MetaFlows Announces Virtual Sandboxing in Amazon Cloud: Advanced Feature in MSS Delivers Unlimited Scalability for Sandboxes


Las Vegas, NV, August 4, 2015 — MetaFlows, Inc., a leader in advanced, behavioral network security monitoring, announced today that MetaFlows Security System (MSS) users can now deploy a distributed virtual sandbox using the Amazon EC2 cloud. MetaFlows’ virtual sandbox spawns Amazon EC2 instances. Once the EC2 instance detonates the sample, it is simply wiped out and recycled. This new MSS feature enables users to run exploits exclusively in a virtual environment thus providing unlimited, on-demand sandbox resources.

Exploit samples can be submitted to the sandbox in two ways: discretely by the user, or automatically by the network-level monitoring performed by the MSS. The MSS can extract content from the network stream by either monitoring physical networks, or by performing deep packet inspection in the Amazon EC2 cloud (without requiring access to the networking layer).

“Sandboxing is a key weapon against malware, and users need flexibility and scale to use it properly,” said Frank Dickson, Research Director at Frost & Sullivan. “By initiating sandboxes on the Amazon EC2 cloud, MetaFlows offers sandbox resources on the fly without the expense of local servers.”

Advanced Features Driving MSS Sales

Virtual sandboxing and other exclusive, groundbreaking features (such as advanced multi-session IDS analysis, real-time correlation of collaborative intelligence, and Soft IPS) are driving increasing adoption and sales of MSS; the customer base has increased 400% since 2013. Recently, a cabinet-level department of the US government requisitioned MSS. Other commercial, educational, and government organizations have also acquired MSS. MetaFlows’ products are today enjoying considerable traction with virtually no marketing support because they demonstrably provide an unprecedented combination of cost-effectiveness and sophistication in the detection and prevention of malware and other network-based attacks.

MetaFlows’ MSS product will be on display at Black Hat USA at Paris/Bally’s in Las Vegas on August 5-6 at kiosk I-7. MetaFlows’ engineers will be available for live product demonstrations and deep technical discussions about the numerous innovations unveiled at the conference.

MetaFlows in the Top-20 Security Companies for 2015

CIOReview Magazine has selected MetaFlows as one of the Top 20 Most Promising Enterprise Security Companies in 2015. In the article Cost Effectively Tackling Advanced Security Threats, we outline our approach to the security challenges for the upcoming decade. The internet is shifting from a client/server paradigm to a peer-to-peer, mobile environment.

Your Network Perimeter is Dissolving

breachesHeuristic-based network perimeter defences will become less and less effective because it is like applying medical diagnosis in an environment where new pathogens are created on a daily basis. So, heuristically determining what is bad and what is good may work initially, but it becomes a losing battle unless the network security operators are constantly updating their heuristics. Also, protecting the perimeter is not enough, once something makes it on the inside, the perimeter becomes irrelevant. We have seen that companies adopting this approach can be hacked no matter how much money they spend.

Share Intelligence

internet_graphSingle-vendor network security intelligence feeds have become ineffective due to the sophisticated global cooperation of hackers. Vendors that provide a single box and a single source of network intelligence are selling an inherently flawed promise. Products should be based upon integrating multiple collaborative intelligence feeds. The complexity and interconnectivity of the attacking adversaries requires a similar defense strategy.

MetaFlows has been innovating in these two important dimensions for the past seven years drawing from a thirty year Government-sponsored network security and intrusion detection research. The technical founders of MetaFlows (Livio Ricciulli and Phillip Porras) sharpened their teeth at the Computer Science Laboratory of SRI International, where intrusion detection was first developed back in 1983.

The best part is that these innovations are now commercially available through MetaFlows. The company is improving the security of a large number of networks (big and small) around the world.

MetaFlows at BlackHat 2015

bh15usa_125x125_sponsor_2MetaFlows pleased to announce that we will be an exhibitor at BlackHat USA 2015, August 5th-6th. Please visit our kiosk IC7 to see one of the best IDS/Malware detection systems in the world in action. We will be showing an ongoing, live demonstration of our system in action on a university network processing around 200,000 packets per second. You can witness how malware is caught and stopped in real time as if you were running on your own network. We might even be able to let you drive for a while! Do not miss this opportunity to see the secrets of our success.

MetaFlows Inc. develops SaaS-based, network security software appliances that can reliably find and stop malware hidden in your network. False positives are virtually eliminated by correlating multiple independent flows. False negatives are lowered by combining feeds from Emerging Threats, Cuckoo, VirusTotal, SRI, OSSEC, Trustwave, YARA, ClamAV and Web of Trust.

MetaFlows: SC Magazine Innovators Hall of Fame

sc_logo_21413_345884Our friends at SC Magazine have inducted us into the SC Magazine Innovators Hall of Fame. It is nice to be recognized for our innovations. Importantly, this is purely based on their journalistic curiosity; we give them props for performing their reviews based on sound technical knowledge. We refuse to pay money for recognition. You might think we are old-fashioned but this is how we roll at MetaFlows.hall_of_fame_495827

Their article also points out the importance of monitoring beyond the network perimeter using multi-session correlation. If you are not sure what multi-session correlation can do for you, it is best for you to put it to the test. You will be amazed of what you can find out about your network.

Read the article at SC Magazine’s Website

What We Caught at Supercomputing 2014

  1. Scanners (DNS, MYSQL, SSH, Shodan Indexing, portmap)
    DNS and MYSQL scanning from China, SSH brute force from everywhere, Shodan vulnerability indexing, and one very persistent portmap scanner.
  2. Lots of BitTorrent users kicked off the wireless network for illegal file sharing.
    In previous years torrent users have been mostly ignored since there were no good ways to determine which uses of the torrent software were legitimate and which were not. This year, however, these were not hard to find at all. MetaFlows software automatically decodes the torrent and magnet information to determine exactly which files a user is trying to download as well as which files they are seeding to other users. At first we were very picky about only disabling heavy abusers seeding outbound shares of recent movies and current TV shows. As the conference went on we got a bit more aggressive at reporting on and banning downloaders as well. When the user was not on the wireless, they were sometimes a little hard to pin down:

    “…it was from someone who gave a talk for them and plugged into their network. This person will not be presenting again, so they expect we will not see this activity again. Please let them know if we do.

  3. Spyware on the show floor.
    We saw the return of some MarketScore spyware that we had seen at the Denver conference in 2013. Unfortunately we could not always track down adware/spyware cases on the show floor or the wireless since they were a lower priority.
    snort-policy-violation/malware:1.2001564:ET MALWARE Spyware Proxied Traffic
  4. Inbound telnet scanning and the default IPMI port
    A couple of cases of telnet port 23 being accessible by the outside world were discovered before they could be exploited. One of them appeared to be an IPMI port that someone had accidentally plugged in; it was still configured to the default admin/admin password.

    “We chatted with the two booths that have these machines. The one with the admin/admin account has disconnected that interface. The second booth has disabled telnet. Both booths were very happy that we let them know. Thanks!”

  5. Linux Trojans – default/weak passwords led to boxes being added to a DDoS botnet.
    snort-trojan-activity/trojan:1.2018808:ET TROJAN DoS.Linux/Elknot.G Checkin

    Unfortunately the first of these that we reported was left unresolved and its status as a bot was confirmed when it began sending SYN flood attacks overnight. The host did get attended to the next day, and future cases of this infection were taken much more seriously. Once we got the behavior pattern down we found that the infected host downloads a binary payload from a command and control server.

    After adding the binary source to the blackhole list these infections stopped. Generally the cases that remained were resolved by talking to the user and letting them take care of it:

    “The technical guy said that that IP was just a VM and he will shut it down. We are no longer seeing traffic.”

    “I chatted with the guy in booth WXYZ and he is in the process of cleaning up his Linux box. He was thankful for the information, and commented that he had the default username and password for root on the Linux box.”

  6. Suspicious signs of WireLurker on OS X systems.
    We want to research these a bit more, it looked like there were maybe three OS X machines on the network that were triggering alerts to this “evil” domain.

    snort-trojan-activity/trojan:1.2019667:ET TROJAN OSX/WireLurker DNS Query Domain

    This alert was sometimes also seen with weird DNS alerts:

    snort-policy-violation/dns:1.2014703:ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
  7. Large scale SIP Scanning.
    There was a massive DDoS style scan of the network on port 5060 on the second day of the conference, and we suspect it may have contributed to some infrastructure issues and recommended temporarily blocking off that inbound port at the border if there were no known legitimate services running for it. Hundreds of external scanners to thousands of internal hosts? This one stood out to us right away.

Dissolving Perimeter Defense

New internet trends are inexorably dissolving your network perimeter defense.

  1. Peer-to-peer applications are client-based and therefore poke through your firewalls.
  2. Personal end-to-end VPNs allow bypassing of your perimeter by establishing encrypted channels invisible to your network systems.
  3. Mobile devices freely roam different access points downloading content and then running a myriad of applications within you organization.

These are just a few examples of how your perimeter is becoming irrelevant.

If you think of your enterprise network as your home, perimeter defense is a bit like placing good locks on your doors and windows, and then hoping that no thief can get inside. Unfortunately, as we all know, this is hardly enough. It is conventional wisdom: “If thieves want to get in your house, they will”.


It is becoming exceedingly apparent that this is true for your enterprise perimeter as well. No matter how sophisticated your perimeter is, there is always a way in. The increasing rate of data breaches involving large US corporations is good supporting evidence for this. The damages to brand reputation – and the actual costs associated with a data breach – grow exponentially with the size of the enterprise. Any improvement to the old perimeter defense paradigm is financially valuable.

So what is missing from this equation?

Let’s explore some options by comparison to your home’s physical security.

Option 1: “Keep all your valuables in a bank so that even if they break in, they cannot steal anything.”

BankThis approach is very effective, but it undermines your productivity. Keeping your data somewhere else (where it is more secure) works, but the problem is that you cannot really use it now. If you need quick access to your data for your business operations, you are shooting yourself in the foot. Also, the mechanisms to access your remote data are themselves a problem. If you went to your bank everyday to check on your valuables, you would expose yourself to attacks as soon as you come out the bank, so you are back to square one. Likewise, if you have to transmit your data from a more secure location, you then become vulnerable to the transmission mechanism.

Option 2: “Keep a low profile.”

Low Profile This approach helps, but it often goes against your business objectives and revenue potential. If no one knows about your enterprise, you will not be a target but you also will not be attracting customers.



Option 3: “Build even more perimeter defenses.”

CastleBuilding barriers on the outside of your network naturally discourages communications but additional barriers can constantly get in the way of getting your job done. You are limiting access, or making it more difficult to access your network. The other issue is that you are adding more of what was already ineffective. So, does it make sense to invest more on the same thing?

Option 4: “Invest in your internal defenses.”


If you install motion detectors in your house, you can improve your security. Even if someone makes it inside, they will trip the alarms. Sounds too good to be true? Well, it is. The cyber counterparts of motion detectors are prone to false positives (an alert is generated even though there is no nefarious activity). If you have motion detectors in your house and also own a dog/cat, you will know what I am talking about. Fido will almost certainly make your motion detectors useless. Likewise, demanding and inquisitive users in your network will constantly trip your internal monitoring tools.

Fortunately, in cyberspace we deal with digital information rather than analog images. Refining motion detection in cyberspace is easier than in the physical world. Imagine if a motion detector in your house could detect the motion of an individual coming through your living room, and subsequently also detect that the person opened a drawer in your bedroom. That would be interesting, right? A dog would not trip your house alarm, but someone breaking your perimeter and going straight for your possessions would be caught.

Motion detection alone is not very useful. However, if it is paired with some behavioral analysis, it becomes extremely effective. This what MetaFlows does: motion detection (in the cyberspace sense) plus behavioral analysis.

Diagram of behavioral analysis with MetaFlows

Our behavioral analysis requires that the internal alerts indicate more than one symptom, therefore greatly reducing false alarms. We monitor the behavior of every internal asset (even the ones that “walk in”, like smart phones) and wait to see if they exhibit at least two alerts typical of nefarious activity.

Some Simple Examples:

Successful Password Guessing

  1. We detect that host X performs brute-force password guessing on host A .
  2. We detect that host X receives more than 10 kilobytes from host B (another internal host).

Taken separately, neither alert would not be very interesting, but taken together they become very interesting. Likewise, someone trying several keys in your lock would not constitute an interesting event. Someone opening a drawer in your bedroom also would not be an interesting event. However, someone trying several keys and then opening your drawer a minute later is very interesting.

Malware Installation Through Browser Drive-By

  1. An internal host A is detected downloading an unsigned, unknown executable file.
  2. After a few minutes, host A is now communicating to a known malware controller host Y .

Notice again that separately these events are not useful, but together they are. Likewise, if you see a guest at a party carrying a screwdriver you would not think much of it. If a guest stumbles in a bedroom looking for a bathroom you also would not think much of it. However, if you saw a guest handling a screwdriver in one of your bedrooms, you would ask questions, right?


From the examples above, it is evident that behavioral correlation is useful. We have compiled a number of typical behavioral profiles that catch bad internal behavior. Every day, MetaFlows is helping enterprises of all sizes to catch what traditional perimeter systems can’t. To be clear, we do not advocate removing perimeter defense systems (in fact we also provide some of that ourselves), but we believe that it is futile to invest in products that are exclusively focused on securing the perimeter. Instead, we suggest that you try behavioral correlation and see what you can find hidden in your network. Register at for a free trial!

SC Magazine Review

Industry Innovators: Hall of Fame

The idea behind this Innovator’s service is that one can place sensors strategically around an enterprise and send the outputs to the cloud where advanced processing performs a host of security functions to result in more efficient, faster and more accurate functions than doing the same ones on-premises. Add global intelligence gathering to give depth and breadth to the core data available and you have the MetaFlows Security System (MSS).
In terms of Network Security, SC Magazine knows how to zero in on the important. As part of their end of year review of the best products, they felt inclined to mention us. And not just mention us, but review us.

Read more…

An IPS on Steroids

“An IPS on Steroids: MetaFlows Security System”

The secret behind the MetaFlows Security System (MSS) is that it really is a hybrid application. It collects data on the network and acts on malicious activity. So far, this is just about the same as any intrusion prevention system (IPS). But don’t be fooled. This is not just any IPS. Because it is a hybrid application – local and cloud-based – users get a lot of benefit from the cloud piece that are not available from a standard IPS. For example, a typical IPS gets its updates at whatever update interval the vendor determines. The updates usually are based on the efforts of the vendor’s threat assessment laboratory. Not so for MSS.
Peter Stephenson’s First Look at the MSS

SC Magazine Reviews: A Killer App

This is a killer app. The more we watched this one sort through the data that it was monitoring – over a million events and flows at a major university – and dig down and analyze it, the more we wanted one. This is a very serious service/application that we have to admit also is very cool. This is an intrusion detection system (IDS)/intrusion prevention system (IPS) on steroids. It uses just about every security paradigm that we can think of. It is tied into a network of honeypots all over the world. It allows both IDS and IPS, and it has a level of detail and drilldown that enables solid forensic analysis of events.

Read the article…