Perception Update - Unusual Data Movement Meta Data

Publishing of additional meta-data associated with the Unusual Data Movement classifiers.

This additional meta-data provides the analyst with a detailed picture of the individual transaction that led to the classifier firing.  This enables them to make a more informed decision as to whether this is expected behaviour or something potentially malicious.

Perception’s system is built around generating events for behaviours by analysing the raw packets on the network.  We have added valuable meta-data to help the system differentiate between behaviours of the same type.

The analogy we like to use is imagining that Perception is a security system for a small town, and having a window open is one of the behavioural classifiers.  The classifier would be created whenever a window was open, but that information alone would not be enough to confirm a burglary.  However, if the system gave a little more information, so we knew what time that window was opened, the ambient temperature when it was opened, whether it was opened from inside or outside, and whether it was forced open or a key was used, we’d be far better able to say whether it was a break-in, or just someone getting some fresh air on a hot day.

Likewise, the unusual data movement behaviour has been updated to include more information about the data movement.  As we all know, data moving across the network at an unusual time, to an unusual destination, or of an unusual size isn’t likely to be threat-like.  However, now that the system is able to gather more low-level information about the transfer, the automated alerting systems and the analysts will be far better at identifying malicious data transfers amongst the legitimate ones.

This update is CCS- and sensor-based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCS using the software upgrade process.  If you have any further questions about this upgrade, please contact us at