August 19, 2013

The Business Value of NetFlow

The increased awareness surrounding Advanced Persistent Threats and other types of malware have most security professionals searching out the best way to minimize this type of infection.  They realize that these types of attacks cruise right past even the most advanced firewalls. What can be done? How can NetFlow and the new standard ‘IPFIX’ help?

You Can’t Stop the Internet Threats

You can bet on it and it probably happens routinely at every company.  Someone clicks on something in an email or in a web page and voila, success for the latest spear phishing attack posted on Linkedin, Facebook or other social networking site. Immediately the infection makes an outbound connection to the Internet which passes right by the latest anti-virus update, the firewall and the IDS.  If your company has some type of proxy or Internet access authentication in place, no problem.  It will pass right by that as well.  That’s right, you can’t even stop it! So, how do you detect it?

Get Educated

Get involved with the security communities, read what they post and ask questions.  Find out who the latest security experts are and follow them on twitter and linkedin.  Setup Google alerts for key words like “DNS Attack, Malware, Advanced Persistent Threat, computer virus and the like.  Read blogs and learn all that you can make time for.  After diving head first into the industry of latest computer threats, it’s time to consider which types of malware you need to be on guard for and the behavior they exhibit.

How can we detect it?

After you understand who some of the enemies are and how they behave, what do you have at your disposal that will empower your security team to identify an insurgency? In most cases, NetFlow or IPFIX are listed within the top 3 resources.  Flow data allows security professionals to monitor for the tell-tale signs of an initiated threat.  Unlike firewalls, an IDS or anti-virus, NetFlow can’t be used for most types of signature matching and it’s ideal for monitoring communication behaviors over time.  By monitoring things like flow ratios, byte and packet counts, TCP flags or even performing host reputation look ups, we can use flow technologies to watch for a series of suspicious behaviors over time.  In our solution, we utilize a Threat Index™ which increases for a host the more it engages in odd behaviors. If the Threat Index gets too high, an event is triggered.

Don’t Panic!

If you determine that a host is infected, hold on, there’s no need to panic.  Shoplifters enter department stores every day and they don’t always leave with stolen goods or even when they do, it doesn’t mean we are going to go into a financial tail spin due to the losses.  Lets keep the threat in perspective.  Who is responsible for the machine that is infected?  What resources does the employee have access to?  Knowing these things can help reduce the immediate concern however, we still need to be aware that the threat could try to move laterally within the organization and infect others.  Whatever you do, don’t reinstall the machine and don’t turn it off. Give the user another computer to work with and monitor the infected machine to profile the malware’s behavior.  We can then use the profile to find other potentially infected machines.  This is where NetFlow and IPFIX really start to shine.

Routers and Switches are your Security Cameras

Everywhere you have a router, switch, server or probe that supports NetFlow or IPFIX, you have in a sense, a video camera.  The video camera monitors all traffic and sends the feed ‘flows’ back to the collector for future forensic investigations.  Don’t however rely on sFlow as it will likely miss the data you want to investigate.  For this reason, many hardware vendors are switching to the IETF standard for NetFlow and sFlow which is IPFIX. IPFIX is in a sense – NetFlow v10 and sFlow v6 rolled into 1.

NetFlow v10
Image paid for by plixer.

Even if the threat was detected by the IDS or firewall, NetFlow and IPFIX are almost always the go to solution for investigating the behavior and where it originated. Make sure you are collecting it because the business value of NetFlow   extends beyond its security uses.

The Business Value of NetFlow

NetFlow and IPFIX can provide additional value beyond its security uses. Flow data can tell us what DSCP value traffic is carrying which helps administrators ensure that the critical applications are being prioritized appropriately.  Combined with a leading NetFlow solution, it can also tell us the top hosts, applications and a range of other metrics that can assist IT professionals to better tune the forwarding logic of the network.

I’m sure that I haven’t listed all the great benefits of this technology.  What do you use it for?

About The Contributor:
Mike PattersonCEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.

See My Other Posts