports.
Application & Platform Mapping to IP addresses - Flowmon ADS 12.2 has embeds an additional network intelligence to map IP addresses to SaaS applications and platforms. This will simplify and streamline the event analysis and investigation process by showing information about the service associated to a specific IP address (see the picture below for an example). The information about SaaS application or platform is indicated across the whole user interface as a small icon with details available upon request (drill down). Event targets in the Event details are now organized also based on the associated application or platform.
Detection of the Use of Specific Applications - Shadow IT can be a significant threat when users run applications not approved or supplied by an organization’s IT team. ADS 12.2 can report events based on the detection of specific applications. IT teams, cybersecurity professionals and management teams can then investigate the use of these applications to make informed decisions on whether the users need them, or if the organization should direct them to use other sanctioned alternatives provided by the IT team.
Using this new functionality will streamline the detection of unapproved SaaS apps and potentially dangerous applications like unapproved VPN software. It will also reduce the risk due to banned applications, for example, social media apps not allowed on Government networks (TikTok being a topical example).
We have added a new type of local blacklist that is using network intelligence about SaaS applications, providers and cloud platforms to pick those of your interest as a custom blacklist.
MITRE ATT&CK Mapping Updated to Version 13 - The MITRE organization updated their ATT&CK frameworks to version 13 in April 2023. This release of ADS has been updated to map network activities and reporting information to this latest MITRE ATT&CK framework.
Updated to PHP 8.1 - As with the core Flowmon 12.3 release, the ADS 12.2 PHP version gets updated to release 8.1, improving performance and stability.
Find Out More
Visit the Flowmon platform page for details of Flowmon Architecture and the Flowmon ADS page for further information on our Network Detection and Response solution. To have a conversation with an expert on how Flowmon can help improve the security of your networks, then contact us.
For a free trial of Flowmon to see how it can deliver actionable insights for your organization in minutes, visit our free trial page. Our support team can assist during your free trial testing. Use the contact page to start a conversation with the support team.