Flowmon Anomaly Detection & MISP

November 29, 2022 Flowmon, Infrastructure Management

Back in 2021 we have introduced the integration between MISP, a community threat intelligence sharing platform and Flowmon ADS. The integration turns indicators of compromise shared through MISP to actionable intelligence. Flowmon ADS will automatically pick up on latest indicators of compromise using MISP API and leverage those indicators of compromise to detect adversary activities in the target network. The integration is available in Flowmon ADS 11.2 and newer versions. This way anyone can use community threat intelligence to report on malicious activities in the company environment.

How Indicators of Compromise Are Made?

Did you ever wonder how indicators of compromise are created? In addition to cyber security professionals who’s daily job is to reverse engineer malware and publish indicators of compromise, there is a large security community that protects various environments, detects and blocks malicious activities literary every second. This effort produces large volume of logs that contain very interesting information, particularly indicators of compromise in the form of IP addresses of attackers. To unlock the value hidden in the logs, extraction of indicators of compromise and sharing with the community is required.

Flowmon ADS & MISP Integration

This is exactly what we did in the context of our Network Detection & Response capabilities. Flowmon ADS provides various detection techniques based on machine learning, adaptive baselining, heuristics or behavior pattern to detect broad set of adversary activities at scale and without signatures. Coverage of unknown attacks is essential to produce valuable indicators of compromise.

The integration of Flowmon ADS and MISP to feed events into MISP as indicators of compromise. (1) Server running a customer’s instance of MISP platform. (2) Network element, e.g. core switch. (3) Flowmon appliance running Flowmon ADS for advanced threat detection. (4) Port mirroring to Flowmon appliance. (5) Implementation of MISP API to export indicators of compromise extracted from Flowmon events.

The concept of custom scripts in Flowmon ADS is the basis of an integration script that converts an event detected by Flowmon ADS into a standard MISP event with attached indicators of compromise as attributes. Events that are converted to indicators of compromise and exported to MISP are controlled by perspectives and private IP addresses are filtered automatically. Additional IP addresses can be filtered as required. The complete installation manual is part of the integration script, which is publicly available at https://github.com/progress/ADS-MISP.

 

See above event created in the MISP platform automatically from malicious activity detected and reported by Flowmon ADS.

This is our pay back to the cyber security community. Any Flowmon appliance can be part of joint global effort to make the internet more secure place. All Flowmon customers can leverage the integration free of charge together with Flowmon ADS 12.0 or newer.

This work is part of the Cyber security competence for research and innovation (CONCORDIA) project under the grant agreement no. 830297. 

 

Pavel Minarik

As Vice President of Technology at Progress Software, I'm responsible for overarching technology strategy and architecture of our Enterprise Application Experience products such as Flowmon, Loadmaster and What's Up Gold and experimental development in this area.

My vision is to empower enterprises with always on application experience accompanied with secure and well performing digital environment. On premise. In the data center. In private & public cloud. Consolidated picture of the network, applications and security in single Application Delivery, NetOps & SecOps solution with easy to use and flexible user interface providing insight out of the box.

As a senior researcher of Institute of Computer Science of Masaryk University I have participated in several research and development projects in domain of network traffic monitoring, analysis and cyber security. I'm author of more than ten publications in the domain of behavior analysis and several algorithms for traffic processing and anomaly detection summarized in PhD thesis “Building a System for Network Security Monitoring”.