Panoptic Sensor®

Network Intrusion Detection is an absolute requirement in today's cybersecurity environment.

No security stack is complete without it.

We spent 15 years developing and honing a NIDS platform, then extending it well beyond NIDS. The result is our own Panoptic Sensor® and Panoptic SIEM®.

The Panoptic Sensor® and Panoptic SIEM® are included, license-free, with the onShore Panoptic Cyberdefense® SOC service suite.

Coupled with Panoptic Cyberdefense® our sensor provides powerful detection at the perimeter and laterally in your network and in your cloud workloads.

The onShore Security Panoptic Sensor® is one of the most advanced network sensors in the industry, with direct-driver memory access for real-time processing. It combines network IDS with log collection, anti-malware, host detection systems, and cross-system correlation into one of the most advanced detection systems available. It also serves as the on-premises or virtual log collector for the cloud-based Panoptic SIEM.

The onShore Panoptic Sensor differs from most in that parallel sensor algorithms allow correlation rules to be created at the sensor, so that actionable events are identified before they reach the SIEM. All network data, security data, and log data are fed into the sensors. Tuning at the sensor can be integrated with threat hunting exercises for increased gains in accuracy. We don't squelch non-threat events but rather incorporate them into a true picture of your network, so anomalies are found and APTs are detected sooner. Additional sensor features include malware machine-learning detection, producer/consumer ratio alerting, host behavior profiling, DNS sink-holing, SNMP trap capture, and syslog capture.

Panoptic Sensors are typically sized to take full packet captures, not just NetFlow, with up to 2 days of buffer, empowering our analysts to investigate threats and anomalies that others can't.

Automated Threat Detection

Using multiple parallel sensor processes, the onShore Panoptic Sensor collects full packet captures from your network and identifies threats, anomalies, and compliance violations.

Advanced Log Collection

Logs can be accepted from almost any source, even if they are not in syslog format or are attainable only by API. This avoids vendor lock-in and incompatibility between systems.

Full Packet Capture

Our sensors include multiple 40Gb ports optimized for high-volume traffic. We start with 1TB of storage and scale to whatever amount is needed to reach the target of 2 days of look-back packet capture. And we always deploy in HA pairs.

Machine-Learning Malware Detection

We include malware detection at the network level with machine learning so you can enhance your host-based anti-malware.

Sensor Tuning

Tuning at the SIEM level leaves a gap. We add tuning at the sensor level for greater anomaly detection with fewer false positives.

Ready for Correlation

Our own 15-year banking signature database coupled with multiple proprietary feeds and rules customized for you provide in-depth data for our analysts to work with.

More Features

  • Network Intrusion Detection System
  • High Availability Cluster
  • Multiple 40Gb Ports
  • Direct-driver Memory Access
  • Network Tap or Aggregator
  • Virtual Switch Integration
  • Ingress/Egress/Lateral Detection
  • Multiple Day Lookback
  • Current Ruleset
  • Rule Management
  • CVE Scan Ingestion
  • CVE Scan Correlation
  • Threat Intelligence Feeds
  • Threat Intelligence Correlation
  • Advanced Log Collection
  • Pre-SIEM Correlation
  • Log Redirection
  • Reconstitute Syslog Messages From Packets
  • Full Packet Capture
  • Indexing of Full Packet Data
  • Indexed PCAP Buffers
  • Integration with HIDS Agents
  • NetFlow/sFlow
  • SNMP Trap/Queries
  • Reconstitute SNMP Trap/Queries From Packets
  • Firewall Violation Alerting
  • Microsegmentation Violation Alerting
  • Behavioral Anomaly Detection
  • Machine-learning Powered Behavior-based Malware Detection
  • Exfiltration Detection via Producer/Consumer Ratio Analysis
  • Passive Asset Detection and Fingerprinting
  • File Extraction and Analysis From Various Protocols
  • Windows Networking/Authentication/Domain Analysis
  • Advanced URL Analysis and Monitoring on SMTP/HTTP Bodies and Referrers
  • Tor Detection
  • Alert On Expiring / Expired SSL/TLS Certificates
  • Multistep Detection Policies
  • ERSPAN Support for Remote Capture
  • Lateral Movement Detection Mapped to MITRE ATT&CK
  • YARA Support in Sensor
  • SIGMA Rule Support in SIEM

Benefits

  • IDS is just the start. Our sensors ingest and correlate any security data against network packets and meta-data. We install on-premises and in cloud-hosted environments.
  • High availability clusters allow for zero downtime during updates and also provide additional PCAP lookback.
  • Single sensor clusters can detect on multiple network segments concurrently.
  • Detection processing occurs in memory before commitment to disk.
  • Integration with commercially available network taps and aggregators provides visibility into even the most complex networks.
  • Integration with virtual switches provides visibility into virtual networks on most hypervisors and cloud hosting environments (AWS, Azure).
  • Primary network segments are ingested by default. Most IDS systems ignore important segments.
  • Sensors are sized to provide lookback buffers up to multiple days.
  • Detection rulesets are kept current.
  • Detection rules are managed both globally and per client customization.
  • Most CVE scan outputs can be ingested.
  • Correlating CVE scans at the sensor allows for more contextual event categorization.
  • More than 20 threat intelligence feeds with over 215,000 indicators are currently utilized.
  • Correlation with threat intelligence greatly increases detection accuracy.
  • Logs can be accepted from almost any source, even if they are not in syslog format or are attainable only by API. This avoids vendor lock-in and incompatibility between systems.
  • Unlike our competition, we perform much of the correlation at the sensor so that PCAPs and network sensing can be processed in context and produce richer alerts to the SIEM.
  • Securely transporting collected logs to any number of SIEMs and processors allows multiple systems and reporting engines to function in parallel, particularly valuable in a co-managed environment.
  • Even closed security system logs can be ingested via the network stream.
  • All network packets are captured where sensors are in place, including encrypted packets where the key can be shared. PCAPs are hugely valuable for detection but also for troubleshooting and forensics. Tagged PCAPs are sent to the Panoptic SIEM for 12-month retention.
  • Processing PCAPs at the sensor provides additional meta-data to aid threat hunting.
  • Zero-in and extract flows in seconds instead of minutes/hours.
  • Sysmon and Wazuh are provided.
  • Rich rules for network meta-data provide powerful anomaly detection.
  • We ingest network switch data such as port changes and device performance that most detection systems ignore.
  • Where closed systems don't allow reflection of SNMP traps, we reconstitute from PCAPs.
  • We analyze violations that most detection systems consider noise.
  • Works in concert with DNS rewrites on edge firewalls.
  • Microsegmentation violations are valuable events for detection. Additional software is needed on hosts.
  • Profiles and thresholds of various behaviors are constantly tuned for anomaly detection.
  • Detection employing machine learning adds a layer of anti-malware detection without installing yet another agent on hosts.
  • Ratios are regularly tuned with white-listing supported.
  • Profiling improves anomaly and rogue host detection.
  • Files are extracted for threat and compliance analysis with white-listing support.
  • Detects exfiltration and various forms of hijacking.
  • Alerts for both threat and policy violations.
  • Detects threat indicators and assists with host security.
  • Policies of the form "condition B within time X of condition A, for application P" are used to find exploit-kit download/redirect chains.
  • We can ingest packets from switches on remote network segments without re-architecture.
  • We utilize selected protocol analyzers (SMB and DCE-RPC) and the File Analysis Framework to uncover a range of Execution, Persistence, Lateral Movement, Defense Evasion, Credential Access and, in particular, Discovery techniques.
  • YARA allows for transportable file detection rules and is the industry standard.
  • SIGMA allows for transportable log detection rules and is the industry standard.
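The producer/consumer ratio alerting listed above (with its tuned ratios and white-listing), as an added Python example that is not onShore's code. It assumes the conventional PCR definition, bytes sent minus bytes received over total bytes, ranging from -1 for a pure consumer to +1 for a pure producer, which the page does not spell out; the flow records, baselines and allow-list are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    host: str        # internal host that opened the connection (constructed sample data)
    peer: str        # remote peer
    bytes_out: int   # bytes the host sent
    bytes_in: int    # bytes the host received

def pcr(bytes_out: int, bytes_in: int) -> float:
    """Producer/Consumer Ratio: (out - in) / (out + in), in [-1, 1].
    +1 means the host only sends (pure producer), -1 means it only receives."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total

def host_pcr(flows):
    """Per-host (PCR, total bytes), aggregated over all of the host's flows."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[f.host][0] += f.bytes_out
        totals[f.host][1] += f.bytes_in
    return {h: (pcr(out, inn), out + inn) for h, (out, inn) in totals.items()}

def flag_producers(flows, baseline, threshold=0.5, min_shift=0.5,
                   min_total=10_000_000, allowlist=frozenset()):
    """Hosts that look like unexpected data producers (possible exfiltration).
    Flag only if not allow-listed, enough bytes moved for the ratio to mean anything,
    PCR >= threshold, and PCR shifted >= min_shift from the host's learned baseline."""
    flagged = []
    for host, (ratio, total) in host_pcr(flows).items():
        if host in allowlist or total < min_total:
            continue
        if ratio >= threshold and ratio - baseline.get(host, 0.0) >= min_shift:
            flagged.append(host)
    return sorted(flagged)

# Constructed sample data: a browsing workstation, a backup server that legitimately
# pushes data (allow-listed), and a workstation that has suddenly become a producer.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", bytes_out=2_000_000, bytes_in=50_000_000),
    Flow("10.0.0.20", "10.0.9.9", bytes_out=500_000_000, bytes_in=10_000_000),
    Flow("10.0.0.7", "198.51.100.77", bytes_out=60_000_000, bytes_in=2_000_000),
    Flow("10.0.0.7", "198.51.100.78", bytes_out=20_000_000, bytes_in=1_000_000),
]
BASELINE = {"10.0.0.5": -0.9, "10.0.0.7": -0.8, "10.0.0.20": 0.95}  # learned historical PCRs
ALLOWLIST = frozenset({"10.0.0.20"})

if __name__ == "__main__":
    print(flag_producers(SAMPLE_FLOWS, BASELINE, allowlist=ALLOWLIST))  # ['10.0.0.7']
```

The backup server is suppressed twice over: by the allow-list, and, even without it, by a baseline that already records it as a heavy producer, so only the workstation whose ratio flipped is raised.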