• Dynamic Endpoint Modeling (DEM) is a managed service system comprising real-time network flow data, advanced security analytics, and big-data methods to continuously model all network devices.
• Fully automated, real-time analysis of device level network traffic and patterns of communication.
• Provides high fidelity of security alerts, enabling smarter security actions.

• Limitless scalability

Greatly simplified deployment:

• No specialized hardware to purchase
• No software agents to deploy
• No expertise required

• Save time and money from constantly hiring more expertise while attempting to maintain a continuous vigil to ensure the integrity of systems and data.
• Attain a stronger security posture with a managed automated platform to rapidly identify compromised and misused devices, enable facilitate faster remediation, and reduce the risk and cost associated with breaches.

• Simplify threat detection and response with an advanced security capability available as a SaaS subscription.
• Cost-effective monthly and annual subscription plans.

• Rapidly identifies early stage and hidden indicators of compromise
• 100% functionality in encrypted environments; no “man in the middle"
• No signature lists to update
• No software agents to deploy

Provides continuous modeling across multiple dimensions of analysis:

• Forecast: This dimension supports algorithms that predict device behavior based on past activities, and assesses observed behavior against these predictions.
• Group: This dimension supports algorithms that assess devices for consistency in behavior by comparison to similar devices.
• Role: This dimension supports algorithms that use the dynamically recognized role of the network device to detect activities inconsistent with that role.
• Rule: This dimension supports algorithms that detect when endpoints are breaking established network rules including protocol/port correctness, profile characteristics, and blacklist communication.
• Consistency: This dimension supports algorithms that recognize when a device has critically deviated from its past behavior – both in data transmission and access characteristics.

Threat detection:

• Dynamically scalable analytics engine capable of analyzing along multiple threat dimensions.

Intelligent correlation:

• Analytics engine analyzes endpoint model data in real-time, quickly identifying tangible behavioral events and deviations while eliminating background noise and innocuous events to significantly reduce the number of false positives.

• Configurable alert sensitivity

• Supports all IP-based endpoint types
• Supports all endpoint hardware manufacturers
• Supports all OS types
• Supports physical and virtual endpoints

• From 50–500,000+ endpoints
• Supports IT and operations technology (OT) networks

• Available as a free virtual appliance
• Hardened Linux distribution
• Deployment onto physical and virtual hosts
• Monitoring of both physical and virtual endpoints
• Monitoring selectable by network subnets
• Supports multiple port mirroring and monitoring standards such as SPAN, mirror, and TAP
• Network flow collection up to 10 Gbps per NIC
• Support for multiple NICs
• Extended protocol flagging
• Extended support for DNS
• Supports third-party network flow protocols such as NetFlow, sFlow, and JFlow

• Provides unobstructed visibility into the behavior of all network endpoints and real-time alerts to clear behavioral anomalies and present indicators of compromise.
• Customizable notifications providing flexible notification frequency and distributions.

Highly structured access to detailed security intelligence:

• Simple data visualization and drill-down
• Simple CSV upload to organize and simplify network subnet segmentation presentation

Intuitive end-user functionality to core service features:

• Administration
• Configuration
• Alert notification and workflow
• Forensics and reporting

Convenient configuration of alertable conditions:

• abuse.ch is automatically updated and enforced on all devices
• Custom blacklists and external threat intelligence upload support
• Configurable geo blacklist violations
• Easy accountability for known scanners and SNMP managers

Unified functionality for multiple DEM sensors:

• All traffic directions: 360 degrees of network coverage including north/ south and east/west traffic flows
• All periods of time: Real-time through 6 months of history (standard); longer retention periods available
• All devices: coverage across entire network of devices
• All network perimeters

• All persistent data stored in compressed, encrypted form in key-based systems
• All network communications utilize strong encryption and two-factor authentication

• Integration with existing security tools and dashboards via syslog and API
• STIX integration (coming soon)