Full packet-based cyber threat hunting solution
Network Black Box is a differentiated next-generation NDR (Network Detection and Response) solution that supports automation of security operations through full traffic inspection based on full packet capture.
Capture & Collection1 — Detection2 — Hunting3
— Forensic4 — Response5
Next-generation NDR solution with all 5 core features
It continuously collects packets without loss in environments with high-speed, high-capacity traffic and provides efficient scalability even in large-scale networks through distributed storage.
Effective packet collection control without loss by collecting, parsing, and filtering packets in real time using the Smart Packet Collection & Control (SPC) technology that stores packets without loss in a high-speed, large-volume traffic environment.
Distributed Packet Storage (DPS) technology is used to distribute and manage packet data databases by distributing them to multiple packet data nodes in a parallel distributed structure that is appropriate for the target network size, and processing large amounts of data.
Using Application Metadata Extraction (AME) technology, we analyze the type of application of the packet that occurred, extract metadata according to RFC standard specifications, and index it.
Detect and respond quickly to anomalies and known/unknown threats using collected raw packets, metadata, session data, and original file and body content data.
Detects known attacks occurring on the network using Signature-based Intrusion Detection (SID) technology, detects standardized attack behaviors with high accuracy, and highlights detected patterns on the low packet analysis screen to provide intuitive confirmation of detection validity.
By using user behavior-based detection (BAD, Behavior-based Anomaly Detection) technology, users' network activities are converted into metadata, usage frequency is analyzed and databased, and based on this, violations of regulations and internal abnormalities are quickly identified.
Using Content Threat Detection (CTD) technology, data transmitted through the network is stored and analyzed, various user behaviors are identified, and the original files and contents are restored, and then malware is detected and important internal data is leaked externally.
By synthesizing various collected data and security threat detection, etc., and utilizing analysis such as security threat intelligence and attack tactics matrix, we proactively hunt for potential threats within networks and systems to prevent security incidents in advance.
Hunt for advanced persistent threats (APTs) with chaining characteristics of security threats by using scenario-based threat correlation detection (STC) technology for detected abnormalities, abnormal sessions and contents, and threat detection.
Using MITRE ATT&CK based Intelligent TTPs Analysis (MIA) technology, we matrix the tactics, techniques, and procedures used by hostile actors to hunt for potential threats before achieving the final goal.
Using Digital Asset Threat Profiling (DTP) technology and Device Attribute Based Asset Classification and Management (DAB-ACM) technology, information and behavior history in packet data for all digital assets observed on the protected network are comprehensively collected to hunt for potential risky assets.
By analyzing network traffic and data using technology that quickly searches and extracts desired data from massive packet data, all activities on the network are tracked and quickly identified as detected and hunted security threats.
Improved search speed by utilizing Packet Search Acceleration (PSA) technology, ultra-high-speed packet search by designing a database refined solely for search purposes and a search algorithm specialized for the database.
Classify and manage user activities (email, social media, file uploads, etc.) using Deep Content Search (DCS) technology, and analyze/restore data to match the latest patterns through decoding pattern updates and packet rebuilding for new services.
Packet Stream Database (PSD) is a table structure and algorithm that can quickly check whether key information (IP, country code, network group) matches.
We provide a rapid response function by linking security equipment and security operation centers that can directly block and control all collected and analyzed information, as well as detected and hunted information, through various methods of linkage.
From the packet collection stage to data extraction, and from the detection and hunting stage, all information obtained is selected and transmitted to other systems as needed in a standardized SYSLOG format in the form of CEF.
Utilizing the built-in REST API function, all stored data and detection and hunting history are provided through automated information collection or on-demand information provision from external systems, providing rapid detection confirmation and response functions from external systems.
Rapidly confirms detected and hunted security threats through network forensics and sends control commands to security devices that can provide immediate information or directly control blocking or isolation, thereby linking rapid security threat response functions.