Fidelis Network, also known as Network Detection and Response, is an intrusion prevention system (IPS) specializing in patrolling network activity. IPSs are extended intrusion detection systems (IDSs). Anyone informed by an IDS that an intruder in the system would want to do something about it.
There are only so many actions that an administrator needs to do to shut down illicit hacker activity – suspend a user account, block traffic to or from a specific IP address, kill processes, restore files, etc. An IPS automates those remediation actions. This is the “Response” part of the Fidelis product’s functions.
What does Fidelis Network do?
IDSs fall into two types: host-based intrusion detection systems and network-based intrusion detection systems. Fidelis Network is in the second of these categories. This is abbreviated to NIDS. As a NIDS, the Fidelis system scans activity just like any network monitor. It is looking for abnormal behavior, which would indicate malicious activity.
Fidelis Network can search out all of the devices on the network and all of the hosts of contributing modules provided by frameworks and APIs. The system does this by examining the source and destination addresses in all network traffic packet headers.
The scanner is called Deep Session Inspection. This adaptation of the industry term “deep packet inspection” implies that detection methods span packets to provide collated insights throughout entire connection sessions. As a result of this research, Fidelis Network draws up a live map of the network and the systems its devices communicate with outside the periphery of the company system.
While examining traffic, the system can deduce which packets have been produced by automated processes and the results of human activity. Moreover, it can do this even though the data payloads of those packets are encrypted.
To identify out-of-the-ordinary activity, the monitor first has to establish what is normal behavior. This extends to identifying the regular tasks carried out by each user account and endpoint. For example, employees have everyday tasks that they perform. Their job description limits them to doing the same thing every day, such as customer support or bookkeeping. If a Customer Support agent suddenly tries to access the company’s accounts, something odd happens.
The Fidelis system can identify account takeover and insider threats as well as signs of hacker activity. Fidelis mainly focuses on the protocols and ports of the packets traveling around the protected network. That means that the system needs to scan the headers of all passing traffic and not just rely on status reports from switches.
As well as looking at packet headers on a network, the Fidelis system includes sensors that scan emails and cloud platforms. The email agents scan attachments and will use OCR to identify the data contents of document images. This email scanner operates as a data protection filter and will block the transmission of sensitive data.
It watches incoming and outgoing traffic activity. Next, the Fidelis monitor gathers a fingerprint of activity, looking for what are called TTPs. These are “tactics, techniques, and procedures.” Finally, the tool compares activity with the MITRE ATT&CK framework, a central database of known hacker tactics. If a matching sequence is spotted, the Fidelis monitor raises an alert and goes into its response actions.
Related modules
The Fidelis system offers a suite of modules, and they can all work together to provide a complete data loss prevention and intrusion prevention service.
Fidelis also operates a consultancy and services division. This team can plan bespoke security systems and offer Fidelis MDR. This managed service provides a hosted security system package that bundles in the technicians to run the service for you.
The full menu of Fidelis units Is:
- Fidelis Elevate XDR A coordinating service that collates all of the detection data gathered by the other modules, acting as a SIEM and a security orchestration, automation, and response (SOAR) service to detect and neutralize threats.
- Fidelis Network A network-based intrusion detection system and threat remediation service.
- Fidelis Endpoint A host-based intrusion detection system that also includes anti-malware and endpoint firewall services.
- Fidelis Insight A threat intelligence feed that informs the threat hunting capabilities of all detection modules.
- Fidelis Deception A deception technology service that places honeytraps around the network to attract intruders makes them easier to catch and wastes the time they would otherwise spend trying to break into your actual data stores.
- Fidelis CloudPassage Halo A security and compliance service for cloud-based resources.
About Fidelis
Fidelis Cybersecurity, Inc was set up in 2002. The company has now been in business for nearly 20 years, and it is powerful at serving high-security public sector clients in the USA. The US Army, the US Department of Commerce, and IBM are among the company’s list of customers.
The founders of the company sold it to General Dynamics in 2012. Since then, Fidelis has been through a series of owners and is now a property of Skyview Capital, a private equity firm.
Fidelis grew its menu of services through acquisition. For example, its EDR system was originally a product of Resolution1, which Fidelis bought in 2015, and its deception technology service was developed through the purchase of TopSpin in 2018.
Fidelis Network deployment options
All of the Fidelis products are delivered from the cloud as a SaaS package. This means that the maintenance of the software is included in the price, as well as processing power and storage space for log files and historical data stores.
Fidelis products need agents to be installed on the monitored service. This means that one server on the client’s system will need an agent program installed for Fidelis Network to operate. In addition, if the customer is also using Fidelis Endpoint, each device covered by the service will need an agent. Similarly, any cloud platforms covered by the monitor will need an agent.
A typical configuration is to partner the Fidelis Network and Fidelis Endpoint services together with Fidelis Elevate XDR. This gives a complete “belt and braces” service with the Network and Endpoint systems providing fast, live protection and the Elevate XDR adding on SIEM capabilities fed data by the Network and Endpoint agents.
Fidelis Network prices
Fidelis doesn’t publish its price list. Instead, interested parties are expected to first review the system with the assistance of a sales representative through the medium of the Fidelis demo system. The next step on the buyer’s journey would be to test the system by accessing the Fidelis Network 15-day free trial.
Fidelis Network strengths and weaknesses
Fidelis Network offers a bundle of services that stretches beyond the classic NIDS model. For example, the email scanning service built into this package usually is part of a data loss prevention (DLP) service.
We have assessed the Fidelis Network service and derived the following points.
Fidelis Network is a high-end service that wouldn’t be suitable for SMEs. However, the managed security service is another interesting proposal that potential customers should explore.
Pros:
- A comprehensive NIDS that combines on-site data collection with cloud-based threat hunting
- A patented threat detection methodology called Deep Session Inspection
- Reference to the MITRE ATT&CK framework for indicators of compromise
- Automated mitigation actions
- The option to coordinate with an EDR and a cloud-based SIEM
Cons:
- The price for this service is high and aimed at large corporations
Alternatives to Fidelis Network
Whenever you invest in a new IT system of any type, it is always a good idea to profile several candidate suppliers before striking a deal. This is particularly important in the case of system security. For example, you might find that the Fidelis system is a little too pricey for your small business and want to identify other options within your budget.
We derived a good amount of services worth considering to implement network threat detection and response by following these selection criteria.
Our methodology for selecting an alternative to Fidelis Network
We reviewed the market for network-based intrusion prevention systems and NIDS like Fidelis Network and assessed the options based on the following criteria:
- A NIDS with related threat mitigation services
- The option of integrating with a SIEM tool or a complete SIEM system
- A SaaS platform that includes processing power, storage space, and software maintenance
- An option to combine the NIDS with related security tools
- A range of options for all budgets
- A free assessment period or a free version
- A paid service that gives value for money or a free tool
Here is our list of the six best alternatives to Fidelis Network:
- ManageEngine Device Control Plus (FREE TRIAL) This software package monitors all of the endpoints on a network and controls the ports that connect peripheral devices. This tool is particularly good at preventing malware from snaking onto a network through a connected USB memory stick. This function is something that Fidelis doesn’t have, so Device Control Plus would be a good security tool to add to a site that is running Fidelis, This system also operates as a data loss prevention (DLP) system because even when devices are allowed to attach to an endpoint, only certain users can move files on and off them. This means that only permitted files can go onto the device if it is moved by an approved user. Similarly, only known files are allowed off the USB memory stick. The software for Device Control Plus runs on Windows Server and there is a free version that covers a network of up to 25 endpoints. The paid version, called the Professional edition is available for a 30-day free trial.
- Rapid7 InsightIDR This is a good match for Fidelis Network because it provides many extra services that make it a standout tool – most notably, its deception technology. The Rapid7 system is a cloud platform that offers a range of tools under the group name Insight. The InsightIDR package is a SIEM because it includes log file analysis alongside live network security scanning. On-premises agents profile user and entity behavior, producing their assessments to supplement the log and traffic data that they upload to the threat hunting module in the cloud. This pre-screens research and speeds up the threat detection service. This service also includes sensitive data discovery, file integrity monitoring, and vulnerability scanning procedures. In addition, InsightIDR offers automated threat mitigation, and Rapid7 offers the package a 30-day free trial.
- Endpoint Protector Consider an alternative strategy to threat hunting with this host-based intrusion detection system. This will be a good option if you need to protect sensitive data because this is primarily a data loss prevention tool that includes SEIM services. The Endpoint Protector system uses agents installed on Windows, macOS, and Linux to scour data stores and identify and classify sensitive data. It then watches network activity and monitors activities in emails and on peripheral ports, such as USBs. This system will also scan through the buffers of printers and fax machines to watch out for data theft. Endpoint Protector is offered as a SaaS platform, as an add-on service on AWS, Azure, and GCP, and it is also possible to get the software and run it as a virtual appliance. Access a demo system to assess this option.
- Zeek This service was called Bro until 2019. This is an excellent NIDS that can be set up to perform automated responses. Best of all, this is a free intrusion prevention system. A nice feature of Zeek is that you can use it for network traffic analysis and keep your LAN in optimal performance. This tool also has vulnerability scanning features because it watches over device configurations and highlights security weaknesses in settings. The heart of this IPS is its detection rules that operate at the Application Layer, which makes it similar to the Deep Session Inspection approach of Fidelis. Zeek installs on Linux, Unix, and macOS.
- Datadog Real-time Threat Monitoring This is a security add-on to a cloud-based system monitoring platform that watches over networks, applications, endpoints, and services. The add-on activates a threat hunting service that operates on the live network monitoring capabilities of the platform. The detection system offers a package of off-the-shelf rules, but you can also write your own through a guided interface. Then, build on the network threat detection by applying system-wide Security Rules. This gives you a SIEM tool that blends in host-supplied activity data. All Datadog services are paid for on a monthly subscription, and you can try any of the modules, including the Security Monitoring service, on a 14-day free trial.
- Splunk Enterprise Security This is an add-on package for Splunk, a well-known and respected network analysis system. Get the live network monitoring and then activate the security package to operate threat hunting on the live feed. This monitor will also pull in logs from endpoints on your system. The threat detection service is called Asset Investigator and, on spotting and initial indicator of compromise, will focus on specific devices to extend research. In addition, a module called the Adaptive Operations Framework orchestrates with other tools on the network, such as firewalls, to shut down malicious activity. Deployment options include Splunk Enterprise (60-day free trial), which installs on Windows or Linux, or Splunk Cloud (15-day free trial), which is a SaaS service.