Threat Defender analyzes the network in real time and correlates millions of network traffic events over time and across network flows to detect patterns and connections between seemingly unrelated communication events. Threat Defender sets up policies and complex rule scenarios to manage network traffic based on the detected behavior. Unlike conventional solutions, it enforces these policies with immediate effect as soon as anomalous behavior suggests a threat to the network.
The conventional method of traffic correlation uses off-the-shelf SIEM systems. These systems correlate data based on logs provided by firewalls, servers and endpoint devices. The danger with this approach is that these logs were created by potentially infected devices and cannot be trusted. Importantly, a standard SIEM system only correlates events and behavior in retrospect, after a device has already been compromised.
cognitix Threat Defender takes an entirely different approach to solve these problems. Threat Defender detects changes in network behavior and reacts automatically in real time using behavior-based policies. Threat Defender is not dependent on the integrity of the device logs because it models the network behavior to implement policies on the network level. Threat Defender analyzes the communication between the devices in real time and from within the network. This allows it to see the actual device behavior. Threat Defender tracks and examines various communication parameters (such as protocols, source and destination IP addresses, etc.) over time and across traffic flows to implement the inline real-time correlation. It filters the network traffic for specific behavior patterns. Threat Defender can instantly take the required actions to mitigate the effects of any undesirable or suspicious behavior it detects. It enforces the behavior-based rules, such as isolating the affected devices and blocking their traffic. This holistic approach to network security takes the behavior and relationships between devices in the entire network into account instead of individual events.
Take, as an example, a device that has been infected by encryption-based ransomware. The device will spread the ransomware by communicating with other devices. When the first neighboring device is contacted, the endpoint security of the target device will notice and log the problem. Threat Defender intervenes at this point, drastically reducing reaction time. The infected device is isolated before it can spread the ransomware further, nipping the infection in the bud. Interactive reporting, with multiple intuitive predefined and customizable dashboards, lets administrators verify that the required policies are in place so that an infection is contained in real time and without human intervention.
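The mechanism described above, correlating flows per source over a time window and enforcing a behavior-based policy inline, can be illustrated with a small example. The code below is an added illustration written for this page; it is not cognitix code and does not reflect Threat Defender's actual rule language or thresholds. The rule (a single host opening SMB connections to five or more distinct internal hosts within 60 seconds triggers isolation), the port list and the sample flows are all constructed assumptions. The third group of flows deliberately spreads one host's connections 120 seconds apart to show the caveat that a purely window-based rule will not catch spread slower than its window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record, not a vendor schema)."""
    ts: float     # seconds since start of capture
    src: str
    dst: str
    proto: str
    dport: int


class InlineCorrelator:
    """Correlates flows per source host over a sliding time window and fires a
    behavior-based policy (isolate the source) when it fans out to many distinct
    internal hosts on a file-sharing port. Rule and thresholds are assumptions."""

    def __init__(self, window_s=60.0, fanout_threshold=5, watched_ports=(445, 139)):
        self.window_s = window_s
        self.threshold = fanout_threshold
        self.watched = set(watched_ports)
        self.recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
        self.isolated = set()              # hosts currently quarantined by policy
        self.actions = []                  # audit trail of enforcement decisions

    def observe(self, flow):
        """Evaluate one flow inline and return the verdict: ALLOW, ISOLATE or DROP."""
        # Enforcement is immediate: once a host is isolated, every later flow it
        # sends is dropped without further analysis.
        if flow.src in self.isolated:
            self.actions.append(("DROP", flow.src, flow.dst, flow.ts))
            return "DROP"
        if flow.proto == "tcp" and flow.dport in self.watched:
            q = self.recent[flow.src]
            q.append((flow.ts, flow.dst))
            # Correlation "over time": expire events that fell out of the window.
            while q and flow.ts - q[0][0] > self.window_s:
                q.popleft()
            # Correlation "across flows": count distinct peers, not raw events,
            # so a workstation hammering one file server does not trip the rule.
            distinct_peers = {dst for _, dst in q}
            if len(distinct_peers) >= self.threshold:
                self.isolated.add(flow.src)
                self.actions.append(("ISOLATE", flow.src, None, flow.ts))
                return "ISOLATE"
        return "ALLOW"


def sample_flows():
    """Constructed sample traffic for the demo; not captured data."""
    flows = []
    # Benign: a workstation repeatedly reaching the same file server.
    for i in range(8):
        flows.append(Flow(10.0 + i, "10.0.0.7", "10.0.0.2", "tcp", 445))
    # Suspicious: one host contacting six different neighbors on SMB within 30 s.
    for i in range(6):
        flows.append(Flow(20.0 + 5 * i, "10.0.0.5", f"10.0.0.{10 + i}", "tcp", 445))
    # Slow spread: six neighbors, but 120 s apart, so never five inside one window.
    for i in range(6):
        flows.append(Flow(100.0 + 120 * i, "10.0.0.9", f"10.0.0.{20 + i}", "tcp", 445))
    return sorted(flows, key=lambda f: f.ts)


def run_demo():
    """Feed the sample flows through the correlator in time order."""
    corr = InlineCorrelator()
    verdicts = [(f.src, f.dst, corr.observe(f)) for f in sample_flows()]
    return corr, verdicts


if __name__ == "__main__":
    corr, verdicts = run_demo()
    for src, dst, verdict in verdicts:
        print(f"{src:10} -> {dst:10} {verdict}")
    print("isolated:", sorted(corr.isolated))
```

The sweeping host is isolated on its fifth distinct peer and its sixth connection is dropped; the workstation talking to one server is never flagged because distinct peers, not event counts, drive the rule. The slow-spreading host is not caught, which is exactly why a real deployment layers several windows and additional behavioral signals rather than relying on a single fan-out threshold.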