Benefits of Endpoint Modeling

Can Observable handle large enterprise environments with 100,000s of endpoints?

Observable can support customers as small as 10s of endpoints and as large as 100,000s of endpoints. Observable easily processes Gigaflows of data each month.

How is endpoint modeling different from endpoint monitoring?

Endpoint modeling is in fact a very specific form of endpoint monitoring. It uses IP metadata to build a model, or simulation, of each device, with the purpose of understanding the device's normal activities and recognizing important changes.

What does an endpoint modeling deployment look like? Is it 100% in the cloud?

All analytics for Observable's Endpoint Modeling are hosted in the cloud. Sensors (if used) are local to your network.

We're a small company with less than 20 employees, but handle sensitive data. How can endpoint modeling help us?

Endpoint modeling helps small companies with sensitive data in two ways. First, it finds many types of threats without the need for signatures, so it performs normally even though the sensitive data is likely encrypted. Second, because we offer endpoint modeling as a subscription, it is much more affordable and commercially flexible than traditional security solutions.

What about devices that don't emit log information?

Endpoint modeling can use log file information, network flows, or both. This ability to model endpoints that do not emit log information is a key benefit of the process and makes it ideal for IoT and healthcare-type environments. We recognized that many new IoT devices will likely not emit logs.

Where does this solution fit in my current security architecture?

Endpoint Modeling plugs the gaps created by IDS/IPS technology deficiencies and SIEM complexities.

What is Observable's pricing methodology?

We have two options for pricing the service. For traditional network deployments, we charge a small monthly endpoint fee for each endpoint device observed and monitored. Our per-endpoint charge decreases with the number of endpoints you monitor: the more endpoints you add, the lower the average cost per endpoint. To learn more, please visit our pricing page.

For cloud-based deployments, we charge by the flow volume, which makes our service usage based. We automatically count the flows received and bill customers accordingly on a monthly basis. To learn more, please visit our AWS pricing page.

What do I receive as part of my engagement?

We will provide you with ongoing use of our sensor technology for the purpose of monitoring your corporate IP data network. This will continue as long as you maintain services with Observable Networks. We will also provide you with a dedicated user portal for the purposes of reviewing the data collected from your network and assessing the alerts generated as part of endpoint modeling. Finally, you will receive monthly reports on the health of your network during your engagement.

Does Observable offer its solution as a service? How does it work?

Observable provides network endpoint behavior monitoring as a software as a service (SaaS) subscription. This service connects to your IP data network, captures network communication record data, and analyzes this record data to determine whether network activities are occurring that may be a threat to your business, such as data exfiltration, loss of corporate intellectual property, or loss of financial data.

Endpoint Modeling's Uniqueness

How long does establishing a baseline take?

The system takes 36 days to fully "learn" the local environment. Features activate on a schedule, beginning on Day 1 and ending on Day 36.

What prevents an anomaly from being incorporated into a baseline?

Observable learns the role of each device and applies a catalog of normal behavior to each device. In addition, certain behaviors, like control service accesses, are automatically reported for confirmation by the customer.

What happens to the network payloads?

When using Observable's network appliance software (which is free of charge) to collect network data, the payload is dropped by the sensor. It does not get stored or transmitted.

What about a device that changes IPs throughout the day like mobile devices and DHCP?

We resolve host names, and use authoritative sources when available, to map IP addresses to devices.

What data is collected, and where does it go?

IP metadata, VPC flow logs, and/or netflow logs are collected from your network according to the configuration that you enable. These logs are sent to our analytics cloud, which is hosted in Amazon AWS for processing and long-term storage. Data in transit and at rest is encrypted.

How much data is sent between the sensor and the cloud and from the cloud back to the Observable interface?

This is usually a very small (<0.1%) increase in the normal internet traffic generated by the site.

What kind of alerts can Observable Endpoint Modeling bring to my attention?

We publish a full list of the alerts, which is available to you within the portal. During the trial you will be able to review the full product; from time to time new alerts are activated and incorporated into the platform.

What is the relationship between Observations, Alerts, Profiles, Roles?

Observations are facts about your network automatically recognized by Observable's endpoint modeling. Alerts are the result of one or more (potentially 1000s of) observations that together constitute a condition of which you should be aware. Roles are dynamically learned classifications of behavior to which Observable attaches a set of known behaviors. Profiles are the individual behaviors that contribute to a role definition.
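To make the relationship between observations, profiles, roles and alerts concrete, here is a small added example, written for this page and not Observable's code. It learns a per-device profile from constructed flow records in the default AWS VPC flow log field layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), derives a role from that profile, and then raises alerts when later records deviate from it. The device addresses, the one-window learning period (Observable's schedule runs over 36 days), the "lower port is the service port" heuristic, the role catalog and the volume threshold are all assumptions made for the demonstration.

```python
"""Toy endpoint model over flow records (added example, not Observable's code).

Observations = facts extracted from individual flow records.
Profiles     = per-device summaries of those observations.
Roles        = a label derived from the profile (e.g. "dns-server").
Alerts       = a condition built from observations that deviate from
               the device's learned profile.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Default AWS VPC flow log layout (assumption: default format, no custom fields).
VPC_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
              "protocol packets bytes start end action log_status").split()

# Constructed learning window: a workstation (10.0.0.10) and a DNS server (10.0.0.53).
BASELINE_LOGS = """\
2 123456789012 eni-aaaa 10.0.0.10 10.0.0.53 51000 53 17 1 80 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-aaaa 10.0.0.10 10.0.0.53 51001 53 17 1 80 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-aaaa 10.0.0.10 93.184.216.34 51002 443 6 20 4000 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-aaaa 10.0.0.10 93.184.216.34 51003 443 6 25 5000 1700000180 1700000240 ACCEPT OK
2 123456789012 eni-bbbb 10.0.0.53 10.0.0.10 53 51000 17 1 120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbbb 10.0.0.53 10.0.0.11 53 52000 17 1 120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbbb 10.0.0.53 10.0.0.12 53 52001 17 1 120 1700000000 1700000060 ACCEPT OK
"""

# Constructed later window: normal DNS, plus an unusual large SSH session from the workstation.
NEW_LOGS = """\
2 123456789012 eni-aaaa 10.0.0.10 10.0.0.53 51010 53 17 1 80 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-aaaa 10.0.0.10 203.0.113.7 51011 22 6 3000 900000 1700086460 1700086520 ACCEPT OK
2 123456789012 eni-bbbb 10.0.0.53 10.0.0.10 53 51010 17 1 120 1700086400 1700086460 ACCEPT OK
"""

VOLUME_FACTOR = 10  # assumption: alert when bytes per flow exceed 10x the learned average


@dataclass
class Profile:
    dst_ports: set = field(default_factory=set)     # service ports used as a client
    served_ports: set = field(default_factory=set)  # service ports answered as a server
    peers: set = field(default_factory=set)
    bytes_out: int = 0
    flows: int = 0


def parse_flow(line):
    """Split one flow log line into a record keyed by the default field names."""
    rec = dict(zip(VPC_FIELDS, line.split()))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_client_side(rec):
    # Heuristic (assumption): the lower port number is the service port.
    return rec["dstport"] <= rec["srcport"]


def observe(profiles, rec):
    """Fold the observations from one record into the source device's profile."""
    p = profiles[rec["srcaddr"]]
    p.flows += 1
    p.bytes_out += rec["bytes"]
    p.peers.add(rec["dstaddr"])
    if is_client_side(rec):
        p.dst_ports.add(rec["dstport"])
    else:
        p.served_ports.add(rec["srcport"])


def learn(lines):
    """Build profiles for every device seen as a source in the learning window."""
    profiles = defaultdict(Profile)
    for line in lines.splitlines():
        if line.strip():
            observe(profiles, parse_flow(line))
    return profiles


def infer_role(profile):
    """Tiny role catalog (assumption); a real system learns roles dynamically."""
    if 53 in profile.served_ports:
        return "dns-server"
    if profile.served_ports:
        return "server"
    return "workstation"


def evaluate(profiles, lines):
    """Compare new records against learned profiles; return (device, kind, detail) alerts."""
    alerts, new_bytes, new_flows = [], defaultdict(int), defaultdict(int)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        src = rec["srcaddr"]
        if src not in profiles:
            alerts.append((src, "new device", f"first seen talking to {rec['dstaddr']}"))
            continue
        p = profiles[src]
        if is_client_side(rec) and rec["dstport"] not in p.dst_ports:
            alerts.append((src, "new service port", f"port {rec['dstport']} to {rec['dstaddr']}"))
        elif not is_client_side(rec) and rec["srcport"] not in p.served_ports:
            alerts.append((src, "new served port", f"answered on port {rec['srcport']}"))
        new_bytes[src] += rec["bytes"]
        new_flows[src] += 1
    for src in new_flows:  # volume observation aggregated over the whole window
        baseline_avg = profiles[src].bytes_out / profiles[src].flows
        new_avg = new_bytes[src] / new_flows[src]
        if new_avg > VOLUME_FACTOR * baseline_avg:
            alerts.append((src, "outbound volume", f"{new_avg:.0f} bytes/flow vs baseline {baseline_avg:.0f}"))
    return alerts


if __name__ == "__main__":
    learned = learn(BASELINE_LOGS)
    for device, profile in learned.items():
        print(device, infer_role(profile), sorted(profile.dst_ports), sorted(profile.served_ports))
    for alert in evaluate(learned, NEW_LOGS):
        print("ALERT", *alert)
```

Run as-is, the script labels 10.0.0.53 a dns-server and 10.0.0.10 a workstation, then raises two alerts for the workstation: a new service port (22) and an outbound volume far above its learned average. The DNS server's new record matches its profile and produces nothing, which is the point of per-device baselines rather than global thresholds.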

Wouldn't this be too noisy?

Actually, just the opposite: endpoint modeling drives much greater fidelity in the alert signals. Across all customers, we averaged 1 alert per day per 10,000 devices for the 30-day period ending Mar 20.

Getting Started

How long does it take to install and start modeling my endpoints' activity?

When using a physical or virtual sensor, installation time depends on your access to the appropriate hardware or VM capacity and network switches. Most customers complete the process in a few hours. When using VPC flow logs, configuration takes about 10 minutes.

What is Observable's privacy policy?

Our privacy policy covers such topics as what information we collect and why we collect it, how we use that information, and the choices we offer, including how to access and update information.

Please review our privacy policy.

What are Observable's Terms of Services?

By using our services, you are agreeing to Observable's terms of services. Please read them carefully. We may modify these terms or any additional terms that apply to a service to, for example, reflect changes to the law or changes to our services. Please review our terms regularly as they may change.

We will post notice of modifications to these terms on our terms of service page.

Our Terms of Service

How does the annual subscription model work?

If you choose the annual subscription model, you subscribe to our service on an annual basis and agree to pay a lump sum fee equal to 12 times the monthly fee for the endpoint quantity selected, less a 15% discount, payable upon receipt of the invoice. To learn more, please visit our pricing page.

How long is my free trial? How do I convert to a longer arrangement?

You may subscribe to our service on a proof-of-concept, evaluation, or trial basis. We will provide network endpoint behavior monitoring as a subscription service; however, we will provide services to you at no charge for a 60-day trial period. This commences on sign up, and may be terminated by either party during this period. Additionally, if a customer opts to select a monthly or annual plan at sign up, then the trial period, proof-of-concept, or evaluation trial option will automatically convert to either a month-to-month or annual plan (as selected during the order process). At any time, you may also convert your monthly plan to an annual subscription. Please contact Observable to assist with this at billing@observable.net.

How does the monthly subscription model work?

You would subscribe to our services on a month-to-month basis and agree to pay a monthly fee according to the total number of endpoints provided during the initiation process. For cloud deployments, we would report your actual flow volume on the second day of each month and bill accordingly.

What are the agreements?

The terms of service, privacy policy, and FAQs make up the entire agreement between Observable and your organization.

Our Terms of Service

Our Privacy Policy

When does the service start?

Observable's services will commence within three business days of the order-completion process, but this set-up also requires Observable's sensor to be installed at the firewall egress points in your network.

Use of services requires the installation and configuration of at least one network sensor within your IP data network, preferably at a point where significant network traffic can be seen. You must provide server hardware that meets our minimum specifications to act as this sensor. We will help install and configure the sensor at your headquarters or other designated, mutually agreed to location(s).

What does the sensor collect?

TCP/IP packet headers, plus optional passive DNS.

What are the network details?

Observable collects network flow data from a tap, mirror port, or NetFlow generator in on-premises environments. The sensor will need at least one management interface and one data interface. In AWS, Observable collects flow log data from the VPC.

What do I need to install?

For on-premises environments, install a machine to act as the sensor, connected such that it can generate flow logs from the tap (or mirror port) or receive flow logs (from the NetFlow generator).

Can I deploy multiple sensors?

You may deploy multiple network sensors on your corporate IP data network. However, it is your responsibility to provide appropriate equipment at all selected locations. You must also provide local personnel capable of assisting with installation, including the configuration of sensor servers, connecting sensors to router span/tap/mirror ports, and other installation tasks requiring local presence.

What are my responsibilities?

You will be responsible for providing local personnel capable of assisting the initiation of services (e.g., configuring the sensor server, connecting the server to router/span/tap/mirror port(s), and other installation tasks requiring local presence) as well as configuring your systems to enable the services (as needed).

If requested, we can provide a virtual machine configuration of the sensor technology for you to install and configure to use in place of, or in addition to, a physical sensor.

What are the server details?

For on-premises environments, dedicate a machine with at least two network interfaces to collecting data. Requirements vary with network traffic, but as a baseline consider a server with 2 GB RAM, 20 GB disk, and 2 CPU cores.

Deploying in a Public Cloud

Are agents required in my AWS VPC?

Agents are not used in AWS because of the availability of VPC flow logs. Agents are used in other environments where conventional netflow logs and network taps are not available.

Can the sensor be virtualized?

Yes, the sensor can comfortably be run on a VM as long as the system administrator takes into account the potential impact on available cluster resources.

How does Endpoint Modeling work with Amazon Inspector?

Observable and Amazon have worked together to ensure that endpoint modeling and AWS Inspector are complementary. From within the Observable user interface, you can activate and schedule Inspector scans. Additionally, Inspector output is integrated into Endpoint Modeling to provide a more complete picture of how behavior changes may be correlated to detected vulnerabilities.

Does Endpoint Modeling work with Azure?

Yes, endpoint modeling works with Microsoft Azure on Linux hosts, but customers are required to deploy Observable's agent software to all of the Linux servers for which endpoint modeling is desired.

How does the pricing model work for dynamic AWS environments?

Our usage-based billable metric is called Effective Mega Flows (EMFs), which equates to roughly one million lines of log data before an optimization process. This optimization reduces the amount of information we process and, subsequently, your costs. Our service fee is priced per EMF each month after the optimization process, using the tier your total use falls in. To learn more, please visit our AWS VPC pricing page.

Operations and Support

What about data at rest? Is it encrypted?

Organizational policies, or industry or government regulations, might require the use of encryption at rest to protect your organization's data. Observable Networks encrypts all inactive data that is stored physically in any digital form. Data at rest encryption prevents data visibility in the event of an unauthorized access or theft.

Can I reduce my number of endpoints?

In some cases, consolidation of assets within your organization may reduce the total number of endpoints observed and analyzed. If you are on a monthly plan, you may opt to reduce your monthly subscription by emailing us at billing@observable.net.

Annual customers may also encounter such unforeseen changes, and we will work with you as much as possible to resolve those challenges. Any changes will be prorated to the date the notice was received by Observable.

How is data transmitted? Is it encrypted?

Data transmitted between the Observable sensor and the Observable cloud for analysis is always encrypted. Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies the message content to the interceptor.

Can I add more endpoints?

Yes. You may add endpoints to your subscription at any time. To add more endpoints, simply send us an email at billing@observable.net.

What if I exceed my endpoints?

If you exceed a contractual usage limit, we may work with you to reduce your usage so it conforms to that limit by ensuring that you are only covering the networks that you desire. The contractual limit is a soft limit so you can be assured that your network is always covered regardless.

What happens if I cancel my service?

If you elect to terminate your service, we will remove our sensor from your equipment and destroy customer-specific logs and data.

If access to the equipment is terminated by the customer prior to our deletion of the sensor application, you agree to delete all instances of the sensor on all physical or virtual machines and remove all sensors within one week of the conclusion of services, or another mutually agreed-to timeframe.

Notices of cancellation may be emailed to billing@observable.net. We will reply with acknowledgement of cancellation within 72 hours of receipt.

How will I receive support?

We will provide free installation and operational support during normal business hours. All support will be provided by email, chat, or phone, unless previously agreed to by Observable support.

How will I receive updates?

Updates to Observable's software will be released and installed periodically. Major updates will require pre-notification to the customer, while minor updates will be installed as they become available.