NetGuard Endpoint Security
Network based malware detection
Nokia’s NetGuard Endpoint Security (NES) is an end-to-end, network-centric malware detection and response, for mobile, fixed infrastructure, and smartphone and IoT devices. Leveraging Nokia’s Threat Intelligence Center and network-based malware sensors allows both to protect network infrastructure from attack and offers revenue-generating malware protection services to customers.
It monitors consumer, enterprise, and critical infrastructure network traffic for malware and attack activity. NES identifies infected end-point devices and takes immediate action to notify or block malware and prevent security breaches. The system augments the service provider’s security operations teams with real-time, actionable threat intelligence to protect both the critical telecommunications infrastructure and consumer endpoints from malware activity. Being an agentless Endpoint Security solution, NES protects the whole network and is a powerful asset for the Service Provider’s security professionals independent of their role and experience level.
System Components of network-based malware detection
The below figure illustrates a system architecture for network-based malware detection. Sensors in the carrier network monitor the network traffic between user endpoints and the Internet, looking for evidence of malware infection. This includes malware command-and-control (C&C) traffic, exploit attempts, hacking activity, suspicious behavior, and DDoS activity. Alerts are sent to a central alert reporting cluster, where they are analyzed and stored. Interfaces provide real-time information feeds to SOAR (Security Orchestration, Analytics, and Response), SIEM (security information and event management), firewalls, and policy enforcement systems. The system also includes a fully automated end-user notification system and a self-serve remediation portal.
Network Based Malware Sensors
Network sensors are deployed at key locations in the carrier network to monitor the network traffic for malware activity. These are deployed on network taps and have no impact on network performance. They use a combination of behavioral and signature-based technology to identify malware activity with a high degree of accuracy. These also host Nokia’s IoT device profiling and anomaly detection algorithms.
Alert Reporting Cluster
The Alert Reporting Cluster (ARC) is a cluster of virtual machines that run in the carrier’s data center to aggregate malware events from the sensors. This also hosts the system’s database, interfaces with third-party security operation systems (SIEM, Firewalls, PCRF, SOAR etc) and provides a platform for analytics and reporting.
The Analytics Portal provides the main user interface for the security operations team. It provides a dashboard summary of malware activity and the ability to drill down to individual malware events. It provides detailed reports on which devices are infected by which malware and allows the operator to view the individual malware activity history for each device on the network.
The subscriber portal provides a self-serve remediation portal that consumer or enterprise customers use to eliminate malware problems on their devices. It is an integral part of the malware notification and remediation service and provides online scan & clean services and up to date anti-malware software for smartphones, tablets, PCs and laptops.
Benefits and features
NetGuard Endpoint Security network-based malware detection benefits:
Gathering threat intelligence for security operations
The system allows the service provider’s security operations team to collect live threat intelligence from their network. This tells them which devices are infected with malware and which malware is operational in their network. This information is used to protect the critical telecommunications network infrastructure end-point devices.
Consumer malware notification and remediation
The system is a turnkey malware notification and remediation service that provides network-wide protection to the service provider’s customers and enables the service provider to monetize it as an optional service for the consumer and enterprise markets. A notification is triggered when malware activity is detected and gives the subscriber the option to automatically initiate remediation measures, through the NES Subscriber Portal or other customer-facing channels.
Enterprise Malware Notification and Remediation
NES is multi-tenant capable thus enabling the service provider to address its enterprise customers with a network-based malware detection solution, customized for each enterprise. The NES Analytics Portal gives each service provider’s enterprise customer their own view of the system.