Author: James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support! Let me know if you have any questions, I would be happy to help. - Jimmy D

Security Operations

More on Endpoint Visibility: Mobile Security and Your Network Security Strategy

05.16.18 - James Dougherty

Why should your endpoints be an important part of your network security strategy? Because even though they are out in the wild, endpoints are part of your network! We really should stop viewing endpoint devices as being separate from the rest of the network. The truth is, once an endpoint device connects to your network, it is part of your LAN/WAN and is a security concern. This means that each device with a remote connection creates a potential entry point for security threats.

One of the obstacles that security teams face with locking down endpoints, like those pesky BYOD devices, is that they mostly rely on solutions that require something to be installed on their device. Making sure that the monitor is updated, running properly, and hasn’t been compromised can be difficult to manage. Not to say that there aren’t applications out there that can help overcome this obstacle, but the obstacle is real nonetheless. Still, monitoring via an endpoint client doesn’t address the issue of monitoring the traffic for specious activates.

Visibility is the key, but how?

Today’s networks are getting far more complex and the lines between the traditional network and the cloud network are blurry. In most cases, with technology like BYOD, wireless connections, VPNs, and cloud-based services, there’s not a lone point of entry and exit anymore. Because of that, we just can’t lock things on the firewall and walk away. You need to be able to see and monitor those devices traffic for suspicious activity.

So how can admins obtain this visibility and in a way that is easily managed? This is where traffic metadata comes into play. Many of today’s vendors support flow technology that records conversation data. Examples of this are NetFlow, IPFIX, AppFlow, etc. With this flow data, we have a record of each and every conversation. We know who was talking to whom, when they were saying it, and what they were saying. Best of all, this data comes from your routers, firewalls, access points, switches, load balancers, and more. With this model you have core devices reporting on traffic from all your endpoints. You now have visibility with less responsibility!

Security! Security! Security!

I know what you’re saying: “Jimmy D, you’re trying to pull a fast one aren’t you?” I can understand. From the top view it looks like you are trading a management nightmare for a data nightmare, but that’s not the case. Typically the metadata collector is designed to store and report on this vast amount of data. Scrutinizer, for example, can handle millions of flows per second and still report almost instantly. So the real question is, how does this help with security?

The point of endpoint security it to protect networks that are remotely bridged to client devices. You can gain visibility into this traffic by using flow metadata. Flow metadata, like NetFlow, has evolved considerably in the past years. It provides contextual information that can be used by systems to detect abnormalities in that network’s traffic. In Scrutinizer, we have the Flow Analytics engine that takes this flow data and looks for Indicators of Compromise (IOCs). It also monitors the IOCs for multiple incidents per host. In most cases, the generated alert is escalated for investigation.

Again, even though these endpoints are remote devices, they are still part of your network. With flow technology and the right collector, you can now see those conversations. Most importantly, you can monitor them for suspicious activities.

The right tool for the right job.

For example, maybe a tablet or a phone connected via VPN and was infected by an app. Mobile Malware Infections like these are not all that uncommon. Client-side security on the endpoint may or may not catch the issue at this level. Let’s say the infection becomes active and starts to do network recon. At this point Scrutinizer would be able to see the suspicious traffic patterns like ICMP Scans, SYN scans, RST/ACK attacks, and more. Once that alert is raised you can then use Scrutinizer as your main forensics tool for investigating the incident. You can quickly find out who the infected person was, who they were talking to, and how they were doing it.

Now we’ve found the violating endpoint, but how can this help secure the entire network? Because we collect all the conversations on the network, we can easily search for anyone else on the network who was communicating in a similar manner. This is powerful!

Best of all, you are not limited to what is happening now. Scrutinizer will save all of this data for as long as you need it. So when an issue does comes to light you still have the historical data to easily search through. You of course have more options like building your own monitors, multiple levels of alerting, or integration into your SIEM or security suite, but in the end having a strong foundation of granular data is what turns your security incident from something that is on the six o’clock news to a non-issue.

Is one of your requirements is improving your security posture and gaining deeper visibility but you don’t know where to start? Why not evaluate Scrutinizer?

Compliance

Data Retention: Leveraging NetFlow/IPFIX to Meet Your Compliance Needs

03.14.18 - James Dougherty

In my spare time, limited as it might be, I have been taking a deep dive class on anonymous browsing. Specifically, it goes into great detail on ways to hide under the radar and on many of the legal aspects of both sides. So far the class has been right up my alley!

Network Operations

Net Neutrality: How Service Providers’ Peering Changes Could Impact Your Business

01.03.18 - James Dougherty

Net neutrality has been a big player in the business and technology news for the past few weeks. It’s clearly a controversial subject. From the sidelines, the biggest question seems to be, “How will service providers’ peering changes impact my business?”

Wireless NetFlow

Wireless Network Visibility Using NetFlow

11.01.17 - James Dougherty

This month I was working with a customer who was having a hard time understanding what AP MAC was being reported by Scrutinizer when using a Cisco Wireless LAN Controller. Honestly, I didn’t know everything that I needed to know about the subject so I decided to dig deeper and learn how our customers were using Cisco’s WLCs on their networks.
Read more

Compliance

High Availability NetFlow Collection

08.30.17 - James Dougherty

Sometimes, opportunity comes from necessity. In the past week I was working on a larger deployment that had multiple compliance concerns. One of the specific rules required that we provide a fault tolerant solution. As you might have guessed, this required me to document how Scrutinizer leverages our Flow Replicator to provide the required fault tolerance. So when it came time to write my blog, it seemed logical to take the information that I gathered and share it with our blog community!

What is Fault Tolerance?

The first question that came up was, “What is fault tolerance?” A quick search on the inter-web gives us a WIKI definition: “Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of (or one or more faults within) some of its components.” I don’t know about you, but that’s a bit clinical. When I think about fault tolerance, I tend to think about the word “confidence.”

It’s all about the confidence you need when it’s 2 AM in the morning and you just received an alert of a major network attack. Plus, at the same time you also find out that one of your flow collectors went down for whatever reason. In these situations, I tend to ask myself things like, “Do I have confidence in my granular data?” and “Do I have confidence in my solution?”

With Scrutinizer, fault tolerance is handled in two ways. First, in a simple deployment, you can have a primary and secondary collector. This allows you to have two data sets stored in parallel. If one of the data sets goes down, the other can be used for reporting.

The second aspect of this deployment is the Flow Replicator. The Flow Replicator allows you to forward the UDP stream from multiple sources to one collector. Multiple Replicators can be used to provide fault tolerance.

How does this work in the real world?

As a flow monitoring tool, Scrutinizer provides traffic analysis and reporting, which gives organizations the deepest visibility, accountability, and measurability of network utilization by user, device, and application. This visibility enables companies to easily build reports that help deal with a compliance audit. In a fault tolerance deployment, this is accomplished in two ways.

We start at the data feed. In this situation, we would use the Replicator as the one source to send all flows to. Basically, multiple UDP sources are sent to one management IP and then the Replicator sends all that flow data to Scrutinizer. In the Replicator, you can set roles. In this case, you have a primary role and secondary collector role. The primary and secondary collectors will be collecting the same data in parallel. The primary device will be the reporter until the need arises for the secondary to be called upon.

The next questions is how do you provide fault tolerance for the data feed? How does fault tolerance work with the Replicator? Simple: a secondary Flow Replicator can be set up to provide a fault tolerant environment in case the primary Flow Replicator goes offline.

“The secondary Flow Replicator (SFR) actively monitors the state of the primary Flow Replicator (PFR) and frequently synchronizes its database with the settings from the primary. When a Flow Replicator is in secondary mode, it will no longer maintain its current configuration and any current configuration is lost. At any time, the SFR will not allow any configuration changes. With the exception of the role and show commands, all profile and global configuration must be changed on the PFR.”

Our fault-tolerant environment will function with either a virtual or hardware appliance. Our online Replicator manual digs a little deeper on the two methods available for Fault Tolerance Environments, but if you have any questions let me know.

Do your requirements demand better visibility into your network traffic along with the ability to provide a high availability solution, but you don’t know where to start? Why not evaluate our Replicator on your network?

Network Operations

NetFlow vs Packet Capture: Have Both

06.14.17 - James Dougherty

In the past, network admins used packet capture technology to dig down into what was happening on their network. For troubleshooting general networking issues, this was good. But networks grew, issues became global, and security became a main player in an admin’s day. Sadly, this growth presented some problems with using packet capture technology.

With a packet capture, you are grabbing the whole enchilada, payload and all. Sometimes this is needed, but much of the time it’s not. Basically, shifting through all that data for evidence of an intrusion is like finding a needle in a haystack. Data of this size also presents an issue with filtering/reporting and in reality, a full packet capture might not be worth the investment.

Holy payload, Batman!

Every superhero has a sidekick, right? Well, NetFlow is the Robin to the packet capture Batman. I know, silly analogy, but stay with me for a minute—it gets better. As I mentioned before, one of the biggest issues with using a packet capture is the sheer load of the data. With this load comes added cost. Not just added storage costs, but the cost involved with making sure that you have the right hardware and software to manage and report on the data.

Also, packet capture probes have to be deployed in targeted locations to gain the needed visibility. This process can also be cumbersome and costly. The maintenance demands of probes alone limit the deployments on a large scale. So in practice, it is usually impossible to gain enterprise-wide visibility using packet analyzers by themselves. We need packet capture, but it needs something to complement it. Our Batman needs a Robin.

At this point you might be thinking that I am anti-packet capture. You’re saying things like, “Jimmy D, he’s all NetFlow,” and “He’s the NetFlow Detective, so no pcap for him.” That is far from the truth. In reality, packet capture technology is still the go-to tool in some situations. Specifically, NetFlow lacks the ability to provide the actual data transferred in the suspect conversation. It’s this payload visibility that is vital in on-the-fly forensics investigations.

In the event of a data breach, for example, you need to be able to quickly understand what happened, how it happened, and what systems or data sources were compromised. Packet capture provides a complete and accurate historical record of network traffic, so you can reconstruct events and drill down to the actual network packets to pinpoint exactly what took place.

So riddle me this Batman, how does NetFlow help?

As the Robin to the packet capture Batman, NetFlow provides you with the “who,” “what,” and “when” of network transactions, but because of its light metadata, it lacks the weight of a packet capture.

NetFlow is UDP technology that gives metadata visibility on things like the senders/receivers IP address, the ports they communicated on, the time it happened, the date that conversation occurred, the length of the conversation, and the amount of data that was transferred. I am oversimplifying the metadata that can be reported on, but you get the idea. NetFlow provides lots of detail without the overhead. Matter of fact, with some of the latest versions of NetFlow, like Flexible NetFlow, you are able to see much more than basic IP accounting.

This metadata creates a lightweight view of all of your network’s traffic. It’s the sidekick we were looking for. It’s our Robin! Network forensics and security monitoring tools, like Scrutinizer, can also use this data to monitor and alert for traffic abnormalities along with other IOCs. Since the flow is so light, you can store it for as long as you want, making digging into your conversations easier. Let’s not forget that NetFlow, or any of the other variants, is built into your device. Your routers, firewalls, and other supported devices now become your probes.

So how do they work together?

NetFlow monitors your entire network’s traffic and it does it with limited overhead. Flow collection delivers the most important details offered by SNMP while providing over 90% of the visibility most IT professionals used to turn to packet analysis for. Because of this, security teams can leverage flows to monitor for abnormal behavior and trigger for suspicious events that are a sign of unwanted infiltrations. Sometimes you need more granular insight to the “what” in a conversation. This is where packet capture shines, because it retains the packet payload in its entirety.

Integrating packet capture technology, like the Endace Packet Capture Solution, into your NetFlow tool allows you to combine the benefits of NetFlow monitoring with the deep-dive appeal of a packet capture. It lessens the load that a packet capture requires while still providing the raw data when you need it.

In the end, that’s what it’s all about—lessening time to resolution when an incident occurs on your network. Combing the two technologies can lessen investigation time from hours or days to just minutes. To make a long story short, it’s like having your own dynamic duo in your toolbox. If you would like to see how Scrutinizer can be used to monitor for abnormal behavior on your network or how to leverage packet capture tools with NetFlow, download a free trial of Scrutinizer.

Security Operations

DDoS Attacks are the Modern Day Fire Alarm Prank

04.05.17 - James Dougherty

I love working with schools. I love seeing young students exploring technology that I could only dream about when I was younger. (In some ways, I guess that is why I live by a major university here in North Carolina.) So when I am scheduled to meet with a school, I know that it is going to be an exciting call. Yesterday was no exception.

Network Operations

Scrutinizer API: Communicating with other applications

01.25.17 - James Dougherty

I was working with an evaluator the other day who needed an example of how to use the Scrutinizer API to generate data and export it to a CSV file. Honestly, I knew how the API functioned, but didn’t have much experience using it. With that in mind and being the daredevil that I am, I figured this evaluator’s request would be the perfect opportunity to roll up my sleeves and get my hands dirty.

Security Operations

Dark DDoS: Masked Data Exfiltration

11.23.16 - James Dougherty

I was attending the 12th annual NC InfoSeCon conference back in October and in one of the presentations, the speaker mentioned Dark DDoS attacks. I found this part of the talk unbelievably interesting. Combine that with the recent fuel shortage here in NC and my mind started wandering with concerns over global digital terrorism and its part in the upcoming zombie apocalypse! Ok, maybe not to that degree, but I did decide to dig deeper into the methodologies behind these types of attacks.

Network Operations

Amazon: AWS Log Reporting

10.12.16 - James Dougherty

I was having a conversation with a customer the other day about Amazon AWS monitoring. He had some interesting insight on his company’s overall migration to Amazon Web Service (AWS). He started with, “Here’s the core of it, cloud based deployment isn’t going away for us. Though there are no directives, by this time next year I’m expecting all but two of our public-facing applications to be sitting outside of our buildings.” He even went on to say, “There’s a very real possibility that within 2-3 years we decommission half of our computer rooms”. Needless to say, any application that they use for network visibility and incident response needs to support Amazon AWS monitoring. I loved his input and because of it I decided to dig deeper. Read more