
Passus SA | e-mail: [email protected] | www.flowcontrol.passus.com

NETFLOW INTELLIGENCE

FlowControl is a dedicated NetFlow-based solution for network traffic analysis and threat detection. Combining the functionalities of a data collector and analyser, it enables diagnosing the causes of problems with network connections and bottlenecks. It supplies detailed information on user-generated traffic and on communication between the servers and applications used within the organisation, indicating trends and applications. Embedded security rules and threat-detection mechanisms are able to detect anomalous network activity and attacks. It offers a number of advanced indicators, reports and summaries based on the practical experience of Passus engineers gained during 20 years of work for the largest companies and institutions.

Key features of the solution

• A high-performance mechanism for network traffic monitoring and analysis – one device processes up to 250 000 flows per second.

• Detection of malicious communications based on Threat Intelligence.

• Identification of incidents and security policy breaches.

• Flexible analytical tools based on big data mechanisms.

• Identification of applications and hosts responsible for network load.

• Visualisation of network relationships, including geolocation.

• Functional validation of the QoS policy in place.

• Easy installation and configuration – the basic implementation of the solution takes less than an hour.

• Analysis of communication at a single network port.

• Verification and analysis of Layer 3 segmentation.


COMPREHENSIVE NETWORK TRAFFIC ANALYSIS

FlowControl comprises two fully integrated modules: XN for network performance monitoring, and XNS for IT security monitoring. The system records, processes and analyses all NetFlow parameters, enhanced by SNMP data, geolocation and blacklists of suspicious or malicious IP addresses. The analysis includes, but is not limited to, the following elements: TCP/IP parameters in layers 3 and 4 (source and target IP address, protocol, port), traffic attributes, as well as interface numbers by traffic direction (inbound/outbound), including the IP addresses of the NetFlow-generating network devices. The XNS module is provided with a number of rules to facilitate threat detection.

FLOWCONTROL XN NETWORK MONITORING

FlowControl XN gathers and analyses traffic for network performance and capacity based on the NetFlow protocol.

Fast access to critical information

Critical statistics and indicators facilitate the analysis of network behaviour patterns and support the detection of anomalies and their causes. Interactive charts, tables and diagrams present, inter alia:

• Detailed statistics of the most active hosts, applications and interfaces.

• Network traffic, with a breakdown into incoming and outgoing traffic.

• Lists of connections, including protocols, ports, IP addresses and the traffic profile of each connection.

• Bandwidth and interface load generated by applications, services and users.

• Inbound and outbound traffic, including geolocation of public IP addresses.

• Visualisation of NetFlow-generating devices, including their locations on maps and plans.

A simple and transparent diagram shows the hosts generating the highest traffic, the applications involved, and the interfaces with the highest utilisation rate.

A sudden increase in traffic from or to a host or application may indicate undesirable behaviour (torrent, botnet) or an attempted DDoS attack.


FLOWCONTROL - A PROMPT ANSWER TO KEY QUESTIONS

✓ What applications are used? Are they all legal?

✓ Who uses the applications?

✓ What servers are the source of the traffic? Are these actually servers?

✓ Which servers are reached by the traffic? Should they be reached?

✓ What applications generate the highest traffic?

✓ Who occupies all the available bandwidth?

✓ Is the operator’s incoming traffic properly marked?

✓ Which interfaces/routers show the highest load?

✓ Is own and transit traffic being properly routed?

✓ Is a sufficient bit rate ensured by the connections?

✓ Is the traffic being properly directed?

✓ What applications run on the servers?

✓ What ports are used by the servers?

✓ Where does the traffic come from and where does it go?

✓ What servers generate the traffic? Is it legal?

The system enables quick evaluation of the effectiveness of the adopted QoS rules thanks to a clear, graphic representation of the traffic by its classes.

With the traffic broken down into key applications and individual details thereof, network problems related to a specific application may be easily identified.

• Statistics enabling the assessment of proper configuration and implementation of the QoS policy in place.

• Daily, weekly or monthly analyses of historical data.
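The QoS statistics described above come down to reading the ToS byte that NetFlow v5/v9 exports for each flow, naming its DSCP class, and comparing the per-class volume against what the policy says a given kind of traffic should carry. The following is an added example, not FlowControl's code: the flows, the interface numbers and the policy table (which destination port is expected in which class) are constructed assumptions.

```python
"""Per-class traffic breakdown and marking check from the NetFlow ToS byte.

Added example, not FlowControl's code. Assumes each flow carries the IPv4 ToS
byte as exported in NetFlow v5/v9 (DSCP = upper six bits) plus ifindex,
direction and byte count. The policy table and the flows are constructed.
"""
from collections import defaultdict


def dscp_name(tos):
    """Map a ToS byte to its DiffServ per-hop-behaviour name (RFC 2474/2597/3246)."""
    dscp = tos >> 2
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:                        # class selectors; CS0 is best effort
        return "BE" if dscp == 0 else f"CS{dscp // 8}"
    cls, drop = dscp // 8, (dscp % 8) // 2   # assured forwarding AFxy
    if 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"                     # non-standard code point


def class_breakdown(flows):
    """Bytes per (ifindex, direction, class) and their share of that interface's traffic."""
    per_class = defaultdict(int)
    per_iface = defaultdict(int)
    for f in flows:
        key = (f["ifindex"], f["direction"], dscp_name(f["tos"]))
        per_class[key] += f["bytes"]
        per_iface[key[:2]] += f["bytes"]
    return {k: (b, round(100.0 * b / per_iface[k[:2]], 1)) for k, b in per_class.items()}


def check_marking(flows, policy):
    """Return flows whose class disagrees with the class the policy expects for their port."""
    mismarked = []
    for f in flows:
        expected = policy.get(f["dport"])
        actual = dscp_name(f["tos"])
        if expected is not None and actual != expected:
            mismarked.append((f["src"], f["dst"], f["dport"], expected, actual))
    return mismarked


# Constructed sample: inbound traffic on ifindex 3 plus one outbound flow.
SAMPLE_FLOWS = [
    {"ifindex": 3, "direction": "in",  "src": "10.1.1.10", "dst": "10.2.2.5", "dport": 5060, "tos": 0xB8, "bytes": 2000},
    {"ifindex": 3, "direction": "in",  "src": "10.1.1.11", "dst": "10.2.2.6", "dport": 443,  "tos": 0x88, "bytes": 6000},
    {"ifindex": 3, "direction": "in",  "src": "10.1.1.11", "dst": "10.2.2.7", "dport": 80,   "tos": 0x00, "bytes": 12000},
    # voice signalling arriving unmarked: the marking check should flag it
    {"ifindex": 3, "direction": "in",  "src": "10.1.1.12", "dst": "10.2.2.5", "dport": 5060, "tos": 0x00, "bytes": 1000},
    {"ifindex": 3, "direction": "out", "src": "10.2.2.5",  "dst": "10.1.1.10", "dport": 5060, "tos": 0xB8, "bytes": 1500},
]
# Constructed policy: the class each port is supposed to be carried in.
SAMPLE_POLICY = {5060: "EF", 443: "AF41"}

if __name__ == "__main__":
    for key, (b, pct) in sorted(class_breakdown(SAMPLE_FLOWS).items()):
        print(key, b, f"{pct}%")
    for m in check_marking(SAMPLE_FLOWS, SAMPLE_POLICY):
        print("mismarked:", m)
```

The per-class shares answer the "is the operator's incoming traffic properly marked?" question directly: if the inbound best-effort share is far higher than the design expects, the upstream marking or the trust boundary is wrong. The marking check points at the individual flows responsible, which is the drill-down a collector needs before anyone touches the QoS configuration.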

NetFlow deduplication

• If duplicate NetFlow records for the same flow come from multiple sources, FlowControl deduplicates the data so that only a unique entry is retained.

• Presentation of actual traffic volume values, regardless of the filters applied.

• Displaying traffic paths based on NetFlow fields received for the same transmission from multiple routers.
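The three deduplication points above (one entry per transmission, volumes that are not double-counted, and the path reconstructed from which routers reported the flow) can be shown with a small merge over records from several exporters. This is an added example, not FlowControl's implementation: the merge key (5-tuple plus a time bucket), the bucket width and the sample records are assumptions.

```python
"""NetFlow de-duplication across several exporters.

Added example, not FlowControl's code. Records for one transmission seen by
several routers are merged on the 5-tuple plus a time bucket (the bucket width
is an assumption); one entry is kept, its counters are not summed twice, and
the list of exporters that reported it is retained as the traffic path.
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class FlowRecord:
    exporter: str     # NetFlow-generating device that sent the record
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    start_ms: int     # flow start, milliseconds
    bytes: int


@dataclass
class UniqueFlow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes: int
    path: list = field(default_factory=list)   # exporters in the order they reported the flow


def flow_key(rec, window_ms):
    """Identity of a transmission: 5-tuple plus the time bucket its start falls into."""
    return (rec.src, rec.dst, rec.proto, rec.sport, rec.dport, rec.start_ms // window_ms)


def deduplicate(records, window_ms=2000):
    """Merge records describing the same transmission; returns unique flows in first-seen order."""
    merged = OrderedDict()
    for rec in sorted(records, key=lambda r: r.start_ms):
        key = flow_key(rec, window_ms)
        if key not in merged:
            merged[key] = UniqueFlow(rec.src, rec.dst, rec.proto, rec.sport, rec.dport,
                                     rec.bytes, [rec.exporter])
            continue
        uniq = merged[key]
        # Different exporters may cut the flow at slightly different points;
        # keep the largest counter rather than adding them up.
        uniq.bytes = max(uniq.bytes, rec.bytes)
        if rec.exporter not in uniq.path:
            uniq.path.append(rec.exporter)
    return list(merged.values())


def total_bytes(flows):
    """Traffic volume over any list of records or unique flows."""
    return sum(f.bytes for f in flows)


# Constructed sample: one HTTPS session crosses two routers, one SSH session crosses one.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.1", "10.1.1.5", "203.0.113.10", 6, 51000, 443, 1000, 5000),
    FlowRecord("10.0.0.2", "10.1.1.5", "203.0.113.10", 6, 51000, 443, 1200, 5000),
    FlowRecord("10.0.0.1", "10.1.1.6", "10.1.2.7", 6, 52000, 22, 1500, 800),
]

if __name__ == "__main__":
    print("raw volume:", total_bytes(SAMPLE_RECORDS))
    for u in deduplicate(SAMPLE_RECORDS):
        print(u.src, "->", u.dst, u.dport, u.bytes, "bytes via", " > ".join(u.path))
```

Without the merge the sample reports 10 800 bytes for 5 800 bytes of real traffic, which is exactly the inflation that makes "who occupies the bandwidth" answers wrong on a network where one session is exported by every router it crosses. A fixed bucket is the simplest key and has a known failure mode: two reports of the same transmission that straddle a bucket boundary are kept as two entries, so a production collector would match on a tolerance around the first report's start time instead.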

Cisco ASA firewall monitoring

• By supporting Cisco ASA/NSEL devices, the system enables full access to network traffic at firewalls, which are often the only layer 3 devices at a specific location.

• With dedicated views, data may be analysed for firewalls only.

• Elimination of inconsistencies where NSEL statistics are combined with typical NetFlow data sent by other devices.

• Support of NSEL fields that go beyond a NetFlow v5/v9 record.

NetFlow analysis including autonomous systems (AS)

• FlowControl is designed to meet the needs of large enterprises operating multiple connections. It supports autonomous system (AS) numbering for BGP.

• It enables data viewing and filtering based on AS numbers.

• It displays traffic paths from the source or transit AS.

• It presents the sources and targets and the traffic distribution across connections or operators based on AS.

Grouping NetFlow statistics

• Presentation and analysis of network segmentation for user-defined groups divided by locations, functions or business roles.

• Groups may be analysed both for outbound and inbound traffic.


FLOWCONTROL XNS IT SECURITY

The XNS module detects threats based on data from the NetFlow protocol and reputation lists. Owing to embedded security rules, it identifies anomalies and security threats across the entire organisation. Key features of the module:

• Use of the internationally renowned MITRE ATT&CK methodology to define and organise rules into groups.

• Visibility of security threats at the level of the entire organisation.

• Expanded dashboards with clear visualisation of undesirable activities.

• Detailed management views (KPIs, dashboards) with collective statistics.

• Threats grouped according to the MITRE ATT&CK methodology.

• An extensive repository of knowledge on threats and anomalies for SIEM.

• Support for the management of security processes (Network Forensics, Incident Handling and Threat Hunting).

• Reduction of the number of false positives by whitelisting for the majority of security rules.

• A constantly developed database of security rules.

Threat Intelligence

The Threat Intelligence module generates alerts from specific categories based on correlation with reputation lists of malicious IP addresses and suspicious countries. It enables grouping of feeds by threat category and their prioritisation. Threat examples:

• Detection of security policy violations (TOR, Open DNS, Open Proxy).

• Identification of connections with suspicious locations or IP addresses.

• Detection of malicious communications (e.g. malware, C2 or botnet).

Threat Detection

The Threat Detection module generates alerts based on correlation and aggregation of appropriate attributes acquired from the NetFlow protocol. It enables the detection of:

• Brute-force attacks on HTTP(S), FTP, IMAP, SSH, RDP, LDAPS, MS SQL services, etc.

• Unauthorised DHCP and DNS servers.

• Host and port scanning.

• Data exfiltration attempts.

• DoS and DDoS attacks.

• Forbidden P2P activities (e.g. BitTorrent).

Security trends may be evaluated based on weekly summaries of key indicators.

Fast access to information on the most common threats detected by the Threat Detection module.

Top 10 IP addresses generating the largest number of suspicious activities.
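"Correlation and aggregation of attributes acquired from the NetFlow protocol" is, for two of the threats listed above, a count per time window: many short completed sessions from one source to one authentication port indicate a brute-force attempt, and many SYN-only flows from one source to distinct ports indicate a port scan. The example below, added here and not one of FlowControl's rules, runs that logic over constructed flow records and includes the whitelist that the XNS feature list names as its false-positive control; the thresholds, the service table and the flow tuple layout are assumptions.

```python
"""Flow-based detection of brute-force logins and port scans.

Added example, not FlowControl's rules. Each flow is a tuple
(ts_s, src, dst, proto, dport, packets, tcp_flags); thresholds, the service
table and the whitelist are assumptions chosen for the constructed sample.
"""
from collections import defaultdict

TCP = 6
ACK = 0x10
# Authentication services the brute-force rule watches (assumed port mapping).
AUTH_SERVICES = {21: "FTP", 22: "SSH", 80: "HTTP", 143: "IMAP", 443: "HTTPS",
                 636: "LDAPS", 1433: "MS SQL", 3389: "RDP"}


def detect(flows, window_s=60, bruteforce_min=20, max_packets=30,
           scan_min_ports=15, whitelist=frozenset()):
    """Aggregate flows per time window and emit alerts when counts cross the thresholds."""
    attempts = defaultdict(int)   # (window, src, dst, dport) -> short completed TCP sessions
    touched = defaultdict(set)    # (window, src, dst) -> distinct ports probed with no ACK seen
    for ts, src, dst, proto, dport, packets, flags in flows:
        if src in whitelist or proto != TCP:
            continue                  # whitelisted sources (own scanners, monitoring) are skipped
        window = ts // window_s
        if dport in AUTH_SERVICES and flags & ACK and packets <= max_packets:
            attempts[(window, src, dst, dport)] += 1   # a complete but very short session: one login try
        elif not flags & ACK and packets <= 2:
            touched[(window, src, dst)].add(dport)     # SYN with no ACK ever seen: a probe
    alerts = []
    for (window, src, dst, dport), n in attempts.items():
        if n >= bruteforce_min:
            alerts.append({"type": "bruteforce", "service": AUTH_SERVICES[dport],
                           "src": src, "dst": dst, "count": n, "window": window})
    for (window, src, dst), ports in touched.items():
        if len(ports) >= scan_min_ports:
            alerts.append({"type": "portscan", "src": src, "dst": dst,
                           "ports": len(ports), "window": window})
    return alerts


def sample_flows():
    """Constructed NetFlow-like records: an SSH brute force, a port scan, normal HTTPS, an internal scanner."""
    flows = []
    # 25 short SSH sessions from one external host within one minute
    flows += [(t, "198.51.100.7", "10.1.2.20", TCP, 22, 12, 0x1B) for t in range(25)]
    # 20 SYN-only probes to distinct ports on one host
    flows += [(30 + p, "198.51.100.9", "10.1.2.21", TCP, p, 1, 0x02) for p in range(1, 21)]
    # five ordinary HTTPS sessions, far longer than a login attempt
    flows += [(t, "10.1.1.5", "10.1.2.20", TCP, 443, 80, 0x1B) for t in range(5)]
    # the organisation's own vulnerability scanner probing 20 ports
    flows += [(t, "10.1.9.9", "10.1.2.22", TCP, 1000 + t, 1, 0x02) for t in range(20)]
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows(), whitelist={"10.1.9.9"}):
        print(alert)
```

Run as written the sample yields two alerts, one per attacker; without the whitelist the internal scanner produces a third, which is the false positive the whitelisting bullet refers to. The two rules read different NetFlow attributes on purpose: brute force is a count of sessions that completed (ACK seen) and stayed small, while a scan is a count of ports that never answered, so neither rule fires on the long HTTPS sessions in the sample.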

KEY FEATURES OF THE SOLUTION

High efficiency

• Dashboards are generated without constant reloading of data, which makes data navigation and drill-down much faster.

• Support of up to 250 000 flows per second, retrieved from a network of any architectural complexity.

• The load on the network and network devices caused by the solution is negligible.

• With scalable mass storage, data retention periods may be managed in a flexible manner.

Alert system

• Alerts are generated on meeting pre-defined conditions, e.g. upon exceeding a specific utilisation on a given port or a traffic threshold.

• A specific message is sent by email, syslog or an SNMP trap.

• The system enables defining alert-triggering parameters.

Flexible data analysis mechanisms

Intuitive big data components enable all kinds of ad-hoc analyses. The system enables, inter alia:

• Fast presentation of data relating to the entire network, groups of parameters or individual parameters (port, interface, host, IP) in any time window.

• Easy top-down access – with just a single click, the drill-down mechanisms enable viewing of data for a specific port, interface or IP address directly from the table or diagram level.

• Free-text search across system data, in the manner of a Google search.

• Maintenance of time- and filter-based contexts between individual views.

A map of threats, providing a clear presentation of the locations from which attacks originated.


Easy top-down analyses enabled by information grouping features and drill-down mechanisms.


Passus Group is focused on developing and implementing highly specialised IT solutions for monitoring and improving network and application performance as well as IT security, both in on-premise architecture and cloud environments. The Group consists of Passus, Wisenet and Chaos Gears. The Group offers the following solutions and services:

• Solutions for monitoring and troubleshooting network and application performance.

• IT security solutions, in particular vulnerability detection; network, application and data security; security incident monitoring and management systems (SIEM/SOC).

• Designing cloud solutions, migration of applications and data to the cloud, and support in the management and optimisation of cloud environments.

Our engineers have implemented some of the largest Application and Network Performance Management and SIEM projects in Poland. Over 20 years of cooperation with companies and institutions from Poland and abroad has resulted in a thorough knowledge and understanding of the business and technical factors of these organisations. Our customer portfolio includes even such demanding partners as the Polish Ministry of National Defence, T-Mobile, National Bank of Poland, Enea Group, Oncology Centre in Gliwice, Polish Financial Supervision Authority, Orange, PGE, Ikea, PKO BP, PZU, Volkswagen Poland, Rzeszów University of Technology, Orlen, PKP SA Group, Military Institute of Medicine. The Company provides comprehensive services, from needs analysis, through planning, implementation services, tailor-made solutions, employee training, to service and after-sales support.

Passus Group is a partner for Riverbed (Riverbed Premier Partner), Symantec (Gold Partner), IBM, Amazon Web Services, Fidelis Cybersecurity, Core Security, NetScout, New Relic, Cisco and Tenable. Passus also has its own R&D team. On the basis of its experience, the team developed its own advanced network sniffing solution, Passus Ambience, and a NetFlow-based network monitoring system, Passus FlowControl. The Group employs nearly 60 highly qualified engineers, programmers and specialists. In addition to many successful implementations, the team’s competence has been confirmed by nearly 40 individual certificates, including: personal security clearance up to “Confidential” and “NATO Secret” clauses, CISA, CISSP, Riverbed Certified Solutions Professional, Cisco Associate and Professional for R&S, Security and Wireless, Core Impact Certified Professional, ISO 27001 Lead Auditor, Riverbed NPM/AMP Qualified Trainer, IBM Certified Deployment Professional Security QRadar SIEM, ArcSight Certificate AS Data Platform Technical, Certified Ethical Hacker, Offensive Security Certified Professional. In 2017, the Company fulfilled the requirements of the Polish Internal Security Agency and was granted the facility security clearance, which confirms its ability to provide services to institutions and branches of the economy in the area of access to classified information, both in Poland and in the NATO and European Union.

Passus joint-stock company was formed by spinning off the Networks and IT Security Department from Passus limited-liability company, which had operated on the IT market since 1992. Since July 2018, the Company has been listed on the Stock Exchange (NewConnect).