Network Behavior

Lumu’s Illumination Process analyzes your network’s metadata on a 24/7/365 basis to monitor the organization’s cybersecurity state. While doing so, Lumu’s AI creates a baseline for the behavior of the network based on your team’s habits when using the network and interacting with the rest of the world. The Network Behavior tab is a window into that baseline, so that you can better understand your network’s usual state and use that information to strengthen your cybersecurity posture.

First and foremost, it is vital to understand that, unlike other sections of the Lumu Portal designed for operation, the purpose of this view is to provide information and insights on your network’s usual behavior and navigation patterns.

Let’s take a look at the functionalities of this subsection.

General Network Profile

This feature provides data regarding how the Internet traffic of your network is distributed using different criteria such as geography, type of data, time, and labels. This data is expressed as graphics that allow for easy readability and interpretation. The information in this view can be filtered by month and label. 

Geography

The first graphic is a map that shows how your network’s contacts are distributed geographically. Countries in a darker hue are where the most contacts are concentrated, while countries in a lighter hue have received fewer.

By hovering the mouse cursor over the map, you will be able to see how many contacts have been made with each country. While these contacts don’t qualify as incidents, this preliminary data can help you better understand your company’s browsing habits and detect unusual activity. 

For instance, the organization shown on the map typically has no regular contacts with Eastern European or African countries. Therefore, detecting connections to regions in those areas known for internet fraud could raise concerns. In a conventional approach to SecOps, manual investigation and threat hunting would be required. With Lumu, you can rely on the Illumination Process® to identify them as incidents, and on the automated response capabilities provided by Lumu Defender to handle them, allowing you to rest assured while ongoing 24/7 network monitoring is in progress.

Metadata Type and Labels

This view presents graphics illustrating the habitual distribution of traffic within your company across metadata types and configured labels. It provides insights into the areas generating the most traffic in your organization and identifies the predominant types of metadata produced by your company. 


This information will later become a vital asset to Lumu, as it will provide a better understanding of your company’s traffic and will facilitate the detection of unusual conduct once deep correlation comes into play. For now, however, it will serve as valuable insights for the organization’s cybersecurity team to have an estimation of the network’s expected behavior. 

Day and Time

This graphic provides you with detailed information on the days and hours when your company’s traffic concentrates. 

In other words, it provides a baseline for your network’s traffic based on time and frequency, which your cybersecurity team can use as a reference when evaluating potential instances of risk. Having a baseline for your network’s peak activity times can be extremely useful for optimizing resource allocation and managing network bandwidth effectively, for instance. Most of all, it gives you certainty that Lumu is continuously monitoring your cybersecurity state and that it will jumpstart your company’s threat hunting when an actual incident is detected.

Destination Details

This feature provides you with the standard distribution of your company’s traffic based on destination domains, according to the metadata analyzed by Lumu. The data is displayed using the popularity of the domains contacted by the network’s assets as the main criterion.

It is common knowledge that some domains are far more popular and generally more trustworthy than others: for example, a URL ending in google.com would be seen as more trustworthy by most people than a URL ending in freemoney.com.cz, as blunt as that example may sound. The information in this section can help you understand how much of your organization’s traffic is focused on the top percentage of the web’s domains, those being more well-known and reliable, and how much of it goes towards less popular domains.

Imagine a scenario where a substantial part of the network’s traffic is directed towards less known and niche domains. While this does not automatically imply compromise, the traditional approach would require manual verification by your company’s cybersecurity team. With Lumu, you can depend on the Illumination Process® to distinguish actual incidents, providing prompt information to your team and initiating an automated response to eliminate the threat.

This graphic shows you how all of the domains contacted by your network are distributed based on popularity. It can be used to see what percentage of your network’s navigation is focused on popular and generally reliable sites. By hovering over each node, you will get additional information and context. In the example shown, the vast majority of this organization’s traffic went towards sites outside the top 1000 of the world’s most popular domains.

It also displays your organization’s top domain destinations based on categories, which can provide additional details on how your team uses the Internet. 

How can I use this feature?

Having a baseline for the behavior of your network gives you a frame of reference for the day-to-day operation of the company and for what could be classified as anomalous behavior. You can also use it to compare the preconceived ideas you and your team had about your network with the reality of it as presented by Lumu, and adjust your organization’s policies to match.

It is also worth remembering that the Network Behavior tab is not meant to be a view used for operation, but for reference when evaluating potential compromise scenarios and to give you certainty that Lumu is working in the background on a 24/7/365 basis to detect adversaries.

Ultimately, to actually understand what constitutes anomalous behavior, this view must be used in tandem with the Anomalies tab to get a detailed look at which events the Illumination Process has found suspicious enough to classify them as such.
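To make the baseline idea from the Geography, Day and Time, and Destination Details sections concrete, here is an added illustration (not Lumu’s code or algorithm) that builds the three profiles the tab describes from a constructed sample of network metadata and then lists later contacts that fall outside that baseline. The record layout, the illustrative popularity ranks and the 2% country threshold are all assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

TOP_N = 1000  # the page's "top 1000 most popular domains" cut-off

# Constructed sample metadata, not real Lumu data:
# (timestamp, destination domain, destination country, illustrative popularity rank or None)
BASELINE = [
    ("2024-03-04T08:05:00", "google.com", "US", 1),
    ("2024-03-04T09:12:00", "mail.example.com", "US", 15),
    ("2024-03-04T10:30:00", "code.example.com", "US", 60),
    ("2024-03-04T11:00:00", "bank.example.co", "CO", 2500),
    ("2024-03-04T12:45:00", "news.example.co", "CO", 3000),
    ("2024-03-04T14:10:00", "erp.example.de", "DE", 900),
    ("2024-03-04T15:20:00", "google.com", "US", 1),
    ("2024-03-04T16:00:00", "chat.example.com", "US", 200),
    ("2024-03-04T17:35:00", "food.example.co", "CO", 4000),
    ("2024-03-05T18:00:00", "docs.example.com", "US", 30),
]
# Two later contacts to evaluate against that baseline (also constructed).
NEW = [
    ("2024-03-06T03:14:00", "update-check.example", "BR", None),
    ("2024-03-06T10:02:00", "google.com", "US", 1),
]

def profile(records):
    """Summarize contacts the way the tab does: share per country, share per
    hour of day, and the share of domains inside the top-N popularity list."""
    n = len(records)
    by_country = Counter(r[2] for r in records)
    by_hour = Counter(datetime.fromisoformat(r[0]).hour for r in records)
    in_top = sum(1 for r in records if r[3] is not None and r[3] <= TOP_N)
    return {
        "countries": {c: v / n for c, v in by_country.items()},
        "hours": {h: v / n for h, v in by_hour.items()},
        "top_n_share": in_top / n,
    }

def deviations(baseline, records, min_country_share=0.02):
    """Return (domain, reason) pairs for contacts outside the baseline: a country
    with (almost) no history or an hour never seen. Prompts for review, not incidents."""
    findings = []
    for ts, domain, country, _rank in records:
        hour = datetime.fromisoformat(ts).hour
        if baseline["countries"].get(country, 0.0) < min_country_share:
            findings.append((domain, f"country {country} outside baseline"))
        if hour not in baseline["hours"]:
            findings.append((domain, f"hour {hour:02d} outside baseline"))
    return findings
```

Running `deviations(profile(BASELINE), NEW)` flags only the 03:14 contact to a country the baseline never saw, which is exactly the kind of record the page suggests reviewing alongside the Anomalies tab rather than treating as an incident on its own.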