Top 5 Uses of NetFlow for Network Security
Posted in BYOD, Flow Analytics, NetFlow, NetFlow Analysis, NetFlow Security, network behavior analysis, Security on July 24th, 2012 by Adam Powers

There are many uses of NetFlow, but one of the most important and often overlooked is the network security value NetFlow and IPFIX can provide. Based on feedback gathered over 10 years from hundreds of NetFlow customers, here are the top five uses of NetFlow analysis for network security, in ascending order…
#5 – Incident response and reducing MTTK
Flows provide a 24×7 account of all network activity: an unblinking eye on everything that happens within the network boundaries. They’re like a CCTV system for your enterprise. And given the lightweight nature of flow data, you can store weeks, months, even years of flows without spending $100,000+ on expensive packet libraries from companies like NetWitness and Niksun. When an incident does occur, the information needed to identify the root cause and enact an orderly clean-up is in the flows. This is called reducing the MTTK (Mean Time To Know), and it is invaluable to the security pro looking to reduce the impact of a breach.
#4 – Provide deep situational awareness
This item is harder to pin down, but the idea is that from a tactical perspective, flows provide a “what’s happening to my network right now” view that other systems struggle to provide. While traditional IDSs and other security systems only alert when something is actively detected, Scrutinizer constantly collects information, providing a view into what the network is doing even when nothing bad appears to be occurring. It’s perfect for a NOC or SOC (security operations center) wall, especially given the dashboarding Scrutinizer offers.
#3 – Enable internal network visibility
The idea of monitoring the internal network, not just the perimeter, is somewhat new. With the advent of BYOD policies, MiFi devices, and the mobile worker, the internal network is nowhere near as safe as it used to be. Many customers understand this and are looking for ways to get a better handle on traffic patterns in the network core and access layers. When we talk about “edge”, “access” and “core” in the context of network security monitoring, we mean this:
The Internet and your perimeter-based firewalls, proxy servers, DLP solutions, and other technologies represent the “edge”. Core routers and switches such as Cisco’s Catalyst 6500 and Nexus 7000 populate the “core”. The “access” layer is where all the action is. This is where the BYOD movement has its greatest impact; it is both the most important place in the network to monitor and the most difficult place to bring security analysis to bear. You’ll find smartphones, IP phones, laptops, servers, and virtualized infrastructure at this layer.
#2 – Reduce cost of network security monitoring
Just enter a few commands on the router and you have network visibility at that location. The larger and more distributed your enterprise the more value NetFlow will provide. 500 remote sites? Don’t send out hundreds of IDSs or heavyweight packet-sniffing appliances, enable NetFlow on the routers at each remote site instead and rely on flow-based visibility.
Monitoring very high speed networks is also much less expensive. 10G IDS/IPS are *very* expensive, in the $100,000+ range. Monitoring 10G+ networks with Scrutinizer is a function of flows per second rather than link speed; the network speed itself doesn’t matter.
NetFlow-based security monitoring can often result in a 15 to 1 cost savings ratio over traditional packet-based monitoring technologies.
#1 – Detect attacks without signatures
Without a doubt the item that drives most interest in flow-based security is the fact that flow-based analysis relies on algorithms and behavior rather than signature matching. This gives Scrutinizer Flow Analyzer an ability to detect attacks before a signature is available. You won’t hear us use “zero-hour” a lot because I feel like it’s been over-hyped by all the security vendors but that’s really what a flow-based security analysis technology provides – rapid detection of attacks that other technologies will often miss.
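As an added example (not code from the original post, nor from Scrutinizer) of the two ideas above in miniature, here is a behavioral check over stored flow records, flagging a source by its distinct-peer fan-out in a time window rather than by any signature, together with the after-the-fact host lookup that shortens MTTK. The flow records, field layout and threshold are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Minimal flow record as a collector might store it (constructed layout).
Flow = namedtuple("Flow", "ts src dst dport proto pkts bytes")

# Constructed sample flows: 10.1.1.20 behaves normally; 10.1.1.5 touches
# seven different hosts on tcp/445 within a few seconds with tiny flows.
FLOWS = [
    Flow(1000, "10.1.1.20", "10.1.2.10", 443, "tcp", 40, 52000),
    Flow(1002, "10.1.1.20", "8.8.8.8",    53, "udp",  2,   180),
    Flow(1005, "10.1.1.20", "10.1.2.10", 443, "tcp", 35, 48000),
    Flow(1010, "10.1.1.5",  "10.1.2.10", 445, "tcp",  3,   180),
    Flow(1010, "10.1.1.5",  "10.1.2.11", 445, "tcp",  3,   180),
    Flow(1011, "10.1.1.5",  "10.1.2.12", 445, "tcp",  3,   180),
    Flow(1011, "10.1.1.5",  "10.1.2.13", 445, "tcp",  3,   180),
    Flow(1012, "10.1.1.5",  "10.1.2.14", 445, "tcp",  3,   180),
    Flow(1012, "10.1.1.5",  "10.1.2.15", 445, "tcp",  3,   180),
    Flow(1013, "10.1.1.5",  "10.1.2.16", 445, "tcp",  3,   180),
    Flow(1100, "10.1.1.5",  "10.1.2.16", 445, "tcp",  3,   180),  # later window
]


def fan_out(flows, t_start, t_end):
    """Distinct destination hosts per source within [t_start, t_end)."""
    peers = defaultdict(set)
    for f in flows:
        if t_start <= f.ts < t_end:
            peers[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def high_fanout_hosts(flows, t_start, t_end, max_peers=5):
    """Behavioral alert: sources talking to more than max_peers distinct hosts
    in the window. max_peers is an assumed threshold; tune it per network."""
    counts = fan_out(flows, t_start, t_end)
    return sorted(src for src, n in counts.items() if n > max_peers)


def flows_for_host(flows, host, t_start, t_end):
    """Incident-response lookup: every stored flow touching host in the window,
    as source or destination, in time order."""
    hits = [f for f in flows if t_start <= f.ts < t_end and host in (f.src, f.dst)]
    return sorted(hits, key=lambda f: f.ts)


if __name__ == "__main__":
    print("high fan-out:", high_fanout_hosts(FLOWS, 1000, 1060))
    for f in flows_for_host(FLOWS, "10.1.2.16", 0, 2000):
        print(f)
```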
Given the increased threat from APTs, mobile malware, botnets, etc., security professionals are looking for new ways to detect and react. Scrutinizer’s Flow Analytics security capabilities *are* a new way to detect and react. So try it out. Download Scrutinizer here or give us a call to set up a demonstration and answer any questions you may have about the security benefits of NetFlow and IPFIX.
Adam Powers
@adampowers22
For a free 30 day trial of Scrutinizer, Download Now!
Sign up for Advanced NetFlow Training™ coming to a city near you!
Tags: internal attacks, ipfix, NetFlow, network security, zero-day