network security

Perception Update - Version 2.5.9

Version 2.5.9 adds a number of new features to Perception, including features to increase security, system performance, and usability issues.

Perception update blog header.png

To start, Perception now supports communicating over HTTPS with the UI, and allows the import of certificates.  Although communication over a secure VPN was already fully encrypted, the addition of standard web-security measures increases the security of the system as a whole.

Performance is always a priority for us at Perception, and in this update we continue to improve system performance.  We’ve changed the way our databases are structured, which means queries run faster and less disk space is required, we’ve also squashed a bug where very large databases were causing system performance issues.  Likewise, the cache of SMB data was causing some sensors to use too much memory, and this issue has been resolved with no effect on the detection performance of SMB-based behavioural identification.

Self-managed users will also benefit from the latest improvements to the user interface, including a number of smaller fixes that should improve usability.  You can now delete swimlanes in KnowledgeBase if they are no longer needed, and some ForensicAI alerts have been provided with more detailed microcontrol information, meaning the alert can be triaged better without even opening the alert at all.


A full list of updates are below:

  • Added support for HTTPS connections to the UI including certificate import.

  • Significantly enhanced database format giving improvements in query performance and disk space requirements.

  • Fixes for database performance issues when accessing very large databases.

  • Added ability to delete swimlanes from KnowledgeBase Incident Builder.

  • Improvements to SMB memory use to address issues with overloaded sensors.

  • Various UI fixes and improvements.

  • Enhancements to ForensicAI Alerts to give more detailed Microcontrol information and more accurate scoring.

  • Fix for Exceptions not matching on hostnames correctly.


This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at

Perception Update - Version 2.5.7

A number of features have been improved in version 2.5.7, including small changes to the KnowledgeBase feature.  

Perception update blog header.png

You can now annotate each event in KnowledgeBase so it’s clear what each connection means without just relying on the automatically generated metadata. We’ve also listened to your feedback and changed the way the column headers display so they look a little bit clearer.  Two more useful changes in KnowledgeBase include a reordering of events based on sample time, so they should be in a more intuitive order, and indicators for the direction of the connection too, so you can see which host initiated each connection.

There’s also some bug fixes and user enhancements, including refining the behaviours introduced in version 2.5.3, fixing issues with rendering some ForensicAI alerts, and protecting system stability with disk capacity protection.


A full list of updates are below:

  • Added support for text-based annotations to be included against KnowledgeBase events. This enables the user to add free text notes describing each event.

  • Fixed header position in KnowledgeBase swimlane diagram.

  • KnowledgeBase events now show direction of connection in swimlane diagram.

  • Updated KnowledgeBase to use sample time when ordering events in swimlane diagram.

  • Fix issue where behaviours were not loaded under HLC if the number of these exceeded a certain limit.

  • Added disk capacity protection to address issue seen on busier systems.

  • Enhanced metadata included in Host Activity classifier.

  • Added ability apply exceptions to Host Activity classifier.

  • Added an ability to purge all data from CCS and sensor should equipment need to be re-deployed or have all prior data removed


This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at

Perception Update - Version 2.5.3

Huge steps forward have been taken in version 2.5.3 of Perception, including the long-awaited open Beta of the KnowledgeBase function, and several new hugely powerful behavioural identification techniques.

Perception update blog header.png

KnowledgeBase sits at the top menu bar alongside ForensicAI and is a function that allows the user to dive deep into a full record of every connection that’s happened on the network. This has been trialled extensively and has quickly become one of the analyst’s favourite features, as it allows them to quickly confirm a suspicion by searching for specific connections made using its great filtering capability.  KnowledgeBase is now open to all users, and will continue to be developed over the coming months.

New behavioural logics have also been developed to identify specific behaviours at play on the network. The Suspected New Host Online behaviour has the capability to detect hosts not seen before on the network. This behaviour can be indicative of a planned system installation or an unauthorised device being connected to the network. This enables security teams to quickly identify the introduction of potentially vulnerable devices to the network.  This information may then be correlated with subsequent suspicious behaviour in the event that the newly introduced device presents a threat to the network.

The New Service Activity Detected Behaviour identifies when a host starts a new service resulting in network activity on a previously closed port.  Under normal operation a given host will run a particular set of services.  In the event that a new service is started, this may typically result in network activity on a previously closed port.  This behaviour can be indicative of a new application being installed on a host or an existing application suddenly going live.  A new service/port coming online can be due to either a planned configuration change, and configuration error, or an unauthorised application or user modification.  This activity may be of interest to a security team who expected a defined set of services to be running on the machine present on the network.  The network activity as a result of the new service may be benign or may be indicative of malicious software now running on the host, unknown to the user.

Finally, the Loss of Service Activity Detected Behaviour detects when a host ceases to run a service. This behaviour can be indicative of a system or hardware failure or a planned outage. This can help security teams to identify potential issues in the network in particular where a failed service related to a security incident.


A full list of updates are below:

  • Introduction of KnowledgeBase (beta). This is a new tool available on Perception to enable users to perform in depth analysis on host statistics collected by the system. Data selection can be achieved through filtering and grouping where filtering options are by time, by sensor and by grammar-based metadata selection. The result of the selections can be plotted on a timeline diagram for reporting and review purposes.

  • Three new behavioural classifiers have been added to the system. These are: Suspected New Host Online, New Service Activity Detected and Loss of Service Activity Detected.

  • Improved loading time of behaviours and Forensic AI views.


This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at

Innovate UK Turn to Perception for Their Essential Tips for Cyber Security

Innovate UK, the UK Government’s innovation agency, have curated a list of essential tips for cyber security for small businesses.

Innovate UK Logo.jpg

Innovate UK work with people, companies, and partner organisations to find and drive the science and technology innovations that will grow the UK economy.  Over the last 11 years they have invested £1.5 billion in innovation, working to determine which science and technology developments will drive future economic growth.  Alongside this investment work, they work closely with innovative companies to advise on how to improve their business.  With the growing threat of cyber-crime and intellectual property theft, the organisation decided to create a short list of easy to follow guidance on how to protect themselves from this threat.

To create their shortlist, Innovate UK contacted the cyber industry, thought leaders, and heads of digital risk.  After this process, they developed 4 key points for innovative companies to adhere to in order to improve their security:

  • Identify all possible threats
  • Make cyber security a business priority
  • Leverage existing schemes
  • Assume you’ll be hacked

Along with an in-depth article, which can be read here they created a short form animated video that’s simple to understand without requiring a detailed understanding of the cyber threat.

Perception’s team lead, Dan Driver, was contacted by Innovate UK in the preparation of developing this advice and was quoted in the explanation of the second point, “make cyber security a business priority.”

The point in question recommends that action is taken in advance of any attack, simple steps can be taken to reduce the chance of an attack taking place, or data mistakenly leaving a network.  Furthermore, this proactive approach to network security can reduce the impact in the unlikely event that an incident does occur.

In the article, Driver said, “Don't wait for an incident to occur, act now to protect the network and assets within it.  Failure to do so can have significant impacts financially and impact the reputation of an organisation to a degree which they may not recover from.”

Both the article and the video are well worth a look and the advice, although seemingly basic, can go a long way to protecting a network.  Perception itself helps organisations move to a more secure and proactive network security model by informing the user not only of in progress attacks, but also points of weakness and poor internal user behaviour, to minimise the risks at their source.

Perception Update - Version 2.5.2

Multiple improvements have been made to Perception in version 2.5.2, from increasing system performance to more advanced detection techniques.

Perception update blog header.png

The largest improvement is largely invisible, but makes the system configurable to allow processing limits to be applied to traffic received from the network, this increases stability of the system as a whole as it protects against bursts of network traffic.  There have been more under the hood changes as we have also upgraded the underlying operating system to the latest version.

More user facing changes include updates to some ForensicAI alerts to include scoring and suppression, further increasing confidence of a detection all while reducing any false alerts. This is part of ongoing work to bring all ForensicAI capability up to the same standard. 


A full list of updates are below:

  • Patch release to address issue with Nginx package install.
  • Added configuration options to allow processing limits to be applied to traffic received from the network.
  • Improved log file management.
  • Patch release to address installation issues observed during upgrade from previous operating system.
  • System fully upgraded to run on latest version of operating system.
  • Updates to lateral and egress HLCs to include scores and suppression.
  • Addition to ransomware extension list.


This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at

Questions every network security professional should ask themselves when setting up layered network protection.

Any information security strategy must be defined to support the growth and direction of the organisation.  This strategy should look at all the risks that may impact the organisation and implement a strategy to mitigate those risks.  Today, these risks are far more diverse and varied, and as such a mix of technical and non-technical controls to safeguard the business, its data and its ability to operate. It is critical to develop a strategy that mitigates or transfers as much risk as possible while keeping the cost and disruption as reasonable as possible.  As a result, a mix of multiple different security measures need to be taken to mitigate the relevant risks as efficiently as possible.  Every measure will naturally have its blind spots and weaknesses, and each of these must be covered by another system to mitigate those weaknesses.  Understandably then, when setting up a network security system, the risks, threats and impact must be understood with as much detail as possible and controls applied only where it makes financial sense and/or there is a regulatory demand.

So we have a multi-product, layered approach to network protection, but there are still some serious questions that must be asked when deploying these solutions across physical security, technical security, and administrative measures.  This article was written to collate some of those questions that might be forgotten during this process.



Physical controls are a first line of defence and range from access controls such as doors, locks, passwords, signage, and security guards to site facilities such as power, HVAC, and resilient services to ensure that service remains uninterrupted.

Do I know who is accessing my physical network?

It is all too easy in many businesses to be able to walk in to a room and just plug in to a spare RJ45 network connection box on the wall, this could potentially give a vantage point in to your network. It is important to understand what is patched where and also to properly disconnect or limit access to physical connections. In some cases a physical audit may be necessary to ensure that you have ensured what you think is plugged in is actually plugged in.

Do I have a way of controlling access to my physical network?

It seems nearly every IoT device seems to have a connection to the internet these days and many devices have a physical RJ45 network connection. Smart TV's for example we find often beacon back to home with potentially sensitive information. It is important to ensure you have some form of policy on the connection of new devices on your network, which may include a risk assessment of what the device has access to and whether it should actually be allowed.

How would I know if physical security measures have been breached?

This is a difficult question to answer, but the best way to test how prepared you are is to ‘red team’ your site, inviting teams of people in to the business to see how much of the business they can access, what information they can get out of the organisation, and how far an unauthorised person can get within your site before you are alerted to their presence.  Even beyond these tests, it is important to understand how you could tell if someone is on your site who shouldn’t be, whether it’s by detecting them accessing your IT infrastructure, or physically detecting them walking around.



Technical controls, whether active or passive can be implemented to enforce, monitor and understand an environment.  In modern businesses, the biggest risk if often loss of data or service on its IT systems which means businesses will focus on IT related technical controls such as firewalls to protect the perimeter, IPS/IDS to identify attack, proxy servers to monitor and control internet usage and endpoint protection to prevent the user devices, whether it be loss, attack or intentionally deviating away from the policies.  

How many technical controls do I really need?

The quantity of technical controls is vast and the degree of active enforcement is dependant on the risk and the policies of each organisation.  How many are deployed largely rests on balancing risk and investment, the best way to approach this is to deploy more than expected initially, before reviewing the deployment and seeing how much value each system is delivering, and working backwards from there.

Which layers of security require technical controls?

Technical controls can be used at all layers of security the network from active preventative controls which stop a detected threat, containment which may identify a threat and quarantine it, detection and reporting to allow for analysis and reporting and recovery and restoration should it be necessary.   Network monitoring systems can complement these technical controls by offering passive detection and monitoring of network behaviours.  This allows analysts to use this data to better understand the actions of a device or user, using this data to identify risks and proactively mitigate them but also to understand what has happened should an incident occur.



Administrative controls can have a massive effect on the effectiveness of information security strategy, but how effective these controls are varies greatly across organisations based on how they are implemented.

To what extent can administrative controls remove the need for technical controls?

Deploying policies can remove the need for a number of technical controls, however some can be pervasive and enforced using technical measures such as group policy (change password every 30 days) where others are not enforced with technical systems (no system changes during Xmas shutdown)


Do I have a way of understanding when administrative controls aren’t being effective?

Deploying solutions that can understand how many users are not adhering to training, or how many policies are being breached and how regularly can point you towards simple measures such as retraining or policy renewal to improve information security.  Network monitoring systems that can tell the user how many people are breaching policy, for example, can inform a system admin that they may need to deploy systems to stop these policy breaches from happening.  A good example of this particular issue is monitoring the use of cloud storage solutions that breach policy, if this is happening often, perhaps it’s time to deploy a private cloud storage solution?