MetaFlows launches SaaS intrusion detection agent
Security analysis and event logs analysed in cloud back-end
By Lucian Constantin | Published: 09:48, 31 January 2012
Network security monitoring startup MetaFlows launched a new Software-as-a-Service product that can be installed on low-cost hardware to monitor network traffic flow, detect possible intrusions and analyse event logs.
The MetaFlows Security System (MSS) is composed of local software agents that can run on inexpensive off-the-shelf hardware and a cloud-based service where the results are stored.
The local MSS sensors capture network events and transmit the corresponding data to the company's cloud system where they get analysed and sorted by priority. Customers can inspect the results using a secure web interface.
Related Articles on Techworld
The sensors can be deployed as standalone appliances or they can be installed on the customer's existing hardware using a Linux-based software package that contains proprietary and open source technology.
The software agent includes BotHunter, an intrusion detection system licensed from SRI International, the open source Snort IDS with generic signatures from the Emerging Threats project, the Flow, NetFlow, Sflow and CFlow network traffic monitoring plugins, log management tools compatible with OSSEC (Open Source Security) and MetaFlows proprietary applications.
The company also offers a package for setting up a honeypot client that acts as a decoy for internal network threats, although this is an optional feature.
One of MSS' key benefits is the low cost associated with its deployment and maintenance when compared to traditional IDS products, said MetaFlows CEO Livio Ricciulli.
This is partly due to the use of open source software, but also because of improvements made to it by MetaFlows. One example is the modifications made by the company to the PF_RING packet capture library in order to support multithreaded Snort instances on multi-core processors.
This allows MetaFlows sensors to process 800Mbps of sustained network throughput when using an eight-core Intel i7 CPU. In comparison, the max throughput that can be processed using a standard packet capture library with a single thread is 100Mbps.
On the server side, the company has developed a threat prediction algorithm similar to the one used by Google's search engine to rank websites. This technology is used to prioritise events, therefore increasing the productivity of network security analysts.
According to Ricciulli, tests performed by the company showed that with a traditional IDS solution, an analyst has to inspect between 20 and 30 incidents before finding one that requires an action. However, because MetaFlows' predictive algorithm uses anonymous statistics from all customers to determine the most serious events, an analyst will have to inspect only six or seven incidents in order to find an actionable one.
The nature of the platform, which allows data from sensors deployed in multiple computer networks of the same organisation to be gathered and inspected in a single place, facilitates better collaboration between analysts.
The company has received research funding from the US Department of Defense and the National Science Foundation.