PT NAD signature engine now processes traffic three times faster

Positive Technologies has released version 12.2 of its traffic behavior analysis system—PT Network Attack Discovery (PT NAD). The new version introduces centralized management and significant enhancements to the PT NAD signature engine.

The updated signature rule engine in PT NAD 12.2 can now analyze traffic three times faster than before. This upgrade allows the system to handle higher traffic volumes without the need for extra hardware. The enhanced performance of the signature engine marks another step forward in the ongoing optimization of the product's components.

This release marks the beginning of PT NAD's shift toward centralized management, streamlining its use in large, geographically distributed infrastructures. Previously, SOC operators in organizations with distributed infrastructures had to manage multiple standalone installations. Now, a central console aggregates data from all subordinate sites, enabling operators to work from a single interface. This significantly reduces the time SOC experts spend on monitoring, incident investigation, and proactive threat hunting.

In PT NAD 12.2, centralized management includes key features such as unified access to the activity feed, hosts, sessions, and dashboards. The product team's next goal is to add centralized export of PCAP [1] files, exception handling, and unified knowledge base management.

Viktor Yeremenko, PT NAD Product Practice Lead at Positive Technologies, said: "With PT NAD 12.2, we have achieved a new level of system maturity, focusing not only on improving performance but also on optimizing the user workflow. Starting with this version, cybersecurity management for large organizations with distributed infrastructures can now be centralized, providing analytics from all consoles in a single interface. This significantly saves time—the most valuable resource for security specialists—and enables businesses to scale the product's deployment across all their offices."

The new version of PT NAD also introduces an expertise module that profiles connections using the WinRM [2] protocol. Attackers frequently use this protocol for lateral movement within an infrastructure, and the new module enables detection of an entire class of attacks carried out over WinRM, including those performed with tools such as Evil-WinRM.
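The following is an added illustration of what "profiling" a WinRM session means in practice; it is not PT NAD's code. It assumes the sensor already has the HTTP requests of one session (from plaintext port 5985 or from TLS decrypted by an upstream proxy), that WinRM runs on ports 5985/5986 with the `/wsman` path, and that the WS-Management SOAP action URIs below are the ones Windows uses for remote shells. The sample session is constructed.

```python
import re
from dataclasses import dataclass

# Assumed protocol facts (from WS-Management / WinRM documentation, not from the page)
WINRM_PORTS = {5985, 5986}            # HTTP and HTTPS listeners used by WinRM
WINRM_PATH = "/wsman"
SHELL_NS = "http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
CREATE_ACTION = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Create"

# Lenient matchers for the SOAP header fields we care about (namespace prefix may vary)
_ACTION_RE = re.compile(r"<(?:\w+:)?Action[^>]*>\s*([^<\s]+)\s*</(?:\w+:)?Action>")
_RESOURCE_RE = re.compile(r"<(?:\w+:)?ResourceURI[^>]*>\s*([^<\s]+)\s*</(?:\w+:)?ResourceURI>")


@dataclass
class HttpRequest:
    dst_port: int
    method: str
    path: str
    headers: dict
    body: str = ""


def profile_winrm_session(requests: list) -> dict:
    """Summarise one session's HTTP requests into a WinRM activity profile.

    The profile tells an analyst whether a remote shell was created, how many
    commands were sent through it, and whether credentials crossed the wire as
    HTTP Basic (visible to the sensor in plaintext).
    """
    profile = {"is_winrm": False, "shell_created": False,
               "commands": 0, "basic_auth": False, "actions": []}
    for r in requests:
        is_soap = "soap+xml" in r.headers.get("Content-Type", "").lower()
        on_winrm = r.dst_port in WINRM_PORTS or r.path.lower() == WINRM_PATH
        if not (r.method == "POST" and on_winrm and is_soap):
            continue  # not a WS-Management request; ignore
        profile["is_winrm"] = True
        if r.headers.get("Authorization", "").startswith("Basic "):
            profile["basic_auth"] = True
        m = _ACTION_RE.search(r.body)
        if not m:
            continue
        action = m.group(1)
        profile["actions"].append(action.rsplit("/", 1)[-1])
        res = _RESOURCE_RE.search(r.body)
        # transfer/Create against the windows/shell resource = a remote shell was opened
        if action == CREATE_ACTION and res and res.group(1).startswith(SHELL_NS):
            profile["shell_created"] = True
        elif action == SHELL_NS + "/Command":
            profile["commands"] += 1
    return profile


def _soap(action: str, resource: str = "") -> str:
    """Build a minimal constructed SOAP envelope for the sample session."""
    res = f"<w:ResourceURI>{resource}</w:ResourceURI>" if resource else ""
    return (f"<s:Envelope><s:Header><a:Action>{action}</a:Action>{res}"
            f"</s:Header><s:Body/></s:Envelope>")


_SOAP_CT = {"Content-Type": "application/soap+xml;charset=UTF-8"}

# Constructed sample: shell creation, two commands, one output read, Basic auth on 5985
SAMPLE_SESSION = [
    HttpRequest(5985, "POST", "/wsman",
                {**_SOAP_CT, "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="},
                _soap(CREATE_ACTION, SHELL_NS + "/cmd")),
    HttpRequest(5985, "POST", "/wsman", dict(_SOAP_CT), _soap(SHELL_NS + "/Command")),
    HttpRequest(5985, "POST", "/wsman", dict(_SOAP_CT), _soap(SHELL_NS + "/Receive")),
    HttpRequest(5985, "POST", "/wsman", dict(_SOAP_CT), _soap(SHELL_NS + "/Command")),
]

# Constructed control: ordinary web traffic that must not be labelled WinRM
PLAIN_HTTP_SESSION = [HttpRequest(80, "GET", "/index.html", {})]

if __name__ == "__main__":
    print(profile_winrm_session(SAMPLE_SESSION))
    print(profile_winrm_session(PLAIN_HTTP_SESSION))
```

A profile with `shell_created` and a non-zero `commands` count on a host that does not normally administer others is the kind of signal that turns a bare "WinRM seen" event into a lateral-movement lead.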

PT NAD now also detects and parses HTTP/2 protocol messages, making it possible to identify attacks that exploit this protocol. This feature is part of PT NAD's integration with devices that enable network traffic interception (MITM), such as NGFWs or software-based SSL splitters like ArtX TLSproxy.

PT NAD 12.2 also includes updates to the reputation list mechanism. Operators now have the ability to specify the direction of traffic for which certain lists will be triggered. This allows PT NAD operators to fine-tune the mechanism's operation and ignore low-priority indicator triggers. Reputation lists from the Positive Technologies Expert Security Center (PT Expert Security Center) already come preconfigured with this parameter. Combined with overall improvements to the quality of reputation lists, this has reduced false positives by up to five times in certain cases.
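To show why a direction parameter on a reputation list cuts false positives, here is an added example (not PT NAD's own matching logic). It assumes a flow record that says which side of the connection is inside the monitored network, and that an indicator can be restricted to "inbound" (the listed address initiates the connection), "outbound" (an internal host connects to the listed address or name) or "any". The flows and indicators are constructed.

```python
from dataclasses import dataclass
from typing import List, Literal, Tuple

Direction = Literal["inbound", "outbound", "any"]


@dataclass(frozen=True)
class Indicator:
    value: str            # IP address or domain name from the reputation list
    direction: Direction  # side of the connection the indicator must occupy
    label: str            # human-readable list name


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_internal: bool     # source host belongs to the monitored network
    dst_internal: bool     # destination host belongs to the monitored network
    server_name: str = ""  # TLS SNI or HTTP Host header, if the parser saw one


def _hits(ind: Indicator, flow: Flow) -> bool:
    # Outbound: an internal host initiates a connection *to* the indicator
    to_indicator = flow.src_internal and (
        flow.dst_ip == ind.value or flow.server_name == ind.value)
    # Inbound: the indicator initiates a connection to an internal host
    from_indicator = flow.dst_internal and flow.src_ip == ind.value
    if ind.direction == "outbound":
        return to_indicator
    if ind.direction == "inbound":
        return from_indicator
    return to_indicator or from_indicator


def match(indicators: List[Indicator], flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (list label, flow) for every indicator that fires on a flow."""
    return [(ind.label, flow) for flow in flows for ind in indicators if _hits(ind, flow)]


# Constructed traffic: two perimeter probes from a known mass scanner, one internal
# host connecting back to that scanner, and one internal host reaching a C2 domain.
FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", False, True),
    Flow("203.0.113.7", "192.0.2.11", False, True),
    Flow("192.0.2.20", "203.0.113.7", True, False),
    Flow("192.0.2.21", "198.51.100.5", True, False, server_name="c2.example"),
]

# Untuned lists: every indicator fires regardless of who initiated the connection
UNTUNED = [Indicator("203.0.113.7", "any", "mass-scanner"),
           Indicator("c2.example", "any", "c2-domain")]

# Tuned lists: a scanner probing the perimeter is background noise; only an
# internal host *connecting out* to the listed address is worth an alert.
TUNED = [Indicator("203.0.113.7", "outbound", "mass-scanner"),
         Indicator("c2.example", "outbound", "c2-domain")]


def alert_counts() -> Tuple[int, int]:
    """Number of alerts produced by the untuned and the tuned lists."""
    return len(match(UNTUNED, FLOWS)), len(match(TUNED, FLOWS))


if __name__ == "__main__":
    for label, flow in match(TUNED, FLOWS):
        print(f"{label}: {flow.src_ip} -> {flow.dst_ip} {flow.server_name}")
    print("untuned/tuned alerts:", alert_counts())
```

On this sample the direction constraint halves the alert volume while keeping both hits that actually matter: the internal host calling the scanner address and the outbound connection to the C2 name.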

Information about the connection side in reputation lists of IP addresses and domain names

Moreover, starting with version 12.2, operators can now view the entire chain of application protocols in a network session, increasing network transparency.

Protocols in the session card

PT NAD 12.2 is already available to users. Existing users can get an update by reaching out to our technical support or a Positive Technologies partner.

  1. PCAP (from the English "Packet Capture") is a library used for creating programs to analyze network data received by a computer's network card.
  2. WinRM (Windows Remote Management) is a protocol for remotely managing devices running the Windows operating system.
