IT professionals seek out solutions that provide in-depth visibility into their networks and streamline processes so they can more efficiently catch anomalies.
A recent update to Progress Flowmon Anomaly Detection System (ADS) addresses these common customer concerns. Read on for a closer look at how Flowmon ADS 12.3 improves your organization’s threat analysis and cybersecurity strategy.
Analysis Summary and Threat Score Widgets in Dashboard and Reports
Two new widgets enable you to assess the security posture and focus on the most critical threats.
Analysis Summary
The Analysis Summary delivers information and actionable insights for security professionals. It compares the selected period with the previous period of the same length, so you can see what has changed, which threat actors or hosts of interest matter most, and how the security situation is evolving. The summary can be added either as a dashboard widget or as a report chapter.
Note: When editing the Analysis Summary widget, you can select what sections (flows, events, threat score, methods) will be displayed.
You can also switch method codes to full names (e.g., from “DOHDET” to “Communication with DoH servers”).
Figure 1: Two new widgets on the Flowmon dashboard. Analysis Summary is highlighted in green on the left. Threat Score is on the right.
Threat Score
Threat Score helps pinpoint the most critical threat actors and prioritize your investigation work. It considers several factors, such as the number of detected events, their priority and the number of targets involved. Threat Score uses tactics from the MITRE ATT&CK framework to present the metrics in an understandable way. Figure 1 shows the Threat Score widget on the Flowmon Dashboard, with the top 10 hosts sorted by their Threat Score.
HOW TO ENABLE THE NEW WIDGETS
To add the new widgets to your Dashboard, simply hit the New Widget button at the bottom of your dashboard or the New Chapter button when creating or editing a report.
Streamlined Event Analysis Workflow
The Flowmon security dashboard provides a detailed overview of the current security posture. It allows you to prioritize your next step in investigations, which often requires getting additional insights directly from Flowmon ADS.
This release extends the context menu for IP addresses and methods in Flowmon ADS widgets to make the path from a dashboard or report into ADS more seamless. Click the IP address or method of interest and pick an option from the new context menu to jump directly into ADS.
Figure 2: New context menu for IP addresses and methods.
Selecting an option from the menu will quickly open a prefilled view in Flowmon ADS with relevant events or hosts for analysis.
Figure 3: Prefilled values in ADS.
This feature is automatically enabled for Flowmon ADS widgets. You can use it from the dashboard or reports.
Multi-Tenancy
Managed service providers (MSPs) typically provide services to multiple organizations. The 12.3 release introduces multi-tenancy, allowing separate data spaces and isolated configurations for individual tenants on a single Flowmon deployment. ADS now supports tenants defined in the Flowmon Configuration Center, so an MSP can manage multiple clients on one deployment without any client being aware of the others.
In the Flowmon Configuration Center, you specify the flow sources or profiles a tenant can access, and you assign those profiles to a particular data feed in ADS. Users can only view data they have been granted access to. The REST API is also updated: endpoints now include a “tenantId” field that identifies the tenant an object belongs to, so API clients should filter on it rather than assume a single tenant per deployment.
The Tenants chapter in the user guide outlines specific requirements for using a multi-tenant environment in ADS. Make sure to check the specifics in this chapter, especially if you are using Syslog and SNMP reporting, want to enforce a flow per second (FPS) limit on tenants, are unable to upgrade to version 12.3, or want to learn more about how multi-tenancy works in ADS 12.3.
This change is not compulsory. After updating to ADS 12.3 you can keep using Flowmon in single-tenant mode, and no change to your current configuration is required. Multi-tenancy is available as an option if you want to support multiple clients.
HOW TO ENABLE MULTI-TENANCY
To enable and configure tenants in Flowmon ADS follow the Configuration Center > System > User Settings > Tenants menu pathway and the steps described on the Tenants page.
Figure 4: Navigating to the Tenants Management screen.
Once you’ve created the desired tenants, you need to create new roles and users for each one. To do this, you need to switch to the specific tenant and then create the roles and users in that tenant. Afterward, you switch to the ADS management screens and configure each tenant according to their specific needs.
The details on configuring tenants and keeping their settings separated are in the “About Tenants” chapters of the Flowmon and Flowmon ADS user guides.
Improved Detection for DNS Traffic
In response to customer feedback and the increased use of TCP for DNS in modern networks, ADS 12.3 improves the methods for detecting DNS traffic anomalies. The improvements are:
- A new parameter called “IgnoreInternal” was added to the “TCPDNS” submethod in “DNSANOMALY”. Enabling it adds a check that the destination IP is external, which suppresses detections of large DNS-over-TCP transfers that never leave the monitored network. Note that this also hides large internal-to-internal DNS-over-TCP transfers from this submethod, so enable it only where your internal DNS servers are trusted.
- ADS 12.3 widens the range of the “TCPTransferLimit” parameter so the threshold can be set as high as 100 MB of TCP traffic in 5 minutes, giving more room to tune the submethod’s sensitivity to your environment.
- The “UnusualServer” submethod in “DNSANOMALY” gains a new parameter called “ClientsToExclude”. It lets you list DNS servers that legitimately act as DNS clients at times, such as recursive resolvers forwarding queries upstream on behalf of their clients, so they are not reported as hosts talking to unusual servers.
- The “DNSQUERY” method now delivers more accurate results for DNS requests sent over TCP. For TCP traffic the method counts one flow as one request, instead of one packet as one request. The per-packet rule remains valid for UDP, where each query is a single datagram, but a TCP query spans several packets for the connection handshake and teardown, so counting packets overstated the number of TCP requests. This change lowers the number of false positive detections for DNS requests sent via TCP.
The new DNSANOMALY parameters are configured in the method settings. No configuration change is required to benefit from the DNSQUERY change.
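As an added illustration (not Flowmon’s own code; the release notes do not describe the product’s internals), the following Python model runs the three behaviours described above over constructed flow records: the TCPDNS large-transfer check with and without the IgnoreInternal filter, the UnusualServer check with and without ClientsToExclude, and DNSQUERY request counting per packet versus per flow for TCP. The flow field names, the internal-network list, the thresholds and the simplified semantics of each submethod are assumptions made for the example.

```python
"""Toy model of the ADS 12.3 DNS detection changes (added example, not Flowmon code).

Assumptions: flows are unidirectional client->server records with the fields
below; "internal" means the configured prefixes in INTERNAL_NETS; the
submethod semantics are simplified guesses, not the product's algorithms.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "TCP" or "UDP"
    dport: int
    packets: int
    octets: int


# Assumed internal address space (Python's is_private() also treats the
# documentation ranges used below as private, so we test explicitly instead).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flows for one 5-minute window (not captured traffic).
FLOWS = [
    Flow("10.0.0.5", "10.0.0.53", "TCP", 53, 4000, 60_000_000),    # large internal DNS/TCP transfer
    Flow("10.0.0.7", "203.0.113.9", "TCP", 53, 3000, 45_000_000),  # large DNS/TCP transfer leaving the network
    Flow("10.0.0.7", "203.0.113.9", "UDP", 53, 30, 2_400),         # 30 ordinary UDP queries
    Flow("10.0.0.8", "198.51.100.2", "TCP", 53, 6, 420),           # one TCP query: handshake + query + teardown
    Flow("10.0.0.53", "198.51.100.2", "UDP", 53, 12, 960),         # internal resolver forwarding upstream
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def tcp_dns_transfers(flows, tcp_transfer_limit, ignore_internal=False):
    """TCPDNS-style check: (src, dst) pairs whose DNS-over-TCP bytes in the
    window exceed tcp_transfer_limit. With ignore_internal, only external
    destinations are considered."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto != "TCP" or f.dport != 53:
            continue
        if ignore_internal and is_internal(f.dst):
            continue
        totals[(f.src, f.dst)] += f.octets
    return sorted(pair for pair, total in totals.items() if total > tcp_transfer_limit)


def unusual_servers(flows, known_servers, clients_to_exclude=frozenset()):
    """UnusualServer-style check (assumed model): clients querying a DNS server
    outside known_servers, skipping clients listed in clients_to_exclude."""
    hits = set()
    for f in flows:
        if f.dport != 53 or f.dst in known_servers or f.src in clients_to_exclude:
            continue
        hits.add((f.src, f.dst))
    return sorted(hits)


def dns_request_count(flows, per_flow_tcp=True):
    """DNSQUERY-style counting. UDP: one request per packet. TCP: one request
    per flow (new behaviour) or per packet (old behaviour, for comparison)."""
    counts = defaultdict(int)
    for f in flows:
        if f.dport != 53:
            continue
        if f.proto == "UDP" or not per_flow_tcp:
            counts[f.src] += f.packets
        else:
            counts[f.src] += 1
    return dict(counts)


def dnsquery_alerts(flows, request_limit, per_flow_tcp=True):
    """Hosts exceeding request_limit DNS requests in the window."""
    return sorted(h for h, c in dns_request_count(flows, per_flow_tcp).items() if c > request_limit)


if __name__ == "__main__":
    print("TCPDNS, all destinations: ", tcp_dns_transfers(FLOWS, 40_000_000))
    print("TCPDNS, IgnoreInternal:   ", tcp_dns_transfers(FLOWS, 40_000_000, ignore_internal=True))
    print("UnusualServer:            ", unusual_servers(FLOWS, {"10.0.0.53"}))
    print("  with ClientsToExclude:  ", unusual_servers(FLOWS, {"10.0.0.53"}, {"10.0.0.53"}))
    print("DNSQUERY alerts, per-packet TCP:", dnsquery_alerts(FLOWS, 100, per_flow_tcp=False))
    print("DNSQUERY alerts, per-flow TCP:  ", dnsquery_alerts(FLOWS, 100))
```

With the per-packet rule, the two bulk TCP transfers look like thousands of DNS requests and trip a 100-request threshold; counting one request per TCP flow removes both alerts, while the large-transfer check still reports the transfer that actually leaves the network.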
Submethods Can Be Turned Off in the Method Instance Configuration
The method instance settings now let you deactivate specific submethods. This is useful when a submethod is irrelevant to your environment, or when you want to temporarily silence a detection while you are still deploying and tuning. Previously, only some submethods could be turned off, and only through method-specific configuration parameters.
With ADS 12.3, every submethod can be turned off the same way in the UI, under Flowmon ADS > Settings > Processing > Methods.
Top Targets Added to Event Attributes
The Event Detail screen now includes attributes listing the 20 most relevant targets of the event. The list is not static: it is updated as new information arrives, so it always reflects the latest data. How relevance is measured depends on the detection method. For BITTORRENT, COUNTRY, DIRINET, HIGHTRANSF, PEERS and WEBSHARE, the targets with the highest data transfer volume are chosen; for other methods, targets are ranked by the number of flows. This feature is enabled by default in ADS 12.3.
Figure 5: Top 20 targets shown in the Event Detail screen.
Find Out More
Visit the Flowmon platform page for details of Flowmon and the Flowmon ADS page for further information on the ADS module. To talk with an expert about how Flowmon can help improve the security of your networks, contact us.
For a free trial of Flowmon to see how it can deliver actionable insights for your organization in minutes, visit our free trial page. Our support team can assist during your free trial testing. Use the contact page to start a conversation with the support team.