
IBM SysFlow

Developer: IBM
First release of the system: January 2020
Industry: Information technology
Technology: Cybersecurity - Fraud detection systems

2020: Release of the tool

In January 2020 IBM released an open-source tool for finding security issues in cloud and container environments: the SysFlow project.

According to SiliconANGLE, today's security monitoring systems record system activity in great detail, often down to individual events such as file changes. Such fine-grained monitoring can be useful, but it also generates a great deal of noise that makes cyberthreats hard to spot. IBM researchers Frederico Araujo and Teryl Taylor compared the process to "searching for a needle in an enormous haystack".

IBM opened source codes of the tool revealing security concerns in a cloud

SysFlow reduces the need for additional security specialists. The tool collects telemetry from the monitored system and compresses it into a schema that describes system behavior at a high level rather than as individual events such as HTTP requests. Individual events are still shown, but SysFlow links them to the corresponding patterns, which supplies the context needed for detailed analysis.

In an IBM blog post, Araujo and Taylor gave an example of an attack scenario in which SysFlow can help: an attacker finds a vulnerable Node.js server on the company's network, uploads a malicious script to it and then compromises the company's confidential customer database.

"While current monitoring tools can only process streams of disconnected events, SysFlow is able to tie together every stage of the attack on a system," the researchers explain. "For example, SysFlow precisely reveals the steps of the attack kill chain: the node.js process is hijacked and then connects to a remote malicious server on port 2345 to download and execute the malicious script."[1]
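The two ideas above, collapsing noisy per-event telemetry into higher-level flow records and then reasoning about the stages of an attack over those flows rather than over isolated events, can be illustrated with a small script. This is an added example, not SysFlow's own code or schema: the `Event` and `Flow` records, the constructed telemetry for a busy Node.js server, the documentation-range addresses and the assumed internal networks are all invented here to show the technique on the scenario the article describes (a hijacked node process connecting out on port 2345, dropping a script and executing it).

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    """One raw telemetry record, in the spirit of a syscall-level monitor (constructed shape)."""
    ts: float
    pid: int
    ppid: int
    exe: str
    kind: str     # "exec", "net_accept", "net_connect", "file_write", "file_read"
    target: str   # command line, "ip:port" peer, or file path


@dataclass
class Flow:
    """Aggregated record: every raw event of one kind from one process to one target."""
    pid: int
    ppid: int
    exe: str
    kind: str
    target: str
    count: int = 0
    first_ts: float = field(default=float("inf"))
    last_ts: float = 0.0


def build_flows(events):
    """Collapse raw events into flows keyed by (pid, kind, target)."""
    flows = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.pid, e.kind, e.target)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(e.pid, e.ppid, e.exe, e.kind, e.target)
        f.count += 1
        f.first_ts = min(f.first_ts, e.ts)
        f.last_ts = max(f.last_ts, e.ts)
    return list(flows.values())


# Assumed internal address space of the constructed environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(peer):
    """True when the "ip:port" peer lies outside the assumed internal networks."""
    host = ip_address(peer.rsplit(":", 1)[0])
    return not any(host in net for net in INTERNAL_NETS)


def find_download_execute_chains(flows):
    """Defender-side check over flows for the stages the article describes:
    a process connects out to an external host, writes a file, and a child
    process then executes that file. Returns one finding per chain."""
    by_pid = defaultdict(list)
    for f in flows:
        by_pid[f.pid].append(f)
    findings = []
    for pid, pflows in by_pid.items():
        connects = [f for f in pflows if f.kind == "net_connect" and is_external(f.target)]
        writes = [f for f in pflows if f.kind == "file_write"]
        for conn in connects:
            for wr in writes:
                if wr.first_ts < conn.first_ts:
                    continue  # file predates the connection, so it was not fetched over it
                for ch in flows:
                    if (ch.kind == "exec" and ch.ppid == pid
                            and wr.target in ch.target and ch.first_ts >= wr.first_ts):
                        findings.append({"parent_pid": pid, "parent_exe": conn.exe,
                                         "remote": conn.target, "script": wr.target,
                                         "child_pid": ch.pid, "child_cmd": ch.target})
    return findings


def constructed_events():
    """Constructed telemetry: hundreds of ordinary requests (noise), then the chain."""
    events = [Event(0.0, 100, 1, "/usr/bin/node", "exec", "node server.js")]
    t = 0.01
    for i in range(600):
        events.append(Event(t, 100, 1, "/usr/bin/node", "net_accept", f"10.0.0.{5 + i % 3}:443"))
        events.append(Event(t + 0.001, 100, 1, "/usr/bin/node", "file_read",
                            f"/srv/app/static/{i % 4}.js"))
        t += 0.01
    # The article's chain: outbound connection on port 2345, script dropped and
    # run by a child shell, which then reaches the customer database.
    events += [
        Event(t + 1.0, 100, 1, "/usr/bin/node", "net_connect", "203.0.113.9:2345"),
        Event(t + 1.1, 100, 1, "/usr/bin/node", "file_write", "/tmp/update.sh"),
        Event(t + 1.2, 200, 100, "/bin/sh", "exec", "/bin/sh /tmp/update.sh"),
        Event(t + 1.3, 200, 100, "/bin/sh", "file_read", "/var/lib/app/customers.db"),
    ]
    return events


def analyse(events):
    """Return (raw event count, flow count, findings)."""
    flows = build_flows(events)
    return len(events), len(flows), find_download_execute_chains(flows)


if __name__ == "__main__":
    raw, compact, hits = analyse(constructed_events())
    print(f"{raw} raw events collapsed into {compact} flows")
    for h in hits:
        print("download-and-execute chain:", h)
```

Running it collapses 1205 raw events into 12 flows; the 600 accepted connections and 600 static-file reads become a handful of records with counts, while the single outbound connection, the file write and the child `exec` stay visible as their own flows and are tied together by the detection rule, which is the point the researchers make about following each stage rather than sifting disconnected events.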