Continuum Advantage

Leverage the power of our packet capture solution whenever and wherever you need it

find the right subscription plan with
our FAQs
, quick start guide, or CONTACT US TODAY

Continuum Advantage is a subscription plan that gives you access to NextComputing’s powerful packet capture software on the qualifying system of your choice. Whether you need the tools on a temporary or ongoing basis, on-site or off, Continuum Advantage lets you build the right cyber analytics tool to match your workflow.

Shop Online
Subscription

Price

Description

Monthly

$750/month

Start using Continuum Advantage at $250 for the first month ($500/month thereafter, auto-renewed)

3-Month

$1500/3 months

3 month pre-paid subscription, auto-renewed every three months

Yearly

$3750/12 months

12 month pre-paid subscription, auto-renewed every year

Key Software Subscription Features

Extensive Functionality

Continuum Advantage support various workflows for NOC or SOC use on a subscription use basis on the qualifying hardware platform of your choice.

LOSSLESS CAPTURE and ACTIVE RSYNC TO EXISTING PCAP REPOSITORIES

The subscription supports use for continuous lossless packet capture on (1) or (2) capture interfaces via tap or span port up to 10Gbps aggregate depending on the qualifying hardware platform of your choice

Click here to view hardware requirements

Additionally the Continuum Advantage has an active connection Rsync that can connect to your host server directories where existing PCAP and PCAP-NG file repository exists to copy and ingest and process same as capture packets for analysis, search and review. (1) active Rsync interface and (1) passive packet capture interface can be supported at one time.

VISUALIZATION AND SIMULTANEOUS SEARCH

The investigator allows you to view NetFlow, and enriched meta data logs, and threat signatures in our visualization tool, and pivot to a follow the stream and packet view from an event within the dashboard

SOC and THREAT MONITORING WITH ACTIVE TRIGGERS, SURICATA FORMAT SIGNATURES, SUSPICOUS JA3, SUSPICIOUS DOMAINS and OTHER EVENT MATCHING

Use real-time, dynamic, user-defined SOC workflow related analytics to rapidly review of behavior and anomalies and pivot to concurrent search workflows to follow the stream, event and view packets

NOC and NETWORK PERFORMANCE RELATED ACTIVITY MONITORING

RFC anomaly logging, file download event logging, multi-protocol event / metadata logging including HTTP, files, DNS, email, user agents, NetFlow, TLS/SSL, and VOIP concurrent search workflows to follow the stream, event and view packets

WEB GUI for VISUALIZATION AND REST API FOR AUTOMATION

Continuum Advantage’s interactive dashboard drives your investigation workflow as well as over the REST interface

SUPPORT and SOFTWARE UPDATES

During the term of your subscription, software updates are provided when available and support is available via phone, email, or our online ticket system including assistance with workflows. Specific REST API automation scripts can be implemented as an additional for fee service.

Continuum Advantage Workflows

Network Topology Pivot Workflow

This workflow shows how an analyst can start from the topology view to select a connection, pivot to global investigator to create a search, and view packets.

Network Topology View Augmented by Suspected IP Address View

This workflow shows two topology views. One with all connections for the past one hour, the other that has a suspected IP addresses on at least one end of the connection. The list of suspected IP addresses is controlled by an authorized user via uploading of suspected ip address list from Policy->Augmentation panel of the UI.

DSCP Network Performance Metrics Investigation/Search Workflow

Differentiated services or DiffServ is a computer networking architecture that specifies a simple and scalable mechanism for classifying and managing network traffic and providing quality of service (QoS) on modern IP networks. DiffServ can, for example, be used to provide low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as web traffic or file transfers. It is a 6-bit field used to identify the level of service a packet receives in the network. It is part of IP header.

Investigation Workflow

Global investigation of application usage, indicators of compromise and other enhanced metadata

Augmentation Workflow

Cross correlation of zero-day events and recursive search to network intelligence sources to alert within our Global Investigator

Search Workflow

Forensics investigations based on search or pivot from an alert in Cisco Stealthwatch, Firepower, SPLUNK, IBM QRadar, ArcSight, and other tools via REST

Follow the Stream Workflow

For a forensics investigation based on search results with streams

Phishing Attack Investigation Workflow

For a forensics investigation following a phishing email attack and subsequent actions

Network Performance Analysis and Investigation Workflow

TCP Flow State and Flow Aging Analysis

DNS Transaction Analysis

SMB Data Analysis

Policy Update Workflow

Quickly change real-time policies, based on new threat intel or lessons-learned. Federation Manager will PUSH policies to ALL field appliances

TLS-SNI Pivot Workflow

Packet Continuum’s DPI Engine logs Server Name Indicator(SNI) for each TLS session. As majority of web traffic is TLS based (estimated to be over 90%), an aggregation of TLS sessions based on SNI will allow analysts to know which applications are being used by the users in violation of one or more policies.

Suspicious Traffic Workflow

Packet Continuum's DPI Engine and Augmentation pipeline ensures that metadata associated with suspicious traffic are identified and tagged.

This sequence explains the workflow from defining policies to identify suspicious traffic to the display of the metadata events tagged as suspicious traffic.

There are 4 types of augmentation policy data that can be provided to the Augmentation server:

  • Suspicious TLS/SSL Signatures
  • Suspicious IP Addresses
  • Suspicious Domains
  • Malware

The Augmentation tab allows users to upload additional data that can be used to enhance the value of stored data and allow data correlation. This workflow explains adding a watchlist and investigating the suspicious traffic for further analysis.

Continuum Advantage Open Data Access

Packet Capture and Rsync Features

Continuous lossless packet capture up to 10Gbps aggregate depending on your system configuration into a rolling FIFO Capture Store from (1) or (2) span port or taps

Optionally ingest existing PCAP and PCAP-NG files on your host server via our active connection Rsync feature

Simultaneously Searchable netflow, enriched application meta data, threat alerts, and packets thru our Web GUI Investigator and packet viewer (See workflow examples

Real time indexing and suspicious threat and suricata rule based signature alerting — with time stamping as low as 150 nanoseconds –

Dedicated onboard Extraction Store retains all search query results viewable in our UI or downloadable for further analysis in your analytics tool of choice

Options for PCAP (or NetFlow) search results:

  • View in Wireshark on the local display UI
  • Remotely access from an external host via Web GUI or REST/API scripting
  • Run the critical sessions over the Streaming Playback Interface to any 3rd party forensic analysis tool. Simply connect streaming playback output to the capture interface of your tool, just like a span/mirror port.
STANDARDS-BASED POLICIES, WITH OPEN DATA ACCESS

Open Source Rulesets & Data Interfaces for NOC and SOC use case workflows:

  • Integrated Suricata IDS — alert rulesets for signature based threat alerting- Up to 50,000 simultaneous rules-changeable via UI or RESTAPI
  • Web UI investigator with Kibana flexible workflow screens – open data visualization of enriched meta data and intelligence data
  • JA3 – TLS/SSL encrypted traffic signatures and matching to uploaded known suspicious JA3 signatures
  • MD5 – File signatures and File Malware signatures matching to uploaded known malware MD5 hashes with search feature (and with active traffic when running 1Gbps or Rsync in a 5Gbps hardware configurion and 5Gbps in a 10Gbps hardware configuration Above 5Gbs only supported with session search not on all incoming traffic.
  • BPF Active Triggers— Define a single BPF pre-capture filter and up to 10 BPF passive filted for BPF signature events to alert on 
  • Suspicious Domains and DNS Alerts & Augmentation to uploaded known suspicious Domains and DNS
  • Defended Assets/Services — Define your list of known or internal IP addresses and ports (Services) that you want to defend or do network analysis on
  • Topology of IP conection discovery — Auto discover muli level IP conection and indirect connection of network traffic to investigate for NOC and SOC use case purposes

    Open Data Access, with standard file formats:

    • PCAP-NG for packet data off load from search for further analysis
    • NetFlow Version 9 flow records for off load from search for further analysis
    • JSON and Text/CSV/syslog network enrichment data for off lead from search for further analysis

    Open Workflow Automation & Orchestration:

    • Web UI (Chrome and FireFox)
    • Simplified URL-based actions, via a full-featured, mature REST/API to pivot from Splunk, Cisco watch, Corelight, Zeek, IBM Security QRadar and range of other tools
    • Unix Command Line Interface (CLI)
    • Custom Workflow Scripting
    • 3rd Party Event/Data/PCAP Correlation including Zeek/Corelight Community ID
    • Role-Based Access Control

    Continuum Advantage Capture Process

    • Continuous lossless packet capture up to 10Gbps into a rolling FIFO capture store. A separate extraction store retains PCAP file query results.
    • 4-tuple indexing in real time — IP address source/destination, port source/destination — with time stamping as low as 150 nanoseconds
    • PCAP compression in real time — Overall storage amplification up to 20x (depending on % of captured traffic that is SSL or video)
    • Search PCAP data from a convenient web GUI, using easy BPF+ descriptors, immediately streaming the results from capture store to persistent extraction store.
    RSYNC to existing PCAPs

    In addition to lossless capture via tap or span port, the Continuum Advantage also has the ability to have an active connection to any systems that have existing PCAP or PCAP-NG files

    • Ingesting PCAP and PCAP-NG files from remote systems via Rsync command retaining the original timestamps.

    • This is in addition to capturing data off a separate live network interface.

    • Our Rsync feature recursively copies from your source system directory(s) into the Continuum Advantage system

    • Rsync User – username used for access to the source system. Must be a valid Linux user and organizes, indexes, generated enriched metadata, as well processing against signature or other threat alerts for analysis and search same as the lossless packet capture

    • Configurations support (1) Rsync interface on the source system and/or (1) lossless packet capture interface from a span port or (2) lossless packet capture interface from span or tap ports.

    • An Rsync as an active network interface connection to your source computer or server where the existing PCAPs reside.

    Hardware Configurations and Performance

    All Configurations
    • Bare Metal installation of CentOS 7.7/7.8 or RedHat 7.7
    • AMD processors are most optimal if you have a choice (AMD EPYC 16 , 32 or 64 cores)
    lossless capture rates from span or tap ports
    based on system configurations

    Up to 1Gbps
    (or Rsync for existing PCAP files)

    Up to 5Gbps

    Up to 10Gbps

    CPU

    10-core processor+ (with BIOS set to hyperthreading) Processors can be AMD EPYC, Ryzen, Threadripper or Intel Core i7, Core i9, or single Socket Xeon or Xeon Scalable Processor

    22-cores+ processor(s) (with BIOS set to hyperthreading) Processors can be AMD EPYC 24, 32 or 64 Core, Threadripper or  single or dual socket Xeon or Xeon Scalable Processor(s)

    44-cores total processor(s) (with BIOS set to hyperthreading) Processors can be AMD EPYC 64 Core, Threadripper or  single or dual socket Xeon or Xeon Scalable Processor(s)

    RAM

    128 GB+

    196 GB+

    256 GB+

    OS Drive

    Minimum 500GB+ (JBOD or RAID 1)

    Network Interface
    • 1 or 2 Network Interfaces for lossless capture (Intel 1G or 10G network cards or motherboard interfaces that are Intel based: 82540, 82545, 82546, 82571, 82572, 82573, 82574, 82583, ICH8, ICH9, ICH10, PCH, PCH2, I217, I218, I219, 82573, 82576, 82580, I210, I211, I350, I354, DH89xx, I225, ixgbe (82598, 82599, X520, X540, X550, X710, XL710, X722, XXV710
    • 1 additional network interface of any type (Eth0 or Eth 1) for UI and REST API
    Capture store for PCAP, enriched metadata and search extraction store
    • RAID 0 or RAID 5 of 7200RPM rotating disks of 4 or more drives in RAID 0 or 5 or more drives in RAID 5 (Limit to 50TB total)
      Or
    • Single SSD drive (U.2 NVMe, SAS or SATA) or RAID or RAID 5 of SSD drives (Limit to 50TB) (Note: SSDs depending on usage should be higher endurance 3DWPD or 5 DWPD or if 1 DWPD longevity of SSD depends on how may writes per day over a specific period of time.
    • RAID 0 or RAID 5 of 7200RPM rotating disks of 8 or more drives in RAID 0 or 9 or more drives in RAID 5 (Limit to 50TB total)
      Or
    • Single SSD drive (NVMe) in JBOD or 2 in RAID 5 of NVMe SSD drives (Limit to 50TB) (Note: SSDs depending on usage should be higher endurance 3DWPD or 5 DWPD or if 1 DWPD longevity of SSD depends on how may writes per day over a specific period of time.
      Or
    • (2) + SSD drives (6G SATA or 12G SAS ) in RAID 0 or (3+) RAID 5 of NVMe SSD drives (Limit to 50TB) (Note: SSDs depending on usage should be higher endurance 3DWPD or 5 DWPD or if 1 DWPD longevity of SSD depends on how may writes per day over a specific period of time
    • RAID 0 or RAID 5 of 7200RPM rotating disks of 11 or more drives in RAID 0 or 12 or more drives in RAID 5 (Limit to 50TB total)
      Or
    • Single SSD drive (NVMe) in JBOD or 2+ in RAID 0 or RAID 5 of NVMe SSD drives (Limit to 50TB) (Note: SSDs depending on usage should be higher endurance 3DWPD or 5 DWPD or if 1 DWPD longevity of SSD depends on how may writes per day over a specific period of time.
      Or
    • (4) + SSD drives (6G SATA or 12G SAS ) in RAID 0 or (4+) RAID 5 of NVMe SSD drives (Limit to 50TB) (Note: SSDs depending on usage should be higher endurance 3DWPD or 5 DWPD or if 1 DWPD longevity of SSD depends on how may writes per day over a specific period of time

    Need More?

    NextComputing also offers complete hardware and software solutions that provide maximum capture rates, storage, and expandability to match your high-demand workflow. If you need enterprise-class performance or custom workflows, consider what our Packet Continuum solutions have to offer:

    • More connections: Up to 4 capture interfaces
    • Beyond 10G: Packet Continuum supports 1G, 10G, 25G, 40G, 100G capture NIC interfaces
    • Expand your enterprise: Packet Continuum supports up to 100 federations with up to 100 capture nodes in a federation group
    • Expand performance: Packet Continuum supports up to 8 cluster processing/storage nodes per capture node
    • Maximum storage: Packet Continuum is to 10 PB or more with federation and clustering

    Click here to learn more about Packet Continuum solutions

    Contact a NextComputing Sales Engineer at
    1-603-886-3874 or contact us online

    FAQs