Based in Sunnyvale, California, Awake Security’s solution uses a combination of supervised and unsupervised machine learning and other analytical techniques to detect suspicious traffic. The product can be deployed as a single all-in-one unit (sensor and analytics) or in a distributed fashion, where the sensor and the analytics hub are separated. The sensor can be deployed as a physical or virtual appliance across IT, OT and IoT networks, as well as in the cloud to protect Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) workloads. Awake uses machine-learning-based encrypted traffic analysis to find threats in encrypted sessions without decrypting them. Awake does not provide a decryption engine for Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic.
Awake does not block attacks natively. Awake’s approach is to integrate with orchestration solutions (e.g., Splunk Adaptive Response or Demisto) or endpoint solutions (Carbon Black) to perform quarantine or trigger remediation playbooks. For example, customers use these mechanisms to block domains and IPs at the firewall or proxy and to take devices offline. Awake sells the solution as an annual subscription, based on aggregate throughput. Virtual appliances are available at no charge, and physical devices are available for a fee.
Based in Columbia, Maryland, Bricata’s detection capabilities include signature and behavioral techniques (including supervised, but not unsupervised, machine learning). It runs two open-source engines, Suricata and Zeek (formerly Bro), simultaneously. Suricata provides signature-based IDS/IPS threat detection. Zeek enables stateful, behavior-anomaly-based threat detection. Bricata also licenses Cylance’s INFINITY technology for threat detection. Zeek generates network metadata that populates Bricata’s repository. The repository comes with a threat-hunting environment for manual threat detection.
Bricata’s architecture is composed of two main elements. Sensors (physical or virtual) are deployed on the network and perform PCAP, metadata generation and intrusion detection system/intrusion prevention system (IDS/IPS) functions, including dropping packets. A Central Management Console (CMC) repository is typically deployed in a data center. The CMC processes and analyzes the data collected from the sensors, and it provides an interface for threat hunting. Bricata does not decrypt SSL/TLS traffic, although it provides a built-in mechanism for JA3 fingerprinting of TLS client handshakes, which identifies client software from the unencrypted ClientHello.
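The Zeek metadata described above is what a threat-hunting environment queries. The following is an added example, not Bricata’s or Corelight’s code, of one hunt over a Zeek conn.log: it parses Zeek’s TSV format (the `#fields` and `#unset_field` header lines), then flags a vertical port scan, meaning one originator touching many distinct responder ports without a completed handshake inside a sliding time window. The log lines are constructed for the example; the hosts, thresholds and window are assumptions.

```python
"""Hunt over Zeek conn.log metadata for vertical port scans (added example)."""
from collections import defaultdict

# Subset of the real conn.log columns; the rows below are constructed.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
TYPES = ["time", "string", "addr", "port", "addr", "port",
         "enum", "string", "interval", "count", "count", "string"]

# Zeek conn_state values that mean no completed handshake / rejected / unanswered.
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0", "RSTRH", "SH", "SHR"}


def _row(*values):
    return [str(v) for v in values]


def constructed_conn_log() -> str:
    """Render a small Zeek conn.log: three benign connections and a 12-port scan."""
    rows = [
        _row(1560000000.1, "CAb1", "10.0.0.5", 51000, "10.0.0.20", 22, "tcp", "ssh", 1.2, 200, 300, "SF"),
        _row(1560000001.4, "CAb2", "10.0.0.5", 51001, "10.0.0.20", 443, "tcp", "ssl", 0.4, 900, 5000, "SF"),
        _row(1560000002.0, "CAb3", "10.0.0.66", 40000, "10.0.0.20", 22, "tcp", "ssh", 3.0, 150, 250, "SF"),
    ]
    scanned = [21, 23, 25, 80, 110, 135, 139, 445, 3389, 8080, 8443, 9200]
    for i, port in enumerate(scanned):  # SYNs every 0.5 s, never answered (S0)
        rows.append(_row(1560000010.0 + i * 0.5, f"CSc{i}", "10.0.0.66", 40100 + i,
                         "10.0.0.20", port, "tcp", "-", "-", 0, 0, "S0"))
    lines = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
             "#unset_field\t-", "#path\tconn",
             "#fields\t" + "\t".join(FIELDS), "#types\t" + "\t".join(TYPES)]
    lines += ["\t".join(r) for r in rows]
    lines.append("#close\t2019-06-08-14-00-00")
    return "\n".join(lines) + "\n"


def parse_zeek_tsv(text: str):
    """Parse Zeek TSV logs into dicts keyed by the #fields header; unset -> None."""
    fields, unset, records = None, "-", []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, val = line[1:].partition("\t")
            if key == "fields":
                fields = val.split("\t")
            elif key == "unset_field":
                unset = val
            continue
        if not line or fields is None:
            continue
        vals = line.split("\t")
        if len(vals) != len(fields):
            raise ValueError(f"column count {len(vals)} != {len(fields)}: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, vals)})
    return records


def find_port_scans(records, min_ports=10, window=60.0):
    """Return {(orig_h, resp_h): sorted ports} for pairs reaching >= min_ports
    distinct failed TCP ports within any `window`-second sliding window."""
    attempts = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in FAILED_STATES:
            attempts[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), int(r["id.resp_p"])))
    hits = {}
    for pair, events in attempts.items():
        events.sort()
        in_window, lo = defaultdict(int), 0
        for ts, port in events:
            in_window[port] += 1
            while events[lo][0] < ts - window:       # drop events older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_ports and len(in_window) > len(hits.get(pair, ())):
                hits[pair] = sorted(in_window)
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(parse_zeek_tsv(constructed_conn_log())).items():
        print(f"port scan {src} -> {dst}: {len(ports)} ports {ports}")
```

The S0 state (SYN seen, no reply) is the usual signature of a scan against filtered or closed ports; the benign SF connections from the same host do not count, so a legitimate SSH session from the scanner does not mask or inflate the result.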
Bricata offers subscription licensing based on the aggregate throughput of the traffic being monitored. Customers purchase physical sensors and CMCs; however, virtual instances are free of charge. Hardware warranty, software maintenance and Bricata support are included in the subscription price. Higher levels of support are available at an additional charge.
Headquartered in San Jose, California, Cisco plays in the NTA market with Cisco Stealthwatch. Stealthwatch’s primary data source is NetFlow records, and it is deployed as a physical appliance, a virtual appliance or a SaaS solution. Through its Flow Sensors, Stealthwatch provides Layer 7 application visibility by gathering application information, along with on-demand PCAP. Stealthwatch can also ingest data from cloud platforms, such as AWS, Azure and GCP, as well as from Kubernetes environments. Full PCAP is not natively supported. Stealthwatch leverages various techniques for analytics, including signature-based detection, statistical analysis, and both supervised and unsupervised machine learning. Cisco integrates with Cisco Talos Intelligence Group for threat intelligence feeds.
Stealthwatch is sold as a term-based subscription based on the necessary flows per second, network device count or total monthly flows, depending on the product and deployment infrastructure. The subscription includes virtual flow collectors and the management console; however, additional fees are required for the appliance-based version of the product. The cloud version of Stealthwatch uses a combination of sensors for customer premises and API connectivity to flow sources in public clouds. Stealthwatch is integrated with the Cisco Identity Services Engine, which allows it to quarantine hosts. Stealthwatch does not decrypt traffic, but uses Encrypted Traffic Analytics (ETA) to detect malware and ensure cryptographic compliance. The product’s core market is midsize-to-large enterprises.
Headquartered in San Francisco, California, Corelight’s solution is based on open-source Zeek (formerly known as Bro). Corelight has added enhancements that focus on scale, manageability and data enrichment. The solution consists of a range of physical and virtual sensors. These sensors analyze network traffic across multiple protocols, run detection as the traffic is processed, and forward the events and parsed data logs to a customer’s SIEM or data lake. The Bro/Zeek scripting framework provides an optional feature that allows customers to write their own detection content. This is a popular approach for advanced customers that can tune detection to their own environment.
Corelight’s detection capabilities include heuristic analysis and statistical analysis, but no machine learning. However, some Bro/Zeek customers have used Python machine learning libraries on the exported logs to do both supervised and unsupervised machine learning. Corelight also performs some simple pattern-matching (signaturelike) detection. Corelight does not collect and analyze NetFlow or IPFIX records; however, the Corelight sensors generate metadata, which can be stored and analyzed for forensic analysis using third-party tools. Corelight does not decrypt SSL/TLS traffic, although it provides a built-in mechanism for JA3 fingerprinting of TLS client handshakes.
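JA3, cited above for both Bricata and Corelight (and later for Corvil and ExtraHop), is the one piece of TLS visibility that survives without decryption: it hashes five fields of the unencrypted ClientHello (version, cipher suites, extension types, supported groups, point formats, each as decimal values joined by "-"). The following is an added example, not any vendor’s code: it assembles a constructed ClientHello record, parses the fields JA3 uses and computes the fingerprint. The cipher and group values are typical but chosen for the example; the GREASE handling is the part that matters in practice, since browsers insert random reserved values that would otherwise change the hash on every connection.

```python
"""Compute a JA3 fingerprint from a raw TLS ClientHello record (added example)."""
import hashlib
import struct


def _is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) have the form 0x?a?a with equal bytes: 0x0a0a ... 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(ciphers, groups, point_formats, sni=b"example.test", grease=False) -> bytes:
    """Assemble a constructed TLS 1.2-style ClientHello; `grease=True` injects GREASE values."""
    ext = []
    if grease:
        ext.append(struct.pack("!HH", 0x2A2A, 0))                     # GREASE extension, empty body
    name = struct.pack("!BH", 0, len(sni)) + sni                      # host_name entry
    sni_body = struct.pack("!H", len(name)) + name
    ext.append(struct.pack("!HH", 0, len(sni_body)) + sni_body)       # server_name (0)
    g = ([0x3A3A] if grease else []) + list(groups)
    groups_body = struct.pack("!H", 2 * len(g)) + _u16s(g)
    ext.append(struct.pack("!HH", 10, len(groups_body)) + groups_body)  # supported_groups (10)
    pf_body = bytes([len(point_formats)]) + bytes(point_formats)
    ext.append(struct.pack("!HH", 11, len(pf_body)) + pf_body)        # ec_point_formats (11)
    ext_bytes = b"".join(ext)
    c = ([0x4A4A] if grease else []) + list(ciphers)
    body = (struct.pack("!H", 0x0303)                                 # client_version TLS 1.2
            + b"\x11" * 32                                            # random (fixed for the example)
            + b"\x00"                                                 # empty session_id
            + struct.pack("!H", 2 * len(c)) + _u16s(c)                # cipher_suites
            + b"\x01\x00"                                             # compression: null only
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3-relevant fields; raises ValueError on anything malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a TLS handshake record carrying a ClientHello")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs_len = int.from_bytes(record[6:9], "big")
        if rec_len != hs_len + 4 or len(record) != 5 + rec_len:
            raise ValueError("length fields do not match record size")
        p = 9
        version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
        p += 32                                                       # skip random
        p += 1 + record[p]                                            # skip session_id
        cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
        ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
        p += cs_len
        p += 1 + record[p]                                            # skip compression methods
        ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
        end = p + ext_len
        if end != len(record):
            raise ValueError("extensions length does not reach end of record")
        ext_types, groups, formats = [], [], []
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            data = record[p:p + elen]; p += elen
            ext_types.append(etype)
            if etype == 10:
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:
                formats = list(data[1:1 + data[0]])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}


def ja3(record: bytes):
    """Return (ja3_string, md5_hex) with GREASE values removed from the three lists."""
    h = parse_client_hello(record)
    keep = lambda xs: "-".join(str(x) for x in xs if not _is_grease(x))
    s = ",".join([str(h["version"]), keep(h["ciphers"]), keep(h["extensions"]),
                  keep(h["groups"]), "-".join(map(str, h["formats"]))])
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    hello = build_client_hello([0xC02B, 0xC02F, 0x009C], [29, 23, 24], [0], grease=True)
    print(*ja3(hello))
```

Because the hash covers extension order, two clients offering the same cipher list in a different order fingerprint differently, which is what makes JA3 useful for spotting malware that hand-rolls its TLS stack; the same property also means a fingerprint is only as stable as the client library behind it.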
The solution is licensed on a subscription basis, which includes service and support, as well as hardware, software and a technical account manager. Enterprise support (e.g., hardware replacement) is available separately.
Based in Dublin, Ireland, Corvil is an NPMD vendor that has adapted its IT operations solutions for NTA with a solution called Corvil Security Analytics. It operates on metadata derived from raw network packets, applying signature-based detection using Snort rules, proprietary rules, protocol analysis and reputation-feed-based traffic matching. The reputation-feed-based traffic matching leverages feeds from Emerging Threats ETPro IP and Domain reputation feeds, as well as abuse.ch (SSL Blacklist). Corvil offers basic, unsupervised machine learning, but it does not provide supervised machine learning. Corvil Security Analytics is sold as a hardware appliance, and can be complemented by host-based software sensors.
Corvil Security Analytics is priced on a perpetual-license basis, with customers choosing the appropriate appliance type based on network traffic rates. Hardware appliances support up to 80 Gbps line rate capture and up to 300TB of storage. The use of the Corvil virtual sensor is free. Corvil appliances can decrypt SSL and TLS traffic, and they support JA3 fingerprinting of TLS client handshakes. The product’s core market is the large enterprise.
Based in Cambridge, U.K., and San Francisco, California, Darktrace’s Enterprise Immune System is built on unsupervised machine learning technology. The company states that it relies on more than 50 unsupervised learning approaches. Darktrace can be deployed to secure physical (IT and OT), virtualized, infrastructure as a service (IaaS) and SaaS environments. Deployment options include Darktrace appliances, software sensors and connectors that are installed passively in the customer’s network or cloud. A master appliance correlates behavior across the organization’s infrastructure. Darktrace Antigena, an optional product that provides autonomous response capabilities, uses multiple techniques (e.g., TCP Reset, applying Active Lists via firewall integrations) to automatically mitigate threats to the customer’s environment.
The pricing model for Darktrace software is a subscription service based on the size of the company and the distribution of the deployment. A popular service option is the Threat Intelligence Reports, which analyze the most significant threats detected by Darktrace’s technology. Pricing for Antigena Network is 50% of the license value for the Enterprise Immune System.
Based in Seattle, Washington, ExtraHop started as an IT-operations-focused NPMD vendor. The company has expanded its focus to security buyers, by adapting its packet analysis technology for the NTA market. The product, Reveal(x), performs real-time stream processing of raw network packets and applies its unsupervised machine learning algorithms to detect behavioral anomalies. The metadata extracted from the packets is tracked, allowing Reveal(x) to identify behavior indicative of an attack by comparing against a number of proprietary unsupervised models. Reveal(x) is sold as a hardware appliance or a virtual appliance.
Licensing for Reveal(x) is on a subscription basis, priced by the number of critical assets that are being monitored. The physical appliances are sold as a separate one-time cost, while virtual and cloud appliances are free. Hardware appliances support up to 100 Gbps line rate capture and up to 2PB of storage. Reveal(x) can ingest third-party threat intelligence feeds, based on the standard Structured Threat Information eXpression (STIX) format. The solution supports SSL/TLS and perfect forward secrecy (PFS) traffic decryption at line rate. Note that PFS cipher suites (ephemeral Diffie-Hellman key exchange) cannot be decrypted passively with the server’s private key alone; decrypting such sessions requires session keys to be exported from the endpoints to the sensor.
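Ingesting a STIX feed, as mentioned above for Reveal(x), means more than loading a list of IPs: indicators carry validity windows and can be revoked, and a pattern can combine several observables. The following is an added example, not ExtraHop’s code, that loads a constructed STIX 2.1 bundle, keeps only indicators that are active at a given time, handles single-observation patterns joined by OR, and matches them against a few constructed flow records. The flow field names (`orig_h`, `resp_h`, `sni`) are assumptions for the example; AND and FOLLOWEDBY patterns are deliberately skipped rather than half-evaluated.

```python
"""Load STIX 2.1 indicators and match them against network metadata (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed bundle: two active indicators, one expired, one revoked.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0b7c3e1a-1111-4a0b-9c4e-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b7c3e1a-1111-4a0b-9c4e-000000000002",
         "created": "2019-06-01T00:00:00.000Z", "modified": "2019-06-01T00:00:00.000Z",
         "name": "C2 server", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "valid_from": "2019-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b7c3e1a-1111-4a0b-9c4e-000000000003",
         "created": "2019-05-15T00:00:00.000Z", "modified": "2019-05-15T00:00:00.000Z",
         "name": "Staging domains", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid' OR domain-name:value = 'cdn.example.invalid']",
         "valid_from": "2019-05-15T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b7c3e1a-1111-4a0b-9c4e-000000000004",
         "created": "2018-01-01T00:00:00.000Z", "modified": "2018-01-01T00:00:00.000Z",
         "name": "Old sinkhole", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2018-01-01T00:00:00Z", "valid_until": "2018-12-31T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b7c3e1a-1111-4a0b-9c4e-000000000005",
         "created": "2019-03-01T00:00:00.000Z", "modified": "2019-04-01T00:00:00.000Z", "revoked": True,
         "name": "False positive", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.9']", "valid_from": "2019-03-01T00:00:00Z"},
    ]})

# Constructed flow records (field names are assumptions, not a vendor schema).
FLOWS = [
    {"uid": "F1", "orig_h": "10.0.0.5", "resp_h": "203.0.113.5", "sni": None},
    {"uid": "F2", "orig_h": "10.0.0.5", "resp_h": "198.51.100.20", "sni": "cdn.example.invalid"},
    {"uid": "F3", "orig_h": "10.0.0.8", "resp_h": "198.51.100.7", "sni": None},   # expired indicator
    {"uid": "F4", "orig_h": "10.0.0.8", "resp_h": "192.0.2.9", "sni": None},      # revoked indicator
]

# Which flow fields a STIX object path is compared against.
FIELD_MAP = {"ipv4-addr:value": ("orig_h", "resp_h"), "domain-name:value": ("sni",)}

# Equality comparisons inside a single observation expression, e.g. [a:b = 'x' OR c:d = 'y'].
COMPARISON = re.compile(r"([a-z0-9-]+:[a-z0-9_.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def _ts(value: str) -> datetime:
    """Parse STIX timestamps (RFC 3339, UTC, optional fractional seconds)."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def load_indicators(bundle_json: str, now=None):
    """Return indicators active at `now` (ISO string or None for current time) as
    {"id", "name", "comparisons": [(object_path, value), ...]}."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    active = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked") or _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue
        pattern = obj["pattern"]
        if re.search(r"\b(AND|FOLLOWEDBY|WITHIN|REPEATS)\b", pattern):
            continue  # multi-observable / temporal patterns need a real STIX pattern engine
        comparisons = COMPARISON.findall(pattern)
        if comparisons:
            active.append({"id": obj["id"], "name": obj.get("name", ""), "comparisons": comparisons})
    return active


def match_flows(indicators, flows):
    """Report each flow that satisfies any comparison of an active indicator."""
    hits = []
    for flow in flows:
        for ind in indicators:
            for path, value in ind["comparisons"]:
                if any(flow.get(field) == value for field in FIELD_MAP.get(path, ())):
                    hits.append({"uid": flow["uid"], "indicator": ind["id"],
                                 "name": ind["name"], "matched": f"{path} = '{value}'"})
                    break
    return hits


if __name__ == "__main__":
    for hit in match_flows(load_indicators(STIX_BUNDLE, "2019-06-08T00:00:00Z"), FLOWS):
        print(hit)
```

Evaluating `valid_from`, `valid_until` and `revoked` before matching is what keeps a stale feed from generating alerts on sinkholed or withdrawn indicators, which is the most common source of noise when a feed is consumed as a flat blocklist.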
Based in Washington, D.C., Fidelis offers a security platform (Fidelis Elevate) that combines IDS, NTA, network sandboxing, web and email data loss prevention (DLP), endpoint detection and response (EDR), asset classification, and deception. The Fidelis Elevate platform collects Layer 7 metadata for many protocols. Fidelis primarily uses supervised learning for north/south network traffic analysis. It leverages unsupervised machine learning to build a risk score (Alert Threat Score) for each alert, helping with event triage. The solution includes a threat intelligence feed to catch identified attacks and supports open-source and third-party threat intelligence sources. Fidelis supports event-triggered, full PCAP and can store up to one year of metadata for retrospective analysis.
Metadata can be aggregated from multiple sensors in an appliance (Fidelis Collector) and stored for one year or longer. The solution can send TCP resets, or block if deployed in-line, and can integrate with Fidelis’ endpoint detection and response solution for additional response capabilities. The vendor offers multiple physical and virtual sensors, including a generic one for all protocols, and specialized versions for mail, web, cloud and data center traffic. Fidelis does not decrypt SSL/TLS traffic.
Fidelis Cybersecurity uses a traditional, perpetual-sale model for its physical appliances, with an annual support fee. The solution can be complemented with managed detection and response (MDR) and threat-hunting services. The vendor offers its cloud management solution as a subscription.
Based in Milpitas, California, FireEye’s SmartVision solution can be implemented as part of FireEye Network Security, as well as in non-FireEye environments. SmartVision uses a combination of signatures, machine learning and heuristics, as well as its MVX engine (primarily sandboxing technology) to detonate suspicious objects moving over the Server Message Block (SMB) protocol. SmartVision includes FireEye’s IPS engine. FireEye leverages an indicator correlation engine, along with a custom signature database with rules generated from observed cyberattacks. Customers can deploy SmartVision on FireEye NX appliances or on virtual appliances. SmartVision does not decrypt SSL/TLS traffic.
When enabled on an NX appliance, SmartVision is capable of monitoring network traffic in north/south and east/west directions, and all detections occur on the NX sensor directly. The pricing model for the SmartVision Edition is a subscription based on aggregate throughput. As many as 20 virtual sensors are provided for free. Service and support are included in the price of the subscription.
Based in the Czech Republic, GREYCORTEX’s MENDEL solution uses behavioral techniques (supervised and unsupervised machine learning) and signature-based detection. The licensed Emerging Threats ETPro rule set is one part of its signature-based capability. Sensors (physical and virtual) are deployed in the customer’s network, and they forward flow records, application metadata and signature-based events to collectors that analyze the information. Sensors and collectors can be combined in a single appliance. MENDEL is capable of decrypting SSL/TLS traffic.
GREYCORTEX has also developed a solution for monitoring OT networks. It provides visibility into several protocols that are common in SCADA environments, and it also uses machine learning and signature-based detection mechanisms. GREYCORTEX mainly targets Europe, the Middle East and the Asia/Pacific (APAC) region. Two pricing models are available. Customers can purchase the sensors and collector appliances and purchase a perpetual software license. Alternatively, they can purchase a subscription, which includes monthly fees for the appliances and service and support.
Based in Beijing, China, Hillstone Networks is a network security vendor, with a regional headquarters in Santa Clara, CA. The vendor introduced its NTA product, named Server Breach Detection System (sBDS), with two appliances in 2017. Hillstone’s NTA product extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm, to identify deviation from normal activity. sBDS also includes an IPS and an antivirus engine. It also implements some limited deception features (for example, emulating the responses of a web server). Each appliance embeds a management and monitoring interface, and centralized cloud monitoring is also available (Hillstone CloudView). sBDS integrates with Hillstone firewalls to add blocking capabilities. Hillstone sBDS does not decrypt SSL/TLS traffic.
Hillstone NTA primarily targets the data center, with many dashboards focused on this use case. The vendor prices its NTA solution using the traditional appliance model, with upfront cost for the hardware, and subscription and support as yearly fees. It also offers NTA as a service, where the cost of the devices is included in the yearly subscription.
Based in Santa Clara, California, HPE-Aruba acquired Niara, a vendor that had been targeting UEBA opportunities, in 2017. Since 2018, HPE-Aruba has been repositioning the Niara technology, now known as IntroSpect, to compete in the NTA market. The solution is available in two packages: IntroSpect Standard (the NTA product) and IntroSpect Advanced (adds UEBA and log source features). IntroSpect collects and analyzes packet-level information, as well as logs, and it provides user attribution and investigative support. The product is integrated with Aruba’s ClearPass NAC offering to provide automated response; however, HPE-Aruba also sells it as a stand-alone solution. Detection relies heavily on behavioral techniques (supervised and unsupervised machine learning, heuristics, and statistical analysis), and it includes a rule engine that can be programmed to look for specific conditions. IntroSpect does not decrypt SSL/TLS traffic.
Key components of IntroSpect’s NTA solution include Real Time Packet Processing (RTPP) and a centralized Analyzer. The RTPPs can be physical or virtual appliances. Customers purchase RTPP (virtual appliances are free) and the Analyzer appliance, along with a software license subscription for the Analyzer (based on the number of users, systems and devices in the customer’s network).
Based in Fulton, Maryland, IronNet’s solution uses sensors that are implemented in the customer’s network and an analytical back end that can be hosted on-premises, in the IronNet cloud or in AWS. Historically, the sensors have been physical appliances, although IronNet plans a virtual sensor for 2019. The solution supports full PCAP and stores approximately three days of PCAPs and approximately 90 days of session metadata. IronNet’s detection capabilities are based on signatures, machine learning and other analytical techniques. The solution has an add-on capability that enables enterprises to share behavioral intelligence with peer enterprises and, optionally, with government to enhance the detection of industry-sector-wide campaigns. IronNet’s sensors do not decrypt SSL/TLS traffic. However, they can analyze the SSL/TLS traffic and identify malicious activity during a session.
IronNet targets large enterprises that are concerned about attacks from nation states. Customers must purchase the hardware sensors and the associated software. They pay a flat monthly fee for the analytical back-end component.
Based in Redwood City, California, Lastline’s Lastline Defender solution uses a combination of techniques, including supervised and unsupervised machine learning, deep learning, deep packet inspection, NetFlow record analysis, and other analytics to detect malicious network behaviors and suspicious traffic. Lastline’s sandbox technology is embedded in its Defender solution to analyze files and determine whether they contain malware. The sandbox analysis is also used to feed training data to Defender’s detection capabilities. The solution has a flexible deployment model. Customers can install Lastline sensors on their networks and use the Lastline cloud to support the detection capabilities. Alternatively, customers can install all Lastline components on-premises, and they can protect workloads in public clouds. Lastline can inspect SSL/TLS traffic when deployed in-line as an explicit proxy.
Lastline can automatically respond to (for example, block) incidents that it detects. It also has several technology partnerships that enable customers to automatically respond to incidents detected by Defender. The solution has integrations with endpoint vendors, including Carbon Black and Tanium; network vendors (Check Point, Palo Alto Networks and Fortinet); SIEMs; security orchestration, automation and response (SOAR) solutions; and email and web gateways. The pricing model is a per-user/per-year subscription. Software sensors are provided free of charge. These sensors include the Suricata IDS and are enhanced with Lastline’s custom protocol analysis, as well as components that perform email inspection and static file analysis. Lastline sensors can be deployed in-line to block malicious traffic, out of band on a SPAN port or tap, or as mail transfer agents (MTAs).
Headquartered in Kennebunk, Maine, Plixer offers the Scrutinizer product for NTA. Scrutinizer is deployed on-premises with hardware or virtual appliances, but can also be deployed in a private cloud, a hybrid cloud and as SaaS. The solution’s primary data source for analytics is flow data, in addition to collecting data from VMware ESXi, Cisco ACI and AWS flow logs. Plixer does not natively support full or on-demand PCAP, nor the decryption of packets. Scrutinizer leverages signature-based detection, heuristic detection and statistical analytics, but does not support supervised or unsupervised machine learning. Heuristic detection involves analyzing traffic behavior, with persistent-flow risk assessment as an example. Scrutinizer supports threat intelligence feeds for host and domain reputation, as well as offering historical forensics for incident response.
For on-premises virtual and hardware deployments, the product is sold as either a three- or five-year subscription and is based on the number of devices exporting flows and metadata. For SaaS deployments, a three- or five-year subscription plan is also available and is based on the volume of collected data. Scrutinizer’s flow support has been extended with vendor-specific templates for a number of hardware vendors, including Cisco, Juniper and Palo Alto Networks, giving customers access to a broad set of metadata. Plixer Scrutinizer is also sold to IT operations for performance monitoring and is a fit for midsize and large enterprises.
Based in Milpitas, California, SS8 is a security company that was recently acquired by private equity firm HighBar. SS8’s NTA solution is available in the form of virtual appliances, both for the sensors and for its centralized management and monitoring platform (Security Analytics Platform). SS8 sensors sit out of band, and extract Layer 7 metadata from raw network packets. The technology uses unsupervised machine learning to highlight outlier devices on the network. It also leverages more-traditional signatures to detect known attacks. SS8 does not decrypt SSL/TLS traffic.
SS8 licenses its solution in the form of a subscription, based on the total average traffic throughput and the duration of data retention. Its largest target markets include industrial, financial and governmental agencies in North America.
Headquartered in San Jose, California, Vectra’s NTA product (Cognito Detect) uses hardware and virtual sensors to forward a proprietary set of traffic metadata to the analytic engine (Cognito Brain), where it is stored. The vendor’s detection engine combines supervised and unsupervised machine learning algorithms to detect attacker behaviors. It uses several deep-learning models (e.g., recurrent neural networks and long short-term memory) when necessary. The vendor also implements heuristics for known bad behaviors (such as port scan detection) and enables customers to import specific indicators of compromise (IOCs) to quickly identify a recent prominent attack. Vectra aggregates individual alerts into security incidents for an individual host, with on-demand, full PCAP for forensics investigation. The vendor also offers a dedicated view called Attack Campaigns to track attacks across the enterprise network. Vectra partners with endpoint protection, firewall, SIEM and SOAR vendors to provide response capabilities. Vectra does not decrypt SSL/TLS traffic.
Vectra offers specialized detection for data center and cloud use cases. It sells sensor hardware (virtual sensors are provided free of charge), then licenses its technology per concurrent active device, with different prices for clients and servers. Support is included in the per-device subscription. The vendor also offers additional subscriptions, such as regular reviews performed by the vendor’s security analysts, or a recently launched, cloud-based metadata search engine, Cognito Recall.