Payload and Event Reporting by MetaFlows CEO Livio Ricciulli, Part III
By Joshua L. Konkle on January 31, 2012 5:00 AM
MetaFlows is a network security monitoring tool implementing some unique capabilities in today’s ever-changing security environment.
MetaFlows Security System uses a combination of open source and proprietary technologies to reduce costs and support off-the-shelf hardware
By Lucian Constantin, IDG News Service
January 30, 2012 10:20 AM ET
Network security monitoring startup MetaFlows launched a new Software-as-a-Service (SaaS) product that can be installed on low-cost hardware to monitor network traffic flow, detect possible intrusions and analyze event logs.
SaaS-based Global Correlation System Cuts False Positives, Improves Productivity
SAN DIEGO, CA, January 30, 2012 — MetaFlows, Inc., a startup focused on leveraging emerging cloud and virtualization technologies for the next generation of network security solutions, has developed a Software as a Service (SaaS) product that allows IT managers to easily implement high-performance Intrusion Detection/Prevention Systems (IDPS) using standard, off-the-shelf hardware. This technology allows users to load balance existing IDPS applications (like Snort or Suricata) on commodity multi-core processors like the Intel I7, thus slashing the cost of network security hardware by at least an order of magnitude.
Until now, only proprietary machines that cost around $50,000 could run parallel streams of traffic on an IDPS system. The MetaFlows Security System (MSS) is a software-based solution that can divide traffic into multiple streams and process each of them on a separate CPU core to monitor up to 10 Gbps of sustained network throughput on standard, off-the-shelf servers costing $4,000 or less. The MSS extends the capabilities of common hardware to do packet filtering and web filtering as well, providing effective protection against cyber threats.
But perhaps the biggest achievement of the MSS software is that it lets users find security issues more quickly and more reliably. This is because the MSS performs intra-domain correlation of an unprecedented range of security event information (Network and Host IDS, Event Logs, Vulnerability Data), flows and dynamic reputation intelligence feeds.
“MetaFlows SaaS ensures security analysts deliver qualitative reporting by minimizing routine data center configuration and false positives, and it does this while minimizing capital and operational costs,” said Joshua Konkle, CISSP #39157 and Vice President of DCIG
The MSS’s, real-time, browser-based security console ranks events using a new predictive global correlation system mathematically similar to Google’s page ranking algorithm. Important events show up at the top and users can prevent, quickly investigate and remediate security and usage policies issues before they become critical.
“Businesses and other organizations benefit from our software because it affords them a level of security, network awareness and processing efficiency that has only been available to enterprises with large security budgets,” said Livio Ricciulli, CEO and Chief Research Scientist of MetaFlows. “MetaFlows customers get that same performance and even better security through more accurate event and flow analysis for a tenth of the price.”
For a video demonstration of the MetaFlows Security System, please visit https://www.metaflows.com/resources/webvideo/.
Network security monitoring is a constantly changing environment of both tools and methodologies. Most of them today, however, have used a lone “cowboy” mentality where datacenter solutions operate independently. MetaFlows is changing that. Today, I am continuing my interview with MetaFlows CEO Livio Ricciulli, discussing how their product is optimizing network security monitoring and performance.
Enterprise organizations face the daily challenge of ever-growing threats to their network and IT infrastructure. Not only are these threats growing, but they are constantly changing as well, forcing companies to adapt by changing not only their tools but also their training. Today, I’m talking with MetaFlows CEO Livio Ricciulli about howMetaFlows is addressing these problems by delivering network security monitoring using the “Software as a Service” model.
The MSS now allows to perform vulnerability scans. Right-click on a record and choose the host/port combination to scan. A report will be created in real time once the scan is done and the results will also be stored as Log events to be retrieved through the historical queries. The scans can be slow, so be patient once you initiate a scan.
Our event analysis interface was improved to provide more correlation between Flow, IDS, and Log events. Snort events are blue, Service discovery and User discovery events are yellow and Log event are red. Each of these categories can be under the source or destination IP address or the Event column. If the events are under the source or destination addresses it means that they have been associated with that address (or group of addresses) only. If the events appear in the Event column, it means that they have been associated with that flow or group of flows (both source and destination addresses were associated with that event).
We improved the way we calculate packet received (RX) and packet drop (DR) rates. RX+DR should now be exactly the total of what the box is seeing. RX is the actual Snort processing rate and DR is the rate of packets Snort is not able to process either because the OS drops them or Snort drops them.
We have added two rule files (country_code.rules and e8country_code.rules) that contain all the country codes. Clicking on a country will treat all IP addresses from that country to have a bad reputation. This can get kind of noisy in certain environments. Keep in mind that this was developed for an entity that does not like their computers
to talk to foreign countries. In most open networks with IM, P2P, and/or International reach these rules might not be very useful and should not be turned on.
Clicking on rules in the country_code.rules will cause direct Snort hits any time a TCP or UDP flow to that country is established. Clicking on you own country would cause EVERY flow to generate a Snort alert (please do not do this).
Clicking on rules in e8country_code rules (recommended) will cause a positive rank hit if a home machine talks to the selected countries AND there are other relevant, suspicious events coming from the same home machine.
You cannot modify the country rules (for now).
MetaFlows has developed 10 Gbps functionality using off-the-shelf hardware.
Previously, MetaFlows measured the performance of PF_RING with Snort inline at 1 Gbps on an I7 950. The results were quiet impressive.
In MetaFlows latest testing, the Development Team reports on their experiment running Snort on a dual processor board with a total of 24 hyperthreads (using the Intel X5670). Besides measuring Snort processing throughput varying the number of rules, they also (1) changed the compiler used to compile Snort (GCC vs. ICC) and (2) compared PF_RING in NAPI mode (running 24 Snort processes in parallel) and PF_RING Direct NIC Access technology (DNA) (running 16 Snort processes in parallel).
