Having your critical data, workloads, and applications distributed across multiple cloud platforms is a common characteristic of modern networks. Unfortunately, you often lack the observability within and across your virtual private clouds (VPCs) and virtual networks (VNets) that this distribution demands. The result is an observability gap that prevents you from detecting and responding to anomalous or malicious network activity in your cloud platforms before business disruptions occur.
These gaps prevent your teams from quickly identifying compromises, misconfigurations, spikes in usage, or compliance violations. As a result, you face significant operational and economic risks caused by service disruptions, unexpected data fees, and regulatory penalties.
Limitations of Current Approaches to Multi-Cloud Monitoring, Detection, and Response
Traditional approaches to monitoring network activity within and between VPCs and VNets include:
- Deploying multiple proprietary tools for aggregating cloud flow logs, monitoring, detecting, and investigating network activity from each platform vendor.
- Deploying third-party tools that rely on outdated data collection techniques, such as capture agents installed on each instance, virtual network taps, or traffic mirroring.
- Manually stitching together data from these disparate approaches to attempt to identify cross-platform activity.
“We needed to guarantee that any VPC or VNet that lights up in any region will be monitored, because the risk is that a compromise will occur in an unexpected VPC or VNet and when we go to investigate, we’ll find out that no logs are available.”
— Cloud Security Architect, B2B SaaS Provider
Other tools in your cloud security stack, like cloud native application protection platforms (CNAPPs), are not engineered to monitor the network layer—they focus on the application layer. Consequently, they cannot deliver real-time visibility into unwanted network activity and its potential impact.
Regardless of the approach you use and your teams’ objectives, you face two common challenges when trying to monitor activity within and across your multi-cloud environments:
Lack of Standardized Data
Each cloud provider offers its own version of flow logs, which differ in the type of data provided, the format, and the timeliness of the data generated and analyzed by its native tools. Combining them into a unified consumable format is a heavy lift for most teams.
The same issues apply to aggregating and normalizing data from multiple third-party tools. The lack of standardization creates a massive normalization effort that requires a deep understanding of the data generated by each cloud provider and vendor to make it usable to detect potential risks or active compromises.
With no single platform that aggregates network data from within and across multiple clouds and provides a unified real-time view, teams have limited capability to detect unwanted activity.
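As an added illustration of the normalization problem described above (example code written for this page, not Netography's or any provider's own tooling), the following Python maps one AWS VPC flow log record in the default format and one Azure NSG flow log version 2 tuple into a single common schema. The Flow schema, the sample records, and the allow/deny and protocol mappings are constructed assumptions; the field orders are the providers' documented formats.

```python
"""Normalize AWS VPC and Azure NSG flow-log records into one constructed schema."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    ts: int                 # unix seconds the flow was first seen
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str              # "tcp", "udp", "icmp" or the raw protocol token
    action: str             # "allow" or "deny"
    bytes: Optional[int]    # None when the record carries no byte counters
    source: str             # "aws" or "azure"

_IANA = {"1": "icmp", "6": "tcp", "17": "udp"}

def parse_aws_vpc(line: str) -> Flow:
    """AWS VPC flow log, default (version 2) space-separated record."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError("not a default-format AWS VPC flow log record")
    return Flow(ts=int(f[10]), src_ip=f[3], dst_ip=f[4],
                src_port=int(f[5]), dst_port=int(f[6]),
                proto=_IANA.get(f[7], f[7]),
                action="allow" if f[12] == "ACCEPT" else "deny",
                bytes=int(f[9]), source="aws")

def parse_azure_nsg(tuple_str: str) -> Flow:
    """Azure NSG flow log version 2 flowTuple (comma-separated)."""
    f = tuple_str.split(",")
    if len(f) != 13:
        raise ValueError("not a version-2 NSG flowTuple")
    # Byte counters are empty for state 'B' (begin); sum both directions otherwise.
    total = int(f[10] or 0) + int(f[12] or 0) if f[8] != "B" else None
    return Flow(ts=int(f[0]), src_ip=f[1], dst_ip=f[2],
                src_port=int(f[3]), dst_port=int(f[4]),
                proto={"T": "tcp", "U": "udp"}.get(f[5], f[5]),
                action="allow" if f[7] == "A" else "deny",
                bytes=total, source="azure")

# Constructed sample records, one per provider (account/interface ids are placeholders).
AWS_SAMPLE = "2 123456789012 eni-0123456789abcdef0 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK"
AZURE_SAMPLE = "1542110377,10.0.0.4,13.67.143.118,44931,443,T,O,A,E,3,180,2,120"

def normalize(records):
    # records: iterable of (source, raw_line) pairs; returns Flow objects
    parsers = {"aws": parse_aws_vpc, "azure": parse_azure_nsg}
    return [parsers[src](raw) for src, raw in records]
```

Once both providers land in the same Flow shape, one detection rule can be written against `dst_port`, `action`, and `bytes` regardless of which cloud produced the record.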
High TCO
Like the lack of standard approaches to data monitoring, each cloud vendor differs in its detection, investigation, and response architectures.
AWS, for example, requires you to install multiple tools to monitor your activity within and between VPCs:
- GuardDuty to detect activity
- Detective to conduct triage, investigate, and threat hunt
- Security Lake for data analytics and retention
- CloudWatch for observability and logging
Cloud vendors also vary in pricing models, and lines between basic and premium plans quickly blur based on the volume and type of VPC or VNet log data ingested and stored and features selected. Your fees can escalate for detailed monitoring and insights, custom metrics and dashboards (when possible), and advanced analytics.
In addition, using third-party agents, taps, traffic mirroring, integration with streaming services, and multiple query languages will drive up your complexity and costs.
Netography Fusion Delivers a Holistic View of All Network Activity in Multi-Cloud Environments
Netography Fusion detects anomalous and malicious activity anywhere in your multi-cloud network in real-time. Fusion is a 100% SaaS, cloud-native platform designed to deliver high-confidence alerts that your security, network, and cloud operations teams can act on before operational disruption occurs. Fusion’s frictionless architecture, use of context-enriched metadata, AI-powered detection, and integrated response workflows eliminate the challenges caused by other approaches to monitoring multi-cloud networks.
Frictionless Architecture: Fusion’s frictionless deployment model and unlimited scalability mean it can protect any size organization by eliminating the need to deploy multiple proprietary tools or third-party products. Its 100% SaaS architecture leverages your existing tech stack and eliminates the need to deploy sensors, agents, taps, or probes to collect network data.
By not requiring you to install and maintain additional devices, Fusion significantly lowers your TCO and accelerates your time-to-value. You can also start ingesting new flow logs in minutes from anywhere in your multi-cloud network. This enables you to start seeing anomalous activity within minutes or hours, not days or weeks.
Data Collection: Fusion aggregates and normalizes your network metadata from anywhere you want visibility in your multi-cloud or hybrid network:
- AWS VPC flow logs, AWS Transit Gateway flow logs
- IBM Cloud VPC flow logs
- Google Cloud Platform (GCP) VPC flow logs
- Microsoft Azure NSG flow logs, Microsoft Azure VNet flow logs
- Oracle Cloud Infrastructure (OCI) VCN flow logs
- NetFlow v5, NetFlow v9, NetFlow v10 (IPFIX) flow logs
- sFlow logs
Context Enrichment: It then enriches the metadata with context attributes from your tech stack. Fusion can ingest dozens of attributes to enrich your metadata, including asset risk, environment, last known user, region, risk score, security workgroup, type of entity, and vulnerability count.
Fusion incorporates context already contained in your applications and services, including asset management, cloud-native application protection platforms (CNAPP), configuration management database (CMDB), endpoint protection agents (EPP), and vulnerability management.
The context attributes ingested from your tech stack convert endless tables of IP addresses and ports into context-rich visualizations and high-fidelity alerts that reduce your time to respond by identifying the significance of the activity.
AI-Powered Detection: Fusion’s AI-driven analytics generate high-confidence alerts when it detects unwanted activity that your platform-specific tools and legacy detection and monitoring technologies can’t see. The Fusion platform detects anomalous and malicious network activity with over 300 open Netography Detection Models (NDMs) that you can customize to deliver high-fidelity alerts to your CloudOps, NetOps, and SecOps teams.
With Fusion, you can:
- Monitor New VPCs and VNets automatically: Discover, onboard, configure, and monitor any new or changed VPCs or VNets that spin up in your network.
- Close Your Observability Gaps: Know what your users, applications, data, and devices are doing and what’s happening to them across your multi-cloud environments.
- Accelerate Your Response to Compromises and Anomalies: Detect and respond in real-time before threat actors disrupt operations or misconfigurations spike costs or result in compliance issues in any size environment:
  - Pre-compromise reconnaissance (external-to-internal activity), such as brute force attacks and external use of internal services.
  - Post-initial-compromise lateral movement (internal-to-internal activity) such as network scanning, brute force attacks, and ransomware staging over SMB.
  - Post-compromise data exposure and exfiltration (internal-to-external activity) such as communication with known C&C/C2 infrastructure, anomalous data transfer over SSH and DNS, and data exfiltration to Amazon S3 buckets and private cloud storage services.
- Initiate Incident Investigation & Threat Hunting: Map the scope and impact of any incident with comprehensive observability of East/West and North/South activity; conduct forensic analysis with context-rich historical data. Fusion’s capacity to retain up to 12 months of historical data will accelerate your teams’ ability to investigate any activity.
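To show how the external-to-internal / internal-to-internal / internal-to-external split above turns into detection logic, here is an added example (written for this page, not Netography's detection models) that classifies normalized flow records by direction and flags two of the patterns listed: an external address repeatedly hitting SSH on one instance, and an internal host sweeping ports on a peer. The flow dict layout, the RFC 1918 definition of "internal", the sample flows, and the thresholds are all constructed assumptions to be tuned per environment.

```python
"""Direction classification and two detections over normalized flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space stands in for "inside your VPCs/VNets".
_INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    a = ip_address(ip)
    return any(a in net for net in _INTERNAL)

def direction(flow: dict) -> str:
    """Map a flow to the external/internal categories used in the list above."""
    s, d = is_internal(flow["src_ip"]), is_internal(flow["dst_ip"])
    return {(True, True): "internal-to-internal", (False, True): "external-to-internal",
            (True, False): "internal-to-external"}.get((s, d), "external-to-external")

def detect(flows, window=60, scan_ports=10, ssh_attempts=20):
    """Bucket flows into window-second slots; alert on an internal host touching
    >= scan_ports distinct ports on one peer, or an external host making
    >= ssh_attempts TCP/22 connections to one host. Thresholds are assumed."""
    ports = defaultdict(set)   # (slot, src, dst) -> distinct dst ports
    ssh = defaultdict(int)     # (slot, src, dst) -> TCP/22 connection count
    for f in flows:
        key = (f["ts"] // window, f["src_ip"], f["dst_ip"])
        d = direction(f)
        if d == "internal-to-internal":
            ports[key].add(f["dst_port"])
        elif d == "external-to-internal" and f["proto"] == "tcp" and f["dst_port"] == 22:
            ssh[key] += 1
    alerts = [{"kind": "internal-scan", "src": k[1], "dst": k[2], "ports": len(v)}
              for k, v in ports.items() if len(v) >= scan_ports]
    alerts += [{"kind": "external-ssh-brute-force", "src": k[1], "dst": k[2], "attempts": n}
               for k, n in ssh.items() if n >= ssh_attempts]
    return alerts

def _flow(ts, src, dst, dport, proto="tcp"):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "dst_port": dport, "proto": proto}

# Constructed sample: one benign internal request, an internal host sweeping 12 ports
# on a peer inside one window, and an external address hammering SSH on one instance.
SAMPLE_FLOWS = (
    [_flow(1700000000, "10.0.1.5", "10.0.2.9", 443)]
    + [_flow(1700000100 + i, "10.0.1.5", "10.0.2.9", 1000 + i) for i in range(12)]
    + [_flow(1700000160 + i, "203.0.113.7", "10.0.2.9", 22) for i in range(25)]
)
```

Running `detect(SAMPLE_FLOWS)` yields one internal-scan alert and one external-ssh-brute-force alert, both naming 10.0.2.9 as the destination; the benign 443 flow produces nothing.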
Response: The Fusion platform enables you to implement a range of response workflows in real-time. Respond from within the Fusion platform directly or via built-in integrations with a range of technology partners:
- Push alerts to communication applications for distribution to diverse teams.
- Send alerts to AIOps and IT management systems for automated remediation.
- Forward alerts to SIEM and SOAR platforms for correlation with alerts from other security events to improve their detection fidelity.
- Quarantine devices using integrations with EDR or XDR tools.
- Block or redirect traffic from threat actors or reroute traffic for further analysis automatically using BGP, RTBH, Blocklist Manager, Flowspec over BGP, API, and DNS orchestration.
Single Platform, Multiple Use Cases
Fusion gives you a single, cost-effective, unified view of anomalies, compromises, misconfigurations, and trust boundary violations within and across your multi-cloud or hybrid network before they can create business or operational risks.
You can use Fusion to address a range of use cases, including:
- Frictionless NDR: Detect malicious activity like lateral movement within and across your multi-cloud network to decrease dwell time of threat actors before they can cause costly operational disruptions or threaten business continuity.
- Accelerate Investigation & Threat Hunting: Conduct incident investigation and threat hunting with analysis of East/West and North/South activity after a security event or anomalous activity, using context-rich historical data.
- Zero Trust Planning and Enablement: Observe network usage for segmentation planning and pre/post deployment metrics. Monitor trust boundaries within a single location, multiple regions, or globally, and dynamically update the trust boundary rules when you add new segments or modify existing segments.
If you’d like to learn more about Netography Fusion, contact us for more information, a demo, or to get started with a free trial.
About Netography
Netography is the leader in holistic network security and observability. The Netography Fusion® platform is the fastest and easiest way to detect anomalous and malicious activity in your multi-cloud, single-cloud, or hybrid network. Fusion is a 100% SaaS, cloud-native platform that provides frictionless detection and response to compromises and anomalies at scale in real-time without the burden of deploying sensors, agents, or taps.
Based in Annapolis, MD, Netography® is backed by leading venture firms, including Bessemer Venture Partners, SYN Ventures, and A16Z. For more information, visit netography.com.