According to a recently released report by Standard & Poor's, lenders could have their credit rating lowered if they fail to protect themselves from cyber-threats or breaches.  In their credit FAQ titled “How ready are banks for the rapidly rising threat of cyberattack?” S&P outlines their concern for better cybersecurity.  Specifically, their report states that, “[i]f we believe that a bank is ill-prepared to withstand a cyberattack, we could downgrade the bank before an actual attack.”  In this article, I’d like to outline how to protect against cyber-attacks using NetFlow and IPFIX, so you aren’t downgraded by S&P.

With the ever-increasing risk of cyber-attacks from hostile nation-states, terrorist organizations, criminal groups, activists promoting an ideology, industrial espionage, and individual hackers, it is important to have a solution in place to prevent (or at least detect) these threats.  Internal threat detection systems should make use of NetFlow and IPFIX.

How can NetFlow and IPFIX protect against cyber-attacks?

But how do NetFlow and IPFIX protect against such attacks?  Since NetFlow and IPFIX record every flow that crosses an exporting device, they provide a way to see where threats are entering your infrastructure and where problem devices are hiding.  Here are two ways NetFlow helps protect your S&P rating and adds a further layer of cyber threat defense.

  1. By using flow data and baselining the normal traffic on your network, abnormal patterns can be uncovered.  This strategy allows a security analytics system that is harvesting flows to avoid any reliance on traditional signature patterns to discover contagions.  It does this by keeping track of suspicious behaviors over time and building a threat index.  This strategy allows it to uncover infected computers riddled with APTs, worms, Trojans and other forms of malware that are often missed by signature-based systems.
  2. By providing policy-violation events for applications or hosts communicating outside of their profile, attacks can be quickly diagnosed.  Since many network administrators know the typical network profile, they can create policies that trigger events when new patterns don’t match the baseline.  For example, if the security team witnesses traffic from machines in the marketing department reaching out to the corporate POS servers, suspicions rise.  NetFlow and IPFIX can be used to trigger on these unwanted traffic events.  As a result, they provide a kind of internal IDS that can be used for detecting traffic patterns with malicious intent.
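To make the two strategies above concrete, here is an added example (written for this article, not Plixer or Scrutinizer code) that builds a per-host baseline from flow records, accumulates a simple threat index for behavior outside that baseline, and raises a policy-violation event for the marketing-to-POS case. The flow records, the `10.10.0.0/16` marketing and `10.50.0.0/24` POS subnets, and the scoring weights are all constructed assumptions for illustration; a real deployment would read decoded NetFlow/IPFIX records from a collector.

```python
"""Flow baselining, threat index and policy checks over constructed
NetFlow-style records.  Added example, not Plixer/Scrutinizer code; every
address, subnet and record below is made up for illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal subset of a NetFlow v5 / IPFIX record."""
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes: int


# Constructed "historical" flows that define what normal looks like per host.
BASELINE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", 443, "tcp", 12000),
    Flow("10.10.1.5", "10.20.0.10", 443, "tcp", 9000),
    Flow("10.10.1.5", "10.20.0.53", 53, "udp", 200),
    Flow("10.10.1.6", "10.20.0.10", 443, "tcp", 5000),
    Flow("10.10.1.6", "10.20.0.53", 53, "udp", 150),
]

# Constructed "live" flows to score against that baseline.
LIVE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", 443, "tcp", 11000),    # normal
    Flow("10.10.1.5", "10.50.0.7", 8443, "tcp", 3000),     # marketing -> POS
    Flow("10.10.1.6", "203.0.113.9", 6667, "tcp", 40000),  # new port, big volume
    Flow("10.10.1.77", "203.0.113.9", 443, "tcp", 800),    # host never seen
    Flow("10.10.1.6", "10.20.0.53", 53, "udp", 120),       # normal
]

# Hypothetical policy: marketing workstations must never talk to POS servers.
POLICY = [
    ("marketing->POS",
     ipaddress.ip_network("10.10.0.0/16"),
     ipaddress.ip_network("10.50.0.0/24")),
]


def build_baseline(flows):
    """Per source host: the (dst_port, proto) pairs it normally uses and the
    largest single flow it has produced."""
    ports = defaultdict(set)
    peak = defaultdict(int)
    for f in flows:
        ports[f.src].add((f.dst_port, f.proto))
        peak[f.src] = max(peak[f.src], f.bytes)
    return ports, peak


def score_flows(flows, baseline, volume_factor=5):
    """Strategy 1: accumulate a threat index per host from behaviors that sit
    outside its own baseline.  Weights are arbitrary assumptions."""
    ports, peak = baseline
    index = defaultdict(int)
    reasons = defaultdict(list)
    for f in flows:
        if f.src not in ports:
            index[f.src] += 3
            reasons[f.src].append("unknown host: no baseline")
            continue
        if (f.dst_port, f.proto) not in ports[f.src]:
            index[f.src] += 1
            reasons[f.src].append(f"new service {f.proto}/{f.dst_port}")
        if f.bytes > volume_factor * peak[f.src]:
            index[f.src] += 2
            reasons[f.src].append(f"volume {f.bytes}B > {volume_factor}x peak")
    return dict(index), dict(reasons)


def policy_violations(flows, policy):
    """Strategy 2: emit an event for every flow crossing a forbidden pair of
    networks, regardless of whether the host's volume looks normal."""
    hits = []
    for f in flows:
        s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        for name, src_net, dst_net in policy:
            if s in src_net and d in dst_net:
                hits.append((name, f.src, f.dst, f.dst_port))
    return hits


def hosts_over(index, threshold):
    """Hosts whose threat index meets the threshold, highest first."""
    return [h for h, v in sorted(index.items(), key=lambda kv: (-kv[1], kv[0]))
            if v >= threshold]


if __name__ == "__main__":
    idx, why = score_flows(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))
    for host in hosts_over(idx, 2):
        print(f"{host}: index={idx[host]} {why[host]}")
    for event in policy_violations(LIVE_FLOWS, POLICY):
        print("policy violation:", event)
```

Note that the POS flow from `10.10.1.5` only nudges that host's index by one point (a new service), so thresholding alone would not surface it; the policy check is what turns a quiet, low-volume connection into an event, which is why the two strategies complement each other.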

Along the same lines as policy violations, since NetFlow and IPFIX are essentially a historical log of network traffic, they provide the industry’s most extensive archiving abilities for forensic investigation and an audit trail.  As long as you store the data, you will have a historical record of what happened on your network.

Keep in mind, though, that not every NetFlow and IPFIX collector offers these capabilities.  You need to ensure that your vendor is capable of analyzing the flow data and correlating it efficiently with potential cyber-attacks.

If you have any questions about how NetFlow and IPFIX protect against cyber-attacks, reach out to our support team.  They’d be happy to go into more details.


Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.
