Managed Security Service Providers need solutions that deliver unique features that aren’t always a top priority to enterprise consumers. According to Gartner, “MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring frequent interaction with the MSSP for analyst expertise and advice, portal-based correlation and workflow support, and flexible reporting options.”
One unique feature of almost all modern networks that’s incredibly powerful yet often overlooked by both the MSSP and the enterprise is NetFlow and IPFIX collection. In this post, I’ll outline the top 10 key values provided to a NetFlow-enabled MSSP…
- Advanced threat detection: NetFlow and flow analysis techniques provide a perspective on network traffic that can’t be found in traditional signature-based technologies such as UTMs, IPSs, and next-gen firewalls. For example, watching host traffic for odd communication ratios, such as flow volume relative to byte and packet counts, can often lead to accurate detection of DDoS attacks. By comparing IP addresses against host reputation databases, botnet members can be detected, which could be part of a larger Advanced Persistent Threat (APT) underway against the customer’s environment. Security-based flow analysis is a major differentiator for the MSSP that makes use of it. Here’s a quick list of the top 5 reasons NetFlow is valuable for network security.
- Visibility across the customer’s entire network: You can’t manage what you can’t see. End-to-end visibility of the customer’s environment is key. Hop-by-hop, router-to-router visibility of a flow’s path through the infrastructure gives the MSSP the ability to troubleshoot issues with an IPS, firewall, or other network access control. NetFlow provides that end-to-end visibility because it’s present everywhere, from the network edge to the access layer.
- Scalable network auditing: Large customers generate hundreds of thousands of log events, each describing some unique aspect of network and server access. High-speed NetFlow collection technology such as that provided by Scrutinizer can offset the need for cumbersome syslog- and SNMP-based logging strategies. And while some SIEM and log management solutions can accept NetFlow, MSSPs are warned against selling themselves short with check-box NetFlow solutions.
- Rapid access to incident details and forensics: Fast drill-down capability to identify the host responsible for a malware incident is imperative. Where is the ingress connection of a particular host? Where did the problem begin? Again, NetFlow can be the saving grace here. 24x7x365 visibility into all network activity solves the problem of “what was going on at the time of the attack”.
- Flexible reporting: This separates the toys from the solutions. Advanced NetFlow collection technology can provide detailed reports on hosts, critical networks, incidents, and attackers. A collector that omits any element exported in NetFlow or IPFIX is a quick way to shorten the list of NetFlow collector vendors you should consider.
- Multi-tenancy: A secure login per customer, with reports catered to each customer’s network, is critical. All MSSPs know this. Again, NetFlow reporting can further augment the level of detail the MSSP can provide to its customer base, but only if the NetFlow collector supports multi-tenancy.
- Service responsiveness and uptime: What is the end-user experience of the MSSP’s cloud-based service portal? What is the round-trip time? How do connection times to a resource compare with those of other customers? NetFlow, through integration with technologies such as Cisco’s MediaNet, provides this information in addition to everything else mentioned above.
- Rapid deployment and implementation: As customers grow through acquisitions or new datacenter additions, the MSSP must be able to gain rapid visibility into the new additions. NetFlow-based monitoring requires no additional hardware; it’s already in the network. The customer simply needs to turn it on.
- Efficient firewall log collection: This bullet is something of a work in progress, but the firewall industry is slowly migrating from syslog to NetFlow and IPFIX. Here’s why.
- Ideal for a cloud-based MSSP: NetFlow and IPFIX are lightweight and can be transported anywhere: across WANs, through VPNs, even directly from the customer’s routers to the MSSP. Unlike traditional packet capture technologies that require the MSSP to log into a device located at the customer premises, flows travel unidirectionally (like syslog or SNMP traps) and can be accessed locally at the MSSP.
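The ratio-based DDoS check and the reputation-list check described in the first bullet, as an added illustration written for this post (not Scrutinizer’s own detection logic). The flow records, thresholds, and reputation entries are constructed; the check is generalized so it can aggregate by source host (one host opening many tiny flows) or by destination host (many tiny flows converging on one target).

```python
from collections import defaultdict

# Constructed NetFlow-style records: a normal HTTPS client, a flood of
# single-packet flows against one internal host, and one host talking to a
# destination on the reputation list. Addresses are documentation ranges.
FLOWS = (
    [{"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "packets": 40, "bytes": 30000}] * 3
    + [{"src": "198.51.100.9", "dst": "10.0.0.20", "dport": 80, "packets": 1, "bytes": 60}] * 200
    + [{"src": "10.0.0.8", "dst": "203.0.113.7", "dport": 6667, "packets": 12, "bytes": 900}]
)

# Constructed reputation list (placeholder entry, not a real indicator).
BAD_REPUTATION = {"203.0.113.7"}


def summarize(flows, key):
    """Aggregate flow count, packets and bytes per host, keyed by 'src' or 'dst'."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        s = stats[f[key]]
        s["flows"] += 1
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
    return stats


def detect_floods(flows, key="dst", min_flows=50, max_pkts_per_flow=2.0, max_bytes_per_pkt=80.0):
    """Flag hosts with many flows but very few packets per flow and bytes per packet.

    Legitimate sessions carry tens of packets per flow; a SYN flood or scan
    produces hundreds of flows that each carry one or two tiny packets.
    Thresholds are constructed and would be tuned per customer baseline.
    """
    findings = []
    for host, s in summarize(flows, key).items():
        ppf = s["packets"] / s["flows"]
        bpp = s["bytes"] / s["packets"] if s["packets"] else 0.0
        if s["flows"] >= min_flows and ppf <= max_pkts_per_flow and bpp <= max_bytes_per_pkt:
            findings.append({"host": host, "flows": s["flows"],
                             "pkts_per_flow": round(ppf, 2), "bytes_per_pkt": round(bpp, 1)})
    return findings


def detect_reputation_hits(flows, bad_ips):
    """Map each internal source to the reputation-listed destinations it contacted."""
    hits = {}
    for f in flows:
        if f["dst"] in bad_ips:
            hits.setdefault(f["src"], set()).add(f["dst"])
    return hits


if __name__ == "__main__":
    print(detect_floods(FLOWS, key="dst"))
    print(detect_floods(FLOWS, key="src"))
    print(detect_reputation_hits(FLOWS, BAD_REPUTATION))
```

Aggregating by destination surfaces the attacked host; aggregating by source surfaces the noisy sender, which is the view to use when the flood comes from one address rather than many.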
Whether the Managed Security Service Provider is outsourced or an in-house, service-oriented group of IT professionals, network flow collection is a valuable asset that must be considered as the network grows and deeper visibility is required. There are additional benefits that didn’t make this list. If you’re an MSSP or an MSSP’s customer and want to learn more about how NetFlow and IPFIX can improve the quality of your service offering, contact us for a more detailed discussion. We’re the leader in NetFlow collection and analysis.