Our mission at Botprobe is to change the entrenched mindset that cyber security and complexity go hand in hand.
The path to cyber simplicity starts by tackling complexity at its root: the big data involved in threat detection.
At the heart of our technology are our data reduction algorithms, which turn network big data into reduced, structured data sets that are simple to analyse:
- reduced: less than 10% of a network packet is relevant in cyber threat detection
- structured: most sources of cyber threat data are unstructured; we deliver them as structured records
- simple: faster, more accurate, more cost-effective cyber security
If you are looking for 10-year-old Dave, who was last seen as a passenger in a red car, do you stop and search every car, or do you just stop the red cars and look at the passengers?
Threat detection today is driven by FOMO (fear of missing out). Traffic capture tools suck up every field of every packet in the entire network traffic stream. Some tools are able to filter what is captured on a per-protocol basis, but still keep every field of the protocols they do capture.
Botprobe is different. We turn full Packet Capture (PCAP) into selective Field Capture (FCAP), which lets us remove around 95% of the data that is unnecessary for threat detection.
The detection of most malicious actors can be reduced to a core set of indicator fields. Take the tens of thousands of rules available to Intrusion Detection Systems: of all the fields in the protocols those rules inspect, how many are actually referenced by any rule?
By extracting only the threat-related parameters and fields from the traffic flow, Botprobe discards around 95% of surplus data whilst retaining the context of the threat conversation. For example, if you only want the QQIC field from all your IGMPv3 traffic, we can give you exactly that, in whatever format you require (xls, csv, json, ipfix, Elastic Cloud, etc.).
Typical uses:
- efficient, cost-effective archival of PCAP lakes (such as lawful interception data)
- efficient, cost-effective long-term storage of network traffic for forensics
- efficient, cost-effective feed of network traffic into a SIEM
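To make the PCAP-to-FCAP idea concrete, here is an added example (not Botprobe's code, whose algorithms are not published on this page) of selective field capture in plain Python. It parses Ethernet/IPv4 frames, keeps only a short per-protocol field list (the TCP ports and flags, the UDP ports, and the group address and QQIC byte from IGMPv3 membership queries, as in the example above), emits JSON records, and measures how many of the raw bytes survive. The packets, the field selection in FIELD_SPEC and the helper names are all constructed for this example; a real deployment would derive the field list from the rule set it feeds.

```python
import json
import struct

# Fields kept per protocol. This selection is an assumption made for the
# example, standing in for whatever an IDS rule set actually references.
FIELD_SPEC = {
    "tcp": ("sport", "dport", "flags"),
    "udp": ("sport", "dport"),
    "igmpv3_query": ("group", "qqic"),
}


def _ip(raw):
    return ".".join(str(b) for b in raw)


def extract_fields(ts, frame):
    """Parse Ethernet/IPv4 and return only the fields FIELD_SPEC asks for.

    Returns None for frames that are not IPv4 or not one of the handled
    protocols, so they contribute nothing to the output.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    payload = frame[14 + ihl:]
    parsed = {}
    if proto == 6 and len(payload) >= 20:
        parsed["proto"] = "tcp"
        parsed["sport"], parsed["dport"] = struct.unpack("!HH", payload[:4])
        parsed["flags"] = payload[13]
    elif proto == 17 and len(payload) >= 8:
        parsed["proto"] = "udp"
        parsed["sport"], parsed["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == 2 and len(payload) >= 12 and payload[0] == 0x11:
        # IGMPv3 Membership Query (RFC 3376, section 4.1): group address at
        # offset 4, QQIC (Querier's Query Interval Code) at offset 9.
        parsed["proto"] = "igmpv3_query"
        parsed["group"] = _ip(payload[4:8])
        parsed["qqic"] = payload[9]
    else:
        return None
    rec = {"ts": ts, "proto": parsed["proto"],
           "src": _ip(frame[26:30]), "dst": _ip(frame[30:34])}
    for name in FIELD_SPEC[parsed["proto"]]:
        rec[name] = parsed[name]
    return rec


def fcap(packets):
    """Turn a list of (timestamp, frame) pairs into field records."""
    recs = (extract_fields(ts, frame) for ts, frame in packets)
    return [r for r in recs if r is not None]


def retained_fraction(packets, records):
    """Bytes of compact JSON output divided by bytes of raw frames."""
    raw = sum(len(frame) for _, frame in packets)
    out = len(json.dumps(records, separators=(",", ":")).encode())
    return out / raw


# --- constructed sample traffic (not a real capture) -------------------
def _ipv4_frame(proto, src, dst, payload):
    eth = bytes(12) + b"\x08\x00"          # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))   # checksum left 0
    return eth + ip + payload


def sample_packets():
    syn = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    data = struct.pack("!HHIIBBHHH", 51234, 443, 2, 1, 0x50, 0x18, 65535, 0, 0) + bytes(1000)
    dns = struct.pack("!HHHH", 5353, 53, 38, 0) + bytes(30)
    query = struct.pack("!BBH4sBBH", 0x11, 100, 0, bytes(4), 0x02, 125, 0)
    return [
        (1.0, _ipv4_frame(6, "10.0.0.5", "93.184.216.34", syn)),
        (1.1, _ipv4_frame(6, "10.0.0.5", "93.184.216.34", data)),
        (1.2, _ipv4_frame(17, "10.0.0.5", "10.0.0.1", dns)),
        (1.3, _ipv4_frame(2, "10.0.0.1", "224.0.0.1", query)),
        (1.4, bytes(12) + b"\x86\xdd" + bytes(40)),   # IPv6, not handled
    ]


if __name__ == "__main__":
    pkts = sample_packets()
    recs = fcap(pkts)
    print(json.dumps(recs, indent=1))
    print(f"retained {retained_fraction(pkts, recs):.1%} of raw bytes")
```

The reduction here comes almost entirely from dropping payload: the 1000-byte TCP data segment collapses to the same handful of fields as the SYN. That is also the caveat to keep in mind: a field list fixed in advance cannot recover a payload it never kept, so the selection has to be reviewed whenever detection rules change.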
Features and Benefits
- highly significant reduction of network traffic volumes (up to 95-97%)
- per protocol, field-by-field extraction
- stream aggregation, when possible
- obfuscated, efficient transport of captured traffic to the collector
- output to csv, xls, json, html, ipfix, ELK, etc.
- output to any analysis tool – SIEM, flow collectors, etc.
95% reduction in data means
- faster detection – security analysts and detection tools spend less time preparing data and more time hunting for threats
- increased accuracy – more efficient detection rules mean fewer false positives
- lower hardware costs – our software is optimised for lower-powered devices, thereby reducing cost of hardware
Where does Botprobe technology fit in my organisation?
As more businesses rely on data science to provide insights into cyber security, they start to encounter the big-data challenges posed during threat analysis:
- Traffic capture devices send a copy of the network traffic to an analysis engine, effectively doubling the traffic transmitted across the network
- A corporate network of 1,000 devices can easily transmit over 2TB of network traffic a day. Averaged over the day that is roughly 185 megabits per second, but an analysis engine has to keep up with the link rate, typically 1 to 2 gigabits per second, and 10 or more gigabits per second on higher speed links: a big ask of any threat analysis tool
- Archiving TBs of data a day is costly, and retrospective analysis of these data vaults is difficult and time-consuming. Therefore, most businesses discard this valuable source of threat forensics
To learn more about our technology contact us directly at firstname.lastname@example.org