Traditional signature- and rule-based controls such as firewalls, IDS/IPS and antivirus focus on securing the perimeter and the endpoints. Effective as they are at catching initial infection by known malicious code or behaviour, they give little visibility into the traffic between hosts inside the perimeter, which is where lateral movement and insider activity take place, and attackers exploit that gap to steal data. This is why Gartner analysts and industry experts suggest adding another layer of defense, Network Detection & Response (NDR, see the SOC Visibility Triad), capable of uncovering such threats by detecting the subtle network anomalies that indicate compromise.
The analytical view provides context-rich visualization of attacks including MITRE ATT&CK mapping with drill-down analysis for a detailed understanding of what is happening.
Incidents are ranked according to your priorities with an easy-to-use customization wizard that builds upon battle-tested out-of-the-box configuration.
Flowmon ADS can be integrated with network access control, authentication, firewall or other tools for immediate incident response.
Kemp Flowmon ADS includes a built-in IDS collector that receives events from Suricata IDS, so the system covers more attack vectors by combining signature-less anomaly detection with signature-based detection. The IDS events are displayed in the UI for filtering and analysis and are also attached to events detected by ADS to supply additional context about the detected incident.
There are many possibilities to integrate the solution with complementary security tools and platforms, whether it is through syslog, SNMP, email, REST API or custom scripts. Flowmon serves as a critical source of information to log management, SIEM, big data platforms, incident handling or response tools.
Use your existing infrastructure as sensors: NetFlow, IPFIX, sFlow, jFlow or NetStream exported by network devices, and flow data from other sources such as public cloud platforms, firewalls, virtualization platforms and packet brokers.
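Flow export is the raw material everything below works on, so here is an added example (not Flowmon code) of decoding one NetFlow v5 datagram of the kind a router sends to a collector. The field layout follows the NetFlow v5 specification; the sample datagram, the addresses and the counters in it are constructed for the example. The point worth noting for anyone writing or configuring a collector is that the exporter's `count` field is never trusted: a datagram whose length disagrees with it is rejected rather than read past its end.

```python
"""Added example, not Flowmon code: decode a NetFlow v5 datagram, the kind of
flow export a collector receives from routers and switches. The sample
datagram is constructed inline; the field layout follows the NetFlow v5 spec."""
import socket
import struct
from dataclasses import dataclass

# 24-byte header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER = struct.Struct("!HHIIIIBBH")
# 48-byte record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # the spec allows at most 30 records per datagram


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(datagram: bytes) -> list[Flow]:
    """Decode one datagram, refusing any whose header does not match its length.

    A collector must not trust the exporter's `count`: an implausible count or a
    truncated datagram is rejected instead of being read past the buffer."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match the record count")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, pkts, octets, flags))
    return flows


def is_well_formed(datagram: bytes) -> bool:
    """True if the datagram parses; used to show the rejection paths."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_record(src, dst, sport, dport, proto, pkts, octets, flags) -> bytes:
    """Pack one record for the constructed sample (nexthop, AS numbers etc. zeroed)."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2, pkts, octets, 0, 1000, sport, dport, 0, flags,
                       proto, 0, 0, 0, 24, 24, 0)


def build_datagram(records: list[bytes]) -> bytes:
    """Pack a header claiming len(records) records, followed by the records."""
    header = HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


# Constructed sample: an SSH session and a large HTTPS upload from the same host.
SAMPLE = build_datagram([
    build_record("10.0.0.5", "10.0.0.9", 51234, 22, 6, 12, 1800, 0x1B),
    build_record("10.0.0.5", "203.0.113.7", 51235, 443, 6, 400, 512000, 0x1B),
])

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE):
        print(flow)
```

The same approach extends to IPFIX and NetFlow v9, except that those formats carry templates that define the record layout, so the parser has to cache templates per exporter and drop data sets whose template it has not yet seen.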
See which user or hostname has taken part in an attack by collecting authentication system log data and correlating it in Flowmon. Any syslog-enabled authentication service or vendor is supported, including Cisco ISE and AD/LDAP.
Feed your log management or SIEM system with context-rich syslog or SNMP messages. Maximize visibility across the IT environment, or log events into your ticketing tools automatically.
Integrate Flowmon with firewalls, SDN controllers or other technologies for network access control or incident response to fully automate the reaction to a security incident. Or just script your own mitigation scenario to be triggered when a security event occurs.
Draw on community threat intelligence and detect threats using Indicators of Compromise shared by over 6,000 MISP participants.
Respond to attacks automatically through script-based integration with network or authentication tools. When detecting an event, Flowmon can connect to, e.g. Cisco ISE through pxGrid, and quarantine the malicious IP address.
Understand every suspicious event in its full context. Context-rich evidence, visualisation, network data or full packet traces for forensics allow you to take decisive action promptly.
Trigger full packet capture automatically when detecting an event. Thanks to the Rolling Memory Buffer, the recorded packet trace includes network data, even from the period before the attack started. Use a filter to store the particular attack communication only.
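To make the rolling-buffer idea concrete, here is an added example (not Flowmon code) of a small in-memory packet ring: it holds the last N packets, and when a detection event fires it keeps the already-buffered packets that match a filter, records matching packets from then on, and serialises the result as a pcap file. The packets, addresses and payloads are constructed for the example; the payloads are not real frames, so the pcap uses a private-use link type.

```python
"""Added example, not Flowmon code: a rolling in-memory packet buffer that keeps
the last N packets, and a trigger that, when a detection fires, keeps the
buffered pre-attack packets matching a filter and records matching packets
from then on, writing the result as a pcap file. Traffic is constructed inline."""
import struct
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional

LINKTYPE_USER0 = 147  # private-use link type: the payloads here are not real frames


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes  # raw bytes as captured (constructed below)


class RollingCapture:
    def __init__(self, max_packets: int):
        # deque(maxlen=...) drops the oldest packet once full: the rolling buffer
        self.buffer: deque = deque(maxlen=max_packets)
        self.match: Optional[Callable[[Packet], bool]] = None
        self.recorded: list = []

    def observe(self, pkt: Packet) -> None:
        self.buffer.append(pkt)
        if self.match is not None and self.match(pkt):
            self.recorded.append(pkt)

    def trigger(self, match: Callable[[Packet], bool]) -> None:
        """Called when a detection event fires. The pre-trigger packets that match
        the filter come from the rolling buffer, so the trace starts before the
        attack was detected."""
        self.match = match
        self.recorded = [p for p in self.buffer if match(p)]

    def stop(self) -> list:
        self.match = None
        return self.recorded


def to_pcap(packets: list) -> bytes:
    """Serialise packets in classic pcap format (little-endian, microsecond stamps)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USER0)]
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(p.payload), len(p.payload)))
        out.append(p.payload)
    return b"".join(out)


def demo() -> tuple:
    """Run the constructed scenario; returns (recorded packets, pcap bytes)."""
    cap = RollingCapture(max_packets=4)
    # Constructed traffic: 10.0.0.5 probes several ports amid benign flows.
    probes = [("10.0.0.7", 443), ("10.0.0.5", 22), ("10.0.0.7", 80),
              ("10.0.0.5", 23), ("10.0.0.5", 3389), ("10.0.0.9", 53)]
    for i, (src, dport) in enumerate(probes):
        cap.observe(Packet(100.0 + i, src, "10.0.0.1", dport, b"x" * (40 + i)))
    # The detection engine flags 10.0.0.5 at t=106; store only its traffic.
    cap.trigger(lambda p: p.src == "10.0.0.5")
    cap.observe(Packet(106.0, "10.0.0.5", "10.0.0.1", 445, b"y" * 60))
    cap.observe(Packet(107.0, "10.0.0.7", "10.0.0.1", 443, b"z" * 60))
    recorded = cap.stop()
    return recorded, to_pcap(recorded)


if __name__ == "__main__":
    pkts, pcap = demo()
    print([(p.ts, p.dport) for p in pkts])
    with open("attack.pcap", "wb") as fh:
        fh.write(pcap)
```

In the scenario the buffer holds four packets, so the attacker's very first probe (port 22 at t=101) has already been evicted when the trigger fires at t=106, while the probes at t=103 and t=104 are preserved. That is the sizing question to settle for any pre-trigger capture: the buffer must cover at least the detection latency of the engine feeding it, or the start of the attack is lost.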
Flowmon is a single pane of glass for NetOps and SecOps teams while respecting the needs of each. A unique combination of early detection, security event warnings and deep visibility into the network helps the two teams cooperate on incident handling and root cause analysis.
Create custom detection methods as needed. Flag malicious, unwanted or otherwise interesting traffic specific to your network environment or policies by writing a rule in an SQL-like syntax.
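As an added illustration of what such rules look like (this is not Flowmon's rule language, and the flow records and the mail-relay policy table are constructed for the example), the block below evaluates two custom rules written in plain SQL over a table of flow records using SQLite: a behavioural rule for an SSH sweep and a policy rule for SMTP from an unsanctioned host.

```python
"""Added example, not Flowmon code: custom detection rules written as SQL over
a table of flow records, standing in for the product's SQL-like rule syntax.
The flow records and the mail-relay policy table are constructed inline."""
import sqlite3

# (ts, src, dst, dport, proto, bytes, packets); proto 6 = TCP
FLOWS = (
    # 10.0.2.40 touches port 22 on six hosts with two packets each: a SYN sweep
    [(1000 + i, "10.0.2.40", f"10.0.3.{i}", 22, 6, 120, 2) for i in range(1, 7)]
    # an admin's real SSH session: one peer, many packets
    + [(1010, "10.0.2.41", "10.0.3.1", 22, 6, 48000, 210)]
    # outbound SMTP from the sanctioned relay and from a workstation
    + [(1020, "10.0.1.25", "203.0.113.10", 25, 6, 9000, 40),
       (1021, "10.0.2.40", "198.51.100.5", 25, 6, 3000, 15)]
)
MAIL_RELAYS = [("10.0.1.25",)]  # policy: the only host allowed to send SMTP out

RULES = {
    # many distinct SSH peers reached with tiny flows = horizontal scan
    "ssh-horizontal-scan": """
        SELECT src, COUNT(DISTINCT dst) AS targets
        FROM flows
        WHERE dport = 22 AND proto = 6 AND packets <= 3
        GROUP BY src
        HAVING COUNT(DISTINCT dst) >= 5""",
    # policy rule: SMTP from anything but the sanctioned relay
    "smtp-from-unsanctioned-host": """
        SELECT src, dst
        FROM flows
        WHERE dport = 25 AND proto = 6
          AND src NOT IN (SELECT ip FROM mail_relays)""",
}


def run_rules(flows=FLOWS, relays=MAIL_RELAYS, rules=RULES) -> dict:
    """Load the records into an in-memory database and evaluate every rule.

    Returns {rule name: list of matching rows}; an empty list means no hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows(ts INTEGER, src TEXT, dst TEXT, dport INTEGER,"
                 " proto INTEGER, bytes INTEGER, packets INTEGER)")
    conn.execute("CREATE TABLE mail_relays(ip TEXT)")
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", flows)
    conn.executemany("INSERT INTO mail_relays VALUES (?)", relays)
    hits = {name: conn.execute(sql).fetchall() for name, sql in rules.items()}
    conn.close()
    return hits


if __name__ == "__main__":
    for name, rows in run_rules().items():
        print(name, rows or "no hits")
```

The scan rule keys on the shape of the traffic (many peers, few packets per peer) rather than on any signature, so the admin's long SSH session to a single host is not flagged; the SMTP rule encodes a site policy, which is the kind of environment-specific knowledge a vendor cannot ship out of the box.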
Understand the meaning of detected events in terms of adversary tactics and techniques as described in the MITRE ATT&CK® framework to assess the scope of the breach and anticipate the attacker's next move.
With Flowmon you can rely on a state-of-the-art detection engine that uses entropy modelling and machine learning to detect suspicious anomalies in your network traffic, including APTs, malware, insider and other threats that bypass signature-based tools.
Detect misuse and suspicious behaviour of users, devices and servers. By understanding protocols such as DNS, DHCP, ICMP and SMTP you can reveal data exfiltration, reconnaissance, lateral movement and other unwanted activity.
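The two preceding paragraphs mention entropy modelling and protocol-aware detection of reconnaissance and exfiltration. As an added example (not Flowmon's engine, whose internals the page does not describe), the block below implements two entropy-based detectors of that kind: the entropy of destination ports per source, compared with a baseline learned from known-normal windows, flags a port sweep, and the character entropy of the leftmost DNS label flags data carried out in subdomains. All traffic, query names and thresholds are constructed for the example.

```python
"""Added example, not Flowmon's engine: two entropy-based detectors of the kind
the text describes. Per-source entropy of destination ports, checked against a
learned baseline, flags reconnaissance; character entropy of DNS query labels
flags DNS tunnelling/exfiltration. All traffic is constructed inline."""
import math
import statistics
from collections import Counter
from typing import Iterable


def shannon_entropy(items: Iterable) -> float:
    """Entropy in bits of the empirical distribution of `items`."""
    counts = Counter(items)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def port_baseline(training_windows: list, min_std: float = 0.1) -> tuple:
    """Learn mean/std of destination-port entropy from windows of known-normal traffic.

    The std is floored so a perfectly regular host does not get a zero-width band."""
    values = [shannon_entropy(w) for w in training_windows]
    return statistics.mean(values), max(statistics.pstdev(values), min_std)


def is_port_anomaly(window: list, baseline: tuple, k: float = 3.0) -> bool:
    """Flag a window whose port entropy exceeds mean + k*std. Probes spread evenly
    over many ports raise entropy sharply whatever ports are used, while a busy
    host talking to the same few services does not."""
    mean, std = baseline
    return shannon_entropy(window) > mean + k * std


def is_dns_exfil(qname: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Flag a query whose leftmost label is long and high-entropy, as encoded data
    carried in subdomains is. Some CDN and tracking hostnames look like this too,
    so a production rule pairs this with an allow-list of known domains."""
    label = qname.rstrip(".").split(".")[0].lower()
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


# Constructed training data: three windows of one workstation's normal traffic.
NORMAL_WINDOWS = [
    [443] * 40 + [80] * 10 + [53] * 10,
    [443] * 50 + [53] * 10,
    [443] * 30 + [80] * 20 + [53] * 10,
]
BUSY_BENIGN = [443] * 30 + [80] * 30   # more traffic, same few services
SWEEP = list(range(1, 201))            # one probe to each of 200 ports

BENIGN_QUERIES = ["www.example.com", "login.microsoftonline.com"]
EXFIL_QUERY = "4f3a9c1e7b2d8f6a0c5e1b9d3f7a2c4e.tunnel.example.net"  # constructed


if __name__ == "__main__":
    base = port_baseline(NORMAL_WINDOWS)
    print("baseline mean/std", base)
    print("busy benign anomalous?", is_port_anomaly(BUSY_BENIGN, base))
    print("sweep anomalous?", is_port_anomaly(SWEEP, base))
    for q in BENIGN_QUERIES + [EXFIL_QUERY]:
        print(q, "exfil?", is_dns_exfil(q))
```

The baseline is what makes the port detector tolerant of volume: the "busy benign" window carries as much traffic as a training window but the same two services, so its entropy stays near 1 bit, whereas the sweep sits near log2(200), far above the learned band. The same baseline-and-deviation pattern is what a practitioner should expect to tune when managing false positives, per source, per group or globally.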
The system comes with pre-defined configurations for a variety of network types, and a simple wizard adjusts the settings after the initial configuration. Then, by managing false positives, maximize the relevance of detected events.
Use out-of-the-box prioritization or apply your own severity rules at a global, group or user level. Create custom dashboards for security, networking, IT helpdesk or managers based on their interests.
Enhance your detection capabilities with a best-of-breed combination of commercial and community databases. Receive alerts on indicators of compromise and on communication with malicious hosts such as C&C domains and phishing sites.
"The Flowmon solution is widely used in our company both by network and security engineers. Everyone receives the most important information necessary for their work."
"Thanks to Flowmon, we are provided with network visibility we previously lacked. Now we can identify the causes of network issues easier than ever before."
Check the SEGA case study
30-day trial with configuration assistance
Try ADS in Your Environment