Observable can support customers as small as 10s of endpoints and as large as 100,000s of endpoints. Observable easily processes Gigaflows of data each month.
In fact, endpoint modeling is a very specific form of endpoint monitoring. Endpoint modeling uses the IP metadata to build a model, or simulation, of each device with the purpose of understanding the device's normal activities and recognizing important changes.
All analytics for Observable's Endpoint Modeling are hosted in the cloud. Sensors (if used) are local to your network.
Endpoint modeling is helpful to small companies with sensitive data in two ways. First, endpoint modeling finds many types of threats without the need for signatures, so even though the sensitive data is likely encrypted, endpoint modeling still performs normally. Second, because we offer endpoint modeling as a subscription, it is much more affordable and commercially flexible than traditional security solutions.
Endpoint modeling can incorporate log file information, use only the network flows, or use both. This ability to model endpoints that do not emit log information is a key benefit of the process and makes it ideal in IoT and healthcare-type environments. We recognized that many new IoT devices will likely not emit logs.
Endpoint Modeling plugs the gaps created by IDS/IPS technology deficiencies and SIEM complexities.
We have two options for pricing the service. For traditional network deployments, we charge a small monthly endpoint fee for each endpoint device observed and monitored. Our per-endpoint charge decreases with the number of endpoints you monitor: the more endpoints you add, the lower the average cost per endpoint. To learn more, please visit our pricing page.
For cloud-based deployments, we charge by the flow volume, which makes our service usage based. We automatically count the flows received and bill customers accordingly on a monthly basis. To learn more, please visit our AWS pricing page.
Observable provides network endpoint behavior monitoring as a software as a service (SaaS) subscription. This service connects to your IP data network, captures network communication record data, and analyzes that record data to determine whether network activities are occurring that may be a threat to your business, such as data exfiltration, loss of corporate intellectual property, or loss of financial data.
The system takes 36 days to fully "learn" the local environment. Features activate on a schedule, beginning on Day 1 and ending on Day 36.
Observable learns the role of each device and applies a catalog of normal behavior to each device. In addition, certain behaviors, like control service accesses, are automatically reported for confirmation by the customer.
When using Observable's network appliance software (which is free of charge) to collect network data, the payload is dropped by the sensor. It does not get stored or transmitted.
We resolve host names, and use authoritative sources when available, to map IP addresses to devices.
IP metadata, VPC flow logs, and/or netflow logs are collected from your network according to the configuration that you enable. These logs are sent to our analytics cloud, which is hosted in Amazon AWS for processing and long-term storage. Data in transit and at rest is encrypted.
This is usually a very small (<0.1%) increase in the normal internet traffic generated by the site.
We publish a full list of the alerts, which is available to you within the portal. During the trial you will be able to review the full product; from time to time new alerts are activated and incorporated into the platform.
Observations are facts about your network automatically recognized by Observable's endpoint modeling. Alerts are the result of one or more (potentially 1000s of) observations that together constitute a condition of which you should be aware. Roles are dynamically learned classifications of behavior to which Observable attaches a set of known behaviors. Profiles are the individual behaviors that contribute to role definition.
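To make the observation/alert vocabulary above concrete, here is a deliberately simplified sketch of the idea, written for this page as an added example; it is not Observable's code and does not reproduce their analytics. It parses constructed AWS VPC flow log lines (the default version-2 record layout), learns a per-endpoint baseline of outbound (destination, port, protocol) behaviors during a learning window, reports each later behavior missing from the baseline as an observation, and groups an endpoint's observations into an alert once a (hypothetical) threshold is reached. The log lines, addresses, the window boundary and the threshold are all constructed for the demo.

```python
"""Illustrative endpoint-modeling sketch (added example, not Observable's code).

Flow records come from constructed VPC flow log lines; the "model" of an
endpoint is simply the set of (dst, dport, proto) tuples it used while learning.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Field order of the default (version 2) VPC flow log record, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    start: int
    action: str


def parse_vpc_flow_line(line: str) -> Optional[Flow]:
    """Parse one VPC flow log line; None for malformed lines or NODATA/SKIPDATA windows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no traffic recorded in this window, nothing to model
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                int(rec["protocol"]), int(rec["start"]), rec["action"])


@dataclass
class EndpointModel:
    """What an endpoint normally does: the (dst, dport, proto) tuples it talks to."""
    behaviours: set = field(default_factory=set)


def learn_models(flows, learn_until: int) -> dict:
    """Build a baseline from flows whose start time falls inside the learning window."""
    models = defaultdict(EndpointModel)
    for f in flows:
        if f.start <= learn_until:
            models[f.src].behaviours.add((f.dst, f.dport, f.proto))
    return dict(models)


def observe(models: dict, flows, learn_until: int) -> list:
    """Observations: post-learning behaviours absent from the source endpoint's model."""
    obs = []
    for f in flows:
        if f.start <= learn_until:
            continue
        key = (f.dst, f.dport, f.proto)
        model = models.get(f.src)
        if model is None or key not in model.behaviours:
            obs.append((f.src, key))
    return obs


def alerts_from_observations(obs, threshold: int = 2) -> dict:
    """Group observations per endpoint; an alert is an endpoint with >= threshold new behaviours."""
    per_endpoint = defaultdict(list)
    for src, key in obs:
        per_endpoint[src].append(key)
    return {src: keys for src, keys in per_endpoint.items() if len(keys) >= threshold}


# Constructed sample log: learning window ends at LEARN_UNTIL; later lines are "live".
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49152 443 6 10 840 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.0.2 50001 53 17 2 160 1600000010 1600000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.6 10.0.2.10 49200 443 6 8 700 1600000020 1600000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000100 1600000160 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49300 443 6 12 900 1600001000 1600001060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 49301 22 6 3 240 1600001010 1600001070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 49302 8443 6 20 2000 1600001020 1600001080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.6 10.0.0.2 50100 53 17 2 160 1600001030 1600001090 ACCEPT OK
"""
LEARN_UNTIL = 1600000600  # constructed boundary between learning and live traffic


def run_demo() -> dict:
    """Parse the sample, learn baselines, and return the resulting alerts."""
    flows = [f for f in map(parse_vpc_flow_line, SAMPLE_LOG.splitlines()) if f]
    models = learn_models(flows, LEARN_UNTIL)
    return alerts_from_observations(observe(models, flows, LEARN_UNTIL))


if __name__ == "__main__":
    for endpoint, new_behaviours in run_demo().items():
        print(f"ALERT {endpoint}: {len(new_behaviours)} new behaviours {new_behaviours}")
```

In the sample, 10.0.1.5 learns HTTPS to 10.0.2.10 and DNS to 10.0.0.2, then later opens SSH and port 8443 to a new external host: two observations, hence one alert. 10.0.1.6 produces a single observation (its first DNS query) and, with the threshold at two, no alert, which is the fidelity point the page makes: many observations, few alerts.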
Actually just the opposite, endpoint modeling is able to drive much greater fidelity to the alert signals. Across all customers, we averaged 1 alert per day per 10,000 devices for the 30-day period ending Mar 20.
When using a physical or virtual sensor, installation time depends on your access to the appropriate hardware or VM capacity and network switches. Most customers complete the process in a few hours. When using VPC flow logs, configuration takes about 10 minutes.
If you choose the annual subscription model, you would subscribe to our service on an annual basis and agree to pay a lump sum fee equal to 12 times the monthly fee according to the endpoint quantity selected less a 15% discount, payable upon receipt of the invoice. To learn more, please visit our pricing page.
You would subscribe to our services on a month-to-month basis and agree to pay a monthly fee according to the total number of endpoints provided during the initiation process. For cloud deployments, we would report your actual flow volume on the second day of each month and bill accordingly.
Observable's services will commence within three business days of the order-completion process, but this set-up also requires Observable's sensor to be installed at the firewall egress points in your network.
Use of services requires the installation and configuration of at least one network sensor within your IP data network, preferably at a point where significant network traffic can be seen. You must provide server hardware that meets our minimum specifications to act as this sensor. We will help install and configure the sensor at your headquarters or other designated, mutually agreed-to location(s).
TCP/IP packet headers, plus optional passive DNS
Observable collects network flow data from a tap, mirror port, or NetFlow generator in on-premises environments. The sensor will need at least one management interface and one data interface. In AWS Observable collects flow log data from the VPC.
For on-premises environments, install a machine to act as the sensor, connected such that it can generate flow logs from the tap (or mirror port) or receive flow logs from the NetFlow generator.
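The page states that a sensor watching a tap or mirror port keeps TCP/IP packet headers and drops the payload. The following added example (written for this page, not Observable's sensor code) shows what that means at the byte level: it builds a constructed Ethernet/IPv4/TCP frame, then parses only the link, network and transport headers into a flow record and never copies the payload bytes out. Addresses, ports and the payload are constructed; the `FlowRecord` type and `extract_metadata` function are names chosen here.

```python
"""Header-only metadata extraction (added example, not Observable's sensor code).

The parser reads fixed offsets with struct and stops at the transport header,
so payload content never reaches the record that would be sent to the cloud.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    ip_len: int       # total IPv4 length
    payload_len: int  # bytes of application data, counted but not kept


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    eth = bytes([0x02] * 6) + bytes([0x02] * 6) + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # data offset 5 (20 bytes), flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def extract_metadata(frame: bytes) -> Optional[FlowRecord]:
    """Parse headers only; returns None for non-IPv4, non-TCP/UDP or truncated frames."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", frame, ETH_HDR_LEN)
    ihl = (ver_ihl & 0x0F) * 4
    l4 = ETH_HDR_LEN + ihl
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 8:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == PROTO_TCP:
        if len(frame) < l4 + 13:
            return None
        data_off = (frame[l4 + 12] >> 4) * 4
    else:
        data_off = 8  # UDP header is fixed size
    payload_len = total_len - ihl - data_off
    return FlowRecord(".".join(map(str, src)), ".".join(map(str, dst)),
                      sport, dport, proto, total_len, payload_len)


# Constructed demo traffic: the record keeps sizes and endpoints, never the request text.
DEMO_PAYLOAD = b"GET /account HTTP/1.1\r\nHost: app.example\r\n\r\n"


def run_demo() -> FlowRecord:
    return extract_metadata(build_frame("10.0.1.5", "10.0.2.10", 49152, 443, DEMO_PAYLOAD))


if __name__ == "__main__":
    print(run_demo())
```

The record is all the sensor would forward: two addresses, two ports, a protocol number and two lengths. That is also why the page can say modeling still works when the sensitive data itself is encrypted: nothing in the record depended on reading the payload.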
You may deploy multiple network sensors on your corporate IP data network. However, it is your responsibility to provide appropriate equipment at all selected locations. You must also provide local personnel capable of assisting with installation, including the configuration of sensor servers, connecting sensors to router span/tap/mirror ports, and other installation tasks requiring local presence.
You will be responsible for providing local personnel capable of assisting the initiation of services (e.g., configuring the sensor server, connecting the server to router/span/tap/mirror port(s), and other installation tasks requiring local presence) as well as configuring your systems to enable the services (as needed).
If requested, we can provide a virtual machine configuration of the sensor technology for you to install and configure to use in place of, or in addition to, a physical sensor.
For on-premises environments, dedicate a machine with at least two network interfaces to collecting data. Requirements vary with network traffic, but as a baseline consider a server with 2 GB RAM, 20 GB disk, and 2 CPU cores.
Agents are not used in AWS because of the availability of VPC flow logs. Agents are used in other environments where conventional netflow logs and network taps are not available.
Yes, the sensor can comfortably be run on a VM as long as the system administrator takes into account the potential impact on available cluster resources.
Observable and Amazon have worked together to ensure that endpoint modeling and AWS Inspector are complementary. From within the Observable user interface, you can activate and schedule Inspector scans. Additionally, Inspector output is integrated into Endpoint Modeling to provide a more complete picture of how behavior changes may be correlated to detected vulnerabilities.
Yes, endpoint modeling works with Microsoft Azure on Linux hosts, but customers are required to deploy Observable's agent software to all of the Linux servers for which endpoint modeling is desired.
Our usage-based billable metric is called Effective Mega Flows (EMFs), which equates to roughly one million lines of log data before an optimization process. This optimization reduces the amount of information we process and, subsequently, your costs. Our service fee is priced per EMF each month after the optimization process, using the tier your total use falls in. To learn more, please visit our AWS VPC pricing page.
Organizational policies, or industry or government regulations, might require the use of encryption at rest to protect your organization's data. Observable Networks encrypts all inactive data that is stored physically in any digital form. Data at rest encryption prevents data visibility in the event of an unauthorized access or theft.
In some cases, consolidation of assets within your organization may reduce the total number of endpoints observed and analyzed. If you are on a monthly plan, you may opt to reduce your monthly subscription by emailing us at firstname.lastname@example.org.
Annual customers may also encounter such unforeseen changes, and we will work with you as much as possible to resolve those challenges. Any changes will be prorated to the date the notice was received by Observable.
Data transmitted between the Observable sensor and the Observable cloud for analysis is always encrypted. Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies the message content to the interceptor.
Yes. You may add endpoints to your subscription at any time. To add more endpoints, simply send us an email at email@example.com.
If you exceed a contractual usage limit, we may work with you to reduce your usage so it conforms to that limit by ensuring that you are only covering the networks that you desire. The contractual limit is a soft limit so you can be assured that your network is always covered regardless.
If you elect to terminate your service, we will remove our sensor from your equipment and destroy customer-specific logs and data.
If access to the equipment is terminated by the customer prior to our deletion of the sensor application, you agree to delete all instances of the sensor on all physical or virtual machines and remove all sensors within one week of the conclusion of services, or another mutually agreed-to timeframe.
Notices of cancellation may be emailed to firstname.lastname@example.org. We will reply with acknowledgement of cancellation within 72 hours of receipt.
We will provide free installation and operational support during normal business hours. All support will be provided by email, chat, or phone, unless previously agreed to by Observable support.
Updates to Observable's software will be released and installed periodically. Major updates will require pre-notification to the customer, while minor updates will be installed as they become available.