This product uses a unique approach to threat detection. It does not depend on agents or deep packet inspection, which helps overcome the limitations of endpoint monitoring in an end-to-end encrypted environment. While the most popular deployment is cloud-based, there is an on-premises version as well.
Another benefit of this vendor’s approach is that it can monitor assets that have no way of accepting an agent. This opens threat monitoring to systems such as industrial control networks – SCADA, for example – that have dumb sensors that need to be monitored but for which there is no other way to follow the asset’s behavior, because the asset has no operating environment in which a software sensor (agent) could be installed. Thus, Observable Networks is setting itself up to be a reliable monitor on the Internet of Things. A significant percentage of IoT devices are nearly impossible to monitor for breaches.
Observable Networks takes a sophisticated approach to threat monitoring, and its approach really takes behavior analytics to the next level. When its tool sees a new device on the network being monitored, it models the device’s behavior. The modeling, discovery and monitoring are completely automatic. The result is that the system has a complete footprint of the network being monitored. The modeling is based, largely, on data flows, using tools such as NetFlow to gather and feed the network data to the Observable Networks instance, whether in the cloud (SaaS) or on-prem.
We dropped into the landing screen, which consists of an impressive circular arc display that shows clearly the network communications activity. Not a lot of detail here, though, so we changed up the display a bit and drilled down. Here we found lots of meat to chew on. We found alerts and drilling further we got a lot of detail to help us resolve any issues.
Some of the things that we saw included geographically unusual access. Attempts – or successes – at accessing an internal asset from outside are covered here; an example of this might be a phishing attempt. Here is an example of where the tool gets really useful. Not only do we have the alert and the ability to dissect it if we wish, we also have supporting observations that give us a good forensic view of what else was going on at the time and was – or might have been – involved. If the target of an attack is a database, for example, we can see potential data exfiltration with just a mouse click. This makes the threat hunting process fast and efficient.
We can set up watch lists for IP addresses that a particular user is interested in monitoring, and, again, if there is a hit we get the supporting observations, so we are never left in the dark as to why the tool picked a particular event on which to alert. We liked the Extreme Outlier alerts. Aside from being a rather cool way to describe an unusual event, this capability lets us focus on isolated events that may not happen a lot or may be an extreme departure from an asset’s typical behavior. Because everything happens in near real time, the data that we get are fresh, which makes them actionable. These outliers are almost never caught by other tools, so here is an important advantage over traditional monitoring.
The settings screen is easy to navigate and has a lot of granularity as to how you can configure the product for your environment. There are straightforward ways to connect to your trouble-ticketing tool, and there is a solid integration with Splunk. Addressing the difficulties in managing complicated environments, Observable makes hybrid deployments – cloud (SaaS) and on-prem – a good alternative to trying to force-fit your environment into a one-size-(supposedly)-fits-all monitoring tool.
This is an unusual approach to the hard problems associated with depending on agents and their limited ability to see what’s going on at the enterprise’s endpoints. And, while we would not necessarily characterize Observable as an endpoint tool, in reality that’s what it is in function, if not form.
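As an added illustration of the agentless, flow-based baselining the review describes (my own sketch, not Observable Networks’ model), each source host gets a profile learned from NetFlow-style records alone, and live flows are checked against it for new peers, extreme byte-volume outliers (a plain z-score, chosen here for simplicity) and watch-list hits, with the host’s neighbouring flows attached as supporting observations. The flow records, the internal address range and the watch-list address are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# Flows before t=600 are the learning period; the rest are live traffic.
FLOWS = [
    (100, "10.0.0.5", "10.0.0.20", 1433, 4000),
    (160, "10.0.0.5", "10.0.0.20", 1433, 4200),
    (220, "10.0.0.5", "10.0.0.30", 445, 1200),
    (280, "10.0.0.5", "10.0.0.20", 1433, 3900),
    (340, "10.0.0.5", "10.0.0.30", 445, 1300),
    (400, "10.0.0.5", "10.0.0.20", 1433, 4100),
    (650, "10.0.0.5", "10.0.0.20", 1433, 4050),
    (690, "10.0.0.5", "198.51.100.4", 443, 2000),
    (700, "10.0.0.5", "203.0.113.9", 443, 950000),
]
INTERNAL = [ip_network("10.0.0.0/8")]   # the enterprise's own ranges (assumed)
WATCH_LIST = {"203.0.113.9"}            # analyst-supplied IP of interest (constructed)

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def build_baseline(flows, until):
    """Per-source model from flows before `until`: known (peer, port) pairs and byte sizes."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if ts < until:
            peers[src].add((dst, port))
            sizes[src].append(nbytes)
    return peers, sizes

def detect(flows, baseline_until, k=3.0, window=120):
    """Alerts for live flows, each with reasons plus the host's other flows within `window` s."""
    peers, sizes = build_baseline(flows, baseline_until)
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        if ts < baseline_until:
            continue
        reasons, hist = [], sizes[src]
        if not hist:
            reasons.append("unknown host")      # never seen during the learning period
        else:
            if (dst, port) not in peers[src]:
                reasons.append("new peer" + ("" if is_internal(dst) else " (external)"))
            mu, sd = mean(hist), pstdev(hist)
            if sd and (nbytes - mu) / sd > k:   # illustrative z-score outlier test
                reasons.append(f"extreme outlier: {nbytes} B vs mean {mu:.0f} B")
        if dst in WATCH_LIST or src in WATCH_LIST:
            reasons.append("watch list hit")
        if reasons:   # supporting observations: the same host's nearby flows
            context = [f for f in flows if f[1] == src and f[0] != ts and abs(f[0] - ts) <= window]
            alerts.append({"ts": ts, "src": src, "dst": dst, "reasons": reasons, "context": context})
    return alerts
```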
Product: Observable Enterprise & Cloud
Company: Observable Networks
Price: For cloud-based deployments, pricing can be as low as $2.50 per million lines of log data processed. For on-premise deployments, pricing starts at $2.75 per endpoint per month.
What it does: Network security technology and advanced threat detection services that identify compromised and misused networked devices currently escaping detection by network security tools.
What we liked: Unique approach to monitoring activity on the enterprise, especially when the activity we’re monitoring resists monitoring because it cannot take agents or because end-to-end encryption precludes the use of deep packet inspection.
The bottom line: This is a solid threat monitoring and analysis tool, but if you have either end-to-end encryption (i.e., point-to-point from an asset to an endpoint) or IoT devices, this really is a must for your enterprise.