OORIGIN Audit is passive network monitoring software powered by DPI (deep packet inspection) technology. It inspects your IPv4 traffic and classifies it into flows, describing the protocols, application events, and associated metadata.
OORIGIN Audit offers the clarity of event logs with the detail of full packet capture to support your IT security audits.
- Fully passive probe
- Integrates with your SIEM
- Detects encrypted protocols
- Runs on low-end x86 hardware
- Reduces the size of forensic data
- Outputs JSON and CEF
- Device inventory: Analyze devices communicating on your network and discover shadow
- Device profiling: Server, NAS, computer, printer, router, IoT, industrial, network activity profiling
- IT policy enforcement: Verify end users' adherence to IT policies (e.g. gaming, mining bitcoins)
- Cyber investigation: Investigate cyber incidents with the level of detail of a full capture log
- Data retention: Store the network activity logs for future investigations
- Regulatory compliance: GDPR, ISO 27001 and PCI security audits

Network activity categories

- IT RISK: The protocol or application used is an IT risk
- IT BREACH: The protocol or application used is an IT policy breach
- NEW DEVICE: A new device is communicating on your network
- IP ANONYMS: IPs from anonymizing services (Tor, proxies)
- IP THREATS: IPs reported from cyber-attacks, spyware, and viruses
- IP CRIME: IPs reported from malware, botnets and C2 servers
Why is monitoring a network important?
The network is the lifeline of the IT infrastructure: when the network fails, business operations stop. Networks are also dynamic environments. Network administrators are continually asked to add new users, technologies and applications to their networks, and now even to let users connect their own devices. These changes can impact their ability to deliver consistent, predictable network performance and security.
What is DPI?
Deep packet inspection (DPI) is a technique for inspecting data in order to identify and filter out malware and other unwanted traffic. Each data packet carries both its own content and a set of headers that control how routers and other devices handle it as it travels across the internet. DPI inspects not only the packet's multiple headers but also the actual data content of the packet. Network activity logs produced with DPI technology act as a time machine: you can search them later for protocol compliance, viruses, spam, intrusions, and so on.
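As an added example (not OORIGIN's own code), the Python below shows the kind of inspection a DPI engine performs on an encrypted flow: it looks past the first bytes of a TCP payload, recognises a TLS ClientHello and extracts the Server Name Indication, which is how a DPI log can name the destination of a TLS session without decrypting anything. The sample ClientHello is constructed inline; malformed or truncated payloads are rejected rather than misread.

```python
import struct

def parse_tls_client_hello(payload: bytes):
    """Return {'protocol': 'TLS', 'sni': name-or-None} if the payload starts with a
    TLS ClientHello, else None. Truncated or malformed input also yields None."""
    try:
        if payload[0] != 0x16:                    # record type 0x16 = handshake
            return None
        rec_len = struct.unpack('!H', payload[3:5])[0]
        body = payload[5:5 + rec_len]
        if body[0] != 0x01:                       # handshake type 1 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], 'big')]
        pos = 2 + 32                              # skip client_version + random
        pos += 1 + hello[pos]                     # session_id
        pos += 2 + struct.unpack('!H', hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                     # compression_methods
        result = {'protocol': 'TLS', 'sni': None}
        if pos + 2 > len(hello):
            return result                         # ClientHello without extensions
        end = pos + 2 + struct.unpack('!H', hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack('!HH', hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:                     # server_name extension
                # list length (2) + name type (1) + name length (2) + host name
                name_len = struct.unpack('!H', hello[pos + 3:pos + 5])[0]
                name = hello[pos + 5:pos + 5 + name_len]
                result['sni'] = name.decode('ascii', 'replace')
            pos += ext_len
        return result
    except (IndexError, struct.error):
        return None

def build_client_hello(server_name: bytes) -> bytes:
    """Constructed sample ClientHello carrying an SNI extension (test input only)."""
    name = b'\x00' + struct.pack('!H', len(server_name)) + server_name
    sni_ext = struct.pack('!HHH', 0, len(name) + 2, len(name)) + name
    hello = (b'\x03\x03' + b'\x11' * 32 + b'\x00'           # version, random, no session id
             + b'\x00\x02\x13\x01' + b'\x01\x00'             # one cipher suite, null compression
             + struct.pack('!H', len(sni_ext)) + sni_ext)    # extensions block
    handshake = b'\x01' + len(hello).to_bytes(3, 'big') + hello
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake

if __name__ == '__main__':
    print(parse_tls_client_hello(build_client_hello(b'example.com')))
```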
Why is DPI important?
Deep packet inspection enables advanced network management and enforces the security of the IT infrastructure. DPI is used in a wide range of enterprise-level applications, by telecommunications service providers, and by governments. In an age of evolving advanced threats and 0-day attacks, network activity logs produced by a DPI engine are a critical and fundamental part of an effective network security strategy. This makes OORIGIN a critical tool for advanced IT security.
Data acquisition methods
OORIGIN Audit captures IP network traffic at 10/100/1G; several acquisition options are possible, so select the one that fits your needs. Network test access points (TAP) and port mirroring (SPAN) are the two most common access methods for live packet capture for monitoring and analysis. There are significant differences between them that affect the integrity of the traffic being analyzed as well as the performance of the network. Consider the SPAN limitation: packets are randomly dropped when the SPAN port becomes oversubscribed.
Passive network TAP
A TAP (test access point) is a hardware device that lets network traffic flow from port A to B and from B to A without interruption, while creating an exact copy of both directions of the traffic flow, continuously, 24/7, without compromising network integrity. The duplicate copy can be used for monitoring, security or analysis. Set the TAP in aggregation mode. Network TAPs have no IP address and no MAC address and cannot be hacked.
Switch port mirroring
Port mirroring, also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed. SPAN sessions do not interfere with the normal operation of the switch, can be configured remotely from any system connected to the switch, and disallow bidirectional traffic on the destination port to protect against backflow of traffic into the network.