Network Traffic Analysis

Dig Deeper into Your Network and Cloud Traffic to Find Malicious Activity

Detect and Analyze Threats in Your Network Traffic

Cyber attackers typically leverage multiple tactics to evade security tools, but in doing so they also create more opportunities for analysts to find them. Network traffic analysis (NTA) technology captures, processes, and analyzes network traffic to detect and investigate data that may indicate a cyber-attack. Typical network traffic analysis solutions use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.

NTA is All About Visibility

Network traffic analysis anchors threat detection and response by providing deep visibility into the other tactics and techniques attackers use to explore your network, expand control, and entrench themselves.

Fidelis Network® provides visibility across all ports and protocols and digs deeper into the traffic to analyze connections, flows, packets and metadata in real time, while also enabling retrospective analysis. With Fidelis you can automatically pivot to an integrated Endpoint Detection and Response solution, which is critical to containing a detected threat and minimizing its resolution time.

Retrospective Detection with Fidelis Network Traffic Analysis

Fidelis provides not only real-time analysis but also automated, retrospective analysis that gives your security team the visibility to look back at their systems over the last 360 days and thoroughly analyze what happened during a breach. Now you can understand how a cyber security defense was breached, what the threat did, and what needs to be done to prevent future breaches.

Metadata: The Secret Sauce to Network Traffic Analysis

The value of metadata is that it is easy to query, facilitates faster and deeper investigations and is much more cost-effective than storing full PCAPs. While other network traffic analysis solutions can collect some metadata, Fidelis Network is unique in its ability to go well beyond the high-level “stream” metadata and collect “rich metadata” from inside the session. For instance, with a web session, other vendors collect the source and destination IP, URL, and in some cases minimal header information. In contrast, Fidelis collects all of this plus more, including rich metadata from within the web session itself.

Fidelis Network® collects rich metadata including:

WHO
domain user, webmail user, FTP user, email address, device ID, organization name

WHAT
filenames, SHA256, MD5, content tags, malware name, malware type

WHEN
from present day/time to as far back as you want to store data

WHERE
source, destination, country, IP address, organization, URL, domain

HOW
protocols, applications, file type, user agent, custom protocols, obfuscated files and scripts
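To make the distinction between "stream" metadata and session-level "rich" metadata concrete, here is an added Python sketch (not Fidelis code) that turns constructed web-session records into WHO/WHAT/WHEN/WHERE/HOW records and then runs retrospective hunts over the stored records by file hash and by user agent. The session records, hostnames, addresses and file bytes are all constructed for the example.

```python
import hashlib

# Constructed sample web sessions, standing in for what a sensor reassembles.
SESSIONS = [
    {"ts": "2024-03-01T09:12:00Z", "src": "10.1.4.22", "dst": "203.0.113.9",
     "user": "CORP\\alice", "host": "files.example.net", "path": "/dl/tool.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0",
     "body": b"MZ\x90\x00constructed-sample-binary"},
    {"ts": "2024-03-01T09:12:30Z", "src": "10.1.4.22", "dst": "198.51.100.7",
     "user": "CORP\\alice", "host": "cdn.example.org", "path": "/ping",
     "ua": "python-requests/2.31", "body": b""},
]

def file_type(body: bytes) -> str:
    """Tiny magic-number check; a placeholder for a real file-typing engine."""
    if body.startswith(b"MZ"):
        return "pe-executable"
    if body.startswith(b"%PDF"):
        return "pdf"
    return "none" if not body else "unknown"

def stream_metadata(s: dict) -> dict:
    """Flow-level ('stream') metadata: endpoints and time, nothing from inside."""
    return {"ts": s["ts"], "src": s["src"], "dst": s["dst"]}

def rich_metadata(s: dict) -> dict:
    """Session-level metadata grouped by the WHO/WHAT/WHEN/WHERE/HOW categories."""
    body = s["body"]
    return {
        "who": {"user": s["user"]},
        "what": {"filename": s["path"].rsplit("/", 1)[-1] if body else None,
                 "sha256": hashlib.sha256(body).hexdigest() if body else None,
                 "md5": hashlib.md5(body).hexdigest() if body else None},
        "when": s["ts"],
        "where": {"src": s["src"], "dst": s["dst"], "domain": s["host"],
                  "url": f"https://{s['host']}{s['path']}"},
        "how": {"protocol": "http", "user_agent": s["ua"], "file_type": file_type(body)},
    }

def hunt(records: list, predicate) -> list:
    """Retrospective query over stored records; returns matching timestamps."""
    return [r["when"] for r in records if predicate(r)]

STORE = [rich_metadata(s) for s in SESSIONS]

# Hunt 1: a SHA256 IOC learned after the fact (computed from the constructed body).
ioc_sha256 = hashlib.sha256(b"MZ\x90\x00constructed-sample-binary").hexdigest()
hits_by_hash = hunt(STORE, lambda r: r["what"]["sha256"] == ioc_sha256)
# Hunt 2: sessions whose user agent is not a browser (scripted or automated clients).
hits_by_ua = hunt(STORE, lambda r: not r["how"]["user_agent"].startswith("Mozilla/"))
```

Neither hunt is possible over the output of `stream_metadata`, which is the practical point of keeping metadata from inside the session.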

Improving Visibility with Network Traffic Analysis

“One of our favorite takeaways from using a platform such as Fidelis Elevate was being able to exercise the concept of holistic visibility, meaning the environment is ingested, analyzed and treated as a single unit. Holistic visibility allows for threats to be analyzed and neutralized faster, and lets organizations make confident decisions that truly affect enterprise security.”

Matt Bromiley, Analyst, SANS


Network Traffic Analysis Use Cases

Advanced attacks are designed to evade traditional prevention and detection techniques. Fidelis Network identifies threats traversing the network as well as through AWS and Azure traffic.

Visibility Across Your Network and Cloud Traffic

Attackers know where to hide in your network traffic, but Fidelis provides bi-directional visibility across every port and every protocol. Attackers have nowhere to hide.

Data Loss Prevention

Fidelis inspects all content going across the wire to identify and prevent data exfiltration. Every email is scanned in its entirety against a rigorous policy engine to ensure the protection of sensitive data.

Threat Detection

Fidelis Network leverages numerous detection techniques to identify threats at different stages across the kill chain, including supervised and unsupervised machine-learning techniques, deep packet and deep session inspection, malware detection, sandboxing, asset inventory, and more.

  • Real-time: Each packet and session is broken down and reassembled in real-time for immediate detection and analysis.
  • Retrospective: Rich metadata enables retrospective detection and analysis going back many months.

Incident Response

Fidelis Network is used in IR investigations to help mitigate damage and recover from an incident. Because Fidelis Network and Endpoint are seamlessly integrated, incident responders can substantially speed up alert investigation and resolution.

Fidelis automatically validates that a threat detected via network traffic has in fact compromised an endpoint or multiple endpoints in the environment, and provides incident responders with the ability to automatically take an action, such as isolating impacted endpoints from the network.

What Customers Are Saying

"We used Fidelis Network to evaluate IOCs and threat hunt with 100's of Gigabits of data. It does a great job of building a story of what a threat actor may be doing on the network. With its insight, we were able to find a correlation of a beacon that was phoning home on a variable of 3-6 month...

Key Benefits of Fidelis’ Network Traffic Analysis

Fidelis Network is a robust solution that:

  • Provides visibility across all ports and all protocols
  • Bi-directionally scans all network traffic to reveal network and application protocols, files, and content via sensors that can be placed at the gateway, internally, in the cloud, and at both the email and web gateways
  • Conducts real-time analysis of raw network packet traffic or traffic flows
  • Monitors and analyzes north/south traffic as well as east/west traffic
  • Differentiates between normal and anomalous network and cloud traffic
  • Leverages machine learning and analytics to detect network traffic anomalies
  • Provides rich metadata that enables retrospective detection and analysis going back many months
  • Profiles TLS encrypted traffic based on metadata and certificates, determining human browsing versus machine traffic, and leveraging data science models to detect hidden threats
  • Consolidates similar alerts and the related context and evidence to speed alert triage
  • Integrates with Fidelis Endpoint to automate relevant response actions based on what has been detected

Eliminate Blind Spots with Network Traffic Analysis
