
Optimise your entire network from Core to Edge to Cloud

Threat actors no longer break in, they simply log in. They operate inside encrypted traffic, navigating across your network undetected. Conventional security solutions aren’t cutting it, it’s time for a new approach.

The ThreatEye NV network detection and response platform is purpose-built for network security, combining next-generation data collection, advanced behavioral analysis, and streaming machine learning for threat detection and security compliance.

AI-Driven Analysis of Encrypted Traffic

Deep Packet Dynamics

150+ Packet Traits & Behaviors in networked environments with multiple providers, multiple domains and multiple clouds.
Agnostic to Packet Contents.

Machine Learning

Scalable real-time analysis of Deep Packet Dynamics.
Specially developed for the security of corporate networks.

Analysis of Encrypted Traffic

Detect what others miss. Actionable Intelligence. Eliminate Encryption Blindness. Validate end-to-end encryption compliance.

Encrypted Traffic Visibility is the Key to Security

Increased adoption of encrypted network protocols is causing the erosion of network visibility for security teams.

Legacy tools are losing transparency. Encrypted Traffic Analysis, the application of machine learning to deep packet dynamics, is the perfect solution for analyzing encrypted traffic without the need for decryption.

Reduce downtime with faster detection through industry-leading real-time detection analysis. Designed to process millions of events per second, ThreatEye NV’s multi-stage analysis pipeline is fueled by analyzers – or models – engineered to analyze network traffic without multiple passes over the data stream.

Analyzers are architected specifically for network security and scale via parallel processing.


Detect threats that others miss

ThreatEye’s Deep Packet Dynamics (DPD) is agnostic to packet contents and is used to create a historical inventory of traits and behaviors for profiling and fingerprinting, a technique that works equally well with both encrypted and unencrypted traffic.

Machine Learning models are applied to identify advanced behavioral threat actor anomalies including phishing, unauthorized remote access (RDP/VPN), reconnaissance, lateral movement, C2, tunnelling, hands-on-keyboard, and data exfiltration.

SOC Enabled: Decrease Time to Investigate

Improve the effectiveness of the SOC by increasing the speed of response. ThreatEye NV’s multi-stage analysis pipeline correlates and enriches traffic with findings detail, risk scores, and MITRE ATT&CK labeling.

Using ThreatEye NV, you can respond in real-time and accelerate triage with integrated packet analysis.


Customisable Dashboards and Advanced Reporting

ThreatEye NV provides multiple workflows to help the professional analyst build a profile of their network, supporting out-of-the-box dashboards and customizable reporting that highlight and prioritize concerns needing immediate attention.

The longer it takes to identify threat actor activity, the more successful their attack will be.

Ensure Platforms Conform to Security Standards

ThreatEye NV provides encryption-policy specific alerting and reporting for security compliance.

The increased adoption of encryption to secure applications makes it all the more necessary to ensure that all platforms conform to the enterprise’s encryption standards.

ThreatEye NV Datasheet

Introduction to LiveAction ThreatEye NV

Business continuity and operational resiliency are under attack and challenged at an unrelenting pace. Traditional security tools attempt to stop attacks by using deep packet inspection or rules-based monitoring on unencrypted traffic, which is no longer sufficient.

In Q2 2021, 91.5% of malware arrived over an encrypted connection. Attackers are always looking for an advantage to go undetected, hiding activity within encrypted channels to exploit a blind spot or a gap in security architecture.

Maintaining visibility has grown increasingly complicated and challenges both NetOps and SecOps teams. While encrypting traffic has been standard practice to protect privacy, its strength and effectiveness have evolved and will continue to evolve, widening the blind spot in which threat actors can operate.

For organizations to make an immediate impact against adversaries and stay ahead of tomorrow’s threats, a different security strategy is needed.

Encrypted Traffic Visibility is the Key to Security

A new approach: the ThreatEye NV Network Detection and Response (NDR) platform was developed specifically for today’s network security environment and combines next-generation data collection, advanced behavioral analysis and machine learning for threat detection and security compliance.

Unaffected by encryption, ThreatEye NV combines the traits and characteristics of network traffic with machine-learning-based streaming analysis.

Unlike traffic analysis solutions based on DPI technologies, the ThreatEye platform uses Deep Packet Dynamics (DPD) to analyze traffic flows.

DPD delivers high-fidelity flow records with more than 150 traits for every flow, all without inspecting the payload. Packet dynamics, coupled with machine learning, offer unique possibilities for making encrypted traffic visible again.

Key Benefits

  • Detect threats and anomalies that others miss – ThreatEye’s Deep Packet Dynamics (DPD) is agnostic to packet contents and is used to create a historical inventory of traits and behaviors for profiling and fingerprinting, a technique that works equally well with both encrypted and unencrypted traffic. Machine Learning models are applied to identify advanced behavioral threat actor anomalies.
  • Threat Detection in Real-Time – Reduce operational outages with faster detection through industry-leading real-time detection analysis. Designed to process millions of events per second, ThreatEye NV’s multi-stage analysis pipeline is fueled by analyzers – or models – engineered to analyze network traffic without multiple passes over the data stream. In addition, analyzers are explicitly architected for network security and scale via parallel processing.
  • Eliminate Encryption Blindness – Increased adoption of encrypted network protocols is causing the erosion of network visibility for security teams. As a result, legacy tools are losing visibility. Encrypted Traffic Analysis, the application of machine learning to deep packet dynamics, is the perfect solution for analyzing encrypted traffic without decryption.
  • SOC Enabled – Decrease Time to Investigate and Respond – ThreatEye NV’s multi-stage analysis pipeline correlates and enriches traffic with findings detail, risk scores, and MITRE ATT&CK labeling. Using ThreatEye NV, you can respond in real-time and accelerate triage with integrated packet analysis.
  • Validate End-to-End Encryption Compliance – ThreatEye NV provides encryption-policy specific alerting and reporting for security compliance. The increased adoption of encryption to secure applications makes it all the more necessary to ensure that all platforms conform to the enterprise’s encryption standards.
  • Secure Your Entire Network – From Core to Edge to Cloud – The ThreatEye NV solution includes lightweight, easy-to-deploy software sensors available for deployment anywhere and everywhere visibility is needed.
  • Cohesive Response – ThreatEye NV interconnects seamlessly with existing security tools like SIEMs, SOAR, and Threat Intelligence. Workflow automations with products like Cisco SecureX can take immediate action on security events to quarantine hosts or block threats. SIEM integration can provide correlation with EDR events and malicious activity on previously unseen encrypted channels.

Metadata Enrichment

The ThreatEye NV probe extracts an extensive metadata set with more than 150 dynamic packet traits to support threat and anomaly detection, response, hunting, forensics, and compliance reporting.

Because packet-dynamics metadata focuses on the characteristics and behavior of packets rather than their contents, this data collection technique works equally well on encrypted and unencrypted traffic.

Examples of metadata enrichment include:

  • Byte Distributions
  • SPLT (Sequence of Packet Lengths and Times)
  • Jitter
  • Producer/Consumer Ratio
  • Retransmits
  • Connection Setup Time
  • Round Trip Time
  • Setup Latency RTT
  • Per Flow Metrics
  • Intra-flow Statistics
  • Extended Flow Attributes
  • TCP Metrics
  • Behavioral Metrics
  • L7 Application Classification
  • Internal Network Labeling
  • Country Code
  • ASN
  • Latitude / Longitude
  • Service Provider Type
  • JA3 / TLS Fingerprint
  • DNS
  • OS Fingerprint
  • MITRE ATT&CK – TTPs
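
To make concrete what payload-agnostic traits of this kind look like, here is an added example (not ThreatEye code) that computes SPLT, the producer/consumer ratio, jitter and a per-flow feature record from a constructed packet list; the field names and the sample flow are assumptions.

```python
from statistics import pstdev

# Constructed packet records for one TCP flow, in arrival order:
# (seconds since first packet, direction, on-wire length in bytes).
# Only timing, direction and size are used; no payload is read.
FLOW = [
    (0.000, "c2s", 517),   # client -> server
    (0.021, "s2c", 1460),  # server -> client
    (0.022, "s2c", 1460),
    (0.023, "s2c", 389),
    (0.025, "c2s", 126),
    (0.026, "c2s", 300),
    (0.048, "s2c", 1200),
    (0.051, "c2s", 90),
]

def splt(flow, n=8):
    """SPLT: the first n (length, inter-arrival ms) pairs; s2c lengths are negative."""
    out, prev = [], flow[0][0]
    for t, d, ln in flow[:n]:
        out.append((ln if d == "c2s" else -ln, round((t - prev) * 1000, 1)))
        prev = t
    return out

def producer_consumer_ratio(flow):
    """PCR in [-1, 1]: +1 means the client only sends, -1 means it only receives."""
    sent = sum(ln for _, d, ln in flow if d == "c2s")
    recv = sum(ln for _, d, ln in flow if d == "s2c")
    return (sent - recv) / (sent + recv) if sent + recv else 0.0

def jitter_ms(flow):
    """Jitter as the population std. deviation of inter-arrival times, in ms."""
    gaps = [(b[0] - a[0]) * 1000 for a, b in zip(flow, flow[1:])]
    return pstdev(gaps) if len(gaps) > 1 else 0.0

def flow_features(flow):
    """Per-flow feature record of the kind a payload-agnostic probe would export."""
    return {
        "packets": len(flow),
        "bytes_c2s": sum(ln for _, d, ln in flow if d == "c2s"),
        "bytes_s2c": sum(ln for _, d, ln in flow if d == "s2c"),
        "duration_ms": round((flow[-1][0] - flow[0][0]) * 1000, 1),
        "pcr": round(producer_consumer_ratio(flow), 3),
        "jitter_ms": round(jitter_ms(flow), 1),
        "splt": splt(flow),
    }
```

A strongly negative PCR with a long burst of full-size server packets reads as a download; the same features computed over an upload-heavy flow would flip the sign, which is the kind of shift a data-staging or exfiltration model keys on.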

Streaming Analysis

LiveAction ThreatEye NV Streaming Analysis

ThreatEye NV is powered by a streaming machine learning engine (MLE) that ingests the high-fidelity metadata generated by its software probes.

ThreatEye NV’s ML engine is purpose-built for network security. Unlike traditional batch processing, streaming ML is fueled by analyzers – or models – engineered to analyze network traffic without multiple passes over the data stream. Analyzers are architected for specific use cases and scale via parallel processing.

Threat Detection Analyzers

  • Unexpected Encryption
  • Unexpected Plaintext
  • Unassigned Encryption
  • New Encryption Detection
  • New Encrypted Client Certificate
  • New Encrypted Server Certificate
  • New Encryption Protocol
  • New Encryption Protocol Version
  • New Encryption Cipher
  • New Encryption Service (network, host)
  • New Encryption User
  • New SSH Client
  • New SSH Server
  • New TLS SHA1
  • New TLS Version
  • Encryption on IANA reserved port
  • Encryption on IANA unassigned port
  • Encryption Handshake Cache
  • TLS Policy – TLS 1.1 vs. 1.2 or 1.3
  • Unauthorized DNS server
  • Unauthorized TLS version
  • Phishing Attempt Detection
  • TLS self-signed certificate
  • TLS certificate expired
  • TLS certificate mismatch
  • Malicious JA3 Fingerprint
  • Malicious SHA1 Certificate
  • TLS with no SNI
  • TLS connections not carrying HTTPS
  • TLS obsolete version
  • TLS weak cipher
  • TLS suspicious ESNI usage
  • TLS Uncommon ALPN
  • SSH/SMB obsolete protocol
  • HTTP suspicious user-agent
  • HTTP numeric IP host contacted
  • HTTP suspicious URL
  • HTTP suspicious protocol header
  • HTTP Suspicious content
  • Malformed packet
  • Unsafe protocol used
  • Suspicious DNS traffic
  • XSS (Cross-Site Scripting)
  • SQL Injection
  • Code Injection/Execution
  • Binary/.exe application transfer
  • Known protocol on a non-standard port
  • RDP on a non-standard port
  • Risky ASN
  • Risky Domain Name
  • Desktop or File Sharing Session
  • Keystroke Detection
  • Failed/Successful RDP Login
  • DNS Tunneling Detection
  • Connection-Status
  • Unauthorized Application Use
    • DHCP
    • FTP
    • NTP
    • RDP
    • SMB
    • SMTP
    • SSH
    • TELNET
  • Allowed Servers (DNS, DHCP, NTP, et al.)
  • New Local Server Inference (DNS, DHCP, HTTP, HTTPS, etc.)
  • IP Watchlist
  • IP TTL Anomaly
  • OS Fingerprinting
  • Brute Force Attempt Detection (RDP/SSH/VPN)
  • Brute Force – Successful Connection After Brute Force Attempt
  • Device Producer /Consumer Ratio Change
  • Ratio Device Connection Jitter
  • Timing Histogram
  • Domain Frequency
  • Passive DNS Caching
  • DOH Detection (DNS over TLS/HTTPS/QUIC)
  • DNS Change Detection
  • DGA Domain Detection
  • Suspicious DGA domain contacted
  • DNS suspicious traffic
  • Threat Intelligence – IP Reputation
  • Threat Intelligence – Domain Reputation
  • Custom Threat Intelligence (Bring Your Own List)
  • DNS Tunneling
  • Log4j Scanning Detection
  • Log4j Request Detection
  • Hands-on-keyboard (Keystroke Detection)
  • Lateral Movement
  • Degradation
  • Data Staging
  • Excess Usage
  • Excess Interaction
  • Data Exfiltration
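
As an added illustration (not ThreatEye code) of the single-pass pattern described above, the block below runs four independent analyzers over each flow-metadata record exactly once: three stateless checks (TLS policy floor, weak cipher, missing SNI) and one stateful first-seen check (new encryption protocol version per host). Record fields, the policy floor, the weak-cipher markers and the sample records are assumptions.

```python
from collections import defaultdict

# Constructed flow-metadata records of the kind a payload-agnostic probe emits.
RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "TLS",
     "version": (1, 3), "cipher": "TLS_AES_128_GCM_SHA256", "sni": "example.com"},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "TLS",
     "version": (1, 3), "cipher": "TLS_AES_128_GCM_SHA256", "sni": "example.com"},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 8443, "proto": "TLS",
     "version": (1, 1), "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "sni": ""},
    {"src": "10.0.0.5", "dst": "198.51.100.9", "dport": 443, "proto": "TLS",
     "version": (1, 2), "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sni": ""},
]

MIN_TLS = (1, 2)   # assumed enterprise policy floor: TLS 1.1 and older are findings
WEAK_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")   # assumed weak-cipher list

class StreamingAnalyzers:
    """Every record is seen exactly once; only small per-host state is kept."""
    def __init__(self):
        self.seen = defaultdict(set)   # src host -> {(proto, version)} already observed

    def tls_policy(self, r):
        if r["proto"] == "TLS" and r["version"] < MIN_TLS:
            return "TLS below policy (%d.%d)" % r["version"]

    def weak_cipher(self, r):
        if any(m in r["cipher"] for m in WEAK_MARKERS):
            return "weak cipher " + r["cipher"]

    def no_sni(self, r):
        if r["proto"] == "TLS" and not r["sni"]:
            return "TLS with no SNI"

    def new_version(self, r):
        key = (r["proto"], r["version"])
        if key not in self.seen[r["src"]]:      # first time this host used it
            self.seen[r["src"]].add(key)
            return "new encryption protocol version %s %d.%d" % (key[0], *key[1])

    def process(self, r):
        """Run every analyzer on one record and keep the non-empty findings."""
        checks = (self.tls_policy, self.weak_cipher, self.no_sni, self.new_version)
        return [(r["src"], f) for f in (c(r) for c in checks) if f]

def run(records):
    # Feed records in arrival order (a single pass) and return all findings.
    a = StreamingAnalyzers()
    return [f for r in records for f in a.process(r)]
```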

Inform and Take Action

ThreatEye NV’s SaaS offering includes SOC-enabled dashboards to increase responsiveness. The dashboards support SOC analysts’ workflows and are fully customisable to meet all requirements. ThreatEye NV also supports response capabilities to inform as well as take action.

All data is available in real time and via a RESTful API, and important complementary technologies are integrated. Individual integrations can be tailored to your company’s needs. ThreatEye NV’s integrations are capable of remediation and action based on the customer’s technology stack.

Investigate and Hunt:

  • Integrated continuous packet capture with single-click pivot-to-PCAP
  • SPLT (Sequence of Packet Lengths and Times)

Available Integrations include:

  • ElasticSearch
  • DataDog
  • Azure
  • InfluxDB
  • Splunk
  • Kafka – real-time streaming
  • Crowdstrike
  • Cisco SecureX
  • Cortex XSOAR

Response Actions include:

  • email
  • webhook
  • index
  • logging
  • slack
  • pagerduty

Deployment

ThreatEye NV is a SaaS offering with software sensors deployed as containerized software applications. This containerized approach allows the solution to be deployed either on-premises, in a private or public cloud, or a mixture of both (hybrid cloud).

Regardless of the deployment option, ThreatEye NV’s software components scale to ingest network data directly from physical or virtual network taps at wire-speeds up to 40Gbps.

Find out more about ThreatEye’s POC programme today.

ThreatEye software is available on an annual subscription basis. Support included.

Minimum Requirements: ThreatEye NV hardware recommendations are based on standard internet traffic composition per bandwidth. Therefore, the network traffic mix may affect performance.

Bandwidth and specifications:

  • 1 Gbps: 4x processor cores; CentOS 7 or other Docker-compatible Linux OS; 16 GB memory; 4 GB storage; 2x 1G network interfaces (one for management, one for monitoring)
  • 10-20 Gbps: 48x processor cores; CentOS 7 or other Docker-compatible Linux OS; 64 GB memory; 128 GB storage; recommended Intel X710 2x10G (SFP+) network interface card and 1x1G for management
  • 40 Gbps: 48x processor cores; CentOS 7 or other Docker-compatible Linux OS; 96 GB memory; 128 GB storage; Napatech SmartNIC 4x10G (SFP+) network interface card and 1x1G for management

Contact Us

We will be happy to consult you and look forward to hearing from you!