How Netography Fusion^® Works

How It Works

Ingest

The 100% SaaS Netography Fusion platform starts with aggregating and normalizing metadata collected from your multi-cloud and on-prem network. The metadata consists of cloud flow logs from all five major cloud providers (Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud) and flow data (NetFlow, sFlow, and IPFIX) from routers, switches, and other physical or virtual devices.

For those organizations that want to add an extra layer of security before sending their flow data to Fusion, they have the option of deploying NetoFlow Connector software that supports buffering, filtering, down sampling, and utilizes an HTTPS connection.

There are no additional components for you to install for Fusion to begin ingesting metadata from your existing tech stack. Its frictionless deployment model eliminates the additional cost and complexity of legacy appliance-based or agent-based approaches.

Enrich

Fusion then enriches this metadata with context contained in applications and services in your existing tech stack, including asset management, CMDB, EDR, NDR, XDR, and vulnerability management systems. The context can include dozens of attributes, including asset risk, environment, last known user, region, risk score, security workgroup, type of entity, and vulnerability count. Context transforms the metadata in your network from a table of IP addresses, ports, and protocols into context-rich descriptions of the activities of your users, applications, and devices. Enriched metadata accelerates your ability to detect compromise activity that other security controls in your stack have missed, such as anomalous lateral movement and data exfiltration.

Detect

Fusion detects anomalous and malicious activity with Netography Detection Models (NDMs). You have complete flexibility to customize Fusion’s preconfigured detection models as well as create your own models. Netography’s Detection Engineering team continuously create new NDMs as well as update existing models to detect new threats and variants of existing threats. For greater response effectiveness, multiple teams can utilize a single NDM to launch diverse response workflows, ensuring all teams have access to the same critical alerts.

Investigate

With Fusion’s tagging and context labeling, your teams can quickly visualize activity by application, location, compliance groups, or any other scheme. They can accelerate response time by quickly pivoting between dashboards to identify and investigate anomalous or malicious activity. They can also utilize the ability to “look back” to see up activity for up to 12 months prior, to understand the scope and duration of the activity.

Respond

The Fusion platform enables you to implement a range of response workflows quickly, including within the Fusion platform directly, or via built-in integrations with a range of technology partners, including EDR, NDR, and XDR systems, and SIEM/SOAR platforms. Well-documented RESTful APIs give you the ability to automate workflows with your tech stack as well, and Fusion also supports Terraform to enable you to automate the ability to provide visibility and control for scaling infrastructure.

Netography Query Language^®

Netography Query Language® (NQL) is a powerful tool that enables analysts or operators to search enriched flow records by creating and saving custom algorithms. 

You can create custom searches to rapidly analyze, investigate, and respond to anomalous or malicious traffic or incidents. You can also use these custom searches to create automated alerts and remediation workflows to meet your unique requirements.

With NQL you can isolate and analyze specific traffic, geo activity, threat actors, configurations, and more in seconds. It delivers the industry’s most granular and flexible flow record search capability, enabling you to create custom searches and alerts quickly and apply them to new or built-in dashboards.