Flowmon ADS
Flowmon Anomaly Detection System (ADS) is a security solution that uses machine learning to detect anomalies hidden in the network traffic. It complements conventional security tools and creates a multi-layered protection system capable of uncovering threats at every stage of compromise.
What Flowmon ADS can do for you:
  • Seal the gap between perimeter and endpoint protection
  • Use machine learning to detect unknown and insider threats
  • Gain detailed insight into encrypted traffic without decrypting it
  • Reveal malicious behavior, attacks against mission-critical applications and data breaches at any point of the threat lifecycle
Key Features and Benefits

Automation
Threats are detected instantly and automatically.
Noiseless insight
Machine learning and other sophisticated algorithms combined to deliver accurate insights.
NetOps and SecOps together
Flowmon ADS is common ground for collaboration on incident resolution.
Low and slow stage detection
Attacks are detected before traffic spikes, preventing danger from escalating.
Early threat alerting
Behavior pattern recognition detects threats in their infancy.
Low rate of false positives
Behavior patterns, reputation feeds and indicators of compromise (IoCs) complement network behavior analysis (NBA), so that a statistical anomaly alone does not raise an alert.
Short incident response time
Context-rich incident visualization for instant remediation.
SecOps ecosystem integration
The solution is integrable with event logging, ticketing and incident response systems.

Advantage at Every Stage of Compromise

Traditional signature- and rule-based detection such as firewalls, IDS/IPS or antivirus focus on securing the perimeter and the endpoints. Effective as they are at catching initial infection by known malicious code or behavior, they offer little visibility into the network interior between those two layers, the area where insider threats and lateral movement take place, and where data is typically staged before it is stolen. Uncovering such activity requires detecting the subtle anomalies in network traffic that serve as indicators of compromise.

How It Works

1. Detection Process
Flowmon ADS uses several detection mechanisms that combine into one versatile capability that can examine network traffic from several points of view and thus cover a wider array of scenarios.
Machine learning
An attacker is trying to brute-force their way past security. Using entropy modeling, Flowmon ADS picks up the repetitive nature of the attack and identifies it as a dictionary attack.
Adaptive baselining
One device has issued several times the average number of DNS queries within a short period of time. In other words, the device is an outlier compared with the rest of the network, a possible sign that DNS is being used for data exfiltration.
Heuristics
The system registers the following symptoms: a device has contacted a large number of other devices worldwide, selected some of them, run simultaneous downloads from them, and all of the downloads ended at the same time. The conclusion is that the device is using BitTorrent.
Behavior patterns
Inbuilt intelligence which has learned standard traffic patterns for different network protocols red flags an ICMP communication normally used for diagnostic and control purposes. The packets in this communication are much larger than normal, indicating that a payload is being transferred. Further investigation reveals exfiltration of user credentials controlled by malware.
Reputation databases
Flowmon threat intelligence keeps itself up to date with the latest reputation feeds and indicators of compromise. It matches observed traffic against these blacklists and can detect, for instance, communication with a botnet command-and-control server.
Signature-based detection
Flowmon ADS incorporates the Suricata IDS for signature-based detection. Signature matches appear in the ADS user interface as ordinary detected events, alongside the behavioral detections, so they can be prioritised and investigated in the same workflow.
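To make the detection mechanisms above concrete, here is a small flow-based detector that implements three of them over NetFlow/IPFIX-like records: adaptive baselining (a host whose DNS query count is an outlier against its peers), a behavior pattern (ICMP packets far larger than diagnostic traffic) and a reputation blacklist. This is an added illustration written for this page, not Flowmon code; the flow record fields, the thresholds, the sample flows and the blacklisted address are all constructed assumptions.

```python
"""Toy flow-based anomaly detector illustrating adaptive baselining, a
behaviour pattern and a reputation blacklist.  Added example, not Flowmon
code; every threshold and sample value below is an assumption."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int        # flow start, epoch seconds
    src: str
    dst: str
    proto: str     # "udp", "tcp" or "icmp"
    dport: int     # 0 for ICMP
    packets: int
    bytes: int


# Constructed sample telemetry (NetFlow/IPFIX-like); everything falls in one 60 s window.
SAMPLE_FLOWS = (
    # three ordinary hosts doing a few DNS lookups each
    [Flow(1000 + i, "10.0.0.11", "10.0.0.53", "udp", 53, 2, 180) for i in range(4)]
    + [Flow(1000 + i, "10.0.0.12", "10.0.0.53", "udp", 53, 2, 190) for i in range(5)]
    + [Flow(1000 + i, "10.0.0.13", "10.0.0.53", "udp", 53, 2, 175) for i in range(3)]
    # outlier: one host issues hundreds of DNS queries in the same window
    + [Flow(1000 + i % 20, "10.0.0.99", "10.0.0.53", "udp", 53, 2, 260) for i in range(240)]
    # ordinary ICMP echo (64-byte packets) and an ICMP flow carrying 1400-byte packets
    + [Flow(1010, "10.0.0.12", "10.0.0.1", "icmp", 0, 10, 640),
       Flow(1012, "10.0.0.21", "203.0.113.7", "icmp", 0, 50, 70000)]
    # a TLS connection to an address on the (constructed) reputation blacklist
    + [Flow(1015, "10.0.0.13", "198.51.100.5", "tcp", 443, 12, 3000)]
)

# Constructed IoC list; a real deployment would pull this from threat-intel feeds.
BLACKLIST = {"198.51.100.5"}


def dns_outliers(flows, window=60, factor=5.0, min_queries=20):
    """Adaptive baselining: per time window, flag a host whose DNS query count
    exceeds `factor` times the mean of its peers (and at least `min_queries`,
    so a quiet network does not flag its single busy resolver client).
    Returns (host, count, peer_mean) tuples."""
    counts = defaultdict(lambda: defaultdict(int))   # window -> host -> queries
    for f in flows:
        if f.proto == "udp" and f.dport == 53:
            counts[f.ts // window][f.src] += 1
    findings = []
    for per_host in counts.values():
        for host, n in per_host.items():
            peers = [c for h, c in per_host.items() if h != host]
            baseline = sum(peers) / len(peers) if peers else 0.0
            if n >= min_queries and n > factor * max(baseline, 1.0):
                findings.append((host, n, round(baseline, 1)))
    return findings


def icmp_payload_anomalies(flows, max_bytes_per_packet=200):
    """Behaviour pattern: diagnostic ICMP carries small packets, so a large
    average packet size suggests a tunnelled payload. Returns (src, dst, bytes/packet)."""
    return [(f.src, f.dst, f.bytes / f.packets)
            for f in flows
            if f.proto == "icmp" and f.packets and f.bytes / f.packets > max_bytes_per_packet]


def reputation_hits(flows, blacklist=BLACKLIST):
    """Reputation check: any flow whose peer address is on the blacklist."""
    return [(f.src, f.dst) for f in flows if f.dst in blacklist or f.src in blacklist]


def detect(flows):
    """Run all methods and return events ordered by severity (highest first)."""
    events = []
    for host, n, base in dns_outliers(flows):
        events.append({"method": "adaptive_baseline", "severity": 3, "src": host,
                       "detail": f"{n} DNS queries vs peer mean {base}"})
    for src, dst, bpp in icmp_payload_anomalies(flows):
        events.append({"method": "behavior_pattern", "severity": 4, "src": src,
                       "detail": f"ICMP to {dst} averaging {bpp:.0f} B/packet"})
    for src, dst in reputation_hits(flows):
        events.append({"method": "reputation", "severity": 5, "src": src,
                       "detail": f"contact with blacklisted {dst}"})
    return sorted(events, key=lambda e: e["severity"], reverse=True)


if __name__ == "__main__":
    for e in detect(SAMPLE_FLOWS):
        print(f"[sev {e['severity']}] {e['method']:<17} {e['src']:<12} {e['detail']}")
```

Note the `min_queries` floor in `dns_outliers`: without it, a host that makes 6 lookups while its peers make 1 would be flagged, which is exactly the kind of noise that pushes analysts to ignore alerts. The baseline here is the peer mean inside one window; a production detector would also keep a per-host history so that a host's own past behavior forms the baseline.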
2. Report and Visualise

The analytical view provides context-rich visualization of attacks with drill-down analysis for a detailed understanding of what is happening.

3. Segmentation and Prioritization

Incidents are ranked according to your priorities with an easy-to-use customization wizard that builds upon battle-tested out-of-the-box configuration.

4. Response

Flowmon ADS can be integrated with network access control, authentication, firewall or other tools for immediate incident response.

Use Cases Covered by ADS

Detection of insider threats
Whether incidents are caused by a careless user or by malicious intent, protect your network from the inside.
Troubleshooting and forensics
Next-generation network monitoring provides actionable insight into the network so that issues can be found, analyzed and fixed easily.
Unknown threat detection
Thanks to behavior pattern recognition, the system can discover previously unknown threats in their early stages, before damage is done, including threats for which no signature exists yet.
Incident investigation and response
Machine learning and data analytics work in unison to give administrators contextualized intelligence that reduces response time.

Experience Flowmon ADS in Action

Webinar: Hacker's Fingerprints
See several hacking scenarios (DHCP and DNS spoofing, port scanning, fake certificates) and how they can be dealt with using anomaly detection and root-cause analysis.

Integrations

The solution can be integrated with complementary security tools and platforms in many ways, whether through syslog, SNMP, email, a REST API or custom scripts. Flowmon serves as a critical source of information for log management, SIEM, big data platforms, and incident handling or response tools.

Network telemetry

Leverage your existing infrastructure as sensors that generate NetFlow, IPFIX, sFlow, jFlow or NetStream from network devices and other data sources such as public cloud platforms, firewalls, virtualization platforms and packet brokers.

User identity

See which user or hostname has taken part in an attack by collecting authentication system log data and correlating it in Flowmon. Any syslog-enabled authentication service or vendor is supported, including Cisco ISE and AD/LDAP.

Logging and reporting

Feed your log management or SIEM system with comprehensive logging with context-rich syslog or SNMP messages. Maximize visibility across the IT environment or log events into your ticketing tools automatically.

Attack blocking

Integrate Flowmon with firewalls, SDN controllers or other technologies for network access control or incident response to fully automate the reaction to a security incident. Or just script your own mitigation scenario to be triggered when a security event occurs.


IBM QRadar application

The two-way native integration between IBM QRadar and Flowmon ADS makes the two complementary: IBM QRadar collects and processes information from all devices in the network, while Flowmon ADS contributes detailed insight into network operations, operational issues, anomalies and suspicious behavior. A whitepaper on the IBM QRadar application is available.

ADS Features

Advanced Action Triggering

Respond to attacks automatically through script-based integration with network or authentication tools. When an event is detected, Flowmon can connect to, for example, Cisco ISE through pxGrid and quarantine the offending host.
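Automated response is only safe when the trigger script itself checks what it is about to block. The following is an added example of such a guarded response hook, written for this page and not Flowmon's own script interface; the JSON layout of the event, the protected-asset list, the severity threshold and the nftables quarantine set are all assumptions.

```python
"""Guarded auto-response hook for a detected event.  Added example, not
Flowmon's script interface; the event JSON layout, the protected-asset list
and the firewall command are all assumptions."""
import ipaddress
import json
import sys

# Assumed: the detection tool hands the event to the script as JSON on stdin.
SAMPLE_EVENT = json.dumps({
    "method": "adaptive_baseline", "severity": 3,
    "src": "10.0.0.99", "detail": "240 DNS queries vs peer mean 4.0",
})

# Constructed allowlist: never auto-quarantine the infrastructure you depend on
# (gateway, resolver, management network), however loud the alert.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.1/32", "10.0.0.53/32", "10.0.1.0/24")]
MIN_SEVERITY = 3


def parse_event(text):
    """Parse the event JSON the detector passes to the script."""
    return json.loads(text)


def plan_response(event, protected=PROTECTED, min_severity=MIN_SEVERITY):
    """Decide what to do about an event.  Returns (argv list or None, reason).
    The command is returned rather than executed so the decision is testable
    and can be logged before anything is changed on the firewall."""
    try:
        addr = ipaddress.ip_address(event["src"])
    except (KeyError, ValueError):
        return None, "event has no valid source address"
    if event.get("severity", 0) < min_severity:
        return None, "below auto-response severity threshold"
    if any(addr in net for net in protected):
        return None, f"{addr} is a protected asset; escalate to a human instead"
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return None, f"{addr} is not a quarantinable host address"
    # Assumed mitigation: add the host to an nftables set that a drop rule references.
    return (["nft", "add", "element", "inet", "filter", "quarantine", "{", str(addr), "}"],
            "quarantine")


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    cmd, reason = plan_response(parse_event(raw or SAMPLE_EVENT))
    print(" ".join(cmd) if cmd else f"no action: {reason}")
```

Run with the event on stdin (`echo '{"src":"10.0.0.99","severity":4}' | python3 respond.py`) or with no input to use the built-in sample. Wiring the returned argv into `subprocess.run` is deliberately left to the operator: the point of the block is that the allowlist and severity gate sit in front of any blocking action.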
Attack Evidence and Analysis

Understand every suspicious event in full context. Context-rich evidence, visualisation, network data and full packet traces for forensics allow decisive action to be taken promptly.

Attack Recording Automation

Trigger full packet capture automatically when detecting an event. Thanks to the Rolling Memory Buffer, the recorded packet trace includes network data, even from the period before the attack started. Use a filter to store the particular attack communication only.

NetOps and SecOps Integrated

Flowmon is a single pane of glass for both teams while respecting their different needs. The combination of early detection, security event warnings and deep visibility into the network helps NetOps and SecOps teams cooperate on incident handling and root cause analysis.

Seamless Integration with SIEM
Report detected events via integration with SIEM systems, surveillance and incident handling systems. QRadar integration is available via native Flowmon app, REST API and syslog.
User Defined Methods

Create custom detection methods flexibly. Red flag malicious, unwanted or otherwise interesting traffic specific to the client's network environment or policies. You only need to create a rule in an SQL-like syntax.

User Identification

See which user or hostname has taken part in an attack by collecting authentication system log data and correlating it in Flowmon. Any syslog-enabled authentication service or vendor is supported, including Cisco ISE and LDAP.
AI Based Detection

With Flowmon you can rely on a state-of-the-art detection engine that uses entropy modelling and machine learning to detect suspicious anomalies in your network traffic, including APTs, malware, insider and other threats that bypass signature-based tools.

Behavior Patterns

Detect misuse and suspicious behaviour of users, devices and servers. By understanding protocols such as DNS, DHCP, ICMP and SMTP you can reveal data exfiltration, reconnaissance, lateral movement and other unwanted activity.

Configuration Wizard

The system comes with pre-defined configurations for a variety of network types; a simple wizard adjusts the settings to your environment after the initial configuration. Managing false positives from then on keeps the relevance of detected events high.
Early Detection
Detect network anomalies and incidents in near real-time. The status of detected events is continuously updated with additional information until the detection finishes.
Prioritisation and Reporting

Use out-of-the-box prioritisation or apply your own severity rules at a global, group or user level. Create custom dashboards for security, networking, IT helpdesk or managers based on their interests.

Threat Intelligence

Enhance your detection capabilities with a best-of-breed combination of commercial and community databases. Receive alerts on indicators of compromise and on communication with malicious hosts such as C&C domains and phishing sites.

Customers Using ADS

"The Flowmon solution is widely used in our company both by network and security engineers. Everyone receives the most important information necessary for their work."

Robert Grabowski, Security Expert

"Thanks to Flowmon, we are provided with network visibility we previously lacked. Now we can identify the causes of network issues easier than ever before."

Masahiro Sato, CTO (from the SEGA case study)

Try Flowmon ADS in Your Network

30-day trial with configuration assistance