Three Mistakes When Performing Cyber Threat Detection

Posted in cyber threat detection on June 18th, 2013 by mike@plixer.com

We are very busy this week getting ready for CiscoLive! 2013 in Orlando next week. Since we have a first-rate team getting us ready for the show, I had a block of time to put together three primary thoughts I’ve collected regarding mistakes some people make in their cyber threat detection routines.

Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


NetFlow Collection

Posted in Cisco AVC, netflow collection on May 19th, 2013 by mike@plixer.com

High volume NetFlow Collection usually can’t be attained by simply placing the NetFlow collector on beefier hardware. It requires understanding of the protocol, the preprocessing necessary to meet the demands of the front end, tweaking memory, optimizing database settings and of course powerful hardware.

2014 and 2015 NetFlow and IPFIX Predictions

Posted in General on May 9th, 2013 by mike@plixer.com

One of the most fun yet scariest parts of being an entrepreneur is making predictions. If your forecast is correct, hopefully it will be good for your company. If you are wrong, you hope no one notices. In 2009 I posted a blog titled OMG, the Internet is overloaded! where I discussed application recognition and its importance in the role of prioritizing traffic. In the post I stated “Due to the fact that many applications use the same ports, application recognition is no simple process (e.g. Skype ‘VoIP’ looks like BitTorrent ‘data’).  My guess is that accurate application awareness is a highly dynamic problem necessitating frequent updates.” Today, several vendors perform Deep Packet Inspection (DPI) to monitor a series of packets to identify layer 7 applications. Cisco Application Visibility and Control uses NBAR to serve just this purpose. Below I’ve listed a few companies that utilize DPI to identify layer 3 applications:


Implementing RFC 5610 and IPFIX Collectors

Posted in IPFIX on April 2nd, 2013 by mike@plixer.com

More and more flow exporting vendors are making the move to IPFIX, and at Plixer we feel that implementing RFC 5610 should be part of the decision. The reason is that IPFIX is capable of exporting everything in NetFlow v5 as well as additional fields such as top multicast addresses, IPv6 addresses, packet lengths, MPLS labels, VLANs, MAC addresses and several other details and performance metrics that the vendor can decide on and even make up. Without RFC 5610, the IPFIX collector doesn’t know how to decipher these sometimes proprietary elements.


Internet Threat Defense Solution: Part 3

Posted in advanced persistent threats, internet threat, ip host reputation, netflow and ipfix on March 2nd, 2013 by mike@plixer.com

In many cases, previously unidentified malware and back doors were identified through the use of these indicators in both network traffic and host-based information. The combination of both host- and network-based indicators continues to be the most reliable way to identify APT-related malware on a network.


Internet Threat Defense Solution: Part 2

Posted in advanced persistent threats, cyber crime, internet threat on February 16th, 2013 by mike@plixer.com

The Magnitude of the Cyber Threat Problem

Earlier this year, CNN stated that 39 Billion was stolen online in 2011. This fall, Symantec calculated that the total cost of cyber crime in 2012 will reach 110 Billion. As Dmitri pointed out, every company has been compromised in some way. Advanced Persistent Threats are expected to continue increasing as shown below.


Internet Threat Defense Solution: Part 1

Posted in advanced persistent threats, cyber crime, denial of service attack, internet security, internet threat, threat detection on February 2nd, 2013 by mike@plixer.com

Building organizational confidence surrounding a company’s Internet threat defense effort means we can never let our guard down. A potential internet security threat could come from anywhere at any time and it doesn’t have to start from cyberspace. Many threats are initiated internally by infected handhelds and laptop devices which walk right past the firewall.


What can be exported as a Flow: Use NetFlow v9 or IPFIX?

Posted in NetFlow or IPFIX, network threat detection, Network traffic monitoring on January 21st, 2013 by mike@plixer.com

A month ago I was on a call with a hardware vendor that exports flows and he asked, “What else should we be exporting with NetFlow v9?” This is a great question and, fortunately, almost any information observed by the flow exporter or passing through it can be exported in NetFlow v9 or IPFIX.

Generally, we recommend using IPFIX to send the information rather than older technologies such as SNMP traps or syslog. A big differentiator is that with IPFIX, we can stuff multiple messages into the same datagram while keeping the data structured, which leads to faster event correlation and improved network threat detection. I told him that the items we hear the most demand for from NetFlow are:


Exporting NetFlow or IPFIX

Posted in cisco ASA, Cisco NetFlow, IPFIX on December 30th, 2012 by mike@plixer.com

Is your engineering team trying to decide if you should be exporting NetFlow or IPFIX? This is the area of the technology where many first-time vendors make mistakes. Implementing NetFlow or IPFIX is not difficult. But when programmers rely solely on RFCs as an implementation resource, the result is usually an export that many flow reporting vendors won’t support. For this reason, this blog is largely dedicated to engineers who either want to export these technologies correctly or who need to troubleshoot what is wrong with an export they have been asked to look at.


Cisco ASA 8.4(5) NetFlow Support

Posted in cisco ASA, IPFIX, NAT Reporting on November 22nd, 2012 by mike@plixer.com

Have you upgraded your Cisco ASA to version 8.4(5) for the latest and greatest security features and NetFlow (NSEL) enhancements from Cisco Systems? Well, if you have, you may have noticed that the NetFlow reporting broke.  Have no fear, we fixed this issue in Scrutinizer version 10.1 which is being released in a couple of days.  But, WAIT! There’s more!
