Published on March 7th, 2018 | by Joel Roy
SS8 Networks| Advanced Network Intelligence and Breach Detection
This guest post was originally written by Daniel Reedy, Media and Communications Manager at Pentester Academy.
A lot has changed in the network security sector over the last 20 years. Attackers have become more sophisticated and they now know their way around firewalls and signatures. “The traditional, preventative model of security isn’t effective as much as it used to be,” says Tony Thompson, Vice President and General Manager of SS8 Networks.
SS8 was founded to improve network intelligence: recording network communications and deriving investigative information from them. The company has since expanded to combating cyber threats alongside intelligence agencies and businesses.
“We are all about extracting intelligence from network communications, recording and storing that information over a period of time, and then applying analytics to that recorded history of the network communications,” Thompson says.
The reason this matters, he says, is that attackers hide in communications over long periods of time. Applying analytics across those lengthy periods gathers enough data to search for patterns and uncover potential attacks.
“You have to detect and understand what’s happening on the network because the network really is a source of truth for attack behavior…We really believe understanding and having visibility into the network communications is the key to preventing these things going forward and preventing the most advanced attacks.”
Watch the video below as Thompson speaks with Pentester Academy TV (PATV) about network intelligence, the layers of network visibility, and the SS8 threat research team.
As Thompson said in the interview above, SS8 differs from other security solutions in three distinct ways:
The team’s recursive analytics solution looks at the network’s history, analyzes behaviors over time, and associates those behaviors with specific devices, creating a comprehensive record of the network environment.
Thompson highlighted the SS8 workflow, comparing the team’s strategy to how law enforcement organizations handle bomb threats — waiting is not an option.
“In an enterprise environment, you don’t have time to piece together log information and log data,” Thompson said. “I want to know exactly that device and that user that appears to be compromised so that I can apply appropriate action.”
The third major difference is that SS8 uses the HDR (high definition record), a highly detailed summary of the network communications. Using sensor technology that sits passively on the network, SS8 gathers far more information than NetFlow records provide.
“HDRs are like netflows on steroids,” Thompson said. “It’s like 140 different fields of information that we extract from the packet, from the session, from the flow that’s happening passively on the network…We have lots of visibility, and that HDR is really critical to understanding the visibility of the network.”
This visibility combined with detection techniques is crucial in modern security.
“There’s been such a reliance on the preventative type of security measures,” Thompson says. “We’re in more of this mode of visibility and detection that says, ‘let’s assume they’re going to get in’ and one school of thought is ‘who cares if they get in? Just don’t let them back out.’”
The concept is essentially that, since attackers are able to penetrate the defenses, the defending team should focus on understanding what has been compromised and what is at risk, and then on removing the malicious devices from the network.
For this network traffic analysis and advanced threat detection, SS8 has developed its BreachDetect solution. The platform has two primary use cases: first, proactively detecting advanced threats and suspicious devices in the environment; second, manual investigation and threat hunting by querying the network and its recorded history. BreachDetect sits passively on the network recording traffic, uses a recursive analytics engine hosted in the cloud, and provides a discovery interface.
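One way to turn a recorded flow history into the behaviour-over-time detection described above, as an added example that is not SS8's code: it groups constructed session records by (device, destination) and flags pairs whose contact timing is machine-regular, which is the sort of low-volume pattern that is invisible in any single session but stands out over a long window. The record layout, the `find_beacons` function and its thresholds are assumptions for illustration, not the HDR format.

```python
from collections import defaultdict
from statistics import mean, pstdev

def constructed_flows():
    """Constructed sample records, not real traffic.

    Each tuple mimics a few of the per-session fields a passive sensor would
    record: (epoch seconds, source device, destination, bytes sent).
    """
    base = 1_520_380_800  # an arbitrary March 2018 timestamp
    flows = []
    # ws-17: a small check-in to one host every 600 s with slight jitter,
    # the kind of low-volume pattern that only stands out over a long window
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, -3, 1, 0, 2, -2, 3]):
        flows.append((base + i * 600 + jitter, "ws-17", "203.0.113.9:443", 412))
    # ws-17: ordinary browsing to another host at irregular times
    for off in [10, 95, 400, 420, 1300, 2900, 3000, 5100, 5150, 7200]:
        flows.append((base + off, "ws-17", "198.51.100.20:443", 15_000))
    # ws-22: bursty, non-periodic contact with the same host as the beacon
    for off in [0, 20, 30, 900, 905, 2400, 2410, 2420, 6000]:
        flows.append((base + off, "ws-22", "203.0.113.9:443", 900))
    return flows

def find_beacons(flows, min_samples=8, max_cv=0.1):
    """Flag (device, destination) pairs whose contact intervals are nearly constant.

    Intervals are scored by coefficient of variation (stdev / mean); a value
    near zero means machine-regular timing rather than human activity.
    """
    times_by_pair = defaultdict(list)
    for ts, device, dest, _bytes in flows:
        times_by_pair[(device, dest)].append(ts)
    hits = []
    for (device, dest), times in times_by_pair.items():
        if len(times) < min_samples:
            continue  # too little history to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"device": device, "dest": dest, "count": len(times),
                         "mean_interval": round(avg, 1), "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(hit)
```

Only ws-17's regular check-ins are reported; ws-22 talks to the same host but with bursty timing, which is why attribution to a specific device rather than to a destination matters.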
Watch below as Thompson demonstrates the platform.
To watch Access Point and our other cyber security programs, visit and subscribe to our channel Pentester Academy TV.
This post was originally published on PenTesterAcademy.com Blog