
Detecting Worms and Malware with NetFlow: Network Threat Detection

Since 2005, Plixer and Cisco have been touting NetFlow (not Net Flow) as an IT Security and threat detection solution. Cisco calls NetFlow the “primary network anomaly-detection technology” (p. 4) and says that “NetFlow allows the user to identify anomalies by producing detailed accounting of traffic flows”. We are not the only ones with this belief. On their community site, Symantec refers to NetFlow as a “valuable enhancement” to IDS (intrusion detection) and IPS (intrusion prevention).

For years, Scrutinizer’s Flow Analytics has been painstakingly saving every flow for Network Behavior Analysis to catch APTs (Advanced Persistent Threats), policy violations, p2p (BitTorrent), BotNets, DoS attacks and many other types of threats that run-of-the-mill signature-based protection systems are built to detect. We take threat detection a step further with IP Host Reputation lookups on all addresses.

Flow Expert Tab : Business Aware, Network Secure

In Part One, I demonstrated how Flow Analytics alarms on network vulnerability exploits or unwanted bandwidth utilization. Today I want to point out that you can also save any of the algorithms to a dashboard, providing one-click access to a Bulletin Board of host violations, time-stamped with a description.

The drop-down here illustrates why Structured Relational Data is so important:

  • Default Flow Report: unless changed, this is the Conversation WKP (Well Known Port) Report for the last five minutes
  • Flow View: breaks down the flows saved for that conversation, with the option to run a Flow Hopper report on any particular Flow
  • Exclude Exporter/Violator: prevent further alarms on the Device (Router, Switch, Firewall) or the Host (workstation)
  • ‘xxxx’ : What is This? : external link to the Scrutinizer Manual for Alarms
  • HTTP, Telnet, FTP, SSH: various utilities used to connect to the Source IP
  • Search: brings up a report with all conversations the violating IP Address is involved in (Source or Destination)
  • Alarms: view & configure the active alarms in Scrutinizer
  • WMIUsers: view all users connected to the Violator (if WMI is accessible)

Flow Analytics : Bulletin Board Alarms
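To show what a flow-based behavior alarm and the Search option look like underneath, here is an added example that is not Scrutinizer code or any Plixer algorithm. It runs one simple Network Behavior Analysis check over constructed flow records: a host that contacts many distinct destinations on one port within a minute, with tiny flows, gets a time-stamped bulletin-board entry, and a search function returns every conversation the flagged address took part in as source or destination. The record layout, thresholds and sample addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, laid out like a flattened NetFlow export:
# (start time, source IP, destination IP, destination port, protocol, bytes).
# These are made-up values for the example, not traffic from any real collector.
SAMPLE_FLOWS = [
    ("2013-03-12 10:00:01", "10.1.1.20", "10.1.1.5", 80, "tcp", 12000),
    ("2013-03-12 10:00:02", "10.1.1.20", "10.1.1.6", 443, "tcp", 5000),
    ("2013-03-12 10:00:03", "10.1.1.30", "10.1.1.5", 80, "tcp", 700),
    ("2013-03-12 10:01:00", "10.1.1.5", "10.1.1.77", 22, "tcp", 300),
]
# One host touching 40 distinct peers on the same port inside a minute, each
# flow only a few dozen bytes, is the fan-out pattern a scanning worm produces.
SAMPLE_FLOWS += [
    ("2013-03-12 10:00:%02d" % (5 + i), "10.1.1.77", "10.1.2.%d" % i, 445, "tcp", 60)
    for i in range(1, 41)
]


def parse_flow(record):
    """Turn one raw record tuple into a dict with a real timestamp."""
    ts, src, dst, dport, proto, nbytes = record
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src, "dst": dst, "dport": int(dport),
        "proto": proto, "bytes": int(nbytes),
    }


def find_fanout_violators(records, window=timedelta(minutes=1),
                          min_peers=20, max_avg_bytes=200):
    """Return time-stamped alarms for hosts whose flows show worm-like fan-out:
    at least `min_peers` distinct destinations on one port within `window`,
    with a small average flow size (scans carry little payload).
    Thresholds are assumptions for the example, not vendor defaults."""
    flows = sorted((parse_flow(r) for r in records), key=lambda f: f["time"])
    # Group by (source, destination port) so a window can slide per key.
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dport"])].append(f)
    alarms = []
    for (src, dport), fl in by_key.items():
        start = 0
        for end in range(len(fl)):
            # Drop flows that fell out of the time window.
            while fl[end]["time"] - fl[start]["time"] > window:
                start += 1
            current = fl[start:end + 1]
            peers = {f["dst"] for f in current}
            avg = sum(f["bytes"] for f in current) / len(current)
            if len(peers) >= min_peers and avg <= max_avg_bytes:
                alarms.append({
                    "time": fl[end]["time"].strftime("%Y-%m-%d %H:%M:%S"),
                    "host": src,
                    "description": "%s contacted %d hosts on %s/%d within %ds "
                                   "(avg %d bytes/flow): possible worm scan"
                                   % (src, len(peers), fl[end]["proto"], dport,
                                      window.seconds, avg),
                })
                break  # one entry per host/port, like a bulletin-board line
    return alarms


def search_conversations(records, ip):
    """All conversations the given IP is involved in, as source or destination
    (what the Search drop-down option above produces)."""
    return [f for f in (parse_flow(r) for r in records) if ip in (f["src"], f["dst"])]


if __name__ == "__main__":
    for alarm in find_fanout_violators(SAMPLE_FLOWS):
        print(alarm["time"], alarm["host"], alarm["description"])
        peers = search_conversations(SAMPLE_FLOWS, alarm["host"])
        print("  %d conversations involve %s" % (len(peers), alarm["host"]))
```

The fan-out check fires once for 10.1.1.77 on tcp/445 (at the 20th distinct peer) and for nobody else, and the search returns the 40 outbound scan flows plus the one inbound SSH conversation, which is the pivot an analyst wants right after the alarm: who else has this host been talking to.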

Structured Relational Data at its best. Scrutinizer: Business Aware, Network Secure. Our NetFlow collector is a proven solution for reducing your Mean Time to Know and Mean Time to Resolution (MTTK & MTTR). If you’re still not convinced of Scrutinizer’s ‘Best Of’ title, check out any ONE Case Study.

If you need EVEN MORE proof, give us a call at 207-324-8805. I’d be happy to schedule a live demonstration for you – reach me at x240.