IT professionals seek out solutions that provide in-depth visibility into their networks and streamline processes so they can more efficiently catch anomalies.
A recent update to Progress Flowmon Anomaly Detection System (ADS) addresses these common customer concerns. Read on for a closer look at how Flowmon ADS 12.3 improves your organization’s threat analysis and cybersecurity strategy.
Two new widgets enable you to assess the security posture and focus on the most critical threats.
The Analysis summary delivers information and actionable insights for security professionals. It compares the selected period with the previous one of the same length—allowing you to see what has changed, what the most important threat actors or hosts of interest are and how the security situation is evolving. This widget can also be added to the Widget or Report chapter.
Note: When editing the Analysis Summary widget, you can select what sections (flows, events, threat score, methods) will be displayed.
You can also switch method codes to full names (e.g., from “DOHDET” to “Communication with DoH servers”).
Figure 1: Two new widgets on the Flowmon dashboard. Analysis Summary is highlighted in green on the left. Threat Score is on the right.
Threat Score helps pinpoint the most critical threat actors and prioritize your investigation work. It considers factors such as the count of detected events, their priority and the number of targets. Threat Score uses tactics from the MITRE ATT&CK framework to display the metrics in an understandable way. Figure 1 shows the Threat Score widget on the Flowmon dashboard, with the top 10 hosts sorted by their Threat Score.
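To make the prioritization idea concrete, here is an added example (not Flowmon code; the post does not disclose the real Threat Score formula) of a hypothetical scoring model that does what the paragraph describes: it weights each event by priority and target count, aggregates the weights per host, keeps a per-tactic breakdown and returns the top hosts. The priority weights, the method-to-tactic mapping and the sample events are all constructed for the illustration.

```python
# Added illustration of host prioritisation in the spirit of a "threat score".
# This is NOT Flowmon's scoring formula (the post does not disclose it), only a
# hypothetical model: events are weighted by priority and target count and
# aggregated per source host, with a breakdown by MITRE ATT&CK tactic.
from collections import defaultdict
from math import log2

# Hypothetical priority weights: higher-priority events count more.
PRIORITY_WEIGHT = {"critical": 8.0, "high": 4.0, "medium": 2.0, "low": 1.0}

# Hypothetical mapping from detection method codes to ATT&CK tactics.
METHOD_TACTIC = {
    "DOHDET": "Command and Control",
    "DNSANOMALY": "Exfiltration",
    "BITTORRENT": "Exfiltration",
    "DIRINET": "Discovery",
}

def event_weight(priority, targets):
    """Weight of one event: priority weight scaled by log2 of the target count."""
    return PRIORITY_WEIGHT[priority] * (1.0 + log2(max(1, targets)))

def threat_scores(events):
    """Aggregate per-host scores with a per-tactic breakdown.

    Each event is a dict with keys: host, method, priority, targets.
    Returns {host: {"score": float, "tactics": {tactic: float}}}.
    """
    scores = {}
    for ev in events:
        entry = scores.setdefault(ev["host"], {"score": 0.0, "tactics": defaultdict(float)})
        w = event_weight(ev["priority"], ev["targets"])
        tactic = METHOD_TACTIC.get(ev["method"], "Unknown")
        entry["score"] += w
        entry["tactics"][tactic] += w
    return scores

def top_hosts(events, n=10):
    """Return the n highest-scoring hosts as (host, score) pairs, highest first."""
    ranked = sorted(threat_scores(events).items(),
                    key=lambda kv: kv[1]["score"], reverse=True)
    return [(host, round(v["score"], 2)) for host, v in ranked[:n]]

# Constructed sample events (not real detections).
SAMPLE_EVENTS = [
    {"host": "10.0.0.5", "method": "DOHDET", "priority": "high", "targets": 1},
    {"host": "10.0.0.5", "method": "DIRINET", "priority": "medium", "targets": 64},
    {"host": "10.0.0.9", "method": "DNSANOMALY", "priority": "critical", "targets": 2},
    {"host": "10.0.0.12", "method": "BITTORRENT", "priority": "low", "targets": 256},
]

if __name__ == "__main__":
    for host, score in top_hosts(SAMPLE_EVENTS):
        print(host, score, dict(threat_scores(SAMPLE_EVENTS)[host]["tactics"]))
```

With the constructed data, the host with one high-priority event and one medium-priority event against 64 targets outranks the host with a single critical event against two targets, which is the kind of trade-off a score that combines priority with target count is meant to surface.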
HOW TO ENABLE THE NEW WIDGETS
To add the new widgets to your Dashboard, simply hit the New Widget button at the bottom of your dashboard or the New Chapter button when creating or editing a report.
The Flowmon security dashboard provides a detailed overview of the current security posture. It allows you to prioritize your next step in investigations, which often requires getting additional insights directly from Flowmon ADS.
This release extends the context menu for IP addresses and methods in Flowmon ADS widgets to make the path from a dashboard or report to ADS more seamless. You can now go directly from a dashboard or report to ADS by clicking the IP address or method of interest and selecting an option from the new context menu.
Figure 2: New context menu for IP addresses and methods.
Selecting an option from the menu will quickly open a prefilled view in Flowmon ADS with relevant events or hosts for analysis.
Figure 3: Prefilled values in ADS.
This feature is automatically enabled for Flowmon ADS widgets. You can use it from the dashboard or reports.
Managed service providers (MSPs) typically provide services to multiple organizations. The 12.3 release introduces multi-tenancy, which allows separate data spaces and isolated configurations for individual tenants on a single Flowmon deployment. ADS now supports tenants defined in the Flowmon Configuration Center, so MSPs can manage multiple clients on one deployment without any of their clients being aware of the others.
In the Flowmon Configuration Center, you specify the flow sources or profiles a tenant can access, and you assign these profiles to a particular data feed in ADS. Users can only view data they have been granted access to. This release also updates the REST API: endpoints now include a “tenantId” field that identifies the associated tenant.
The Tenants chapter in the user guide outlines specific requirements for using a multi-tenant environment in ADS. Make sure to check the specifics in this chapter, especially if you are using Syslog and SNMP reporting, want to enforce a flow per second (FPS) limit on tenants, are unable to upgrade to version 12.3, or want to learn more about how multi-tenancy works in ADS 12.3.
This is not a compulsory change. After updating to ADS 12.3, you can still use Flowmon in single-tenant mode. You are not required to change your current configuration when you update to 12.3. However, you will have the option to support clients via multi-tenancy.
HOW TO ENABLE MULTI-TENANCY
To enable and configure tenants in Flowmon ADS follow the Configuration Center > System > User Settings > Tenants menu pathway and the steps described on the Tenants page.
Figure 4: Navigating to the Tenants Management screen.
Once you’ve created the desired tenants, you need to create new roles and users for each one. To do this, you need to switch to the specific tenant and then create the roles and users in that tenant. Afterward, you switch to the ADS management screens and configure each tenant according to their specific needs.
The details on configuring tenants and keeping their settings separated are in the “About Tenants” chapter of the Flowmon and Flowmon ADS user guides.
Based on customer feedback and the increased use of TCP for DNS in modern networks, ADS 12.3 improves the methods for detecting DNS traffic anomalies. Improvements are:
You can configure the changes associated with the DNSANOMALY method in the settings. No configuration changes are required to benefit from the DNSQUERY change.
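The point behind the DNS changes is that DNS over TCP is now ordinary traffic, so a flow-based detector has to count TCP/53 as DNS rather than treating it as an anomaly in itself. The following added example (not Flowmon code, and not the logic of the DNSANOMALY or DNSQUERY methods, which the post does not describe) is a hypothetical detector over constructed NetFlow-like records: it classifies both UDP/53 and TCP/53 as DNS and then flags clients that talk to unapproved resolvers, send an unusual number of queries, or carry oversized payloads. The resolver allow-list and thresholds are assumptions chosen for the sample data.

```python
# Added illustration of flow-based DNS anomaly detection that treats DNS over
# TCP the same as DNS over UDP. NOT Flowmon's DNSANOMALY/DNSQUERY logic; a
# hypothetical detector run over constructed NetFlow-like records.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int
    octets: int
    packets: int

# Hypothetical policy: resolvers clients may use, and detection thresholds.
APPROVED_RESOLVERS = {"10.0.0.53"}
MAX_QUERIES_PER_CLIENT = 100     # DNS flows per client in the window
MAX_AVG_BYTES_PER_PACKET = 400   # long labels/TXT payloads suggest tunnelling

def is_dns(flow):
    """DNS runs over both UDP/53 and TCP/53 (RFC 7766); both count as DNS."""
    return flow.dport == 53 and flow.proto in ("udp", "tcp")

def detect_dns_anomalies(flows):
    """Return a sorted list of (client, code, detail) findings."""
    per_client = defaultdict(
        lambda: {"flows": 0, "octets": 0, "packets": 0, "resolvers": set()})
    for f in flows:
        if not is_dns(f):
            continue  # non-DNS traffic never feeds the DNS statistics
        c = per_client[f.src]
        c["flows"] += 1
        c["octets"] += f.octets
        c["packets"] += f.packets
        c["resolvers"].add(f.dst)

    findings = []
    for client, c in per_client.items():
        for resolver in sorted(c["resolvers"] - APPROVED_RESOLVERS):
            findings.append((client, "UNAPPROVED_RESOLVER", resolver))
        if c["flows"] > MAX_QUERIES_PER_CLIENT:
            findings.append((client, "QUERY_VOLUME", str(c["flows"])))
        avg = c["octets"] / c["packets"] if c["packets"] else 0
        if avg > MAX_AVG_BYTES_PER_PACKET:
            findings.append((client, "LARGE_PAYLOAD", f"{avg:.0f}B/pkt"))
    return sorted(findings)

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = (
    # normal UDP lookups from 10.0.1.10 to the approved resolver
    [Flow("10.0.1.10", "10.0.0.53", "udp", 53, 120, 2) for _ in range(20)]
    # a legitimate large answer carried over TCP: still DNS, still benign
    + [Flow("10.0.1.10", "10.0.0.53", "tcp", 53, 2400, 12)]
    # 10.0.1.20 hammering an outside resolver with oversized TCP queries
    + [Flow("10.0.1.20", "203.0.113.7", "tcp", 53, 900, 2) for _ in range(150)]
    # unrelated HTTPS flow that must not be counted as DNS
    + [Flow("10.0.1.30", "203.0.113.7", "tcp", 443, 5000, 10)]
)

if __name__ == "__main__":
    for finding in detect_dns_anomalies(SAMPLE_FLOWS):
        print(*finding)
```

Note that the single large TCP answer from the first client produces no finding: it is counted as DNS and folded into that client's per-packet average, which stays normal. Only the second client, whose behaviour is anomalous on three independent measures, is reported.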
The latest method instance settings update adds the ability to deactivate specific submethods. This is particularly helpful when certain submethods are irrelevant to your needs, or when you want to temporarily turn off detection while you are still deploying and tuning. Previously, only some submethods could be turned off, and only via a specific configuration parameter.
With ADS 12.3, every submethod can be turned off by the same process in the UI, under Flowmon ADS > Settings > Processing > Methods.
The Event Detail screen now includes attributes that display the 20 most relevant targets. These targets are not static: they change dynamically as new information becomes available, so you always see the most up-to-date data. What counts as relevant depends on the detection method. For detection methods such as BITTORRENT, COUNTRY, DIRINET, HIGHTRANSF, PEERS and WEBSHARE, the targets chosen are the ones with the highest data transfer; for other detection methods, targets are selected by the number of flows. This change is enabled by default in ADS 12.3.
Figure 5: Top 20 targets shown in the Event Detail screen.
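The ranking rule above has two modes, by transferred bytes and by flow count, and which one applies depends on the method. The added example below (not Flowmon code) implements that rule over a constructed set of flow records: the method list is the one the post names, while the record shape, the `top_targets` helper and the placeholder method code `OTHER` are assumptions for the illustration. It also fixes the tie-break order explicitly, which matters when targets share the same byte or flow count.

```python
# Added illustration of the target-ranking rule: volume-oriented methods rank
# targets by transferred bytes, all other methods by flow count. The method set
# comes from the post; the records and helper are hypothetical, not Flowmon code.
from collections import Counter

# Methods the post names as ranking targets by data transfer.
BYTES_RANKED_METHODS = {"BITTORRENT", "COUNTRY", "DIRINET", "HIGHTRANSF", "PEERS", "WEBSHARE"}

def top_targets(method, flows, n=20):
    """Rank an event's targets for `method`.

    `flows` is an iterable of (target_ip, octets) pairs belonging to the event.
    Returns up to n (target, metric) pairs, highest first; the metric is bytes
    for volume-oriented methods and the flow count for everything else.
    """
    metric = Counter()
    for target, octets in flows:
        metric[target] += octets if method in BYTES_RANKED_METHODS else 1
    # Counter.most_common() breaks ties by insertion order; sort explicitly by
    # (metric descending, target ascending) so the result is deterministic.
    return sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Constructed sample: one host talking to three targets (not real traffic).
SAMPLE = [
    ("198.51.100.1", 50_000),
    ("198.51.100.2", 1_000), ("198.51.100.2", 1_000), ("198.51.100.2", 1_000),
    ("198.51.100.3", 100_000),
]

if __name__ == "__main__":
    print("HIGHTRANSF:", top_targets("HIGHTRANSF", SAMPLE))
    print("OTHER:     ", top_targets("OTHER", SAMPLE))  # "OTHER" is a placeholder code
```

For the same flows, a volume-oriented method puts the 100 kB target first, while any other method puts the target with three flows first, even though it moved the least data. Both orderings are correct; they answer different questions.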
Visit the Flowmon platform page for details of Flowmon and the Flowmon ADS page for further information on the ADS module. To have a conversation with an expert on how Flowmon can help improve the security of your networks, contact us.
For a free trial of Flowmon to see how it can deliver actionable insights for your organization in minutes, visit our free trial page. Our support team can assist during your free trial testing. Use the contact page to start a conversation with the support team.
View all posts from Filip Cerny on the Progress blog.