Propellent provides managed zero-day threat protection with Kemp Flowmon

A call for a next-generation security tool

Before encountering Kemp’s Flowmon solution, Propellent were relying on an intrusion detection system working in tandem with a firewall for triggered IP address blocking. While certainly effective against many types of attacks, this system was time consuming to fine-tune and would not scale very well into the future. It also only gave perimeter coverage of network borne threats.

“But the real issue was not day-to-day management,” says Matt Wanless, Managing Director at Propellent. “The previous solution offered good defense against known threats, but when it came to zero-day attacks or advanced persistent threats, we had to rely on endpoint protection to protect our clients, which we found to be a costly and time-consuming approach, and still had significant limitations.”

Indeed, ever since the increase of work-from-home and the general trend of commerce steadily shifting into the digital space, the incidence of ransomware and other sophisticated attacks has been greater than ever before, and in response to that, Propellent began to look for a next-generation behavior analysis and anomaly detection tool.

Actionable intelligence with real-world data

Not long after the Flowmon product suite was added to Kemp’s portfolio, we approached Propellent, who had thus far been a reseller of the LoadMaster line of load balancers and introduced the Flowmon solution to them.

“We wanted to give it a proper test, and so we implemented it on a small scale under an NFR license first,” continues Wanless. “It was important to do a real-world assessment of Flowmon, so in conjunction with one of our customers, we test-deployed it against some of their live services.”

This was imagicam, one of Propellent’s customers to whom they provide hosting and managed security.

“imagicam is dedicated to protecting data and using industry best standards. We understand the importance of data security and make every effort to ensure that data held on the systems is fully protected,” says Peter Grey of imagicam.

Through Propellent, imagicam utilize a defense in-depth approach using best-of-breed technology and processes.

“The outcome was a nice concise view of all the threats in imagicam’s infrastructure that allowed easily actionable intelligence,” says Wanless. In this way, Propellent gained an unquestionable source of truth on network-borne threats endangering the customer and were able to test and demonstrate the product’s capabilities with real traffic data.

The deployment consists of a virtual Kemp Flowmon Collector with the Anomaly Detection System (ADS) module for network-based behavior analysis and anomaly detection. The system uses an Open vSwitch and flow data from other switches as a source. “This, too, was a win for us,” adds Wanless, “as we could use what we had as sources of flow data instead of being pushed to buy proprietary sensors straight away.”

Data on the dashboard in half a day

“In the end, Kemp Flowmon proved much quicker and easier to roll out than what we were using previously,” says Wanless. “Instead of spending weeks tweaking and tuning, we get actionable insights in less than half a day.”

Propellent also appreciated the ease of management, streamlined event investigation workflow, and the ability to add additional tooling into the event view in ADS to integrate their own bespoke tooling.

“Kemp Flowmon fits our security ecosystem perfectly and we welcome the straightforward tenant configuration for each customer,” concludes Wanless. “And the fact that it has a native MISP connector is of great appeal as well, as it allows us to add Flowmon security events into our threat intelligence platform, greatly simplifying SOC operations.”