Intrusion Prevention : Protect Intellectual Property!

Posted in detect network threats, detecting malware, ip host reputation, NetFlow Security, network threat detection on November 6th, 2012 by Adam Caesar

Today’s threat detection and intrusion prevention systems deployed at companies concerned with cybercrime use a layered approach to network protection.  Anti-virus software runs on every end system and server.  Most of us have access lists on routers and switches, and those who need to provide remote access to employees use encrypted VPN technologies.  Then of course there is the next generation firewall (e.g. Cisco, Dell – SonicWALL and Palo Alto), which performs deep packet inspection to compare bit patterns against regularly updated signatures.

“IPS (or deep packet inspection) is our #1 security defense; NetFlow is a very close #2.”
-Gavin Reid, Manager of Cisco CSIRT

Companies unwilling to put their intellectual property at greater risk take a more aggressive approach. Proactive security measures like removing full time Internet access from servers (i.e. online only for periodic software updates) have been successful.  Another popular method is removing employee administrator privileges on laptops, preventing them from installing unwanted software such as adware or malware.  These additional, albeit somewhat drastic, steps are often justified by security teams in an effort to avoid the latest security exploit or Advanced Persistent Threat (APT).

It’s no secret that hackers and hacktivists are always one step ahead of the game. 2012 has been quite the year for the infosec community. Blue Coat recently published a report stating that malnets have tripled in the past six months. Combine that with the ongoing Operation Cisco Raider, the House Intelligence Committee’s recent Huawei and ZTE accusations, the barrage of attacks on US banking institutions, and the use of LOIC (Low Orbit Ion Cannon) by Anonymous earlier this year. Clearly, it isn’t just the onset of the “End of Days” that has us all fearing the worst and asking, “How can I beef up my network security?”

Let’s take a look at a few different ways NetFlow and IPFIX can improve threat detection. NetFlow has the advantage of not requiring regular signature updates. Instead, it can be used to watch for behavior patterns. Excessive flows, network scans, odd TCP flag combinations, irregular communication ratios (e.g. many outbound connection attempts with few or no replies), etc. are all indicators of a possible infection. Flow records carry no payload, so this does not replace signature-based IPS; it complements it. NetFlow/IPFIX analysis is therefore an excellent network monitor for anomaly-based intrusion detection.

“As we work increasingly with the ability to understand traffic via NetFlow, which is free on every router we make, it has some really good value equations in situational understanding. Although you can’t see payload, you can see traffic in terms of how much and from what IP address to another, and that’s where it’s really valuable.”

-John N. Stewart

Watching for hosts that communicate with an IP address of poor reputation is one of the best ways to catch machines that could be involved in an Advanced Persistent Threat type of attack or in some kind of command and control botnet or malnet. Because flows carry no payload, such a match is a lead to investigate rather than proof of compromise, but it is a strong one. This type of constant monitoring process should be part of every serious IPFIX and NetFlow solution. Ours has been doing it since 2008.
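As an added example, and not code from the original post or from Scrutinizer, the Python below runs the behavior checks listed earlier in the post (port scans, odd TCP flag combinations, the ratio of half-open SYN-only flows to all flows from a host) and the poor-reputation check from the paragraph above over a handful of constructed NetFlow v5-style records. The flow tuples, the BAD_REPUTATION set (documentation-range addresses standing in for a real reputation feed) and the thresholds are all assumptions for illustration.

```python
"""Behavioral detection over NetFlow-style flow records.

Added example, not code from the original post or from Scrutinizer.
Flow records are constructed to resemble NetFlow v5 fields
(src, dst, sport, dport, proto, tcp_flags, packets). NetFlow exports
each direction of a session as its own flow, and tcp_flags is the OR of
every flag seen in that flow, so a complete TCP session shows
SYN|ACK|PSH|FIN while a half-open probe shows only SYN.
"""
from collections import defaultdict

# TCP flag bits as carried in the NetFlow v5 tcp_flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Hypothetical reputation feed: documentation-range addresses standing in
# for known command-and-control hosts (an assumption, not a real feed).
BAD_REPUTATION = {"203.0.113.7", "198.51.100.66"}

# Constructed flow records: (src, dst, sport, dport, proto, tcp_flags, packets)
FLOWS = [
    # normal HTTPS session, both directions exported as separate flows
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, SYN | ACK | PSH | FIN, 12),
    ("192.0.2.10", "10.0.0.5", 443, 51000, 6, SYN | ACK | PSH | FIN, 10),
    # 10.0.0.9 sweeps ports 20-44 on one host with single-packet SYNs
    *[("10.0.0.9", "10.0.0.20", 40000 + p, p, 6, SYN, 1) for p in range(20, 45)],
    # 10.0.0.9 also sends a NULL-flag and an XMAS-flag probe
    ("10.0.0.9", "10.0.0.21", 40100, 80, 6, 0, 1),
    ("10.0.0.9", "10.0.0.21", 40101, 80, 6, FIN | PSH | URG, 1),
    # 10.0.0.31 talks to a poor-reputation address
    ("10.0.0.31", "203.0.113.7", 52000, 8080, 6, SYN | ACK | PSH, 3),
    ("203.0.113.7", "10.0.0.31", 8080, 52000, 6, SYN | ACK | PSH, 2),
]

SCAN_PORT_THRESHOLD = 20   # distinct dports per (src, dst) before flagging
MIN_FLOWS_FOR_RATIO = 10   # do not judge ratios on a handful of flows
SYN_ONLY_RATIO = 0.8       # share of half-open flows that looks like scanning


def odd_flags(flags, proto):
    """Return a label for TCP flag combinations no normal session produces."""
    if proto != 6:               # only TCP carries flags
        return None
    if flags == 0:
        return "null"            # NULL scan: no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "xmas"            # FIN+PSH+URG without ACK
    if flags & FIN and not flags & ACK:
        return "fin-no-ack"      # FIN scan: FIN without a prior ACK
    return None


def analyze(flows):
    """Run all four checks and return a sorted, de-duplicated alert list."""
    alerts = set()
    dports = defaultdict(set)    # (src, dst) -> distinct destination ports
    syn_only = defaultdict(int)  # src -> single-packet SYN-only flows
    total = defaultdict(int)     # src -> all TCP flows
    for src, dst, sport, dport, proto, flags, pkts in flows:
        # reputation check: either endpoint on the feed
        bad = {ip for ip in (src, dst) if ip in BAD_REPUTATION}
        if bad:
            peer = bad.pop()
            inside = dst if peer == src else src
            alerts.add(("reputation", inside, peer))
        kind = odd_flags(flags, proto)
        if kind:
            alerts.add(("odd-flags", src, kind))
        if proto == 6:
            dports[(src, dst)].add(dport)
            total[src] += 1
            if flags == SYN and pkts == 1:
                syn_only[src] += 1
    # port scan: one source hitting many distinct ports on one destination
    for (src, dst), ports in dports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.add(("port-scan", src, dst))
    # communication ratio: share of half-open flows among all TCP flows
    for src, n in syn_only.items():
        if total[src] >= MIN_FLOWS_FOR_RATIO and n / total[src] > SYN_ONLY_RATIO:
            alerts.add(("syn-ratio", src, round(n / total[src], 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

On the constructed input this yields one port-scan alert and one syn-ratio alert for 10.0.0.9, two odd-flags alerts for its NULL and XMAS probes, and a single reputation alert for 10.0.0.31 (the two directions of that session collapse into one). The thresholds are starting points only; in practice they are set from a baseline of each network’s normal flow counts, and a reputation hit is a lead for the analyst rather than proof of compromise.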

Adam

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


2 Responses to “Intrusion Prevention : Protect Intellectual Property!”

  1. IBM Proventia IPFIX Support - NetFlow & sFlow Network Monitoring - NetFlowKnights.com Says:

    […] Security Network Intrusion Prevention System Firmware Version 4.6 adds an option to configure the collection of IPFIX flow data to […]

  2. Fortinet IPFIX Support - NetFlow & sFlow Network Monitoring - NetFlowKnights.com Says:

    […] Security forensics using IPFIX to monitor communication behaviors and even maintaining baselines is becoming more prevalent. By collecting flows representing all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network as well as moving laterally inside. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can recognize enough odd behaviors to identify an infection. Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and provides a great additional security layer to your network intrusion prevention solution. […]
