Many companies are primarily concerned with Internet security threats.  I feel that majority of security threats are derived internally. According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.

What I want to point out today is that we should not only be concerned about internal threats but, we should go about dealing with them a bit differently than external threats.

Monitoring for the Scan
Monitoring for SYN, XMAS, RST/ACK, FIN, etc. scans on the internet will initially result in amazement.  The volume of these types of attacks on your internet connection are constant (i.e. hourly) and generally more of a nuisance than a real security threat.  Why would I reduce these Internet scans to merely calling them ‘annoying’?  Because trying to stop the constant barrage of these types of connections is impossible.  Chasing them down and stopping them is often impossible and for every one you stop, 6-10 more stack up.  Most companies deal with these scans simply by blocking them.

Monitoring for the above scans should most certainly be done internally.  Detecting a SYN scan internally for example, can often lead to a source that is infected with some nasty that was brought into the network either by a software download or via prior non internal use of the machine.  Perhaps the laptop went home, got infected and then came into the office (see internet threat video).  It happens all the time.

Compromised Internet Hosts
Other security practices involve monitoring who internal hosts are communicating with on the internet.  If they are exchanging traffic with a host listed on a “known bad guy list”, an event can be triggered to take action (e.g. block the conversation).  Because “the list” involves the Internet, checking for this type of traffic need only be done on Internet routers and not every NetFlow exporting or sFlow exporting piece of equipment.

What about False Positive Alarms
Due to the nature some business applications, false alarms will occur with all solutions however, a well designed security system will allow select routers, switches and end systems to be excluded from individual anomaly detection algorithms. A period of helping the system learn the different behaviors on the network allows the intelligence of the system to better recognize and alarm on unwanted traffic patterns.

Select routers and switches for each algorithm:


Exclude specific hosts from selected algorithms:


A partial list of the different traffic anomalies detected by Flow Analytics can be found in the manual on page 14.  In part 2 of this blog I will discuss conversations and flow behavior as well as alarming for specific behavior patterns.

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply