What is a critical asset? How do you protect the information
on it? What is “normal” with regard to application traffic
between clients and these critical assets? Despite large
investments in security, breaches continue to happen. This
is because we look at the wrong signals in the wrong places.
Layered security, IDS, endpoint tracking, and multifactor
user authentication have done little to prevent credentialed,
authenticated, and trusted users from breaching critical
assets and walking out with the keys to the kingdom.
Existing tools and techniques attempt to diagnose problems
using historical data extracted from logs and recordings
of past network activity. While, to the informed eye, these
may be useful in identifying cyclic trends, they don’t lend
themselves to guiding immediate action necessary to
prevent a breach. It takes behavioral analytics based on
deep packet inspection, real-time digital processing, and
machine learning to understand your critical assets and how
they communicate.
Signature-based systems cannot anticipate events. Core
services don’t have deep visibility by design or policy.
Sideband Networks’* SBN* series of physical and virtual
appliances apply custom DPI, live traffic analytics, and
behavioral analysis all targeted to reducing the noise while
delivering actionable knowledge. Catch malicious activities
targeting your critical assets, verify compliance, set early
warning systems, and empower your existing tools with
premium, contextual alerts. You need a friendly man in the
middle, and Sideband Networks is it.
Challenge
Security staffs everywhere are struggling to accomplish
more with fewer resources. Cloud services, virtualization,
guest Wi-Fi, and BYOD users all create their own security
challenges. Meanwhile, databases, DNS servers, file servers,
and departmental applications all present attractive targets
for malicious agents that want to steal data and disrupt
operations.
Network devices and computer systems generate a wealth
of information about their communication. Learning that
communication profile allows you to understand what is
normal on your network, and what might represent the first
stages of a breach. Unfortunately, SNMP data and traps,
alerts, security information and event management (SIEM)
logs, Netflow/sFlow records, and bulk recording mechanisms
such as network packet captures (pcaps) create information
overload and prevent you from seeing the signal in the noise.
What you need is a trip wire alerting you to potential security
issues without having to sift through large amounts of data.
Alerts in the thousands are impossible to act on. How do you
make effective decisions without compromising real-time
responsiveness?
Identifying malicious activity with this data can be like
finding a needle in a haystack and can take hours, days,
or weeks to resolve. Investigation is a manual task that
relies heavily on the intuition of experienced network
administrators who are overloaded with events and alerts.
Focusing on perimeter- and user-based security information
often creates an ambiguous or vague diagnosis followed by
an expensive “shotgun” forensic deep dive into the data with
little real information to go on.
This type of analysis seldom answers the key question,
“Is there unusual activity relative to the assets I’m trying
to protect that I should be focused on at this moment in
time?” Security administrators need powerful tools that
offer smart notifications with an intuitive display of real-time
information in order to quickly analyze and diagnose
network security issues at the first point of contact.
Solution
Sideband Networks tackles this problem by leveraging data
analytics and machine cognition to understand normal
communication behavior and generate premium, contextual
alerts to anomalous behavior. Sideband gathers live
streaming traffic from common monitoring technologies,
including spans, taps, and mirror ports. The family of
appliances can handle over 10 Gbps of live network traffic
and house Sideband’s software for real-time processing and
alerting.1
Sideband employs custom, deep packet inspection (DPI) at
the front line to construct flow information, identifying traffic
using a signature library of over 1,400 applications. From the
resulting rich flow database, Sideband continuously extracts
key metrics in real time and uses them as features for
machine analysis and pattern recognition. These features are
leveraged to build up a behavioral profile, which includes a
detailed characterization of the network’s behavior over time
as well as at different times of the day, week, or month.
Once the solution has characterized the network, Sideband
next continuously compares the observed network behavior
with last known state and historical trends, noting when one
or more features of the network traffic are outside of the
tolerance levels. These occurrences are recorded as events
for processing by the alert generation logic. Operators may
supplement this automated process with their own custom
policies, for example to immediately alert operators to high
traffic volumes to specific IP addresses. When defining
custom policies, Sideband assists operators by mining the
historical profile data to help them understand normal
network behaviors and enabling them to quickly set custom
policies based on these behaviors.
Sideband’s alert generation logic is the secret behind its
ability to deliver high quality, contextual alerts. Events
are rapidly evaluated and correlated using state-of-the-art
pattern matching and machine learning techniques. In
this way, the system recognizes when the network is truly
displaying unusual behavior.
The Sideband SBN Control Panel provides operators with
a concise, easy-to-interpret overview of the key network
and alert behaviors associated with their critical assets.
Operators may use the console to view network activity
profiles, set custom and assisted policies, and filter and
drill down into alerts to understand their contributing
events. A real strength of the Sideband solution is its ability
to integrate with an enterprise’s security management
infrastructure. For example, Sideband generates syslog-formatted
files for easy integration with the leading SIEM
and security management products. Web services-based
integration options allow rich interaction with other security
components to support interactive analysis and real-time
actions.
1. 10 Gbps maximum processing rate based on laboratory testing with a system using a 12-core, Intel® Xeon® E5-2695 v2 (2.4 GHz) CPU and 128 GB of ECC RAM. Test performed by Sideband Networks.
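The analytics pipeline this section describes (flow records from the DPI front line, features extracted per time window, a profile of normal behavior by hour of day, a tolerance check that records events, operator-defined policies such as alerting on high traffic volume to a specific address, and syslog-formatted output for a SIEM) is sketched end to end in the following example. It is an added illustration written for this page, not Sideband Networks' code: the asset and host addresses, the flow records, the three features (bytes, distinct peers, distinct destination ports, rather than the product's 100-plus), the z-score tolerance, and the syslog structured-data layout are all constructed assumptions. The observed window deliberately contains a missed nightly backup and an unknown host pulling a large volume from the asset, which are the situations the use cases later in this brief describe.

```python
"""Toy behavior profile and alerting for one critical asset (added illustration,
not Sideband Networks' code): hourly features from constructed flow records,
per-hour-of-day baseline, tolerance scoring, operator policies, syslog output."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

ASSET = "10.0.0.5"  # constructed: a database server treated as the critical asset
FEATURES = ("bytes", "peers", "ports")

def _ts(day, hour):
    return datetime(2015, 3, day, hour, tzinfo=timezone.utc)

# Constructed flow records (timestamp, src, dst, dst_port, bytes) as a DPI front end
# might emit. Seven days of history: two app servers query the database every hour,
# and a backup host pulls it at 02:00 daily.
BASELINE_FLOWS = []
for day in range(1, 8):
    for hour in range(24):
        for app in ("10.0.1.10", "10.0.1.11"):
            BASELINE_FLOWS.append((_ts(day, hour), app, ASSET, 5432, 40_000 + 500 * (hour % 3)))
    BASELINE_FLOWS.append((_ts(day, 2), ASSET, "10.0.0.9", 873, 2_000_000))

# Day 8, 02:00: the backup never runs and an unknown host pulls 50 MB of rows.
OBSERVED_FLOWS = [(_ts(8, 2), "10.0.1.10", ASSET, 5432, 41_000),
                  (_ts(8, 2), "10.0.1.11", ASSET, 5432, 41_000),
                  (_ts(8, 2), "10.0.2.77", ASSET, 5432, 50_000_000)]

def hourly_windows(flows, asset):
    """Aggregate flows touching `asset` into per-(date, hour) feature windows."""
    windows = defaultdict(lambda: {"bytes": 0, "peers": set(), "ports": set()})
    for ts, src, dst, port, nbytes in flows:
        if asset in (src, dst):
            w = windows[(ts.date(), ts.hour)]
            w["bytes"] += nbytes
            w["peers"].add(dst if src == asset else src)
            w["ports"].add(port)
    return windows

def numeric(window, name):
    """Byte count as-is; set-valued features (peers, ports) by cardinality."""
    return window[name] if name == "bytes" else len(window[name])

def build_profile(windows):
    """Per hour-of-day mean/stddev of each feature, plus peers seen on every day."""
    by_hour = defaultdict(list)
    for (_, hour), w in windows.items():
        by_hour[hour].append(w)
    profile = {}
    for hour, ws in by_hour.items():
        stats = {n: (mean([numeric(w, n) for w in ws]), pstdev([numeric(w, n) for w in ws]))
                 for n in FEATURES}
        profile[hour] = {"stats": stats, "always_peers": set.intersection(*(w["peers"] for w in ws))}
    return profile

def score_window(profile, hour, window, tolerance=3.0, floor=0.05):
    """Events for features beyond `tolerance` std devs, and for expected peers absent."""
    events, entry = [], profile[hour]
    for name, (mu, sigma) in entry["stats"].items():
        observed = numeric(window, name)
        sigma = max(sigma, floor * mu)  # perfectly regular history would give sigma 0
        z = (observed - mu) / sigma if sigma else (0.0 if observed == mu else float("inf"))
        if abs(z) > tolerance:
            events.append(("deviation", name, observed, round(mu), round(z, 1)))
    for peer in sorted(entry["always_peers"] - window["peers"]):
        events.append(("missing_peer", peer, 0, 1, 0.0))
    return events

def apply_policies(flows, policies):
    """Operator-defined rules: total bytes sent to a given IP above a fixed limit."""
    to_dst = defaultdict(int)
    for _, _, dst, _, nbytes in flows:
        to_dst[dst] += nbytes
    return [("policy", dst, to_dst[dst], limit, 0.0) for dst, limit in policies.items() if to_dst[dst] > limit]

def to_syslog(event, asset, ts, host="sbn-sensor", app="cba"):
    """RFC 5424 line, PRI 12 = facility user / severity warning. The SD-ID enterprise
    number 32473 is the IANA value reserved for documentation, not a vendor's."""
    kind, subject, observed, expected, z = event
    sd = f'[cba@32473 asset="{asset}" kind="{kind}" subject="{subject}" observed="{observed}" expected="{expected}" z="{z}"]'
    return f"<12>1 {ts.isoformat()} {host} {app} - {kind.upper()} {sd} anomalous behavior on critical asset"

def run_demo(policies=None):
    """Profile the history, score the observed window, return (events, syslog lines)."""
    policies = {ASSET: 10_000_000} if policies is None else policies
    profile = build_profile(hourly_windows(BASELINE_FLOWS, ASSET))
    events = []
    for (_, hour), window in hourly_windows(OBSERVED_FLOWS, ASSET).items():
        events += score_window(profile, hour, window)
    events += apply_policies(OBSERVED_FLOWS, policies)
    return events, [to_syslog(e, ASSET, OBSERVED_FLOWS[0][0]) for e in events]

if __name__ == "__main__":
    print("\n".join(run_demo()[1]))
```

Running the block prints one RFC 5424 line per event: a byte-volume deviation, a drop in distinct ports, the absent backup peer, and the operator policy hit. The structured-data element carries the asset, feature, observed and expected values so a SIEM can parse the alert without a custom regex; the `floor` argument is the practical guard against a perfectly regular history producing a zero standard deviation and flagging every tiny change.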
Intel® Technology
Sideband Networks SBN physical appliances are built using Intel® processors, including elements of Intel® Core™ i5 processors,
Intel Core i7 processors, and Intel® Xeon® processor E5 V2. In addition, Sideband Networks SBN virtual appliances support
deployment on a variety of Intel server configurations. Sideband’s solution comes in a variety of capacities to match the
network traffic and the number of assets being monitored, up to 10 Gbps.1
The power of Intel’s advanced hardware and the intelligence of Linux* software extensions enabled Sideband to migrate from
its proprietary processor to Intel® architecture, Linux-based systems. Of particular value to Sideband was the Data Plane
Development Kit (DPDK), a public-domain software library initially developed by Intel that routes network packets from the
network interface card (NIC) directly to Sideband’s DPI application while bypassing the Linux OS kernel. The DPDK’s poll mode
drivers and packet distributor library (PDL) made it possible for Sideband to access real-time traffic with zero copy operations.
As a result, Sideband’s DPI solution provides near line rate layer 2 through layer 7 flow classification at 10 Gbps.1
Scalability is also enhanced with other Intel innovations. Using Intel® Receive Side Scaling (RSS) and the DPDK’s hardware-based
RSS packet hashing, Sideband sets up multiple ingress queues that are independently classified. This parallel operation
allows Sideband’s SBN series solution to handle high-capacity networks.
Figure 1. The SBN Control Panel provides operators with an overview of real time asset behavioral information in a web-based interface.
Fault-tolerance and high availability are critical characteristics of an enterprise-ready solution, and Intel technology enables
Sideband Networks to deliver. Using DPDK’s Link Bonding Library, Sideband provides backup or redundant ports that may
be connected in the live network, which are only activated if the primary link fails either due to cable loss, port loss, or port
misconfiguration.
Through the use of DPDK, Sideband was able to achieve a three-fold improvement in throughput performance, with minimal
packet loss.2
Figure 2. Sideband Networks SBN Communication Behavior Analytics Solution generates detailed, contextual alerts for anomalous behaviors.
2. Improvement in performance based on laboratory testing with a system using a 12-core, E5-2695 v2 (2.4 GHz) CPU and 128 GB of ECC RAM and DPDK v. 1.8 versus an equivalent system without DPDK. Test
performed by Sideband Networks.
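Receive Side Scaling spreads packets over NIC queues by hashing the packet's addresses and ports with a Toeplitz hash keyed by a 40-byte secret. For a sensor that classifies each ingress queue independently, as described above, both directions of a conversation must land on the same queue, which holds with a symmetric key (a repeating 16-bit pattern) and in general does not with a random one. The following added example, not DPDK's or Sideband Networks' code, implements the hash in Python and compares the two kinds of key over constructed flows; the repeating 0x6d5a key is the one commonly used for symmetric RSS, and the queue count, addresses and ports are assumptions.

```python
"""Toeplitz (RSS-style) hashing of a flow 5-tuple onto NIC ingress queues.

Added illustration, not DPDK's or Sideband Networks' code. It shows the
property a sensor that classifies each ingress queue independently depends
on: both directions of a conversation must hash to the same queue.
"""
import ipaddress
import struct

# SYMMETRIC_KEY is the repeating 0x6d5a pattern commonly used for symmetric
# RSS; RANDOM_KEY is an arbitrary constructed 40-byte key for comparison.
SYMMETRIC_KEY = bytes([0x6D, 0x5A] * 20)
RANDOM_KEY = bytes(range(1, 41))

def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Toeplitz hash: for every set bit of the input (MSB first), XOR in the
    32-bit window of the key that starts at that bit position."""
    key_bits = len(key) * 8
    assert len(data) * 8 + 32 <= key_bits, "key too short for this input"
    key_int = int.from_bytes(key, "big")
    result = 0
    for i, byte in enumerate(data):
        for bit in range(8):
            if byte & (0x80 >> bit):
                pos = i * 8 + bit
                result ^= (key_int >> (key_bits - 32 - pos)) & 0xFFFFFFFF
    return result

def rss_input(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """RSS input layout for IPv4 + TCP/UDP: saddr, daddr, sport, dport."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))

def queue_for(key: bytes, src_ip, dst_ip, src_port, dst_port, nqueues: int) -> int:
    """Queue index from the low bits of the hash, as a NIC indirection table would."""
    return toeplitz_hash(key, rss_input(src_ip, dst_ip, src_port, dst_port)) % nqueues

def sample_flows(n=64):
    """Constructed client->server flows: n clients talking to one database port."""
    return [(f"10.0.{i // 16 + 1}.{i % 16 + 1}", "10.0.0.5", 40000 + i, 5432) for i in range(n)]

def split_conversations(key: bytes, flows, nqueues=8) -> int:
    """Count flows whose forward and reverse packets land on different queues."""
    split = 0
    for src, dst, sport, dport in flows:
        if queue_for(key, src, dst, sport, dport, nqueues) != queue_for(key, dst, src, dport, sport, nqueues):
            split += 1
    return split

if __name__ == "__main__":
    flows = sample_flows()
    for name, key in (("symmetric", SYMMETRIC_KEY), ("random", RANDOM_KEY)):
        print(f"{name} key: {split_conversations(key, flows)} of {len(flows)} conversations split across queues")
```

With the symmetric key no conversation is split, because swapping the two 32-bit addresses or the two 16-bit ports shifts set bits by a multiple of the key's 16-bit period and therefore XORs in the same key windows; with the arbitrary key, most conversations have their two directions classified on different queues, which is exactly the situation a per-queue flow classifier cannot tolerate.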
Key Features
Key features of the Sideband Networks SBN Communication Behavior Analytics (CBA) Solution include:
• Leverages custom deep packet inspection and identification with a library of over 1,400 applications
• Extracts over 100 features from flows to build up an accurate behavioral profile of network traffic
• Automatically generates premium, contextual alerts to notify security teams and infrastructure of anomalous behavior
• Allows definition of user-defined policies, and assisted policies derived from observed network behavior
• Provides operators with a concise, easy-to-interpret overview of key network and alert behaviors through an intuitive
web console
• Supports easy integration with SIEM and other security infrastructure through syslog-formatted files and JSON web
services interface
• Deploys in the network on a span or mirror port, or on a network tap for minimal impact on network operations
• Operates on all Ethernet networks – 1 Gbps, 10 Gbps and 40 Gbps copper (option) and fiber Ethernet.
• Delivers visibility into east–west communications showing what’s obscured within your network, to identify activities
associated with an internal breach before it progresses further.
• Available in a variety of deployment options, including 10 Gbps and 2 Gbps rated appliances and as a virtual appliance to
support branch office and cloud deployments.
Benefits
Sideband Networks’ solution offers substantial benefits for
the enterprise:
• Improves critical asset security. Monitors network
behavior to and from critical assets to alert security
teams to breaches before they happen.
• Automated configuration. Automatically builds a
profile of normal network behaviors at various times
of the day or week to provide new visibility into asset
behaviors.
• Easy to maintain. Leverages advanced behavioral
analytics techniques; no need to develop and maintain
complex threat signatures.
• Small footprint. Agent-less implementation deploys
with no increase in security footprint on clients or hosts.
• Adds value to security infrastructure investment.
Integrates with security infrastructures to add reliable
threat detection to SIEM, firewall, and IDS/IPS systems
with coordinated alerts to save time in responding to
evolving security incidents.
• Helps with policy compliance. Forget to reconfigure
a temporary remote access route to a critical asset?
Sideband verifies changes to the network through
behavioral profiles and generates valuable data for
compliance reports.
Sideband Networks SBN Use Cases
Fully authorized and authenticated privileged user is
compromised
Sideband monitors traffic to critical assets, and a new
or unusual behavior change is tracked and alerted on
deviation within minutes.
Device-to-device trusted connection hijacked by bot
through east-west communications
Changes in traffic flows or high port activities are
identified and tracked. Slight increases create change in
behavioral models and are detected.
Missed or failed server backup
Regular server backup activity is profiled and monitored.
When a backup is missed or incomplete due to a storage
or backup system failure, it is detected and an alert is
generated.
Breach protection for cloud-based deployments
Solution is available as a virtual appliance for data
center deployment and to protect assets in the cloud.
Figure 3. Alert details from the SBN Communication Behavior Analytics Solution provide new visibility into critical asset behaviors.
Conclusion
Sideband Networks helps organizations maximize the
effectiveness of their security operations by helping them
identify and focus on what is important: their data. Sideband
Networks’ SBN Communication Behavior Analytics (CBA)
Solution continuously evaluates the behavior associated
with critical assets using machine-learning technology,
effectively “locking down” the behavior of these assets to
prevent bad actors or misconfigured policy from compromising
your network or your compliance audits.
Sideband adds value to the security solutions employed
to help protect networked environments. Sideband
complements next generation firewalls by focusing on
the east-west traffic associated with sensitive assets,
alerting these systems and their operators to in-progress
threats so they alter their policies and take immediate
action. Sideband’s ability to profile normal behavior and
spot anomalies provides IDS/IPS systems with a means of
responding to zero-day threats between signature updates.
Sideband supports network change management processes
and tools by providing behavioral validation that network
policies are configured correctly. Finally, Sideband helps
leverage corporate investments in SIEM technologies with
premium, contextual alerts delivered to the SIEM console
to help operators identify what is important. In this way,
Sideband is a key component for improving response and
enhancing security operational efficiency.
About Intel
Intel (NASDAQ: INTC) is a world leader in computing
innovation. The company designs and builds the essential
technologies that serve as the foundation for the world’s
computing devices. As a leader in corporate responsibility
and sustainability, Intel also manufactures the world’s first
commercially available “conflict-free” microprocessors.3
Additional information about Intel is available at
newsroom.intel.com and blogs.intel.com and about Intel’s
conflict-free efforts at conflictfree.intel.com.
About Sideband Networks
Sideband Networks’ solutions leverage live data analytics
to develop a real-time view of network behavior, and then
use this information to continuously monitor for the kinds
of anomalous behavior that indicates a data breach, insider
threat, or operational issue. Sideband Networks is based
in the heart of Silicon Valley in San Jose, California. For
more information, visit the Sideband Networks website at
sidebandnetworks.com.
3. “Conflict free” and “conflict-free” means “DRC conflict free”, which is defined by the U.S. Securities and Exchange Commission rules to mean products that do not contain conflict minerals (tin, tantalum, tungsten
and/or gold) that directly or indirectly finance or benefit armed groups in the Democratic Republic of the Congo (DRC) or adjoining countries. We also use the term “conflict-free” in a broader sense to refer to
suppliers, supply chains, smelters and refiners whose sources of conflict minerals do not finance conflict in the DRC or adjoining countries.