
Adding Context to Detection with Netflow


Today’s cyber threats are becoming more and more sophisticated. The M-Trends 2016 Cyber Security report highlights two new trends from the past year. First, more system breaches were made public in the news media. Second, the attackers came from a wider range of locations and their goals were more varied. These attackers disrupted business, stole personal information, and invaded routing and switching infrastructure. The report states, “Disruptive attacks are likely to become an increasing trend given the high impact and low cost…in that they can cause a significant and disproportionate amount of damage without requiring attackers to possess large amounts of resources or technical sophistication.” How do we stay vigilant against these unpredictable and ever-changing tactics? The answer is adding context to detection with the flow data you are already collecting.

Adding Context to Detection with Application-Aware Netflow


Advanced Reporting

Advanced Reporting provides custom threat detection algorithms, behavior baselines, alerting on abnormalities, and additional reports. We provide reports for Cisco, Palo Alto, Citrix, Riverbed, and dozens of other vendors. Plixer engineering is constantly working to build support for their unique exports into our core systems. Thorough compatibility ensures that we provide the greatest context around every incident.

Contextual network behavior analysis integrates with your existing network authentication system. You can narrow in on suspicious behaviors in seconds using Microsoft Active Directory, Cisco ISE, and most other authentication services. Reports cover all the information available on the end system, including details by username, IP address, and MAC address.

Advanced Reporting allows Scrutinizer to bring greater value to the existing NMS or SIEM (e.g. Splunk). Not only does it fill the gaps, but it can collect much higher volumes of data, correlate it, and display the information in a graphical way that provides deeper insight into the root cause of an application issue or infection that is moving around the network.


FlowPro Defender

Does your device lack the capability to export application-layer information in its flow data? Gain greater visibility into your network by adding context to detection with our FlowPro Defender. Installing FlowPro Defender where it can observe all of your network's DNS traffic provides details about what is entering and leaving your network over DNS. Malware operators (and some legitimate companies) abuse DNS to bypass your firewall, using your DNS servers (internal or external) to communicate directly with assets inside your network. FlowPro Defender quickly identifies and alerts on assets compromised by malware that uses this and other forms of DNS abuse for data theft, through a combination of deep packet inspection and behavioral analytics.

FlowPro Defender compares all DNS lookups against a dynamic list of domains that is updated every hour. When a match occurs, the system issues an event to the SIEM (e.g. Splunk) or your flow collector, creating an alarm that can lead to a notification. When combined with Scrutinizer, the information is correlated with other suspicious activity, which can generate a second, escalated alert. These steps dramatically reduce the chance of a false positive by confirming that the malware is active on your network. Finally, FlowPro Defender identifies new zero-day threats that use a domain generation algorithm (DGA) and finds misconfigured internal devices by tracking failed DNS lookups.
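As an added illustration (not Plixer's code), here is a small Python sketch of the escalation logic the paragraph describes: a blocklist match alone raises one event, a second independent signal from the same host (DGA-looking names or repeated failed lookups) escalates it, and a host with only failed lookups is flagged as likely misconfigured. The DNS records, the blocklist and the entropy threshold are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS records (client, queried name, response code).
# Made-up data standing in for what a sensor on the resolver path sees.
DNS_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "bad-domain.example", "NOERROR"),
    ("10.0.0.9", "bad-domain.example", "NOERROR"),
    ("10.0.0.9", "qzk7v2xj9bh3t.example", "NXDOMAIN"),
    ("10.0.0.9", "m4lwpt8c2rxn6.example", "NXDOMAIN"),
    ("10.0.0.9", "h9dq3zvk5wj2b.example", "NXDOMAIN"),
] + [("10.0.0.7", "printer.corp.local", "NXDOMAIN")] * 6

# Hypothetical blocklist standing in for the hourly-updated domain feed.
BLOCKLIST = {"bad-domain.example"}

def shannon_entropy(s):
    """Bits per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dga(name, min_len=10, min_entropy=3.3):
    """Heuristic only: a long, high-entropy first label with digits mixed in."""
    label = name.split(".")[0]
    has_digit = any(ch.isdigit() for ch in label)
    return len(label) >= min_len and has_digit and shannon_entropy(label) >= min_entropy

def analyze(log, blocklist, nxdomain_limit=5):
    """Return {client: verdict}. 'escalated' requires a blocklist hit plus a
    second, independent signal (DGA-style names or many failed lookups)."""
    hits, dga, failed = defaultdict(int), defaultdict(int), defaultdict(int)
    for client, name, rcode in log:
        hits[client] += name in blocklist
        dga[client] += looks_like_dga(name)
        failed[client] += rcode == "NXDOMAIN"
    verdicts = {}
    for client in {c for c, _, _ in log}:
        second_signal = dga[client] > 0 or failed[client] >= nxdomain_limit
        if hits[client] and second_signal:
            verdicts[client] = "escalated"
        elif hits[client] or dga[client]:
            verdicts[client] = "suspicious"
        elif failed[client] >= nxdomain_limit:
            verdicts[client] = "misconfigured"
        else:
            verdicts[client] = "clean"
    return verdicts

if __name__ == "__main__":
    for client, verdict in sorted(analyze(DNS_LOG, BLOCKLIST).items()):
        print(client, verdict)
```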

How Plixer Can Help

Do you want more visibility into your NetFlow data? Contact us today for more information on using Advanced Reporting features of Scrutinizer or the FlowPro Defender to add context to detection with your NetFlow.