Can I ask you something? As the manager of the network, I’m sure you and your team end up investigating a lot of potential threats. My question is: what is your guess as to the ratio of NetFlow alarms you investigate from your NetFlow tool to the number of calls you receive from a user on the network complaining about a problem? In other words, are the canned (i.e. non-custom) NetFlow-detected alarms more helpful, or are your own investigations and user complaints more helpful?
The reason I ask is because the lion’s share of the NetFlow case studies we write about NetFlow analysis experiences end up being related to problems where an application was doing something it didn’t need to do, or something that could have been done at a different time of day. Second to this would be viruses and botnets. I feel that good reporting and filtering in a NetFlow tool, like we find in the Wireshark packet analyzer, is equally or more important than NetFlow Network Behavior Alarming. I believe most people would agree that expecting alarms to tell you about the majority of problems on the network is wishful thinking.
I’m a big fan of creating custom behavior watches using saved reports. Many NetFlow analyzers, and this includes the expensive ones, don’t have good filtering and custom alarming abilities. I’ll expand on this in another blog post on NetFlow filtering.
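As an added illustration (not code from the original post or from Scrutinizer), here is what a custom behavior watch built from a saved-report filter amounts to: a schedule of when each application is expected and how large its flows should be, applied to a handful of constructed NetFlow-style records. The port-to-application mapping, the schedule and every flow value are assumptions made for the example.

```python
"""Added example, not from the original post or from Scrutinizer: a custom
behavior watch written as a saved-report filter over NetFlow-style records.
Every flow record and every schedule value below is constructed."""
from datetime import datetime

# Constructed flows: (flow end time, src, dst, dst port, bytes). Values are made up.
FLOWS = [
    ("2011-03-14T02:10:00", "10.1.1.20", "10.1.2.5", 873, 850_000_000),   # nightly rsync backup
    ("2011-03-14T09:15:00", "10.1.1.31", "10.1.2.5", 445, 12_000_000),    # file share, office hours
    ("2011-03-14T13:40:00", "10.1.1.31", "10.1.2.9", 1521, 4_000_000),    # database query traffic
    ("2011-03-14T14:05:00", "10.1.1.44", "10.1.2.7", 3389, 300_000_000),  # unusually large RDP session
    ("2011-03-14T14:20:00", "10.1.1.20", "10.1.2.5", 873, 700_000_000),   # backup re-run at 14:20
]

# Assumed watch definitions keyed by destination port (a simplification of
# application recognition): expected hours [start, end) and a per-flow byte ceiling.
WATCHES = {
    873:  {"app": "backup (rsync)",   "hours": (0, 6),  "max_bytes": 1_000_000_000},
    445:  {"app": "file share (SMB)", "hours": (7, 19), "max_bytes": 200_000_000},
    1521: {"app": "database",         "hours": (8, 18), "max_bytes": 50_000_000},
    3389: {"app": "remote desktop",   "hours": (8, 18), "max_bytes": 50_000_000},
}

def behavior_watch(flows, watches):
    """Apply the saved-report filter and return one finding per violated rule.

    Each finding is (application, src, dst, reason). Flows on ports without a
    watch pass silently; the watch only speaks for the applications it was
    written for, which is the point of a custom report over a canned alarm."""
    findings = []
    for ts, src, dst, port, nbytes in flows:
        watch = watches.get(port)
        if watch is None:
            continue
        start, end = watch["hours"]
        hour = datetime.fromisoformat(ts).hour
        if not start <= hour < end:
            findings.append((watch["app"], src, dst,
                             f"seen at {hour:02d}:00, expected between {start:02d}:00 and {end:02d}:00"))
        if nbytes > watch["max_bytes"]:
            findings.append((watch["app"], src, dst,
                             f"{nbytes:,} bytes exceeds ceiling of {watch['max_bytes']:,}"))
    return findings

if __name__ == "__main__":
    for app, src, dst, reason in behavior_watch(FLOWS, WATCHES):
        print(f"{app}: {src} -> {dst}: {reason}")
```

Run against the constructed flows, the watch flags the oversized remote desktop session and the backup that ran in the middle of the afternoon, while the nightly backup and normal office-hours traffic pass.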
Although our NetFlow tool constantly scans the flows for anomalous activity and alarms on it, most IT professionals using our tools are so busy that they often only have time to respond to something very obvious in the dashboard, or they generally react to telephone calls. Few people watch the alarm log or respond to every alert, because any given alert may turn out to be insignificant; more often they turn to the alarm log after they have already found a problem.
Founder and CEO