Blog :: Network Operations :: Security Operations

Intrusion Detection: Event Correlation

Network Intrusion Detection, Cyber Threats, Advanced Persistent Threats (APTs), Polymorphic Malware, Event Correlation – today all of these terms are foremost on many IT Security Professionals minds. What cyber security layer can we add to our existing protection efforts that will bring us greater peace of mind?

Our company cut its teeth in network performance monitoring and threat investigation reports.  Today however, displaying the top N conversations is just the beginning of the functionality we have engineered into our network monitoring solution.

Network Situational Awareness

The worst types of malware and the most advanced threats are flying in right under the radar, but, with NetFlow we have one more piece of the puzzle to make finding that problematic host easier.  Let’s say for example that an email phishing attack penetrated the IDS, the Anti-Spam Filter, and the Anti-Virus Software, click-jacked a user and installed polymorphic malware on a trusted machine. Now that Advanced Threat takes action, moves laterally, infects others, mining as much data as possible. It’s unlikely that APT will be caught by the inline security appliances looking for failed login attempts – the host is already trusted!

The Limitation of Signature-based Intrusion Detection

IPFIX or NetFlow are great for Network Threat Detection as both allow us to monitor outbound connections which generally pass right on by even the best deep packet inspection security appliances such as an IPS or firewall. Up to date Anti-Virus solutions won’t question most connections initiated by a locally hosted APT.  Even if Security Appliances did monitor outbound connections, the most insidious advanced threats utilize SSL connections, which means “Sorry Charlie” to signature-based threat detection solutions.

Network Threat Detection
Signature-based threat detection can’t keep up!

Correlating NetFlow with Text-based Logs

Correlating logs with NetFlow to detect network threats will ideally take these aforementioned issues into consideration. What other machines did an infected host try to connect to (i.e. NetFlow)? Do these machines contain successful or unsuccessful logins at or around the exact same time (i.e. syslog)? This is one example of log correlation with NetFlow. If we mix in IP host reputation checking, we achieve another layer of network threat detection.

I’m not saying that the days of proprietary signature-based security are coming to an end. Rather, I’m promoting the use of flow data to add another layer of security. How else could our solution earn customers an average of 2500% ROI  in cost-savings?