Overview

About CyberFlow Analytics

Established in 2014, CyberFlow Analytics is the leader in network behavior analytics and provides a software-only solution that enables end customers and Managed Security Service Providers to secure Enterprise networks, and the expanded Internet of Things (IoT) attached to the Enterprise, with continuous threat defense. Our solution combines advanced network behavior analytics, software as a service and leading visualization capabilities to provide real-time threat defense for every connected device, not just the traditional IT-managed devices such as routers, switches, servers, storage and PCs. The solution is based on our proprietary software and Binocular Fusion Analytics (patent pending), which learns acceptable normal network behavior in order to identify malicious activity within milliseconds. The solution is highly scalable, from very small deployments to the largest networks, and it begins detecting anomalous activity immediately upon installation. Importantly, our system was architected to reach beyond traditional networks to secure and monitor extremely large networks consisting of corporate networks and every IP-based connected device, the Internet of Things.

Real-time threat detection allows security staff to identify very sophisticated Advanced Persistent Threats (APTs) from known and unknown bad actors near instantaneously, and certainly well in advance of log-based systems, which rely on “after the fact” analysis of collected, aggregated and correlated data. Our solution is affordable enough to protect the entire network, as opposed to sandbox approaches, which focus on narrow but important parts of the network. Our solution provides easy-to-use visualization techniques to see the APT and its relationship to the other parts of the network, and to visually identify misbehaving network elements, with supporting identifying information, so that action can be taken immediately. Our solution is differentiated from other security analytics solutions because it doesn’t rely on human/user behavior as the predictor; it relies on network traffic patterns and the anomalies found in the traffic. In the IoT market, the vast majority of connected devices will not be users with laptops, smart phones or tablets; they will be machines communicating without user profiles. Consequently, traditional analytics based on users will be blind to IoT threats.

Industry Background

Many companies are rushing to enter the security market, and many are focused on improving traditional methods and processes; however, sophisticated and damaging criminals are outpacing these traditional methods and processes. The threats of a decade ago seem immature and unambitious compared to global, well-organized and well-funded criminals looking to exfiltrate information, or to suspend businesses by interrupting commerce, transportation, utilities, retail establishments, financial institutions, governments, militaries and others. The attack surface historically had been well contained: it was the corporate network, consisting of traditional devices such as routers, switches, servers, storage, laptops and BYOD. Today there is no defined boundary for the network; the IoT has expanded the network from these traditional devices to include sensors monitoring utilities, health equipment keeping people alive, devices used to scan almost everything from airline baggage to groceries, robots on factory production lines, surveillance equipment, card readers, and the list goes on.

The majority of Enterprises are planning for IoT, but many haven’t realized that they have been implementing IoT for years without protecting the Enterprise from these relatively simple devices moving data across its network. APTs are data; many hide in legitimate data packets without distinguishing markers that would notify any of the traditional systems that an APT is contained within them. Therefore, the next generation of analytics and technology must be able to distinguish bad traffic from good, and do it at network speed, in real time. This requirement rules out previous-generation products that examine network traffic through Deep Packet Inspection, principally because DPI becomes an unacceptable bottleneck that prevents high-fidelity, mission-critical applications from performing properly on the network.

We sell our product into the public and private sectors; any entity running an IP-based network can be compromised and consequently is a potential customer for our solution. We license subscriptions to large Enterprises and governments to operate within their environments, generally within a private cloud. Additionally, we license subscriptions to Managed Security Service Providers (MSSPs), through which they may offer continuous threat detection and a range of other security-based services, such as analysis, recommendations and integration, to generally smaller organizations. However, we see a shift in the behavior of many businesses toward seeking an MSSP so that they may implement the offering quickly, without scheduling an internal deployment or training staff, and can scale their use as needed.

Factors creating a need for Network Behavior Analytics

The objective of network behavior analytics is to find the most sophisticated security threats by applying anomaly analytics, consisting of a series of mathematical models, to synthesize network traffic in real time. Historically, network traffic is collected, aggregated and correlated within the Enterprise network and then analyzed with tediously hand-written rules to filter large volumes of data and determine bad behavior, and this is always performed after the fact. These methods aren’t considered adequate for detecting threats in IoT: 8 out of 10 security executives surveyed by SANS felt that the IT organization is responsible for managing IoT risks, but over 50% felt completely unprepared to do so. Organizations need network behavior analytics to successfully adopt IoT security into the Enterprise security complex and manage all risks from any connected device. This need is driven by a number of trends, including the following:

  • The proliferation of Industrial Internet connected devices, in addition to traditional PCs, servers, routers, switches, tablets, smartphones and laptops.
  • Rapid growth in the number and types of devices connected to the network with embedded software and processors, which pose challenges to existing IT security practices.
  • Rapid growth of machine-to-machine communications, which don’t generate log data or conform to standards.
  • Increasing dependency on manual processes for discovery of connected devices; many of the processes depend on interrogating agents or Active Directory domain logins, neither of which is supported by the connected devices.
  • Preponderance of malware being introduced to the Enterprise network through machine-to-machine communications.