
Incident Response System Guidelines

Working in support, I am often asked by customers how to start using NetFlow and IPFIX in their network monitoring tool to take a more proactive approach to detecting threats. This is why I have decided to go over a few incident response system guidelines that will save you time and money when your network is hit by the next string of malware or advanced persistent threat (APT). Jalisa pointed out yesterday that the average security breach cost can be up to $3.5 million. Let’s go over a few ways to utilize NetFlow and IPFIX to lessen the impact.

NetFlow and IPFIX Network Behavior Analysis:

If you are currently using NetFlow and IPFIX, is the only time you turn to that flow data after a phone call from your network team about abnormal behavior? Would you consider it a benefit to know that there is a possible infection a few hours or even days before that phone call? Of course you would! When evaluating different incident response systems, take a look at the policies that are included out of the box. It should be as simple as applying the traffic from the devices you want to monitor. You can then let the algorithms run in the background, searching for possible threats. This will save you hours to days of digging through NetFlow data looking for abnormal behavior. Once these policies have detected a potential threat, the system should display the alarms and tell you where to start digging.

Threat Policies

Custom NetFlow Correlation and Thresholds:

Another way to utilize NetFlow and IPFIX is with custom data correlation and thresholds. Now that you have taken the time to apply your devices to the ‘Out-of-the-Box’ threat policies, you can turn your attention to your own unique traffic, and set some custom reports with thresholds you want to be alerted on. For example, I want to know when a single conversation on a specific link exceeds 80 percent of the total traffic. The graph below shows the filter I want to add to this report.

You may notice the IP in the filters column on the left has a red box next to it. This is because I know that IP generates a lot of traffic during the day and I don’t want it to trigger my threshold. The threshold is set to give me an alert when any single row exceeds 80 percent of the total traffic. This will now show on the policy map that we took a look at earlier.
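The same check expressed as code, as an added example that is not part of the original post or any vendor's product: per-conversation byte shares are computed from NetFlow-style records on one link, a known-busy host (the red-boxed IP above) is excluded from triggering, and an alert fires only when some other conversation exceeds 80 percent of the link total. All IPs, byte counts and the exclusion list are constructed sample data.

```python
"""Single-conversation share threshold over NetFlow-style records."""
from collections import defaultdict

# Constructed sample records for one monitored link: (src IP, dst IP, bytes).
# Day-to-day traffic: the known-busy host 10.0.0.5 dominates, which is expected.
NORMAL_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 500_000),
    ("10.0.0.20", "10.0.0.5", 350_000),
    ("10.0.0.7", "192.0.2.10", 90_000),
    ("192.0.2.10", "10.0.0.7", 60_000),
]
# A host that normally stays quiet suddenly owns most of the link.
SUSPECT_FLOWS = [
    ("10.0.0.9", "198.51.100.4", 820_000),
    ("198.51.100.4", "10.0.0.9", 30_000),
    ("10.0.0.5", "10.0.0.20", 100_000),
    ("10.0.0.7", "192.0.2.10", 50_000),
]

# Hosts that are busy by design (the red-boxed filter entry). Their bytes still
# count toward the link total, but their conversations never raise an alert.
EXCLUDED_HOSTS = {"10.0.0.5"}


def conversation_shares(flows):
    """Return {(host_a, host_b): fraction_of_link_bytes}.

    Both directions of a conversation are folded into one key by sorting
    the endpoint pair, so A->B and B->A are counted together.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[tuple(sorted((src, dst)))] += nbytes
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {}
    return {pair: count / grand_total for pair, count in totals.items()}


def conversation_alerts(flows, threshold=0.80, excluded=EXCLUDED_HOSTS):
    """Conversations above the threshold share, ignoring excluded hosts."""
    return sorted(
        (pair, round(share, 3))
        for pair, share in conversation_shares(flows).items()
        if share > threshold and not (set(pair) & excluded)
    )


if __name__ == "__main__":
    print("normal  :", conversation_alerts(NORMAL_FLOWS))   # []
    print("suspect :", conversation_alerts(SUSPECT_FLOWS))  # one alert
```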

Custom Threshold

Network Mapping Tool:

Even if you have members of your networking team who are not involved with flow data, they should still have a way to see and monitor the traffic in your network. This is where custom mapping and visualization of the traffic comes into play. The ability to create a visual representation of the traffic patterns makes an easy and effective way of using the custom thresholds and saved reports from before. We have a map set up to show our network traffic. We have thresholds set on all the links between devices to change the color of the linking line from green to yellow to orange and finally red as the total traffic increases. You could put this map up on a screen in the office; even at a glance you can see any possible issues.

Custom Flow Map

There are many more features that you will be looking for when in the market for a new incident response system, but this should be a good start to getting you on the right path to taking a proactive approach to network security. Early detection will save time and money when the next infection hits your network. Will you be ready?