Businesses and government agencies are at risk of an increasing array of information security threats such data theft, malware, denial-of-service attacks and even compromise by insiders. No single security control or policy can address all threats. Instead, IT needs to deploy multiple measures. A key challenge for InfoSec professionals is to collect and integrate data on security events from the array of security controls deployed to protect assets. This is where security analytics comes in.
NetBeat MON from Hexis Cyber Solutions, is a security analytics product designed to help protect medium-sized businesses, specifically ones with multiple locations.
In a nutshell, NetBeat MON is a monitoring appliance that observes network activity within any network and its devices. Hexis presents the benefits of the product as supporting "network hygiene." That is, understanding and managing the contents of network traffic using tools such as packet capture and analysis, network flow analysis and intrusion detection.
Combining open source tools
Hexis Cyber Solutions did not reinvent the proverbial wheel when it comes to network monitoring, but it did combine well-established open source tools to bring cost-effective, consolidated monitoring to a broader market. NetBeat MON combines the features of five open source network monitoring tools: ntop, Wireshark, Suricata, Snorby and dumpcap.
- Ntop is a network traffic sorting tool that supports IPv4 and IPv6. The tool allows you to sort IP traffic using multiple criteria, including source, destination and protocol.
- Wireshark is a network protocol analysis tool that allows for both live traffic capture and offline analysis, including voice over IP. Information captures with Wireshark can be viewed in either a GUI or the TTY-mode TShark utility, and packet lists can be assigned a color scheme to help with sorting and analysis.
- Suricata is a tool developed by the Open Information Security Foundation. The tool is used for monitoring network traffic, as well as providing combined intrusion detection system/intrusion prevention system functionality. Admins can also write rules to specific protocols, as opposed to receiving ports.
- Snorby is a network security monitoring tool built using Ruby on Rails. Reporting features include the ability to classify events into predefined or custom categories for future reports. Additionally, the tool can integrate with OpenFPC, a packet capture tool.
- Lastly, dumpcap is a tool for network traffic dumping. Dumpcap captures packet data in pcap-ng files, although libpcap formatting is also available. Features include customizable UIs, automated patching and remote management, as well as analysis, NetFlow and packet capture capabilities.
The deployment of NetBeat MON is dependent upon an organization's operation. The product requires the deployment of individual appliances at each of its locations. These appliances are either configured as a Master or a Minion unit upon setup -- the capabilities and duties of each unit follow. The Master unit will most likely be deployed at an organization's central office, allowing for centralized management of the Minions.
Each unit offers 8x DIMM RAM slots, 4 x 3.5-inch hard drive bays (hot-swappable), and an Intel i350 Dual Port GB Ethernet port. The NetBeat MON racks are built on Intel Xeon processors. See here for a full specification list.
As for purchasing and support, the NetBeat MON appliance is available only through channel partners. Single-call support is provided for one year after purchase, after that it is $1,500 per unit per year. The Hexis support team can answer questions regarding the open source tools that make up NetBeat MON, but does not provide direct support. Hardware issues are solved by sending the malfunctioning device back for repair.
No business or organization is too small to be the target of malicious cyber activities. Small and midsize business with limited resources can leverage open source security analytics tools without breaking their capital expenditure budgets.
Unfortunately, unless someone on staff is familiar with the implementation details of the range of open source tools in use, then deploying and maintaining a set of well integrated applications is difficult. NetBeat MON relieves some of that burden with a consolidated package of security analytics tools that does not demand an enterprise-scale budget to pay for it.
Editor's note: Hexis Cyber Solutions was recently acquired by WatchGuard, which may impact the NetBeat MON security analytics product line.
Part one of this series explains the basics of security analytics products
Part two of this series examines the use cases for security analytics
Part three of this series looks at how to procure security analytics products
Part four of this series compares the best security analytics products on the market