There are many uses of NetFlow but one of the most important and often overlooked is the network security value NetFlow and IPFIX can provide. Based on feedback gathered over 10 years from hundreds of NetFlow customers, here’s the top five uses of NetFlow analysis for network security in ascending order…

#5 – Incident response and reducing MTTK

Flows provide a 24×7 account of all network activity. An unblinking eye on everything that happens within the network boundaries. They’re like a CCTV system for your enterprise. And given the light-weight nature of flow data, you can store weeks, month, even years of flows without spending $100,000+ on expensive packet libraries from companies like NetWitness and Nikson. When an incident does occur, the information needed to identify the root cause and enact an orderly clean-up is in the flows. This is called reducing the MTTK (Mean Time To Know) and is invaluable to the security pro looking to reduce the impact of a breach.

 #4 – Provide deep situational awareness

This bullet is a bit more difficult to describe given its ambiguity but the idea is that from a tactical perspective, flows provide a “what’s happening to my network right now” view that other systems struggle to provide. While traditional IDSs and other security systems only alert when something is actively detected, Scrutinizer constantly collects information providing a view into the network happenings even when bad things don’t appear to be occurring. It’s perfect for a NOC or SOC (security operations center) wall – especially given the dashboarding Scrutinizer offers.

#3 – Enable internal network visibility

The idea of monitoring the internal network, not just the perimeter, is somewhat new. With the advent of BYOD policies, MiFi devices, and the mobile worker, the internal network is not near as safe as it used to be. Many customers understand this and are looking for ways to get a better handle on traffic patterns in the network core and access layers. When we talk about “edge” and “access” and “core” in the context of network security monitoring we mean this:

The Internet and your perimeter-based firewalls, proxy servers, DLP solutions, and other technologies represent the “edge”. Core routers and switches such as Cisco’s Catalyst 6500 and Nexus 7000 populate the “core”. The “access” layer is where all the action is. This is where the BYOD movement has its greatest impact and both the most important place in the network to monitor while also representing the most difficult place to bring security analysis top bear. You’ll  find smartphones, IP phones, laptops, servers, and virtualized infrastructure at this layer.

#2 – Reduce cost of network security monitoring

Just enter a few commands on the router and you have network visibility at that location. The larger and more distributed your enterprise the more value NetFlow will provide. 500 remote sites? Don’t send out hundreds of IDSs or heavyweight packet-sniffing appliances, enable NetFlow on the routers at each remote site instead and rely on flow-based visibility.

Monitoring very high speed networks is also much less expensive. 10G IDS/IPS are *very* expensive – in the $100,000+ range. Monitoring 10G+ networks with Scrutinizer is more a function of flows per second, the network speed doesn’t matter.

NetFlow-based security monitoring can often result in a 15 to 1 cost savings ratio over traditional packet-based monitoring technologies.

#1 – Detect attacks without signatures

Without a doubt the item that drives most interest in flow-based security is the fact that flow-based analysis relies on algorithms and behavior rather than signature matching. This gives Scrutinizer Flow Analyzer an ability to detect attacks before a signature is available. You won’t hear us use “zero-hour” a lot because I feel like it’s been over-hyped by all the security vendors but that’s really what a flow-based security analysis technology provides – rapid detection of attacks that other technologies will often miss.

Given the increased threat from APTs, mobile malware, botnets, etc. security professionals are looking for new ways to detect and react. Scrutinizer’s Flow Analytics security capabilities *is* a new way to detect and react. So try it out. Download Scrutinizer here or give us a call to set up a demonstration and answer any questions you may have about the security benefits of NetFlow and IPFIX.


Adam Powers author pic

Adam Powers

Experienced technology professional specializing in information security. Skilled orator and accomplished public presenter (see webinars, blogs, etc below). Lead advocate for NetFlow and IPFIX technology adoption.


Leave a Reply