Learn why thousands of IT teams rely on Plixer’s Scrutinizer Incident Response System as a key part of their cyber defense strategy.
Network as a Sensor
Bring visibility to 100% of all traffic in every corner of the network. Nearly all existing routers, switches, firewalls, and virtual servers are capable of exporting either NetFlow or IPFIX. This translates to incredible visibility into all internal and Internet-bound communications.
Use NetFlow and IPFIX
IT teams should collect and store NetFlow and IPFIX from every point in the network infrastructure. Think of this central repository as a data warehouse for the footage collected from the security cameras or surveillance system. When called upon, details about a specific end system or application can be extracted and replayed. In a few clicks, IT members gain deep, real-time visibility into everything related to the event being investigated.
Who, What, When, and Where
Every time a network-related problem arises, from an employee using BitTorrent to dealing with a potential data theft, one of the first things sought after is additional context surrounding the event. To take a reliable course of action, IT needs insight. Flow data exported from network devices can be used to quickly drill down into the precise who, what, when, and where of the issue. Take a look at the NetFlow Configuration Guide to learn how to enable NetFlow, IPFIX, or sFlow on most major vendors offering appliances that support the export of flow data. Start using the network as a sensor by turning it into a network security surveillance system.
Threats have become varied and incredibly sophisticated. Because of this, there is a good chance that many networks are hosting a variety of infections. Unfortunately, there isn’t an all-in-one solution that detects, investigates, and mitigates every hybrid piece of malware that the security team will encounter. The incident response abilities of the security team are greatly enhanced with a long-term repository of flow data and a flexible analysis engine for diving deep into traffic patterns.
Total Visibility of the Network is Crucial
Holistic traffic visibility when performing forensic investigations ensures that uncovered threats can be traced back to the origin. It also allows security teams to regain confidence that the contagion has been eradicated and hasn’t returned. Pervasive security means that it extends to all areas of the network, from virtual machines to cloud computing.
When choosing a Network Traffic Analysis System, make sure that it:
- Has the ability to monitor the entire network, across distributed collectors, from a single interface
- Provides proactive time-lapsing behavior monitoring and threat detection algorithms that do not require configuration
- Allows for the creation of customized behavior monitors with thresholds that can trigger alerts
Enhance Signature Monitoring
Enhance the signature-monitoring practices already in place by adding baselines that capture the normal behavior of the critical applications on the network. Then set up monitors that trigger events for subtle changes in communication patterns. Individual events can trigger false positives, but when viewed collectively, unwanted behaviors can be accurately identified.
Uncover Odd Behavior
Once installed, Scrutinizer immediately goes to work with pre-configured behavior-monitoring algorithms. For example, the constantly-updated domain reputation database will assist with the positive detection of botnets. The system will also create baselines of the organization’s typical communication behaviors. Although the baselines are constantly evolving, the profiles built from the numerous flow analytics components are used to detect atypical activities.
When paired with the FlowPro Defender, additional insight is gained in areas of the network where flow data isn’t otherwise available. It also performs Deep Packet Inspection (DPI) on DNS requests to detect various methods of DNS tunneling that are used in electronic data theft.
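The DNS inspection described above looks for the traffic shape that tunneling produces: many distinct, long, high-entropy subdomains under one parent domain. The following Python is an added illustration of that kind of check and is not Plixer's or FlowPro Defender's code; the query names are constructed, and the thresholds, the label-length and entropy heuristics, and the two-label parent-domain split are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample query names (not captured traffic): ordinary lookups plus a
# burst of long, high-entropy, never-repeated subdomains under one parent domain,
# which is the shape that data smuggled out over DNS labels tends to have.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.net",
    "www.example.com",
    "a7f3k9q2z8x1c4v6b0n5m3l8.tunnel.example.org",
    "q9w8e7r6t5y4u3i2o1p0a1s2.tunnel.example.org",
    "z1x2c3v4b5n6m7a8s9d0f1g2.tunnel.example.org",
    "h3j4k5l6q7w8e9r0t1y2u3i4.tunnel.example.org",
    "o5p6a7s8d9f0g1h2j3k4l5z6.tunnel.example.org",
]

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str, parent_labels: int = 2):
    """Split a query name into (subdomain, parent). Taking the last two labels
    as the parent is a deliberate simplification (an assumption); production
    code would consult the Public Suffix List so that host.example.co.uk
    splits correctly."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[:-parent_labels]), ".".join(parts[-parent_labels:])

def score_query(name: str, max_label_len: int = 20, min_entropy: float = 3.5) -> dict:
    """Per-query indicators: longest label and entropy of the subdomain part.
    The thresholds are assumed starting points, not tuned values."""
    sub, parent = split_name(name)
    longest = max((len(p) for p in sub.split(".")), default=0)
    ent = shannon_entropy(sub.replace(".", ""))
    return {
        "name": name,
        "parent": parent,
        "longest_label": longest,
        "entropy": round(ent, 2),
        "suspicious": longest > max_label_len or ent > min_entropy,
    }

def detect_tunnel_domains(queries, min_unique: int = 4) -> dict:
    """Aggregate per parent domain. One odd-looking name is weak evidence;
    many distinct suspicious subdomains under the same parent is much
    stronger. Returns {parent: distinct_suspicious_subdomain_count} for
    parents at or above min_unique."""
    uniq = defaultdict(set)
    for q in queries:
        s = score_query(q)
        if s["suspicious"]:
            uniq[s["parent"]].add(q.lower())
    return {p: len(n) for p, n in uniq.items() if len(n) >= min_unique}

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(score_query(q))
    print("tunnel candidates:", detect_tunnel_domains(SAMPLE_QUERIES))
```

The per-query scoring alone would flag legitimate CDN or anti-spam lookups that also use long hashed labels, which is why the parent-domain aggregation matters: it is the volume of distinct, never-repeated names under one parent that separates a tunnel from a single unusual record.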
Build a Threat Index
Every algorithm that ships as part of the core system, or that is added by a security administrator, is capable of triggering an event. To reduce false positives, each event is used to build a Threat Index™. When the Threat Index for an end system or policy breaches a threshold, an alert is triggered.
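The following Python is an added example, not Plixer's code, that ties together three ideas from this page over constructed flow records: the who, what, when, and where drill-down on one end system, the baseline monitors that turn subtle changes in communication pattern into events, and the Threat Index that sums those events per host so that a single event stays below the alert threshold while corroborating events breach it. The record fields, the two monitor names and their weights, the 10x spike factor and the threshold of 7 are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class FlowRecord:
    """Subset of the fields a NetFlow v5/v9 or IPFIX record carries."""
    start: datetime
    exporter: str    # the router, switch or firewall that exported the record
    src: str
    dst: str
    dst_port: int
    proto: str
    nbytes: int

T0 = datetime(2024, 1, 1, 9, 0, 0)          # constructed reference time
BASELINE_END = T0 + timedelta(minutes=60)    # learning period: the first hour

def _rec(minutes, exporter, src, dst, port, proto, nbytes):
    return FlowRecord(T0 + timedelta(minutes=minutes), exporter, src, dst, port, proto, nbytes)

# Constructed sample flows (not captured traffic). 10.0.0.5 behaves normally in
# the first hour, then pushes large uploads to an address it never used before.
FLOWS = [
    _rec(0,  "core-rtr", "10.0.0.5", "10.0.0.20",     445, "tcp",     12_000),
    _rec(5,  "core-rtr", "10.0.0.5", "10.0.0.53",      53, "udp",        300),
    _rec(10, "edge-fw",  "10.0.0.5", "93.184.216.34", 443, "tcp",     48_000),
    _rec(12, "core-rtr", "10.0.0.9", "10.0.0.20",     445, "tcp",     11_000),
    _rec(30, "core-rtr", "10.0.0.5", "10.0.0.20",     445, "tcp",     15_000),
    _rec(40, "edge-fw",  "10.0.0.5", "93.184.216.34", 443, "tcp",     52_000),
    _rec(70, "edge-fw",  "10.0.0.5", "198.51.100.9",  443, "tcp",  9_000_000),
    _rec(72, "edge-fw",  "10.0.0.9", "93.184.216.34", 443, "tcp",     40_000),
    _rec(75, "edge-fw",  "10.0.0.5", "198.51.100.9",  443, "tcp", 12_000_000),
    _rec(80, "edge-fw",  "10.0.0.5", "198.51.100.9",   22, "tcp",  4_000_000),
]

def drill_down(flows, host, since=None, until=None):
    """Who/what/when/where for one end system: each peer it talked to, on which
    protocol/port, first and last seen, total bytes, and which exporters saw it."""
    rows = {}
    for f in flows:
        if host not in (f.src, f.dst):
            continue
        if (since and f.start < since) or (until and f.start > until):
            continue
        peer = f.dst if f.src == host else f.src
        r = rows.setdefault((peer, f.proto, f.dst_port),
                            {"bytes": 0, "flows": 0, "first": f.start, "last": f.start, "exporters": set()})
        r["bytes"] += f.nbytes
        r["flows"] += 1
        r["first"], r["last"] = min(r["first"], f.start), max(r["last"], f.start)
        r["exporters"].add(f.exporter)
    return rows

def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def baseline_events(flows, baseline_end=BASELINE_END, factor=10.0, internal="10."):
    """Two monitors of the kind the text describes; names and weights are assumptions.
      bytes_spike (5): a host's hourly egress exceeds factor x its learned hourly mean
      new_external_peer (3): a host reaches an external address unseen while learning
    Learns from flows before baseline_end, detects on flows after it, and returns
    a list of (host, event_name, weight)."""
    learn_hours, learn_peers = defaultdict(int), defaultdict(set)
    for f in flows:
        if f.start < baseline_end:
            learn_hours[(f.src, _hour(f.start))] += f.nbytes
            if not f.dst.startswith(internal):
                learn_peers[f.src].add(f.dst)
    per_host = defaultdict(list)
    for (host, _), b in learn_hours.items():
        per_host[host].append(b)
    mean = {h: sum(v) / len(v) for h, v in per_host.items()}

    events, detect_hours, flagged = [], defaultdict(int), set()
    for f in flows:
        if f.start < baseline_end:
            continue
        detect_hours[(f.src, _hour(f.start))] += f.nbytes
        if (not f.dst.startswith(internal) and f.dst not in learn_peers[f.src]
                and (f.src, f.dst) not in flagged):
            flagged.add((f.src, f.dst))
            events.append((f.src, "new_external_peer", 3))
    for (host, _), b in detect_hours.items():
        if host in mean and b > factor * mean[host]:
            events.append((host, "bytes_spike", 5))
    return events

def threat_index(events, threshold=7):
    """Sum event weights per host. With these weights no single monitor can
    breach the threshold on its own; corroborating events do."""
    scores = defaultdict(int)
    for host, _, weight in events:
        scores[host] += weight
    return dict(scores), sorted(h for h, s in scores.items() if s >= threshold)

if __name__ == "__main__":
    for key, r in drill_down(FLOWS, "10.0.0.5", since=BASELINE_END).items():
        print(key, r["bytes"], sorted(r["exporters"]))
    ev = baseline_events(FLOWS)
    print(ev)
    print(threat_index(ev))   # ({'10.0.0.5': 8, '10.0.0.9': 3}, ['10.0.0.5'])
```

In the sample, 10.0.0.9 also contacts an external address it had not used during the learning hour, so it collects a new_external_peer event; on its own that is worth 3 and raises no alert. 10.0.0.5 collects the same event plus a bytes_spike, reaches 8, and is the only host alerted, which is the false-positive reduction the Threat Index is meant to provide.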
Isolate Down to the Second
Scrutinizer can store 100% of raw flow data for decades. When it is time to investigate, IT teams can perform a quick search to isolate a specific end system in seconds, even if the malware first entered the network years prior.
When the network or security operations center calls and reports that the firewall, IDS, router, or mail server has signaled an abnormal event, how does the team investigate the end system? How quickly can they respond?
Packets vs. Flows
Unlike the verbose and spotty visibility provided by packet analyzers, flow technologies exist on every router and switch and provide visibility into almost every corner of the network. With the improved investigative insight provided by flow technologies, the demand for packet capture is shrinking. Flow data is also easier for collectors to aggregate when displaying top reports on hosts, applications, protocols, interfaces, etc. across the entire distributed enterprise.
Flow-based measurement should be used 80% of the time or more, leveraging packet data in key critical network locations. – Gartner Group
Shrink the MTTR
Long periods of slow connection times or complete outages can be devastating to a business. Shortening the mitigation time is vital. Using NetFlow and IPFIX to warehouse 100% of all network connections and then leveraging an advanced Network Traffic Analyzer like Scrutinizer dramatically shortens the Mean Time To Know (MTTK). Equipped with the granular details that NetFlow provides, security teams can also respond to threats more quickly and shorten the Mean Time To Respond (MTTR).