IT infrastructure monitoring cannot take place without thorough network traffic analysis. Because copies of network traffic and NetFlow exports have to be parsed at high throughput, a dedicated network probe has been added to Energy Logserver. It enriches the data collected in the system and so improves the work of both network administrators and SOC analysts.
The architecture of the ELS Network Probe allows a single instance to receive and analyse gigabit-scale network traffic and tens of thousands of flows per second in real time. Large and distributed environments can deploy many probes that cooperate with each other and present a complete picture of the communication.
The Network Probe module provides two basic functions.
First, it is an efficient flow collector that receives data from sources over protocols such as NetFlow v5, NetFlow v9, IPFIX, jFlow, sFlow and NetStream. We recommend the probe wherever the volume of flow data would be difficult to absorb in a basic Energy Logserver Log Management Plan deployment.
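To show what a flow collector has to do before any enrichment happens, here is an added Python example (not Energy Logserver code) that decodes a NetFlow v5 export datagram. The field layout is the published v5 format; the sample datagram, the private addresses in it and the helper that builds it are constructed for this example. Every length and count is validated against the header before a record is touched, which is the check a collector exposed on UDP needs so that a truncated or hostile packet cannot produce half-parsed flows.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 export datagram: a 24-byte header followed by 1..30 48-byte flow
# records. Field layout follows the published v5 format; the sample packet
# below is constructed for the example, not captured from a real exporter.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def _ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Decode one v5 datagram into flow dicts, or raise ValueError.

    Version, record count and total length are all checked against the
    header before any record is decoded, so a truncated or hostile UDP packet
    cannot yield half-parsed flows or an out-of-bounds read.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} for count {count}")

    # First/Last are milliseconds of exporter uptime; anchor them to wall-clock time.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime_ms / 1000.0
    sampling_interval = sampling & 0x3FFF  # low 14 bits; top 2 bits are the mode

    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad, tcp_flags, proto, tos, src_as, dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "seq": flow_seq + i,
            "src": _ip(src), "dst": _ip(dst), "nexthop": _ip(nexthop),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "bytes": octets,
            "tcp_flags": tcp_flags, "tos": tos,
            "start": boot_epoch + first_ms / 1000.0,
            "end": boot_epoch + last_ms / 1000.0,
            "in_if": in_if, "out_if": out_if,
            "src_as": src_as, "dst_as": dst_as,
            "sampling": sampling_interval,
        })
    return flows


def build_netflow_v5(records: List[Dict], unix_secs: int = 1_700_000_000,
                     sys_uptime_ms: int = 60_000, flow_seq: int = 1000) -> bytes:
    """Encode flow dicts as a v5 datagram (used only to construct the sample)."""
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            struct.unpack("!I", socket.inet_aton(r["src"]))[0],
            struct.unpack("!I", socket.inet_aton(r["dst"]))[0],
            0, 1, 2, r["packets"], r["bytes"], r["first_ms"], r["last_ms"],
            r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,
            0, 0, 24, 24, 0)
        for r in records)
    return header + body


# Constructed sample: one DNS query and one TCP/445 session between private hosts.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.53", "sport": 51234, "dport": 53,
     "proto": 17, "packets": 1, "bytes": 76, "first_ms": 59_000, "last_ms": 59_000},
    {"src": "10.0.0.5", "dst": "192.168.1.20", "sport": 49152, "dport": 445,
     "proto": 6, "packets": 40, "bytes": 6200, "first_ms": 50_000,
     "last_ms": 58_500, "tcp_flags": 0x1B},
]
SAMPLE_DATAGRAM = build_netflow_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    for f in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"proto={f['proto']} bytes={f['bytes']} dur={f['end'] - f['start']:.1f}s")
```

NetFlow v9 and IPFIX are template-based, so a collector for them must additionally cache templates per exporter and drop data records whose template has not yet arrived; the fixed-layout parsing above is specific to v5.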
The second important function is passive collection of network traffic copies, which allows a closer look at events inside the monitored IT/OT network. This analysis goes beyond the standard scope offered by IDS class solutions. Many popular protocols are supported.
The probe makes it easy to detect suspicious or dangerous behaviour on the network and at the same time helps identify the source of the problem. Network Probe provides security analysis that automatically detects unauthorised or malicious transactions and communications. Comparing them with the IoC databases supplied by Energy Logserver, which contain signatures, IP addresses, hashes of malicious files, domain names and URLs, significantly speeds up security incident analysis. Using behavioural analysis, the module can also recognise zero-day attacks and non-standard behaviour of network users. In practice, IoC matching is only as good as the freshness of the feed, and behavioural detection needs a baseline of normal traffic and produces anomalies for an analyst to triage rather than confirmed verdicts.
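The following is an added Python example, not Energy Logserver's detection engine, showing how IoC matching and a simple behavioural rule can be run over the kinds of events a probe emits (flows, DNS queries, file hashes). The IoC feed, the events and the addresses in them are constructed; real feeds use IPs from documentation ranges here only to keep the sample harmless. Domains are matched by DNS label suffix so a subdomain of a listed domain hits but a look-alike name does not, IPs match exactly or by CIDR, and the "behavioural" rule is a deliberately simple port-scan threshold standing in for the baseline-driven analysis the text describes.

```python
import hashlib
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


class IocIndex:
    """In-memory index of indicators loaded from a feed (constructed here).

    Domains match by DNS label suffix: 'bad-example.test' also hits
    'cdn.bad-example.test' but not 'notbad-example.test'. IPs match exactly
    or by CIDR membership; file hashes match exactly (case-insensitive).
    """
    def __init__(self) -> None:
        self.ips: Set[str] = set()
        self.nets: List[ipaddress.IPv4Network] = []
        self.domains: Set[str] = set()
        self.hashes: Set[str] = set()

    def load(self, feed: Iterable[Dict[str, str]]) -> None:
        for ind in feed:
            kind, value = ind["type"], ind["value"].strip().lower()
            if kind == "ip":
                self.ips.add(value)
            elif kind == "cidr":
                self.nets.append(ipaddress.IPv4Network(value, strict=False))
            elif kind == "domain":
                self.domains.add(value.rstrip("."))
            elif kind == "sha256":
                self.hashes.add(value)

    def match_ip(self, ip: str) -> bool:
        if ip in self.ips:
            return True
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self.nets)

    def match_domain(self, name: str) -> bool:
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def match_hash(self, digest: str) -> bool:
        return digest.lower() in self.hashes


def analyse(events: List[Dict], ioc: IocIndex, scan_ports: int = 10,
            window_s: int = 60) -> List[Tuple[str, str, str]]:
    """Run IoC matching and one behavioural rule over probe events.

    Returns (rule, source host, detail) tuples. The behavioural rule is a
    deliberately simple stand-in: a host touching >= scan_ports distinct
    destination ports within one window_s bucket is flagged as scanning.
    """
    alerts: List[Tuple[str, str, str]] = []
    ports_seen: Dict[str, Dict[int, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["kind"] == "flow":
            if ioc.match_ip(ev["dst"]):
                alerts.append(("ioc_ip", ev["src"], ev["dst"]))
            ports_seen[ev["src"]][int(ev["ts"] // window_s)].add(ev["dport"])
        elif ev["kind"] == "dns" and ioc.match_domain(ev["qname"]):
            alerts.append(("ioc_domain", ev["src"], ev["qname"]))
        elif ev["kind"] == "file" and ioc.match_hash(ev["sha256"]):
            alerts.append(("ioc_hash", ev["src"], ev["sha256"]))
    for src, buckets in ports_seen.items():
        for bucket, ports in buckets.items():
            if len(ports) >= scan_ports:
                alerts.append(("port_scan", src,
                               f"{len(ports)} ports in window {bucket}"))
    return alerts


# Constructed IoC feed and events; external addresses are from documentation ranges.
BAD_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_FEED = [
    {"type": "ip", "value": "198.51.100.23"},
    {"type": "cidr", "value": "203.0.113.0/24"},
    {"type": "domain", "value": "bad-example.test"},
    {"type": "sha256", "value": BAD_HASH.upper()},
]
EVENTS = [
    {"kind": "dns", "ts": 10.0, "src": "10.0.0.5", "qname": "cdn.bad-example.test."},
    {"kind": "dns", "ts": 11.0, "src": "10.0.0.5", "qname": "notbad-example.test"},
    {"kind": "flow", "ts": 12.0, "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443},
    {"kind": "file", "ts": 13.0, "src": "10.0.0.5", "sha256": BAD_HASH},
] + [
    {"kind": "flow", "ts": 20.0 + i, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": p}
    for i, p in enumerate(range(1, 13))
]

INDEX = IocIndex()
INDEX.load(IOC_FEED)

if __name__ == "__main__":
    for rule, host, detail in analyse(EVENTS, INDEX):
        print(f"{rule:<11} {host:<10} {detail}")
```

The suffix match is the detail that matters most in practice: a naive substring check on "bad-example.test" would also fire on "notbad-example.test" and flood the SOC with false positives, while an exact match would miss every subdomain an attacker rotates under the listed apex.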
Analysis of L2-L7 traffic copies also supports network performance monitoring: it reports whether DNS and DHCP are working correctly and measures Server Response Time (SRT) and Round Trip Time (RTT). The probe also reports which applications are in use on the network and which users are using them, which helps identify potential performance problems.
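To make the RTT and SRT figures concrete, here is an added Python example (not the probe's own code) that derives both from the timestamps of a passive capture, plus the DNS query-to-response latency and the list of unanswered queries that a DNS health check is built on. The packet records are a constructed, minimal view of what a real decoder would fill in; the hosts, ports and timings are invented for the sample. RTT is taken as SYN/ACK minus SYN, which is what a probe sitting beside the client sees, and SRT as the gap between the last client request bytes and the first server response bytes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits used below
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Pkt:
    """Minimal view of one captured packet (fields a real decoder would fill)."""
    ts: float            # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    flags: int = 0       # TCP flags
    payload: int = 0     # payload bytes carried
    dns_id: Optional[int] = None   # DNS transaction ID for UDP/53 packets
    dns_response: bool = False     # DNS QR bit


Conn = Tuple[str, int, str, int]


def tcp_metrics(pkts: List[Pkt]) -> Dict[Conn, dict]:
    """Handshake RTT and server response times per client-side 4-tuple.

    RTT = t(SYN/ACK) - t(SYN): network path plus the server's TCP stack.
    SRT = t(first server payload) - t(last client payload before it):
          the application's own processing time, one sample per exchange.
    """
    syn_ts: Dict[Conn, float] = {}
    req_ts: Dict[Conn, float] = {}
    out: Dict[Conn, dict] = {}
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.proto != "tcp":
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)   # tuple as seen from the client
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN and not p.flags & ACK:
            syn_ts[fwd] = p.ts
            out.setdefault(fwd, {"rtt": None, "srt": []})
        elif p.flags & SYN and p.flags & ACK and rev in syn_ts:
            out[rev]["rtt"] = p.ts - syn_ts.pop(rev)
        elif p.payload > 0:
            if fwd in out:                        # client -> server request data
                req_ts[fwd] = p.ts
            elif rev in out and rev in req_ts:    # server -> client response data
                out[rev]["srt"].append(p.ts - req_ts.pop(rev))
    return out


def dns_response_times(pkts: List[Pkt]):
    """Query-to-response latency keyed by (transaction id, client address).

    Returns (answered, unanswered). A growing unanswered set is usually the
    first visible symptom of a broken or overloaded resolver.
    """
    pending: Dict[Tuple[int, str], float] = {}
    answered: Dict[Tuple[int, str], float] = {}
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.proto != "udp" or p.dns_id is None:
            continue
        client = p.dst if p.dns_response else p.src
        key = (p.dns_id, client)
        if not p.dns_response:
            pending[key] = p.ts
        elif key in pending:
            answered[key] = p.ts - pending.pop(key)
    return answered, pending


# Constructed capture: one HTTPS exchange and two DNS queries, one never answered.
C, S, R = "10.0.0.5", "10.0.0.80", "10.0.0.53"
SAMPLE_PKTS = [
    Pkt(0.000, C, 51000, S, 443, "tcp", flags=SYN),
    Pkt(0.012, S, 443, C, 51000, "tcp", flags=SYN | ACK),
    Pkt(0.012, C, 51000, S, 443, "tcp", flags=ACK),
    Pkt(0.020, C, 51000, S, 443, "tcp", flags=ACK, payload=200),    # request
    Pkt(0.095, S, 443, C, 51000, "tcp", flags=ACK, payload=1400),   # response
    Pkt(1.000, C, 40001, R, 53, "udp", dns_id=0x1A2B),
    Pkt(1.003, R, 53, C, 40001, "udp", dns_id=0x1A2B, dns_response=True),
    Pkt(2.000, C, 40002, R, 53, "udp", dns_id=0x1A2C),              # never answered
]

if __name__ == "__main__":
    for conn, m in tcp_metrics(SAMPLE_PKTS).items():
        print(f"{conn}: rtt={m['rtt'] * 1000:.1f} ms "
              f"srt={[round(s * 1000, 1) for s in m['srt']]} ms")
    answered, pending = dns_response_times(SAMPLE_PKTS)
    print("dns answered:", {k: round(v * 1000, 1) for k, v in answered.items()})
    print("dns unanswered:", list(pending))
```

Separating RTT from SRT is what lets a probe tell a slow network from a slow application: a high RTT with a small SRT points at the path, while a small RTT with a large SRT points at the server.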