Using Perception

Perception has always been designed to bring military grade cyber protection to any organisation. That’s why deploying and using the system has been made as simple and as flexible as possible.

Whether your network is based in a single location, or spread across different geographic sites, you can benefit from the protection of Perception.

Perception is also just as beneficial to modern cloud-based networks and networks with a large number of transient devices, with virtual and cloud devices that operate exactly the same as physical Perception hardware.

Whatever your network type, Perception can help you move to a more secure, “before, during, and after” approach to network security.

 

Deploying Perception

Since Perception is a completely passive device, it is very simple to deploy. The system comes in two parts: a sensor that takes in SPAN feeds or network taps from the network, and a Central Correlation Server (CCS), which collects metadata from all sensors and hosts the user interface. Both devices can be deployed as physical hardware using 1U rack-mounted servers, as virtual instances running on existing hardware, or as cloud instances running on popular cloud platforms such as Microsoft Azure or Amazon Web Services. The sensor can terminate multiple input feeds, meaning complete network visibility can be achieved from a single sensor.

The key to Perception performing well is its positioning within the network. A well-positioned Perception sensor should have full visibility across the whole of its network or subnet, enabling visibility of traffic inbound, outbound and laterally between hosts.

The CCS can connect to one or more sensors, allowing the user to correlate network activity across multiple sites, countries, and continents if necessary – this makes Perception deployable in any network whether it’s a small office or a multinational enterprise.

Each deployment contains one or more sensors and a single CCS. The sensor takes a SPAN feed or network tap from the network, and contains the data collection and analysis systems (based on national security technology), as well as the military-derived behavioural analysis systems and a packet capture database. The CCS contains ForensicAI and hosts the user interface.

The whole system is completely passive, meaning it’s easy to deploy and has no performance impact on the network. Passive deployments also have the benefit of being impossible for advanced malicious actors to detect and attack.

Sensors

A standard physical sensor typically handles small business networks of 400-500 users. Larger offices can use two sensors to split the traffic load, virtual sensors can be deployed to smaller offices, and cloud sensors can be deployed to monitor cloud environments.

Central Correlation Server (CCS)

The CCS can take feeds from multiple sensors over a secure VPN tunnel (preconfigured on the device), which can be local within the same network or distributed across sites over the internet.

The model of a single CCS to multiple sensors of varying sizes allows Perception to be used by any organisation, from smaller sites that want to improve their level of protection, right up to multinational businesses that have a massive enterprise to protect.


Deployment Examples

Perception can be deployed on any organisation’s network, regardless of scale or architecture. The following examples outline which Perception devices are required in different deployment circumstances.

MEDIUM SIZED OFFICE, SINGLE SITE


MULTIPLE SITES OF VARIOUS SIZES

In this example the deployment contains three separate sites. The head office hosts the organisation’s key network assets such as mail servers and file servers, as well as a large user group of around 400 people. The second office, although smaller, still hosts 200 staff. A third site hosts only 50 people but still needs to be monitored. A Perception Sensor is used to monitor both main sites; however, it would be excessive to deploy a physical sensor on the third site. Instead, a Perception Virtual Sensor Lite is deployed to allow visibility. All three sensors in this deployment communicate back to a Perception CCS hosted at the head office, either locally or via a secure VPN tunnel over the internet.

MULTIPLE SITES, UTILISING CLOUD SERVICES, MONITORED BY A THIRD PARTY

This organisation has three sites: one large head office with approximately 400 users, and two smaller remote sites with 100 users each. This organisation doesn’t host its own key assets, instead deploying them on a cloud provider such as Microsoft Azure or Amazon Web Services. The organisation doesn’t have its own network security team and has outsourced this work to a 3rd Party Managed Security Services Provider (MSSP). A Perception Sensor is deployed at the head office, with a Perception Virtual Sensor Standard at each remote site. The cloud infrastructure is monitored using a Perception Cloud Sensor. The MSSP monitors multiple customers, so it is impractical to have a physical CCS for each separate customer; instead, they host a Perception Virtual CCS Enterprise. All four Perception Sensors connect into this CCS via a secure VPN tunnel over the internet.


Service & Operation

Perception is available as a managed service, which means all alerts head back to Perception’s Security Operations Centre (SOC) at a List X site in Hampshire, where industry-leading analysts and researchers can provide all the monitoring capability you'll need. Alternatively, you can self-monitor the Perception system from your own site or that of your preferred MSSP.

SERVICED

Three levels of service allow you to tune the Perception service to exactly what’s required. At every service level, analysts will look at the Perception output and feed back easy-to-understand information about malicious or dangerous activity (whether intentional or not), as well as network vulnerabilities, to your IT team. All of this feedback is backed up with a wealth of information that the analysts used to triage the threat, so you can carry out your own investigation.

The SOC is located at Roke Manor, where some of the highest level cyber research in the world is conducted. Perception benefits from this partnership by utilising the same talent that conducts work for government-level security departments worldwide to feed into product development and analysis. No other business is as close to the cyber security threat landscape as Perception.

CORE SERVICE LEVEL

This level of support is aimed at customers that want to have general monitoring of the network available for incident support but don’t need constant proactive analysis. The Perception team can be called upon to provide information to support the investigation and help determine the cause and the impact of the incident, or for ad-hoc vulnerability hunting. The focus of the service team for core service customers is to keep the system up and running to a satisfactory level.

ANALYSIS SERVICE LEVEL

This is the standard level of Perception service, offering customers proactive monitoring of behaviours of interest which may indicate active threats, network weakness, users misusing corporate resources and configuration issues. The Perception team will actively monitor your network, providing regular feedback on steps to make the network safer, and advise on measures being taken to identify the early stages of malicious activity.

The analysis service level is very much a two-way relationship: customers have the opportunity to request areas of focus, network security targets that need to be met, or specific risks that need to be monitored.

DEEP-DIVE SERVICE LEVEL

The Perception Deep-Dive service takes the analysis to the next level, performing enhanced analysis of the data and actively looking for evidence of attack or security vulnerability, working closely with customers to ensure that their network is well understood and threats are quickly identified and resolved.

The Deep-Dive level of service goes beyond general analysis by including active threat hunting on even the most seemingly benign behaviours. This level of service results in an active layer of threat hunting, able to pick up on the most advanced of network threats.

SELF-MONITORED

As a self-monitored system, you retain all of the data Perception produces on your own network. Your selected IT professional is then able to rapidly identify all network traffic that could potentially be malicious. Using Perception's behavioural identification techniques, the analyst is able to see how unusual and threat-like all network traffic is. This process can increase the efficiency of a standard SOC team by an order of magnitude, as they can quickly focus on what's important and worth investigating, rather than being flooded by a series of false positives. They can also start their own proactive approach to cyber security: with Perception alerting them to vulnerabilities and misconfigurations that might put them at risk, they’ll be able to close security holes before they are breached. Analysts using the system can develop their skills rapidly as they have access to absolutely all data moving across their network.

All of our self-monitored customers have access to the Perception research team at Roke Manor. Due to the flexibility within the system, our engineers can create specific algorithms to provide a greater level of detail on the behaviour you're most interested in and immediately alert you if specific activities occur within your network.

Using this information, not only do you know where the danger is and how to solve it, you will understand where the risks in the network are, and what actions to take to protect the network for the future.


Product variants

Perception consists of two parts: Sensors and Central Correlation Servers (CCS). Sensors carry out the monitoring and analysis of data and are deployed where a mirrored copy of traffic is available. The CCS correlates feeds from all sensors and hosts the UI, and is typically deployed where the data is analysed. Generally, it is advised that enough sensors are installed to provide full visibility of traffic throughout a network, and only a single CCS is used for all but the largest of multinational deployments. Details of the different Sensor and CCS types are in the table below.