Dark Reading is part of the Informa Tech Division of Informa PLC

12/19/2013
08:27 PM
Using NetFlow Data For More Robust Network Security

NetFlow can prove a powerful tool for spotting dangerous traffic patterns

While NetFlow data has traditionally been seen as a network infrastructure tool, smart security teams can get a great deal out of this collection of IP traffic statistics, too.

"Security professionals should consider every NetFlow and IPFIX router a security camera that allows them to go back in time and investigate suspect traffic reported by any number of security appliances," says Michael Patterson, CEO of Plixer.

According to Dr. Vincent Berk, CEO of FlowTraq, security pros may have to battle to get their hands on the data if other infrastructure people—the ones responsible for moving packets but not securing them—are at all territorial. But it is worth the effort.

"This has created a climate where security professionals have increasingly had trouble getting their hands on streams of NetFlow throughout their organizations," Berk says. "However, the advanced values that a security professional can get from NetFlow is enormous. Patterns of traffic, such as scans, worm-propagation behavior and brute-force password attacks show up very clearly in NetFlow. So do DDoS attacks."


According to experts, just as log data analysis and SIEM help contextualize security events, so too can NetFlow data offer a safety net for catching unwanted behavior.

"Understanding who is talking to whom; how they are talking; and for how long; can all add a much needed dimension to network situational awareness," says Matt Webster, CTO for Lumeta.

NetFlow analytics are particularly good at detecting anomalous "hot spots" of activity that could indicate existing issues or an active breach, says Jody Brazil, president and CTO of FireMon.

"For example, NetFlow data can be leveraged to isolate compromised hosts by identifying those communicating with botnet command and control machines, or to highlight those hosts utilizing unusual ports," Brazil says.

Similarly, NetFlow data can also help spot malicious server behavior indicating compromise there, says Nicole Pauls, director of product management at SolarWinds.

"It can help monitor for unexpected or unwanted server activity-since servers are going to have more well-known behavior patterns-looking for volume, ports and destinations unknown," Pauls says.

Brazil also says that NetFlow data can offer enough visibility into traffic to see how cloud-based applications are being used by showing which applications are being accessed over the network at any given time. This can be a huge benefit for security teams seeking to sniff out rogue IT functions that may not be handling data in a secure or compliant manner. And speaking of compliance, NetFlow data can also offer solid documentation to prove compliance with network-related security policies.

"Since flow data can be archived indefinitely, in many cases it allows companies to provide demonstrable evidence of IT compliance with internal governance policies, external regulations, and industry best practices," he says.

As organizations seek to up their security game through NetFlow data, Berk offers some friendly advice—don't just look at traffic at the network edge.

"People that only look at their border traffic will miss large ranges of visibility on what is happening inside the network," he says. "Data exfiltrations, theft and other intelligence gathering may be going on inside the network, and you will never see it if you only grab the NetFlow from your border devices. Deploy far and wide."

Of course, as with any security data stream, NetFlow data can overwhelm a security analyst. But there are ways to winnow the stream down and sift through that information to make it useful.

"One of the big challenges with NetFlow is that it can be like trying to watch every CCTV camera in a large city - it's overwhelming to consume, and most of the data is pretty boring," says Dwayne Melancon, CTO of Tripwire. "Smart enterprises watching suspicious changes in system state as a filter for NetFlow data - they monitor configuration changes, new executable 'payloads' showing up on a system, new listening ports being opened and then use that to focus on NetFlow."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
