How CNAM works

CNAM is a complex engine that simplifies threat management. It builds threat models from around the globe and delivers quality decision making to customers.


intrusion detection system

CNAM uses five primary function modules at the core of the threat detection engine, these modules are tuned by experts for each deployment scenario. Here is a breakdown and brief function of each module.

  1. Traffic anomaly engine - detects DDoS, BotComs, proxies and p2p violations
  2. Managed intrusion detection - detects custom attacks on systems and applications
  3. Malware detection engine - detects worms, malware and APT
  4. Threat intelligence - shortens the detection time using external threat awareness
  5. Event correlation - qualifies attackers across locations and provides measurability
CNAM helps you improve the visibility of your network and detect threats accurately in the smallest time window. The primary function modules have direct integration with application libraries.

Find out more: Architecture    Features    Why others fail    Deployment    Plans

How does CNAM integrate?

A good threat management system is required to be flexible, it should be able to integrate and operate seamlessly with existing infrastructure. CNAM offers simplicity in design to its customers.

vulnerability detection system

CNAM adopts a non-intrusive approach to security, it requires no downtime and nor does it contribute to the latency of the network. CNAM can integrate with everything from network devices to applications. It can scale seamlessly across global locations of a customer and still provide real-time visibility through a single window.

CNAM sends out instant notifications for threats. It escalates events that need further investigation. CNAM provides training (inclusive in the service) to customers for setting up of a threat response center. The primary roles of this center would be

  • Monitor threats on the CNAM Attack Resolution Desk (CARD Console)
  • Analyse threats escalated by CNAM
  • Respond and contain the threat

As a customer, you can alternately choose to work with an MSSP partner who has teams trained to investigate and respond to threats using the the CNAM platform.

CNAM - the system and its components

CNAM uses cutting-edge algorithms and the power of the cloud to actively detect and respond to attacks on your critical IT infrastructure. It implements advanced correlation rules and detection mechanism coupled with a global intelligence network to deliver top notch security presented in an intuitive dashboard. We bring with us everything you need to detect attacks, all this is installed, configured and monitored by us round-the-clock.

Below are the primary components used by CNAM with a short description.


The Umbrella Network (UNET)

The Umbrella Network (UNET)

The UNET is a global facility used by CNAM to deliver real-time threat intelligence to its customers. The UNET aggregates intelligence from two networks viz. the CNAM customer network and the partner network. UNET is a network of global presence points called as Point-of-Presence (POP).

  • Each POP has a correlation management and intelligence processing facility
  • All POPs are directly controlled by the CNAM team at NETMONASTERY
  • Customisation on each customer is performed centrally from the CNAM Threat Center


Intrusion Detection Device (IDD)

Intrusion Detection Device (IDD)

The IDD is the primary whistle blower for the CNAM service, it uses multiple technologies for detecting attacks in real-time. Each IDD is customised to the needs of the network and is monitored using unique correlation rules deployed by the CNAM Threat Center. Detection modules in the IDD are updated continuously to keep up with the changing threat landscape.

  • The IDD contains industry standard and proprietary technology that detect attacks
  • It houses a traffic anomaly engine for floods
  • It also includes a collaborative worm detection engine to detect outbreaks


Network Aggregator (NAG)

Network Aggregator (NAG)

NAG is a local event collection and analysis engine, that is responsible for executing the correlation logic on the accumulated data. The NAG ensures that all the data collected by CNAM remains within the network perimeter. The NAG is in constant connectivity with the UNET which supplies real-time threat intelligence for accurate decision making.

  • The NAG collects event logs from various sources and locally processes them
  • This device pulls up correlation strategies from the UNET
  • The NAG applies the correlation strategies on the current event thread to develop local intelligence and a trend

Deployment options: Architecture    Deployment Process    Plans

© 2015-2016 All Rights Reserved. NETMONASTERY™ and CNAM™ is a registered trademark of NETMONASTERY NSPL.