An IPS on steroids: MetaFlows Security System

The secret behind the MetaFlows Security System (MSS) is that it really is a hybrid application. It collects data on the network and acts on malicious activity. So far, this is just about the same as any intrusion prevention system (IPS). But don't be fooled. This is not just any IPS. Because it is a hybrid application – local and cloud-based – users get a lot of benefit from the cloud piece that are not available from a standard IPS. For example, a typical IPS gets its updates at whatever update interval the vendor determines. The updates usually are based on the efforts of the vendor's threat assessment laboratory. Not so for MSS.

MSS sends its security and log events from the on-premise application to the cloud where they are correlated with all of the events from the protected enterprise, as well as from other protected enterprises on the MetaFlows user network. These events are anonymized and correlated with the events from the client's network to significantly limit zero-day threats. All of the enterprise's historical data, configuration and reporting are kept in the cloud and are called on as needed to provide what the company refers to as “predictive correlation.” In theory, that is a pretty neat trick. In practice, it is quite impressive.

At a glance

Product: MetaFlows Security System

Company: MetaFlows

Price: Software starting at $99/month; appliances starting at $299/month 

What it does: This IPS on steroids offers proactive/predictive capabilities that are derived from a global sensor field and then correlated in the cloud in near real-time.

What we liked: This is an excellent approach to the types of fuzzy threats – e.g., zero day, mutations, threat obfuscation and more – that are typical today.

What we didn't like: Nothing. As usual, we vetted this one thoroughly before bringing it to you and we could not find any negatives to report.

MSS works on two levels: alerting and forensics. At the alerting level, the MSS notifies on an event and takes whatever action the user has set for that type of event within their rules. As a forensic tool, MSS allows significant drilldown to provide an historical view and a lot of detail that is useful in a forensic examination of a security event.

Malware and security events are detected locally by the MSS sensors on the enterprise. They are processed in what the vendor refers to as “layers.” The first layer is the typical IPS functionality that one would expect from a system of this type. The second is described as multiple session. This correlates events and behavior seen locally. 

The third layer is the multiple domain layer. This is where the MSS gathers in intelligence globally and, using a proprietary algorithm, scores events and correlates them. The algorithm is, according to MetaFlows, similar to Google's page-ranking system. This layer adds “operational awareness” to the mix. From our evaluation of the MSS, this operational awareness is critically important to the product's success because it gives context to otherwise isolated data. This layer probably is the most important differentiator for the MSS. It is here that the system looks at events globally and compares that intelligence to the particular protected enterprise. 

The bottom line is that the MSS mixes the best of both the local sensor and the cloud-based analysis. Between these two functionalities MSS is able to deal with the here and now, as well as with emerging threats. 

Pricing for the tool is reasonable given what it offers in the way of proactive protection. Support is available by email and by direct contact with support engineers via WebEx. Deployment is simplicity itself and users can deploy in a wide variety of configurations – from software to a physical appliance, preconfigured and ready to roll.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.