October 03, 2016
Depends on configuration.
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Its new UI is its strongest feature in that it gives extremely flexible access to the rest of the strong functionality.
- Weaknesses: None that we found.
- Verdict: NetDetector has always been a good series for Niksun, but this new version tops everything they've done so far – except, perhaps, for the Eagle (see our First Look review, October 2015). Again this year, we bring the NetDetectorLive into the lab as SC Lab Approved, our highest award. Watch next year for an in-depth review of a year in a production environment.
NIKSUN has been a staple in our lab for several years and has always been one of our dependable workhorses. This latest version is no exception. However, there's a lot that's new here and we were impressed immediately. The most obvious update is to the user interface. But, we're getting ahead of ourselves.
When we received the appliance we installed it in our test bay. We fired it up and started through the initial configuration. Nothing. Dead on arrival. A panic call to NIKSUN support brought an engineer from the New Jersey offices to our lab in Michigan USA. The verdict was that the boot disk had been damaged in transit. A new disk, a new OS image, and we were on the road. We finished configuration and connected it into our honeynet: the sensor port, with no IP address, to our network tap and the management port to our internal network. Slick and quick.
Then we went to our lab computer and browsed to the management network. Yes...browsed. For those of you who are long NIKSUN users, that is a foreign term. NIKSUN has had its own interface forever. No more. It now sports a slick UI - web-based - that allows the user to create whatever desktop he or she wants. That means any desktop. Since the product sees everything as a report, all you need to do is drag in what you want - onto the screen, with no icons or code to write - and save it as your own report. Once you have the screens you want - and they may include the NIKSUN out-of-the-box reports - you have a fully customised UI that meets your specific needs. That could include specialised monitors that have your custom drill-downs.
We set up a suite of reports after we enabled the event monitoring - all events are defined using SNORT rules - and settled in on a particular project we are working on in our honeypot. We ran several other monitors - each with its own purpose - and we hoped that NetDetectorLive would give us a deeper dive into what the bad guys were doing as they attacked and probed us. We were not disappointed. Drill-downs got us exactly where we wanted to be and we were able to collect some interesting artifacts. Since we can reproduce an attack down to the bit level, we had about as good a picture as you're likely to get.
NetDetectorLive moved right into our lab, settled in between our PacketSled and our open source Maltrail and started giving us good data immediately. Once we had the dead disk replaced and the box up, it took us under a half-hour to configure and start collecting data. We monitor our honeypots 24/7 and this tool is going to give us exactly what we need to decode attacks and probes in detail. We can say with pretty firm assurance that just about anything you have in your SOC will give you more in the context of NetDetectorLive. This tool can stand on its own or it can augment your other monitors to give you a much deeper dive.
One of the nice things we found concerns detection content. We monitor several open sources of indicators of compromise, and some of them publish specific SNORT rules for particular indicators. We can copy and paste those SNORT rules straight into NetDetectorLive, which adds them to our event detection and capture.
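Because the review describes events being defined as SNORT rules and rules from open IoC feeds being pasted into the appliance, here is an added example of the sanity check a lab would run on such a feed before loading it. This is our own illustration, not code from the review or from NIKSUN, and it assumes nothing about the appliance's rule import beyond standard Snort 2 rule syntax. The feed content, the sid range and the addresses are constructed sample data, not real indicators.

```python
"""
Vet Snort-style rules from an IoC feed before pasting them into a sensor.

Checks each rule for a well-formed header and option block, a numeric sid,
a msg, a duplicate sid within the feed, and 'any -> any' rules that carry
no content/pcre/flow criteria (which would fire on every packet).
"""
import re

# Constructed sample feed (not real indicators): two good rules, four bad ones.
SAMPLE_FEED = """
# constructed sample rules for illustration only
alert tcp $HOME_NET any -> 203.0.113.10 443 (msg:"EXAMPLE C2 beacon to 203.0.113.10"; flow:to_server,established; sid:9000001; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS query for bad.example"; content:"|03|bad|07|example"; nocase; sid:9000002; rev:2;)
alert ip any any -> any any (msg:"EXAMPLE rule without a sid";)
drop tcp any any -> any 80 (msg:"EXAMPLE unbalanced rule"; sid:9000003; rev:1
alert ip any any -> any any (msg:"EXAMPLE catch-all"; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> 198.51.100.7 8443 (msg:"EXAMPLE duplicate sid"; sid:9000001; rev:1;)
"""

# Snort 2 header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def parse_options(opts):
    """Split the option block on ';' outside double quotes -> {key: [values]}."""
    parts, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        parts.append(''.join(cur).strip())
    result = {}
    for part in parts:
        if not part:
            continue
        key, _, value = part.partition(':')
        result.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return result


def parse_rule(line):
    """Return a dict of header fields plus 'options', or None if malformed."""
    match = HEADER_RE.match(line.strip())
    if not match:
        return None
    rule = match.groupdict()
    rule['options'] = parse_options(rule.pop('opts'))
    return rule


def check_rule(line):
    """Return (ok, reason, parsed_rule) for one rule line."""
    rule = parse_rule(line)
    if rule is None:
        return False, 'malformed header or unbalanced parentheses', None
    opts = rule['options']
    if 'sid' not in opts or not opts['sid'][0].isdigit():
        return False, 'missing numeric sid', rule
    if 'msg' not in opts:
        return False, 'missing msg', rule
    wide_open = rule['src'] == 'any' and rule['dst'] == 'any' and rule['dport'] == 'any'
    if wide_open and not (set(opts) & {'content', 'pcre', 'flow'}):
        return False, 'catch-all rule with no match criteria', rule
    return True, 'ok', rule


def vet_feed(text):
    """Return (accepted, rejected) lists of (line, reason, parsed_rule)."""
    accepted, rejected, seen_sids = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        ok, reason, rule = check_rule(line)
        if ok:
            sid = rule['options']['sid'][0]
            if sid in seen_sids:
                ok, reason = False, 'duplicate sid %s' % sid
            seen_sids.add(sid)
        (accepted if ok else rejected).append((line, reason, rule))
    return accepted, rejected


if __name__ == '__main__':
    good, bad = vet_feed(SAMPLE_FEED)
    for line, reason, _ in bad:
        print('REJECT (%s): %s' % (reason, line))
    print('%d rule(s) ready to paste' % len(good))
```

The parser is deliberately strict: a rule that fails the header match or lacks a sid is rejected rather than repaired, because a silently mangled rule loaded into a sensor produces either a blind spot or a flood of false events, and either is harder to notice than a rejection at import time.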
Support is superb and the cost is very reasonable. You can go from the small system we have to a fully loaded box with lots of mass storage, and there are virtual versions as well. The website gives you what you need to deploy and make the best use of the tool.