NTA detects suspicious traffic that other security tools are missing

Better Data, Better Analysis

  • Build context for metadata through enrichment of any data source
  • Actionable, searchable and exportable Interflow™ record tracks ingestion, reduction, enrichment and correlation of each event
  • Pervasive visibility across physical, virtual, container, public cloud and service providers
  • Comprehensive user interface that follows the kill chain

Protect & Resolve

  • Real-time analysis through leveraging both supervised and unsupervised machine learning (ML) for advanced detection without signatures
  • Combined functionality includes advanced analysis (ML) with signature-based IDS, advanced persistent threat (APT) and malware detection
  • Tight integration with end-point detection and response (EDR) systems
  • Trigger automatic responses directly or through SOAR integration

Network traffic analysis (NTA) is gaining popularity because it is the first line of defense for threat detection and response. It addresses the challenge of analyst labor spent on false alerts by enabling security staff to weed out low- or no-value data in network packets, to qualify and funnel alarms with threat intelligence and/or advanced analytics, and to reduce data storage.

Starlight’s NTA application helps get the data right. It collects, analyzes and stores metadata from network traffic at scale, dramatically reducing the data volume while retaining ample evidence for advanced detection and forensic analysis. The integrated deep-packet inspection (DPI) engine can identify 4,000+ network applications, extract metadata from these applications, and reassemble files. The right amount of metadata, including DNS domain names, URLs and SQL queries, is extracted. Stellar Cyber’s Interflow™ enriches the metadata with information from a variety of sources, including DHCP/DNS traffic and logs for host names and domain names, identity providers (IDP) such as Active Directory or Okta for usernames, threat intelligence, geolocation, and vulnerability scan results.

Pervasive visibility of lateral malware movement throughout the network is critical. In addition to monitoring north/south traffic that crosses the enterprise perimeter, Starlight monitors east/west communications and/or cloud-based applications through strategically placed physical or virtual network sensors or agents/containers on servers.

Starlight is a distributed detection system with multiple processing stages to improve system performance and scalability. Starlight begins performing necessary detections such as port scans, DNS tunneling, and flooding at the data collection stage. The integrated intrusion detection system (IDS) pre-processes network traffic before machine learning so that it predictably produces high-fidelity alerts.

Starlight’s NTA application delivers real-time detection and threat hunting/investigation through a data lake with searchable, indexed big data. Starlight’s architecture performs real-time and historic analysis by leveraging both supervised and unsupervised machine learning for advanced detection without signatures. Each integrated Starlight detection is purpose-built with the right supervised or unsupervised machine learning model for its use case, rather than a single model, such as an unsupervised algorithm, for all detections. Stellar Cyber’s security researchers and data scientists constantly tune the machine learning models to add detections and improve existing ones.

Starlight’s user interface allows the end user to help tune the machine learning model as well, by labeling an event with a thumbs up or thumbs down on a specific ML-driven detection result. All integrated Starlight applications, including both NTA and EDR, are aligned to the cyber kill chain, driving up productivity and reducing training time.

Starlight’s NTA application supports both automatic and manual responses and can directly block attacks by blocking attacking IP addresses or disabling affected user accounts. Starlight’s NTA app supports integration with SOARs like Photon and Demisto.

Starlight has built-in case management so security analysts can collaborate to resolve security incidents, as well as a powerful reporting and alerting engine with both pre-canned compliance reports and customizable reports tailored to individual requirements.

Thinking proactively, Starlight has a powerful automated threat hunting application built in. For example, when a login such as SSH/RDP/FTP from an unexpected country and/or an unexpected time window is detected, an alert or a block action can be automatically triggered.

Starlight's NTA Application

Asset View

In Starlight’s Asset View you can easily find all assets discovered on your network and gain valuable insight into what each one is doing. Asset View detects the operating system running on a device, the hardware type, applications used by the device, history of the asset’s IP addresses, the network throughput, and even application performance over time.

Admins can approve or disapprove discovered assets to keep track of inventory and to enforce detection rules based on asset status.

Services

With Starlight’s Service Visibility view, admins can easily see what applications are running within their environments, which IP addresses are communicating and how much data is being transmitted.

The view is categorized for private and public communications to let admins quickly grasp the picture on each segment and direction.

The easy-to-use interface lets the user drill down, sort and filter on a variety of fields.

Network Traffic Analysis View

Starlight is also a great tool for network traffic analysis of the kind commonly done with NetFlow collector tools. Because Starlight uses Interflow™ to capture L2-L7 flow telemetry, we are able to visualize the performance of networks, servers, and applications. Admins can quickly identify performance bottlenecks, understand which applications are used the most, and see whether a server is causing problems or the network itself is at fault.