How It Works

Binocular Fusion Analytics

CyberFlow Analytics FlowScape™ is a Network Behavioral Analytics (NBA) solution delivering real-time anomaly detection for securing the Industrial Internet of Things and Enterprise IT using Adversarial Analytics, Threat Intelligence and Advanced Visualization. We have termed this technology “Anomalytics™” for finding anomalies in your network using analytics for all devices, all protocols, all communications whether it is M2M Scada or Enterprise IT. There is a convergence of OT, IT and IoT occurring across the industry and CyberFlow provides a horizontal solution for real-time detection of anomalous high risk activity.

The first element of CyberFlow Anomalytics is Binocular Fusion Analytics which has the potential of identifying anomalies that could be associated with malware or threat vectors that have never been seen before in the industry (e.g. Unknown Threats). All flow data from IoT sensors or network behaviors can be converted into vectors. The Binocular Fusion approach to analytics is a unique patent-pending technology that fuses multiple perspectives of vectors together to reduce noise and increase accuracy of anomaly detection. FlowScape incorporates multiple behavioral models using Binocular Fusion Analytics and clustering analytics known as Self Organizing Maps (SOM) to machine learn and understand the normal business or industrial processes of your organization. The FlowScape system uses unsupervised machine learning which targets unknown threat detection vs. supervised machine learning which uses known threat to train the analytics. The analytics incorporate a number of behavioral models to detect anomalous communication across over 300 dimensions including client behavior, server behavior, protocol behavior, port behavior, internal vs. external communication, etc… For example, a customer may see a billion communications a month coming from a span port on a Cisco 6500 core switch. Each of those communications can be evaluated by FlowScape analytics engine as a potential anomaly in less than 1ms across all models. The FlowScape proprietary software architecture uses various stages of analytics and policy to calculate anomaly scores and risk scores on every communication across the core of your network. A historical behavioral bookkeeping is maintained for ALL IP by IP by Port communications through the lense of these models including tracking one day, seven day and 30 day perspectives for changes in device communication behaviors.  This Binocular Fusion Analytics approach to real-time detection of anomalies is considered best-of-breed in the network behavioral analytics market.


Smart Packet Inspection

The network is the source of truth for all devices, all applications, all protocols involved in this convergence of OT, IT and IoT. The system uses only raw packet meta-data (not Deep Packet Inspection/DPI or NetFlow) to analyze network data flows and then creates statistical behavior “flow records” for each IP by IP by Port communication. This means that no private of confidential information is stored or processed by the FlowScape system (e.g. PCI, HIPAA, or sensitive data). By only watching raw packet envelope information the CyberFlow solution can detect anomalies both in encrypted communications and detection of command and control tunneling across any protocol (e.g. DNS tunneling). In the Industrial IoT world devices may not have users associated with them, by monitoring all network traffic the CyberFlow Analytics FlowScape system can find unknown IoT threat vectors that traditional tools cannot detect. Other vendors may provide User Behavioral Analytics which does not apply to Industrial IoT use cases.

Threat Intelligence

There are three types of anomalies: positive, neutral and negative. Positive anomalies occur when system or network changes are made and you see them propagating across the organization. Neutral anomalies are everyday noise that happens and should be filtered out. Negative anomalies can occur from adversarial cyber activities (cyber attacks) or from operational issues such as malfunctioning devices or misconfigured equipment. Both types of negative anomalies should be escalated to operations staff: Security Operations, Netops, or Industrial Operations (IoT). The context of an anomaly is very important to understand the risk to the organization. In FlowScape a second stage of analytics and policy determine the risk using threat intelligence, geo-location and other contextual information. Custom Black Lists and other intelligence can be added to your FlowScape system to provide further customization and context around anomaly risk.


Advanced Visualization

Visualization of the threat landscape is just as important as the math underneath. CyberFlow has a very unique approach to visualization. It automates aggregation of anomalies into a time-based topology display to show the evolution of breach activity across a kill chain. For Advanced Persistent Threats (APTs) that occur over many months, CyberFlow can track this activity and show the movement of reconnaissance, pivoting, command and control and other connected adversarial activities on your network. 

Software Architecture

The FlowScape software is built using a distributed, virtualized and horizontally scalable software architecture using modern cloud-friendly technology stacks. The FlowScape backend analytics system is centralized and runs in Docker Containers and Virtual Machines (VMs) while the FlowScape sensors are placed out in the premise and connected to TAP/Span ports on core network switches. The backend FlowScape system can run in any cloud, including your data center VMware infrastructure, at the edge in the IoT Gateway (Fog Computing Device) or in a public cloud such as Amazon AWS. The system is DevOps friendly through Docker Updates to enable easy updating of the analytics and threat intelligence. Unlike competitive products that are shipped on appliances with a distributed management overhead, FlowScape is delivered as a software-only solution and has the lowest TCO in the industry for operating and updating the security software.

FlowScape CyberHooks™

The CyberFlow software includes FlowScape CyberHooks to rapidly enable sending high risk anomaly events to external systems. Leveraging an advanced publish/subscribe model, CyberFlow delivers a web services integration layer with an enriched set of anomaly events that can be integrated with Security Information Event Management (SIEM) such as HP ArcSight, Splunk or other external security, operations or network management systems. FlowScape CyberHooks can be configured to support a variety of transports, including industry standard Syslog, SMTP and HTTP webhooks.  Additionally, the FlowScape CyberHooks events can be delivered as a rich JSON message or utilizing industry standard Common Event Format (CEF).

Plug and Play Deployment with Zero Configuration

Customer Security Operations staff are already overworked and overwhelmed with their security tools. They do not have time to learn “yet another security tool”, yet they need to add real-time continuous monitoring for anomalies for both IoT and Enterprise IT. FlowScape software installs in less than an hour with OVA files and requires zero configuration. It begins listening to your network and machine-learning, building up a historical bookkeeping of your client, server and protocol behaviors. The system does not require any configuration to work and generic trained baselines are included in the system to help find high risk anomalies on day one. The longer the system runs, the smarter the system becomes in regards to finding potential risky behaviors on your network. The machine-learned baselines can be re-trained periodically with a few command lines to fine tune the system to your specific environment. The system can be customized if desired to label and identify critical assets, admin servers, and honeypots (or your own custom groups) to further enhance the monitoring capabilities and customize special handling of anomalies for groups of devices.

For More Information

For more information and to see the software in action,
view our YouTube video:

Send questions or schedule a meeting by contacting

CyberFlow Demo