The Value of Enriched Metadata in Netography Fusion®

The Netography Fusion® Network Defense Platform (NDP) analyzes enriched metadata to detect compromise activity that other security controls have missed, such as East/West movement and data exfiltration.

Enriched metadata enables you to visualize lateral movement, decrease dwell time, reduce blast radius, and eliminate threat actors in your multi-cloud and on-prem network.

Context-Rich Visualizations at Your Fingertips

Netography Fusion combines context attributes from your tech stack with multi-cloud and on-prem metadata to convert endless tables of IP addresses, ports, and protocols into high-fidelity, context-rich alerts. You can continuously monitor the activities of your users, applications, and devices without the cost of deploying appliances, taps, or agents.

You see the presence of threat actors in your network in real-time and can understand the scope of their activity, enabling you to respond before they threaten business continuity.

Fusion uses context attributes from your asset management, CMDB, EDR, NDR, XDR, and vulnerability management systems to enrich the metadata already in your multi-cloud and on-prem network. These attributes can include last user, asset owner, MAC address, asset classification, agent version, group, vulnerability count, and CVSS rating and score.

Some use cases where enriched metadata delivers value when other detection technologies have failed:

  • Compromise detection: Visualize lateral movement, decrease dwell time, reduce blast radius, and eliminate threat actors. Fusion detects the presence of threat actors in your network who have bypassed your other security tools, enabling you to respond in real time before they can threaten business continuity.
  • Incident investigation and threat hunting: Your analysts and investigators can conduct detailed forensic analysis of East/West and North/South activity between servers, endpoints, and unmanaged devices after a security event.
  • Identifying Zero Trust violations: Monitor trust boundaries within a single location, across multiple regions, or globally, and dynamically update trust boundary rules when you add new segments or modify existing ones.
  • Monitoring encrypted communication: Legacy tools that rely on deep packet inspection (DPI) cannot analyze encrypted traffic. Fusion can monitor activity in Zero Trust network architectures that have blinded DPI-based tools.

Flow is the Foundation of Enriched Metadata

The Fusion platform starts the process of creating enriched metadata with the collection of cloud flow logs and flow data from your multi-cloud and on-prem network. This metadata contains information related to communications between devices, such as source and destination IP addresses and ports and protocols used.

Flow data is an extremely valuable data source because it provides real-time visibility into activity across your hybrid network without the need to deploy costly appliances to inspect every packet. It is also encryption-agnostic, providing essential visibility in environments that have been encrypted to satisfy Zero Trust requirements as well as unencrypted environments.

The Fusion platform ingests cloud flow logs from all five major cloud providers: Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud. It also ingests flow data (NetFlow, sFlow, and IPFIX protocols) from routers, switches, and other physical or virtual devices in your network.

The Fusion platform is 100% SaaS, eliminating the requirement to deploy expensive sensors, taps, or agents to collect the flow data. This frictionless deployment model means that you gain critical visibility in all segments and locations, not just the few where you have deployed sensors or taps.

Use individual attributes or combinations of attributes to create visualizations and generate alerts on compromise activity, Zero Trust governance violations, or misconfigurations. Example: a Finance notebook communicating with multiple devices in the OT network, with the attributes that were included in the detection.

Adding Essential Context

Flow data by itself, however, forces your analysts to conduct time-consuming additional investigations to collect the essential context they need to understand the significance of any anomalous activity they observe.

To address the lack of context in the flow data and cloud flow logs, Fusion enriches the metadata with context already contained in applications and services in your existing tech stack, including asset management, configuration management database (CMDB), endpoint detection and response (EDR), network detection and response (NDR), extended detection and response (XDR), and vulnerability management.

Context from your tech stack is a critical component of the unique value the Fusion platform delivers to SecOps, NetOps, and CloudOps teams. The Fusion platform uses context to transform the metadata in your network from a table of IP addresses, ports, and protocols into enriched metadata that provides context-rich descriptions of the activities of your users, applications, and devices.

Fusion can ingest dozens of attributes to enrich your metadata, including asset risk, environment, last known user, region, risk score, security workgroup, type of entity, and vulnerability count.
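As an added illustration (example code, not Netography's own), the Finance-to-OT detection described above: constructed NetFlow-like records are joined with a constructed asset inventory (owner, group, classification, vulnerability count) and checked against a trust-boundary rule, and the source's context attributes are attached to the resulting alert. The inventory, rule, and flows are all hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed asset context, in the shape a CMDB/EDR export might provide.
ASSETS = {
    "10.10.5.23": {"owner": "j.doe", "group": "Finance", "classification": "laptop", "vuln_count": 3},
    "10.10.5.40": {"owner": "a.smith", "group": "Finance", "classification": "laptop", "vuln_count": 0},
    "10.50.1.10": {"owner": "ot-team", "group": "OT", "classification": "PLC", "vuln_count": 0},
    "10.50.1.11": {"owner": "ot-team", "group": "OT", "classification": "HMI", "vuln_count": 2},
}
UNMANAGED = {"owner": None, "group": "unmanaged", "classification": "unknown", "vuln_count": None}

# Constructed trust-boundary rule: (source group, destination segment) pairs that must not talk.
DENIED = [("Finance", ip_network("10.50.1.0/24"))]

# Constructed flow records: (src, dst, dst_port, proto, bytes).
FLOWS = [
    ("10.10.5.23", "10.50.1.10", 502, "tcp", 1200),   # Finance laptop -> PLC (Modbus port)
    ("10.10.5.23", "10.50.1.11", 502, "tcp", 980),    # same laptop -> HMI
    ("10.10.5.40", "10.10.5.23", 445, "tcp", 4096),   # Finance -> Finance, allowed
    ("10.10.5.40", "192.0.2.9", 443, "tcp", 300),     # destination not in inventory
]


def enrich(flow):
    """Join one flow record with the context attributes of both endpoints."""
    src, dst, dport, proto, nbytes = flow
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes,
            "src_ctx": ASSETS.get(src, UNMANAGED), "dst_ctx": ASSETS.get(dst, UNMANAGED)}


def violations(flows, denied=DENIED):
    """Return one alert per source that crosses a denied boundary.

    Flows are aggregated per source so the alert carries the blast radius
    (distinct destinations, total bytes) plus the source's context attributes.
    """
    alerts = {}
    for rec in map(enrich, flows):
        for group, segment in denied:
            if rec["src_ctx"]["group"] != group or ip_address(rec["dst"]) not in segment:
                continue
            entry = alerts.setdefault(rec["src"], {
                "rule": f"{group} -> {segment}", "dsts": set(), "bytes": 0, **rec["src_ctx"]})
            entry["dsts"].add(rec["dst"])
            entry["bytes"] += rec["bytes"]
    return alerts
```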

Fusion has a library of built-in integrations to add new context sources quickly, and you have the ability to integrate context from other applications not listed (including custom apps) via our API. Some examples of the value our integrations deliver are:

  • Microsoft Defender XDR: You can search any of the dozens of data schemas within Microsoft Defender XDR for context, giving you access to potentially hundreds of context attributes with which to enrich your metadata:
    • Devices managed by Microsoft Defender for Endpoint
    • Emails processed by Microsoft 365
    • Authentication events, domain controller activities, and cloud application activities monitored by Microsoft Defender for Identity and Microsoft Defender for Cloud Apps
  • Wiz: You can see malicious activity targeting your vulnerable cloud assets as well as detect assets that have already been compromised, enabling you to eradicate threat actors that are active in your network.
  • CrowdStrike: You can add asset, organizational, and usage context from CrowdStrike’s Falcon Endpoint Detection and Response (EDR) platform to accelerate compromise detection and threat hunting, enforce policies such as Zero Trust and HIPAA, and respond to audit requests.
