
Garda Monitor

Product
The name of the base system (platform): Garda Enterprise
Developers: Garda Technology
Date of the premiere of the system: 2016/09/19
Last Release Date: 2023/08/16
Technology: ITSM - IT Service Management Systems, Network Health Monitoring - IT Infrastructure Performance Management, IS - Security Information and Event Management (SIEM)


Garda Monitor is a software and hardware complex for investigating network incidents.

2023

Certification of "Garda Monitor" version 3.1 in Belarus

The threat identification and network incident investigation system "Garda Monitor" version 3.1 of the "Garda" group of companies has been certified in Belarus. The solution meets the requirements of Technical Regulation TR 2013/027/BY of the Republic of Belarus and is ready for use in the country.

The NDR system "Garda Monitor" has passed the necessary tests of the National Compliance Confirmation System. The results confirm that the system performs the declared functions and protects against modification of critical parameters using a mechanism for monitoring the integrity of its own components.

"NDR (Network Detection and Response) is a fundamental monitoring tool for the modern center for countering cyber attacks (SOC)," said Pavel Kuznetsov, Product Director of Garda Technologies. "Even if attackers meticulously hide traces of their presence on endpoints in the corporate network, signs of their activity can be detected by analyzing network traffic. The successful practice of using the system in Russia will now help the Belarusian business to respond to incidents in a timely manner and stop threats, and joint use with such protective equipment as Deception, Anti-DDoS and Threat Intelligence services will significantly increase the cyber resistance of enterprises."

The NDR system "Garda Monitor" detects threats both by traditional signature methods and by two types of ML models. The analytical module lets you quickly process information security incidents, and extensive integration capabilities let you respond to incidents using all available tools, including specialized information protection tools and network equipment.

In addition, the certified version of Garda Monitor has improved the functionality of behavioral analytics and threat classification, the company noted.

"Garda Monitor 3.1" with "Recent Events" section

On May 29, 2023, Garda Technologies introduced an updated version of its system for identifying, classifying and actively responding to threats, Garda Monitor 3.1, with improved behavioral analytics, threat classification and threat distribution functionality.

Based on best practices in the NDR segment, the Latest Events section has been added to the threat identification and network incident investigation system, allowing you to analyze and respond to all identified threats in one window.

The "Distribution by Threat Type" widget has been added to the interface. It displays identified events over time and shows in which categories and threat types each event was recorded, simplifying analysis and incident investigation.

Event cards contain detailed information on the fields of interest; their layout is rebuilt dynamically depending on the details required. From an event, you can go to the section where it was detected, see the context and access the network stream on which the trigger occurred. Data sources are either policy filter triggers or results identified by behavioral analysis.

Anomaly detection in Garda Monitor uses an ML model of behavioral analysis based on network traffic. For training, the user specifies the parameters the model should track and the training period. When the period ends, the system compares current data with the model forecast and, in case of deviations, notifies you of anomalies. This release improves the display of data: by default the system now shows all data over a two-hour interval, including bursts that can be visually compared with the values from the model to estimate deviations.

In addition, behavioral models that require no training have been added to Garda Monitor 3.1. They detect threshold events by the number of established connections and the amount of data transmitted, slow scanning of systems, and periodic requests (beacons) to external resources. This makes it possible to identify the latest botnets and C&C access without signatures and IoCs.
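As an added illustration of the training-free checks described above (example code, not Garda Monitor's own), two of those heuristics are run over constructed NetFlow-style records: a connection-count threshold per source host and a beacon detector that flags a source/destination pair with near-constant inter-arrival times. The record layout, thresholds and jitter tolerance are assumptions made for this example.

```python
"""Training-free behavioural checks over NetFlow-style flow records.

Added example, not Garda Monitor code. Flow layout, thresholds and the
jitter tolerance are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    # 10.0.0.5 beacons to one external host every 60 s (constructed)
    *[(t, "10.0.0.5", "203.0.113.7", 443, 512) for t in range(0, 600, 60)],
    # 10.0.0.9 browses the same host at irregular intervals (constructed)
    (5, "10.0.0.9", "198.51.100.2", 443, 9000),
    (41, "10.0.0.9", "198.51.100.2", 443, 3000),
    (120, "10.0.0.9", "198.51.100.2", 443, 12000),
    (133, "10.0.0.9", "198.51.100.2", 443, 800),
    # 10.0.0.12 opens 40 SMB connections in 40 s (constructed)
    *[(100 + i, "10.0.0.12", f"10.0.1.{i}", 445, 60) for i in range(40)],
]


def connection_threshold(flows, limit, window):
    """Return the set of source hosts that open more than `limit`
    connections inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, *_ in flows:
        by_src[src].append(ts)
    hits = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # Shrink the window from the left until it spans <= `window` s.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > limit:
                hits.add(src)
                break
    return hits


def beacons(flows, min_hits=5, max_jitter=0.15):
    """Return (src, dst, period) for src->dst pairs seen at least
    `min_hits` times whose inter-arrival gaps are regular, i.e. the
    coefficient of variation (stdev / mean) is below `max_jitter`."""
    pairs = defaultdict(list)
    for ts, src, dst, *_ in flows:
        pairs[(src, dst)].append(ts)
    found = []
    for (src, dst), times in pairs.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            found.append((src, dst, period))
    return found


if __name__ == "__main__":
    print("connection threshold hits:", connection_threshold(FLOWS, 20, 30))
    print("beacons:", beacons(FLOWS))
```

Both checks need only flow metadata (timestamps, endpoints, counts), which is why they work on NetFlow alone without signatures or indicator feeds.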

"The presented release is a big step forward for the development of the product, a kind of transition to another class," said Stanislav Gribanov, head of the Garda Monitor product at Garda Technology. "In addition to fully controlling network traffic over SPAN/TAP and NetFlow, the product began to identify threats with two types of ML models using only NetFlow data. An improved analytical system allows you to quickly process information security incidents and, when integrating with SIEM, transmit not 'raw' syslog, but identified incidents. Active response through the Garda Monitor API allows you to block malicious resources by automatically sending ACLs to routers, as well as transmitting incidents to IRP/SOAR systems."

Garda Monitor integrates with the company's other solutions to ensure the cyber resilience of the business. For example, using it together with Garda Scout makes it possible to identify threats in encrypted traffic without relying on the SSL fingerprinting available in Garda Monitor. Sharing data with Garda Stalker expands threat detection by connecting feeds of indicators of compromise and searching them retrospectively.

Compatibility with Alt 8 SP OS

On March 30, 2023, BASEALT announced that three Russian products of the information security developer Garda Technology had been tested and confirmed compatible with the domestic OS Alt 8 SP at once: the Garda Camouflage database depersonalization system, the Garda DB database protection system agent, and the Garda Monitor NTA system. Joint use of these software products will allow organizations to create a trusted digital environment for working with confidential information and personal data.

2022: Obtaining FSTEC certificate for compliance with level 4 of trust

The Garda Monitor NTA system from Garda Technology has received certificate No. 4613 from the Federal Service for Technical and Export Control (FSTEC). The product meets the information security requirements of trust level 4 and is approved for use in state information systems up to and including the first security class. Garda Technologies announced this on November 29, 2022.

"Garda Monitor" refers to NTA (Network Traffic Analysis) class solutions, used to identify information security threats at the network level and investigate information security incidents. The solution increases the transparency of what is happening in networks, detects the presence of attackers in them and is an integral tool of any SOC (Security Operations Center). The network traffic recording function allows you to conduct full-fledged investigations and eliminate the reasons that lead to the possibility of malicious actions.

The solution is applicable in all business sectors: from industrial and production enterprises to financial organizations and IT companies. With a clear interface and a well-developed set of analytical tools, Garda Monitor allows you to solve security problems with minimal labor.

"When building monitoring and response processes, specialists want to get the most seamless transfer of information between security systems," said Pavel Kuznetsov, Product Director of Garda Technology. "Therefore, when developing, we focused on the maximum efficiency of the solution. This was expressed both in the high performance of the Garda Monitor system and in the flexible integration capabilities that allow the system to interact with all technological components of SOC."

2021

Suricata 6 Signature Support

On November 10, 2021, the Russian information security vendor Garda Technologies (part of ICS Holding) announced that it had updated and expanded the network analysis, detection and incident investigation functionality of the Garda Monitor NTA system by introducing the ability to call user scripts.

Garda Monitor collects and records data on all IP connections and detects various signs of malware and suspicious activity in network traffic. The solution can detect even incidents that have slipped past other security systems. Large enterprises often use the complex as a "last chance system": when an incident has occurred despite all existing security systems, it is necessary to reconstruct the course of events in order to understand what happened, how and why, and what to do to prevent it from recurring, the company said.

Garda Monitor analyzes network traffic, uses a combination of signature analysis and machine learning to detect attacks, suspicious activity on the corporate network and investigate network incidents. The updated version adds support for signatures in Suricata 6 format.

The solution analyzes the behavior of network applications and traffic, showing connections by protocol. Garda Monitor detects more than 250 protocols, including remote control protocols (TeamViewer, RDP, etc.), traffic tunneling protocols (OpenVPN, CiscoVPN, etc.), network game protocols (Warcraft, Battlefield, etc.), as well as instant messengers, social networks and Tor.

In addition to the usual export of information about the incident to SIEM and notification to mail, it became possible to respond to incidents using Python scripts. This makes it possible to integrate Garda Monitor with any external systems, for example, with TheHive IRP system.

Another innovation of "Garda Monitor" is the blocking of network connections on routers running the Cisco Nexus OS, which allows you to block unwanted connections from the internal network, for example to botnet command centers.

Garda Monitor becomes a daily tool for the operational work of security specialists in a large network infrastructure, including when building SOC: it detects malicious activity in network traffic, monitors long sessions, transmits data to incident response systems through calling user scripts, conducts investigations with subsequent elimination of incidents and allows you to create security policies to prevent their recurrence.

Integration with ESET Threat Intelligence

Information security vendors Garda Technologies (part of ICS Holding) and ESET have joined forces to increase the speed of detecting and investigating network incidents. Garda Technology reported this on March 3, 2021. The Garda Monitor network traffic analysis system is now integrated with the ESET Threat Intelligence (ETI) service.

Such a technological partnership provided the Garda Monitor system with access to the ESET Threat Intelligence reputation base. The regularly updated database contains information about the activities of cybercriminals, in particular, about the current activity of botnets and fake Internet resources involved in cyber attacks.

ETI allows Garda Monitor to detect threats in a timely manner, detect attacks on the perimeter and within the organization, and analyze and block malicious traffic. ESET technologies aggregate data from over 100 million collection points around the world.

Users of Garda Monitor equipped with ETI will be protected from compromise of the corporate IT infrastructure. Implementation and use do not place additional load on information security specialists.

"Garda Monitor users' access to the ETI file cabinet makes it easier to investigate network incidents. ETI collects security data relevant to different systems. This increases the security of the company, especially in a situation where employees use a variety of devices and software," said Alexander Pirozhkov, Head of ESET Threat Intelligence.


2020

Ability to automatically detect traffic from new devices and services in a given network segment

On December 21, 2020, the Russian information security developer Garda Technologies (part of ICS Holding) presented an updated version of Garda Monitor, its network traffic analysis and network incident investigation system of the NTA (Network Traffic Analysis) class, with the ability to automatically detect traffic from new devices and services in a given network segment.

The system can monitor the IP addresses, MAC addresses and DNS names of devices, and the recipient ports (services), in use within a given network segment. Garda Monitor automatically detects traffic from a new device or service; the disappearance of traffic is also revealed. The information security specialist can now specify the network segments of interest and, for each, the observed objects, the training period and the permissible intervals during which device or service traffic may be absent. From the event information you can go directly to the traffic.

Automatically updated reputation lists of IP addresses, domains and URLs have been added in the following categories: botnet activity, malware use, access to phishing resources, cryptomining, access to suspicious resources, and access to hosts supporting DNS over HTTPS. The system also lets you add custom automatically updated signature and list sources.

Parsing of the industrial protocols DNP3, MODBUS, OPC UA and S7Comm has been added. Each protocol is decoded down to the level of individual commands.

Along with receiving statistics from the router using the NetFlow protocol, Garda Monitor has added support for the sFlow v2/v4/v5 protocol.

Domain authorization functionality has been significantly improved: support for multiple authentication servers and search root directories, LDAPS support, and SSL/TLS authentication have been added.

The interface of the network intelligence facts section has been redesigned. Added the ability to display the nodes that have been explored on the network map.

Adding Anomaly Detection to Network Traffic

On April 7, 2020, Garda Technology announced the release of an update to the Garda Monitor network incident analysis and investigation solution. The system now includes a function for detecting anomalies in network traffic.

Using behavioral analytics (EBA - Entity Behavior Analytics) technologies, Garda Monitor detects significant deviations in device behavior, among them a sharp surge in traffic, an increase in the number of network connections, and an increase in the number of unique ports used simultaneously. Thus, the system can detect the use of SSH, UDP and similar tunnels; the operation of malware such as botnets and viruses; suspicious activity such as a single burst of traffic from a node; and errors in the network settings of the company's servers, workstations and services, for example in the form of constant attempts to connect to an inaccessible port.

To detect anomalies in network traffic, the system must be configured and trained. To do this, the security officer specifies the observed network segments and the properties for which deviations are to be detected. For detected anomalies, the system displays the behavior profile of the device over the studied time period.

The system also automatically updates reputation lists supplied by the Garda Technology information security competence center. Since this update, the complex provides access to current information on IP addresses of botnet command centers and malware URLs; the system immediately notifies the security service of any access to them.

Ability to view user authorization history on an enterprise network and configure write and store rules

On February 28, 2020, Garda Technologies released an updated version of the Garda Monitor product to identify and investigate network incidents. The system now has the ability to view the history of user authorization in the enterprise network and configure data recording and storage rules.

Garda Monitor interface

As the developer noted, Garda Monitor is used to quickly identify signs of violations of enterprise information security policies. Among them are detection of malicious activity, attempts to exploit vulnerabilities and illegal access, as well as access to compromised resources. The system instantly informs the security service about violations.

Traffic analysis is based on automatically updated decision rules to identify intrusion into the enterprise network infrastructure. They are provided for the convenience of users of the system by the Garda Technologies Information Security Competence Center. To solve the problem of traffic analysis, the Garda Monitor system provides a flexible search by the properties of network connections with the display of results in the form of tables and diagrams with the ability to obtain the contents of a network connection in pcap format. To receive notifications about incidents by mail or in SIEM, it is enough to configure the appropriate filter, the developer claims.

According to the developer, the updated version can view the history of user authorization on workstations. With its help, you can identify facts of disclosure, theft or compromise of user account data. Authorization of users under an enterprise domain account has also been added thanks to support for LDAP integration.

Garda Monitor interface

Users of Garda Monitor can configure traffic recording rules, for example disabling the recording of SSL content, which saves disk space. The system lets you set separate storage times for statistics and for the content of network connections, for example keeping statistics for two weeks and content for only three days. It is now possible to view application protocol data from TCP/UDP traffic, which gives more complete information about the analyzed stream without third-party tools, Garda Technology noted.

According to the developer, the updated solution can extract text from HTTP, mail and TELNET traffic streams, and filters have been implemented to search the extracted text. For convenience, a "Knowledge Base" of detected protocols (gardatech.ru) has been added, which lets you find out the purpose of a protocol of interest without leaving the complex. In addition, users can customize the color scheme for displaying protocols and assign names to services that receive connections on a specified port.

Garda Monitor analyzes network traffic, uses a combination of signature analysis, machine learning and advanced analytics to detect attacks, suspicious activity on the corporate network and investigate network incidents.

2016: Release of the "Garda Monitor" hardware and software complex

On September 20, 2016, MFI Software announced the release of the Garda Monitor hardware and software solution.

The product continuously monitors and records all enterprise traffic with indexing, fast search and event playback over any period of time.

Interaction diagram of "Garda Monitor" (2016)

The product can be used to provide information security management, monitoring the integrity of the network infrastructure over data transfer protocols in IP networks.

The ability of Garda Monitor to record and replay all traffic retrospectively allows detecting open ports prohibited by the company, controlling data leaks, and recording and notifying about technical failures, cyber attacks and virus activity.

The product meets the needs of large distributed organizations within the borders of regions, centers for monitoring and incident response (SOC), computer forensics experts.

"Despite the high level of development of information security technologies, incidents that have passed by security systems remain. Garda Monitor gives a specialist the last chance to identify and investigate an incident directly in the company's network traffic. The Garda Monitor system has become a logical addition to the Garda information security solutions group, which already includes the Garda DB database protection system and the Garda Enterprise DLP system. Now the Garda suite of solutions provides a full range of active and passive protection against internal threats to data security," said Vladimir Ponomarev, Deputy General Director of MFI Soft.

Garda Monitor supports more than 50 current protocols, including HTTP, POP3, FTP and SSH, and provides high-performance storage at traffic speeds of 10 Gbps and higher.

The solution can be integrated with SIEM systems, stores all data streams in their original form for replay, and supports a distributed infrastructure.

It has analytics tools with a tiered reporting system.

Functionality

  • Detection of anomalies in traffic: bursts or drops in network activity, use of non-standard ports, protocols, applications.
  • Determination of the geographic location of the source and destination, recording of metadata.
  • Storing streams in raw form for replay of traffic in the information security laboratory.
  • Traffic classification by protocols (HTTP, POP3, FTP, SSH, more than 50 protocols).
  • Full-text search on intercepted data and reconstruction of objects according to the following criteria:
    • by source and destination MAC addresses;
    • by VLAN ID;
    • by IP protocol version (IPv4 or IPv6 header Version field);
    • by source and destination IP addresses;
    • by source and destination ports;
    • by transport layer protocol type;
    • by application protocol type;
    • by protocol fields (HTTP, mail protocols, IM messages, etc.);
    • by packet length.
  • Flexible filter system: instant search by criteria, including detection of encrypted traffic.
  • Integration with SIEM systems and data export.


Properties

  • High performance: 10 Gb/s traffic analysis, storage of more than 100 TB of data.
  • Unlimited traffic recording and online data access for any period of time.
  • A library of pre-installed policies for detecting incidents and the ability to configure your policies for real-time online traffic control.
  • Interactive reports and analytics of incoming and outgoing traffic, incident statistics.
  • Does not require third-party licenses.