Use Cases

At the heart of our ethos is “simplicity in cyber security.”

We believe central to this is less data, but better data.

Our intelligent data-capture algorithms integrate seamlessly into existing security infrastructures to reduce superfluous network traffic by up to 95%.

Threat Mitigation

Cyber Forensics

Network Traffic Capture*

Home worker network protection

The Problem

Since Covid-19 lock down in January 2020, the number of employees working from home has increased significantly. At the same time, the number of cyberattacks has increased, with attackers focusing on compromising home networks to obtain confidential information (intellectual property, customer data, business accounts, etc.) or gain access to the corporate network. The most likely route for an attacker is via a vulnerable device on the home network (family member PC, webcam or other IP enabled device) rather than via the home worker’s laptop.

Today’s Workflow

Today, remote users working from a home office or satellite office are protected by anti-virus and VPN technology. This protects the end-point device (the user’s laptop), but it provides no protection against a malicious compromise of the network itself (malware or an attacker) which, once access is achieved, will pivot to the corporate network via the VPN, or sit on the satellite office network to siphon data.

The Botprobe Solution

Botprobe’s Home Worker Security solution sits on a remote worker’s network to complement AV and VPNs. As well as enhancing the protection of the home worker, the primary function of Botprobe is to identify malicious activity on the home network before it can breach the corporate network.

Botprobe Benefits:

  • Protection of corporate network, as well as increasing home worker protection
  • Feeds network traffic into SIEM for intrusion detection rules
  • Increased accuracy and speed of detection
  • Simple plug-and-play device
  • Affordable solution that scales well for many home workers

For more information: https://botprobe.co.uk/homeworker/


Network traffic into SIEM

The Problem

SIEM is an elemental part of an organisation’s Security Operations Centre, providing the ability to correlate logs from different devices to detect threats and perform root-cause analysis. Network traffic is a vital source of threat information. However, big-data volumes of network traffic make it costly to feed into SIEMs that charge per GB for ingestion and storage.

Today’s Workflow

Today, it is possible to feed packet capture (PCAP) directly into a SIEM. However, the volumes of traffic data mean it is very costly to ingest TBs of data a day. Alternatively, a limited subset of data from small, key domains can be fed into SIEMs, but the use of this limited data for full network threat detection/protection is questionable.

The Botprobe Solution

Botprobe’s intelligent hardware and software probes selectively capture traffic for threat detection. Achieving significant volume reductions of up to 95-97% means it is cost-effective to feed network traffic into SIEM from multiple probes distributed across the network infrastructure. Network traffic can then be correlated against other logs for improved security analysis.

Botprobe Benefits:

  • Increased security protection as the visible threat surface can be extended to include the entire network infrastructure
  • Improved security as device logs can be correlated against network traffic
  • Improved security as powerful SIEM search and alerting languages can be used on network traffic (see “SIEM-based IDS” use case)
  • More data makes it easier and faster for analysts to get to the root cause of a threat


SIEM-hosted IDS

The Problem

SIEM is a critical element in an organisation’s Security Operations Centre, providing the ability to correlate logs from different devices to detect threats and perform root-cause analysis. Network traffic is a vital source of threat information. However, big-data volumes of network traffic make it costly to feed into SIEMs that charge per GB for ingestion and storage.

Today’s Workflow

Today, it is possible to feed alerts from IDS solutions, such as Snort or Suricata, into a SIEM. Whilst this is useful for correlation against other device logs, the information in the IDS alerts is often limited.

Today, IDS is a distributed solution, with multiple IDS devices located at critical locations in a network. Each one of these units needs updating when new rules are released.

The Botprobe Solution

Botprobe’s intelligent hardware and software probes are able to cost-effectively feed network traffic into SIEM (see “Network traffic into SIEM” use case). This makes it possible to apply powerful SIEM search languages to create detailed IDS rules. Should the ingested traffic trigger an Intrusion Detection rule in the SIEM, the analyst has all the relevant network traffic from before and after the trigger available for investigation. Using the SIEM as a central IDS means there is only a single source of detection rules to maintain.

Botprobe Benefits:

  • Increased security protection as the visible threat surface can be extended to include the entire network infrastructure
  • Improved security as device logs can be correlated against network traffic
  • Improved detection as powerful SIEM search languages can be used to create modern IDS rules
  • Improved detection as network traffic is available to search before and after an alert
  • Improved security as there is one single set of IDS rules to maintain
  • More data makes it easier and faster for analysts to get to the root cause of a threat


SOC analyst empowerment

SOC network traffic analysis

Traffic capture on high-speed backbones

PCAP Mining*

Forensics software use cases:

PCAP lake reduction for long-term storage

The Problem

Many organisations have PCAP lakes – terabytes or even petabytes of network traffic that has been retained for a reason, such as lawful interception or during a breach. This is expensive to store. If an analyst is required to examine data in these lakes, finding the data needed is difficult and slow, even before the data can be analysed.

Today’s Workflow

Today, PCAP lake data analysis is possible, but very inefficient. Anyone who has had to analyse a 2GB file in a PCAP analysis tool will appreciate how slow this can be. Imagine doing this with a 100GB file. Techniques such as compression can make storage more efficient, but analysis is slower as the data first needs to be uncompressed. Indexing makes searching data quicker, but does not address storage volumes. Capturing flow streams is an alternative to full packet capture, addressing storage volumes and ease of analysis. However, the packet fields available for capture are limited, meaning the all-important contextual threat information could be lost.

The Botprobe Solution

Botprobe’s forensic tool siphons PCAP lakes to extract just the data required for storage. This is not based on compression, indexing or flows. Instead, individual fields are extracted from protocols, significantly reducing the volume of data that requires storage (up to 95%-97%) without losing the contextual fields required.

Captured traffic data can be output as csv, xls, json, ipfix, elastic cloud, etc.

Botprobe Benefits:

  • Significantly reduces PCAP lakes (up to 97%) for cost-effective long-term archival
  • Siphons by individual protocol field so threat context is retained
  • Allows faster, simpler analysis of data


Post-breach network traffic forensics

The Problem

The sheer volume of traffic on corporate networks makes it difficult to capture network traffic from across multiple broadcast domains and store it, such as for use in network forensics following a breach. This means that organisations are ignoring a vital source of data that should be used in threat detection and root-cause analysis.

Today’s Workflow

Today, it is possible to capture network traffic with a packet sniffer. Due to traffic volumes, sniffers are typically limited to capturing traffic on small broadcast domains, and typically this is used for investigating and troubleshooting network transmission issues. Sniffers can also be used for real-time investigation of cyber security issues, but the volumes of traffic mean investigations are limited to certain broadcast domains.

For prolonged traffic capture, such as a long-term investigation or data archival for root-cause analysis, storing captured traffic is expensive and post-capture analysis is slow, difficult and inefficient.

The Botprobe Solution

Botprobe’s intelligent hardware and software probes capture ONLY traffic that is useful for cyber security. All other superfluous traffic gets ignored. Typically up to 95% of traffic can be discarded. This makes it very efficient to store the remaining 5% of traffic long term. This traffic capture efficiency makes it possible to have probes in each broadcast domain capturing traffic for full network visibility.

Captured traffic data can be output as csv, xls, json, pcap, ipfix, elastic cloud, etc.

Botprobe Benefits:

  • A 95% reduction in data volumes makes network traffic storage affordable
  • With only 5% of traffic to analyse, it is much faster and simpler to interrogate the data
  • Support for multiple output formats means integration into existing security analysis solutions is possible, so existing security/SOC platforms do not need to be replaced
  • Makes it possible to continuously capture and store traffic, as part of root-cause forensic analysis, to understand what was happening before a breach


Threat-replay against historic network traffic

The Problem

New intrusion detection rules are released daily. IDS tools (such as Snort or Suricata) can only apply a new rule to traffic that is analysed after the update. Therefore IDS tools will only detect matches for these new rules post-update. What if a malicious event took place in your network before the new detection rules were applied?

Today’s Workflow

Today, it is difficult to apply new rules retrospectively to historical traffic. One cannot go back in time to apply these. The other option is to capture all network traffic and archive it, which is costly and inefficient (see “PCAP lake reduction” use case above).

The Botprobe Solution

Botprobe’s intelligent hardware and software probes can efficiently capture network traffic for long-term storage, with data volume reductions approaching 97%. Traffic captured by Botprobe and stored as csv, json, ipfix, etc. can be reconstructed back into PCAP format and replayed into IDS devices that have been updated with the new ruleset, making it possible to go back in time to see if your network was infected before the rule was created.

Botprobe Benefits:

  • Retrospective IDS analysis of network traffic provides strong security protection
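To make the field-extraction idea behind the “PCAP lake reduction” use case and the header-only replay in this use case concrete, here is an added Python example (not Botprobe’s code) that walks a constructed pcap, keeps a handful of IPv4/TCP header fields per packet as JSON records, measures the volume reduction, and rebuilds a header-only pcap from those records. The field set, the pcap builder and the sample frames are this example’s own assumptions; a rebuilt capture can only trigger IDS rules that match on the fields that were retained, so rules that inspect payload content need those payload fields kept at siphon time.

```python
import json
import socket
import struct

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload

def to_pcap(frames):
    """Serialise (ts_sec, frame) pairs as a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in frames:
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

def siphon(pcap):
    """Keep only selected header fields per packet; non-IPv4/TCP frames and all payload are dropped."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    records, off = [], 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP: superfluous for this example
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        records.append({"ts": ts, "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                        "sport": struct.unpack("!H", tcp[:2])[0], "dport": struct.unpack("!H", tcp[2:4])[0],
                        "flags": tcp[13], "payload_len": len(tcp) - (tcp[12] >> 4) * 4, "bytes": len(frame)})
    return records

def reduction(pcap, records):
    """Fraction of bytes removed when the raw pcap is replaced by JSON field records."""
    return 1 - len(json.dumps(records).encode()) / len(pcap)

def rebuild_pcap(records):
    """Reconstruct a header-only pcap from stored records for replay; payload bytes are gone."""
    return to_pcap([(r["ts"], tcp_frame(r["src"], r["dst"], r["sport"], r["dport"], b"")) for r in records])

# Constructed sample lake: two 1400-byte TCP data segments, one ARP frame and a bare ACK.
SAMPLE = to_pcap([
    (1700000000, tcp_frame("10.0.0.5", "203.0.113.9", 51000, 443, b"A" * 1400)),
    (1700000001, tcp_frame("203.0.113.9", "10.0.0.5", 443, 51000, b"B" * 1400)),
    (1700000002, b"\x02" * 6 + b"\x04" * 6 + b"\x08\x06" + b"\x00" * 28),  # ARP, dropped
    (1700000003, tcp_frame("10.0.0.5", "203.0.113.9", 51000, 443, b"")),
])
```

Running `siphon(SAMPLE)` on this sample keeps three records and removes roughly 85% of the bytes; feeding `rebuild_pcap(...)` back through `siphon` returns the same endpoints with every `payload_len` at zero.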


* These use cases are ALL only possible because we reduce network traffic by 95%