Network security monitoring startup MetaFlows launched a new Software-as-a-Service (SaaS) product that can be installed on low-cost hardware to monitor network traffic flow, detect possible intrusions and analyze event logs.
The MetaFlows Security System (MSS) is composed of local software agents that can run on inexpensive off-the-shelf hardware and a cloud-based service where the results are stored.
The local MSS sensors capture network events and transmit the corresponding data to the company’s cloud system where they get analyzed and sorted by priority. Customers can inspect the results using a secure Web interface.
The sensors can be deployed as stand-alone appliances or they can be installed on the customer’s existing hardware using a Linux-based software package that contains proprietary and open source technology.
The software agent includes BotHunter, an IDS (intrusion detection system) software licensed from SRI International; the open source Snort IDS with generic signatures from the Emerging Threats project; the Flow, NetFlow, Sflow and CFlow network traffic monitoring plug-ins; log management tools compatible with OSSEC (Open Source Security) and MetaFlows proprietary applications.
The company also offers a package for setting up a honeypot client that acts as a decoy for internal network threats, although this is an optional feature.
One of MSS’ key benefits is the low cost associated with its deployment and maintenance when compared to traditional IDS products, said MetaFlows CEO Livio Ricciulli.
This is partly due to the use of open source software, but also because of improvements made to it by MetaFlows. One example is the modifications made by the company to the PF_RING packet capture library in order to support multithreaded Snort instances on multi-core processors.
This allows MetaFlows sensors to process 800M bps of sustained network throughput when using an eight-core Intel i7 CPU that costs around $1,000. In comparison, the max throughput that can be processed using a standard packet capture library with a single thread is 100M bps.
On the server side, the company has developed a threat prediction algorithm similar to the one used by Google’s search engine to rank websites. This technology is used to prioritize events, therefore increasing the productivity of network security analysts.
According to Ricciulli, tests performed by the company showed that with a traditional IDS solution, an analyst has to inspect between 20 and 30 incidents before finding one that requires an action. However, because MetaFlows’ predictive algorithm uses anonymous statistics from all customers to determine the most serious events, an analyst will have to inspect only six or seven incidents in order to find an actionable one.
The nature of the platform, which allows data from sensors deployed in multiple computer networks of the same organization to be gathered and inspected in a single place, facilitates better collaboration between analysts.
The cost of a low-end IDS appliance is $20,000, Ricciulli said. The subscription for the service is $4,000 per year and the money spent by a company to pay an administrator for it is around $80,000 per year. In comparison, an MetaFlows appliance costs $2,000, the subscription is $99 per month and the administrator’s salary is estimated at $50,000.
MetaFlows is based in San Diego. The company has received research funding from the U.S. Department of Defense and the National Science Foundation.