If this ever changin’ world
in which we live in
makes you give in and cry
say I’m only one guy

This classic scenario can be applied to SIEM, SOAR, and a whole host of network monitoring solutions. The payoff: centralize the platform and you will reduce complexity. No doubt this is true, but security alerts and events are at an all-time high; teams managing the alerts are burdened more by volume than anything else. Automation, for some of these processes, is the next big leap. But automation isn’t an option for everyone. Most organizations still rely on security teams to interact with their systems daily. In either scenario, the pivotal piece of this equation starts with the detection and initial action. This is called security orchestration.

What is security orchestration?

Almost all security monitoring tools are moving toward an orchestrated model. This means that the tools streamline complex workloads by aggregating events into a single funnel for faster analysis. In turn, this promises to reduce remediation or investigation time when security threats are identified. So by that logic, security orchestration is the methodology used when answering two questions:

  • What constitutes an event?
  • How do I interact with it as efficiently as possible?

Every network generates alerts and the key improvement to this process rests with the accuracy and legitimacy of these alerts.

Okay, so you’ve got NetFlow (that don’t impress me much)

For some reason, SecOps teams don’t get excited when NetFlow comes up in conversation—and I’ve heard this on more occasions than I can count (note: we have not checked with Shania Twain for her opinion).

I believe the lack of enthusiasm stems from a core misconception that NetFlow is a static dataset with capped value. So what makes Scrutinizer, Plixer’s network traffic analysis tool, different? How are Plixer’s other solutions, FlowPro and Replicator, tied to Plixer’s vision of security?

I’ll talk about how true or untrue (spoiler alert) that concept of a static dataset is. Then I’ll highlight three key areas where we provide distinct security orchestration advantages as a result.

Painting a Plixer

NetFlow v5: released in 2002, with 18 elements as a fixed template AKA the fixed dataset.

NetFlow v9: released in 2004, with 79 elements and customizable templates.

IPFIX: released in 2013, with 386 elements

Scrutinizer ingests all versions of NetFlow, NetFlow equivalents, IPFIX, and—most importantly—non-NetFlow metadata. Whereas IPFIX has 386 elements, metadata collection offers over 3,000 additional elements and is the real differentiator.

This metadata isn’t something that Scrutinizer creates, it’s something that it can interpret. Plixer holds the top spot for 3rd-party integration, which means the platform excels at correlating detached data points that other collection tools don’t see. Through integrations like our FlowPro probes or Gigamon’s Metadata Engine, we add elements to flow templates that enrich the data gathered. The customized information generally contains index references to the standard flow record, which allows us to align that information throughout the platform. Scrutinizer will even report on itself, which ensures flows are not being dropped.

NetFlow use cases are often relegated to monitoring for traffic degradation or application performance. This isn’t a demerit; the information is very granular, thus the time spent doing forensic and root cause analysis is much faster. But we can apply the same principles of speed and accuracy to threat hunting and early-warning alerts.

The functionality isn’t trapped within Scrutinizer, either. It’s fully capable of scripting alerting behavior via API, which allows security teams to export and implement this into an already humming workflow. This is where Scrutinizer bridges the gap between more accurate correlation of Indicators of Compromise and the scalability for networks of any size.

The devil is in the details. Plixer’s unique security orchestration story comes from the ability to correlate traditional NetFlow with diverse sets of non-NetFlow metadata. This widely adaptable solution scales to a diverse set of customer environments, and with over 50 third-party integrations, teams can expertly address a wide variety of use cases. Start your free trial today.

Stephen Tutterow author pic

Stephen Tutterow

Stephen is a Field Engineer with Plixer based in Atlanta, GA. He especially enjoys breaking down complex subject matter into simple steps and working with customers on implementation strategy and design. When he’s not on the job, Stephen spends his time listening to podcasts, making puns, and enjoying the company of friends and family.


Leave a Reply