Archives

Category Archive for ‘Anomaly Detection’

What is NetFlow & How Can Organizations Leverage It?

NetFlow is a feature originally introduced on Cisco devices (but now generally available on many vendor devices) which provides the ability for an organization to monitor and collect IP network traffic entering or exiting an interface.
Through analysis of the data provided by NetFlow, a network administrator is able to detect things such as the source and destination of traffic, class of service, and the causes of congestion on the network.

NetFlow is designed to be utilized either from the software built into a router/switch or from external probes.

The purpose of NetFlow is to provide an organization with information about network traffic flow, both into and out of the device, by analyzing the first packet of a flow and using that packet as the standard for the rest of the flow. It has two variants which are designed to allow for more flexibility when it comes to implementing NetFlow on a network.

NetFlow was originally developed by Cisco around 1990 as a packet switching technology for Cisco routers and implemented in IOS 11.x.

The concept was that instead of having to inspect each packet in a “flow”, the device need only to inspect the first packet and create a “NetFlow switching record” or alternatively named “route cache record”.

After that that record was created, further packets in the same flow would not need to be inspected; they could just be forwarded based on the determination from the first packet. While this idea was forward thinking, it had many drawbacks which made it unsuitable for larger internet backbone routers.

In the end, Cisco abandoned that form of traffic routing in favor of “Cisco Express Forwarding”.

However, Cisco (and others) realized that by collecting and storing / forwarding that “flow data” they could offer insight into the traffic that was traversing the device interfaces.

At the time, the only way to see any information about what IP addresses or application ports were “inside” the traffic was to deploy packet sniffing systems which would sit inline (or connected to SPAN/Mirror) ports and “sniff” the traffic.  This can be an expensive and sometimes difficult solution to deploy.

Instead, by exporting the NetFlow data to an application which could store / process / display the information, network managers could now see many of the key meta-data aspects of traffic without having to deploy the “sniffer” probes.

Routers and switches which are NetFlow-capable are able to collect the IP traffic statistics at all interfaces on which NetFlow is enabled. This information is then exported as NetFlow records to a NetFlow collector, which is typically a server doing the traffic analysis.

There are two main NetFlow variants: Security Event Logging and Standalone Probe-Based Monitoring.

Security Event Logging was introduced on the Cisco ASA 5580 products and utilizes NetFlow v9 fields and templates. It delivers security telemetry in high performance environments and offers the same level of detail in logged events as syslog.

Standalone Probe-Based Monitoring is an alternative to flow collection from routers and switches and uses NetFlow probes, allowing NetFlow to overcome some of the limitations of router-based monitoring. Dedicated probes allow for easier implementation of NetFlow monitoring, but probes must be placed at each link to be observed and probes will not report separate input and output as a router will.

An organization or company may implement NetFlow by utilizing a NetFlow-capable device. However, they may wish to use one of the variants for a more flexible experience.

By using NetFlow, an organization will have insight into the traffic on its network, which may be used to find sources of congestion and improve network traffic flow so that the network is utilized to its full capability.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

Seven Reasons To Analyze Network Traffic With NetFlow

NetFlow allows you to keep an eye on traffic and transactions that occur on your network. NetFlow can detect unusual traffic, a request for a malicious destination or a download of a larger file. NetFlow analysis helps you see what users are doing, gives you an idea of how your bandwidth is used and can help you improve your network besides protecting you from a number of attacks.

There are many reasons to analyze network traffic with NetFlow, including making your system more efficient as well as keeping it safe. Here are some of the reasons behind many organizations  adoption of NetFlow analysis:

  • Analyze all your network NetFlow allows you to keep track of all the connections occurring on your network, including the ones hidden by a rootkit. You can review all the ports and external hosts an IP address connected to within a specific period of time. You can also collect data to get an overview of how your network is used.

 

  • Track bandwidth use. You can use NetFlow to track bandwidth use and see reports on the average use of This can help you determine when spikes are likely to occur so that you can plan accordingly. Tracking bandwidth allows you to better understand traffic patterns and this information can be used to identify any unusual traffic patterns. You can also easily identify unusual surges caused by a user downloading a large file or by a DDoS attack.

 

  • Keep your network safe from DDoS attacks. These attacks target your network by overloading your servers with more traffic than they can handle. NetFlow can detect this type of unusual surge in traffic as well as identify the botnet that is controlling the attack and the infected computers following the botnet’s order and sending traffic to your network. You can easily block the botnet and the network of infected computers to prevent future attacks besides stopping the attack in progress.

 

  • Protect your network from malware. Even the safest network can still be exposed to malware via users connecting from home or via people bringing their mobile device to work. A bot present on a home computer or on a Smartphone could access your network but NetFlow will detect this type of abnormal traffic and with auto-mitigation tools automatically block it.
  • Optimize your cloud. By tracking bandwidth use, NetFlow can show you which applications slow down your cloud and give you an overview of how your cloud is used. You can also track performances to optimize your cloud and make sure your cloud service provider is offering a cloud solution that corresponds to what they advertised.
  • Monitor users. Everyone brings their own Smartphone to work nowadays and might use it for purposes other than work. Company data may be accessible by insiders who have legitimate access but have an inappropriate agenda downloading and sharing sensitive data with outside sources. You can keep track of how much bandwidth is used for data leakage or personal activities, such as using Facebook during work hours.
  • Data Retention Compliance. NetFlow can fill in the gaps where other technologies cannot deliver. A well-architected NetFlow solution can help business and service providers to achieve and maintain data retention compliance for a wide range of government and industry regulations.

NetFlow is an easy way to monitor your network and provides you with several advantages, including making your network safer and collecting the data you need to optimize it. Having access to a comprehensive overview of your network from a single pane of glass makes monitoring your network easy and enables you to check what is going on with your network with a simple glance.

CySight solutions takes the extra step to make life far easier for the network and security professional with smart alerts, actionable network intelligence, scalability and automated diagnostics and mitigation for a complete technology package.

CySight can provide you with the right tools to analyze traffic, monitor your network, protect it and optimize it. Contact us  to learn more about NetFlow and how you can get the most out of this amazing tool.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

Deploying NetFlow as a Countermeasure to Threats like CNB

Few would debate legendary martial artist Chuck Norris’ ability to take out any opponent with a quick combination of lightning-fast punches and kicks. Norris, after all, is legendary for his showdowns with the best of fighters and being the last man standing in some of the most brutal and memorable fight scenes. It’s no surprise, then, that hackers named one of their most dubious botnet attacks after “tough guy” Norris, which wreaked havoc on internet routers worldwide. The “Chuck Norris” botnet, or CNB, was strategically designed to target poorly configured Linux MIPS systems, network devices such as routers, CCTV cameras, switches, Wifi modems, etc. In a study on CNB, the University of Masaryk in the Czech Republic, examined the attack’s inner workings and demonstrated how it employed Netflow as a countermeasure to actively detect and incapacitate the threat.

Lets look at what gave CNB its ability to infiltrate key networking assets and how, through flow-based monitoring, proactive detection made it possible to thwart the threat and others like it.

What made the Chuck Norris attack so potentially devastating?

What made the CNB attack so menacing was its ability to access all network traffic by infiltrating routers, switches and other networking hardware. This allowed it to go undetected for long periods, whereby it was capable of spreading through networks fairly quickly. As Botnet attacks “settle in”, they start issuing commands and take control of compromised devices, known as “bots”, that act as launch pads for Denial of Service (DoS) attacks, illegal SMTP relays, theft of information, etc.

Deploying Netflow as a countermeasure to threats like CNB

In the case of the CNB attack, Netflow collection data revealed how it infiltrated devices on TELNET and SSH ports, DNS Spoofs and web browser vulnerabilities, enabling Security teams to track its distribution on servers to avoid further propagation. Netflow’s deep visibility into network traffic gave Security teams the forensics they needed to effectively detect and incapacitate CNB.

Analysts are better positioned to mitigate risk to the network and its data through flow-based security forensics applied at the granular level coupled with dynamic behavioral and reputation feeds. Only with sufficient granularity and historic visibility can the risk of an anomaly be better diagnosed and mitigated. Doing so helps staff identify breaches that occur in real-time, as well as data leaks that take place over a prolonged period.

Flow-based monitoring solutions can collect vast amounts of security, performance and other data directly from networking infrastructure, giving Network Operations Centers (NOCs) a more comprehensive view of the environment and events as they occur. In addition, certain flow collectors are themselves resilient against cyber attacks such as DDoS. NetFlow technology isn’t only lightweight in terms of resource demands on switches and routers, but also highly fault-tolerant and limits exposure to flow floods including collection tuning, self-maintaining collection tuning rules and other self-healing capabilities.

As a trusted source of deep network insights built on big data analysis capabilities, Netflow provides NOCs with an end-to-end security and performance monitoring and management solution. For more information on Netflow as a performance and security solution for large-scale environments, download our free Guide to Understanding Netflow.

Cutting-edge and innovative technologies like CySight delivers the deep end-to-end network visibility and security context required assisting in speedily impeding harmful attacks.

Performance Monitoring & Security Forensics: The 1-2 Punch for Network and IT Infrastructure Visibility

3 Ways Anomaly Detection Enhances Network Monitoring

With the increasing abstraction of IT services beyond the traditional server room computing environments have evolved to be more efficient and also far more complex. Virtualization, mobile device technology, hosted infrastructure, Internet ubiquity and a host of other technologies are redefining the IT landscape.

From a cybersecurity standpoint, the question is how to best to manage the growing complexity of environments and changes in network behavior with every introduction of new technology.

In this blog, we’ll take a look at how anomaly detection-based systems are adding an invaluable weapon to Security Analysts’ arsenal in the battle against known – and unknown – security risks that threaten the stability of today’s complex enterprise environments.

Put your network traffic behavior into perspective

By continually analyzing traffic patterns at various intersections and time frames, performance and security baselines can be established, against which potential malicious activity is monitored and managed. But with large swathes of data traversing the average enterprise environment at any given moment, detecting abnormal network behavior can be difficult.

Through filtering techniques and algorithms based on live and historical data analysis, anomaly detection systems are capable of detecting even the most subtly crafted malicious software that may pose as normal network behavior. Also, anomaly-based systems employ machine-learning capabilities to learn about new traffic as it is introduced and provide greater context to how data traverses the wire, thus increasing its ability to identify security threats as they are introduced.

Netflow is a popular tool used in the collection of network traffic for building accurate performance and cybersecurity baselines with which to establish normal network activity patterns from potentially alarming network behavior.

Anomaly detection places Security Analysts on the front foot

An anomaly is defined as an action or event that is outside of the norm. But when a definition of what is normal is absent, loopholes can easily be exploited. This is often the case with signature-based detection systems that rely on a database of pre-determined virus signatures that are based on known threats. In the event of a new and yet unknown security threat, signature-based systems are only as effective as their ability to respond to, analyze and neutralize such new threats.

Since signatures do work well against known attacks, they are by no means paralyzed against defending your network. Signature-based systems lack the flexibility of anomaly-based systems in the sense that they are incapable of detecting new threats. This is one of the reasons signature-based systems are typically complemented by some iteration of a flow based anomaly detection system.

Anomaly based systems are designed to grow alongside your network

The chief strength behind anomaly detection systems is that they allow Network Operation Centers (NOCs) to adapt their security apparatus according to the demands of the day. With threats growing in number and sophistication, detection systems that can discover, learn about and provide preventative methodologies  are the ideal tools with which to combat the cybersecurity threats of tomorrow. NetFlow Anomaly detection with automated diagnostics does exactly this by employing machine learning techniques to network threat detection and in so doing, automating much of the detection aspect of security management while allowing Security Analysts to focus on the prevention aspect in their ongoing endeavors to secure their information and technological investments.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

How to counter-punch botnets, viruses, ToR and more with Netflow (Pt. 2)

Data Retention Compliance

End-Point Profiling

Hosts that communicate with more than one known threat type should be designated a high risk and repeated threat breaches with that hosts or dependent hosts can be marked as repeat offenders and provide an early warning system to a breach or an attack.

It would be negligent of me not to mention that the same flow-based End-Point threat detection techniques can be used as part of Data Retention compliance. In my opinion this enables better individual privacy with the ability to focus on profiling known bad end-points and be used to qualify visitors to such known traffic end-points that are used in illicit p2p swap sessions or access to specific kinds of subversive or dangerous sites that have been known to host such traffic in the past.

Extreme examples of end-point profiling could be to identify a host who is frequently visiting known jihadist web sites or pedophiles using p2p to download from peers that have been identified by means of active agents to carry child abuse material. The individual connection could be considered a coincidence but multiple visitations to multiple end-points of a categorized suspicious nature can be proven to be more than mere coincidence and provide cause for investigation.

Like DDoS attack profiles there may be a prolific amount of end-points involved and an individual conversation is difficult to spot but analysis of the IP’s involved in multiple transactions based on the category of the end-point will allow you to uncover the “needles in the haystack” and to enable sufficient evidence to be uncovered.

Profiling Bad traffic

End-Point Threat detection on its own is insufficient to detecting threats and we can’t depend on blacklists when a threat morphs faster than a reputation list can be updated. It is therefore critical to concurrently analyze traffic using a flow behavior anomaly detection engine.

This approach should be able to learn the baselines of your network traffic and should have the flexibility to baseline any internal hosts that your risk management teams deem specifically important or related such as a specific group of servers or high-risk interfaces and so-forth enabling a means to quantify what is normal and to identify baseline breaches and to perform impact analysis.

This is where big-data machine learning comes into play as to fully automate the forensics process of analyzing a baseline breach automating baselines and automatically running diagnostics and serving up the Predictive AI Baselining analytics needed to quickly identify the IP’s that are impacting services to provide extreme visibility and if desired mitigation.

Automated Diagnostics enable security resources to be focused on the critical issues while machine learning processes continue to quantify the KPI’s of ongoing issues bringing them to the foreground quickly taking into account known blacklists, whitelists and repeat offenders.

As a trusted source of deep network insights built on big data analysis capabilities, Netflow provides NOCs with an end-to-end security and performance monitoring and management solution. For more information on Netflow as a performance and security solution for large-scale environments, download our free Guide to Understanding Netflow.

Cutting-edge and innovative technologies like CySight delivers the deep end-to-end network visibility and security context required assisting in speedily impeding harmful attacks.

Performance Monitoring & Security Forensics: The 1-2 Punch for Network and IT Infrastructure Visibility

3 Key Differences Between NetFlow and Packet Capture Performance Monitoring

The increasing density, complexity and expanse of modern networking environments have fueled the ongoing debate around which network analysis and monitoring tools serve the needs of the modern engineer best – placing Packet Capture and NetFlow Analysis at center-stage of the conversation. Granted, both can be extremely valuable tools in ongoing efforts to maintain and optimize complex environments, but as an engineer, I tend to focus on solutions that give me the insights I need without too much cost on my resources, while complementing my team’s ability to maintain and optimize the environments we support.

So with this in mind, let’s take a look at how NetFlow, in the context of the highly-dense networks we find today, delivers three key requirements network teams rely on for reliable end-to-end performance monitoring of their environments.

A NetFlow deployment won’t drain your resources

Packet Capture, however rich in network metrics, requires sniffing devices and agents throughout the network, which invariably require some level of maintenance during their lifespan. In addition, the amount of space required to store and analyze packet data makes it an inefficient an inelegant method of monitoring or forensic analysis. Combine this with the levels of complexity networks can reach today, and overall cost and maintenance associated with packet sniffers can quickly become unfeasible. In the case of NetFlow, its wide vendor support across virtually the entire networking landscape makes almost every switch, router or firewall a NetFlow “ready” device. Devices’ built-in readiness to capture and export data-rich metrics makes it easy for engineers to deploy and utilize . Also, thanks to its popularity, NetFlow analyzers of varying feature-sets are available for network operations center (NOC) teams to gain full advantage of data-rich packet flows.

Striking the balance between detail and context

Considering how network-dependent and widespread applications have become in recent years, NetFlow’s ability to provide WAN-wide metrics in near real-time makes it a  suitable troubleshooting companion for engineers.   And with version 9 of NetFlow extending the wealth of information it collects via a template-based collection scheme, it strikes the balance between detail and high-level insight without placing too much demand on networking hardware – which is something that can’t be said for Packet Capture. Packet Capture tools, however, do what they do best, which is Deep Packet Inspection (DPI), which allows for the identification of aspects in the traffic hidden in the past to Netflow analyzers. But Netflow’s constant evolution alongside the networking landscape is seeing it used as a complement to solutions such as Cisco’s NBAR and other DPI solutions who have recognized that all they need to do is use flexible Netflow tools to reveal details at the packet level.

NetFlow places your environment in greater context

Context is a chief area where NetFlow beats out Packet Capture since it allows engineers to quickly locate root causes relating to performance by providing a more situational view of the environment, its data-flows, bottleneck-prone segments, application behavior, device sessions and so on. We could argue that packet sniffing is able to provide much of this information too, but it doesn’t give engineers the broader context around the information it presents, thus hamstringing IT teams from detecting performance anomalies that could be subscribed to a number of factors such as untimely system-wide application or operating system updates or a cross-link backup application pulling loads of data across the WAN during operational hours.

So does NetFlow make Packet Capture obsolete?

The short answer is, no. In fact, Packet Capture, when properly coupled with NetFlow, can make a very elegant solution. For example, using NetFlow to identify an attack profile or illicit traffic and then analyzing corresponding raw packets becomes an attractive solution. However, NetFlow strikes that perfect balance between detail and context and gives NOCs intelligent insights that reveals broader factors that can influence your network’s ability to perform. Gartner’s assertion that a balance of 80% NetFlow monitoring  coupled with 20% Packet Capture as the perfect combination of performance monitoring attests to NetFlow’s growing prominence as the monitoring tool of choice. And as it and its various iterations such sFlow, IPFIX and  others continue to expand the breadth of context it provides network engineers, that margin is set to increase in its favor as time.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

Two Ways Networks Are Transformed By NetFlow

According an article in techtarget.com “Your routers and switches can yield a mother lode of information about your network–if you know where to dig.”  The article goes on to say that excavating and searching through endless traffic data and logs manufactured by your network system is a lot like mining for gold, and punching random holes to look for a few nuggets of information isn’t very efficient. Your search will be much more fruitful if you know where to look and what it will look like. Fortunately, the data generated by a NetFlow traffic reporting protocol yields specific information and you can easily sort, view and analyze the information into what you want to use or need.In contemporary networks, there is a need to collect and retain a good set of traffic records for several different purposes. These include the ability to monitor traffic for network planning, security and analysis as well as track traffic usage for billing purposes. Every business experiences network problems. The goal is to transform these “bad behaving” networks by investigating the data that is being generated by the routers, switches and other hardware that make up the system.

  • Trace and repair network misconfigurations

Problems with networks can run the gamut from mismatched applications and hardware to wireless access points opened to accommodate BYOD users and other business uses. While there is always talk about software flaws and news about the latest internet threat, those things often distract IT pros from the real, every-day threat of unstable networks that have been configured to accommodate legacy hardware and a multitude of software applications.

The increasing complexity of the Internet itself, with the interconnection of lots of different devices and device types adds to the challenge of operating a computer network. Even though developing protocols to respond to unpredicted failures and misconfigurations is a workable solution, these out-of-date configurations can still cause frequent problems and denial of service (DOS). With many modern network devices monitoring functions and gathering data, retrieving and utilizing the NetFlow information makes tracing and repairing the problem of misconfigurations possible, easier and efficient.

  • Detect security breaches

There are many uses for NetFlow but one of the most important is the benefit of network security. This quote from an article by Wagner and Bernhard, describing worm and anomaly detection in fast IP networks, bears out the security problems facing governments, businesses, and internet users today.

“Large-scale network events, such as outbreaks of a fast Internet worm are difficult to detect in real-time from observed traffic, even more so if the observed network carries a large amount of traffic. Even during worm outbreaks, actual attack traffic is only a small fraction of the overall traffic. Its precise characteristics are usually unknown beforehand, making direct matching hard. It is desirable to derive parameters that describe large amounts of traffic data in such a way that details are hidden, but the type of changes associated with worm outbreaks and other network events are visible.”

NetFlow provides a 24/7 account of all network activity. There is an “unblinking” eye observing anything and everything that happens within the network boundaries. All the data needed to identify and enact a clean-up is recorded in the flow and this is invaluable to a security pro trying to reduce the impact of a breach in the network. NetFlow provides a visible, “what’s happening right now” view that other systems cannot provide. Most security systems alert after something has been detected, while NetFlow is constantly gathering information even when things seem to be just fine. In addition, NetFlow-based analysis relies on traffic behavior and algorithms which provides rapid detection of breaches that other technologies often miss

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

How Traffic Accounting Keeps You One Step Ahead Of The Competition

IT has steadily evolved from a service and operational delivery mechanism to a strategic business investment. Suffice it to say that the business world and technology have become so intertwined that it’s unsurprising many leading companies within their respective industries attribute their success largely to their adoptive stance toward innovation.

Network Managers know that much of their company’s ability to outmaneuver the competition depends to a large extent on IT Ops’ ability to deliver world-class services. This brings traffic accounting into the conversation, since a realistic and measured view of your current and future traffic flows is central to building an environment in which all the facets involved in its growth, stability and performance are continually addressed.

In this blog, we’ll take a look at how traffic accounting places your network operations center (NOC) team on the front-foot in their objective to optimize the flow of your business’ most precious cargo – its data.

All roads lead to performance baselining 

Performance baselines lay the foundation for network-wide traffic accounting against predetermined environment thresholds. They also aid IT Ops teams in planning for network growth and expansion undertakings. Baseline information typically contains statistics on network utilization, traffic components, conversation and address statistics, packet information and key device metrics.

It serves as your network’s barometer by informing you when anomalies such as excessive bandwidth consumption and other causes of bottlenecks occur. For example, root causes to performance issues can easily creep into an environment unnoticed: such as a recent update to a business critical application that may cause significant spikes in network utilization.  Armed with a comprehensive set of baseline statistics and data that allows Network Performance and Security Specialists to measure, compare and analyze network metrics,   root causes such as these can be identified with elevated efficiency.

In broader applications, baselining gives Network Engineers a high-level view of their environments, thereby allowing them to configure Quality of Service (QoS) parameters, plan for upgrades and expansions, detect and monitor trends and peering analysis and a bevy of other functions.

Traffic accounting brings your future network into focus

With new-generation technologies such as the cloud, resource virtualization, as a service platforms and mobility revolutionizing the networks of yesteryear, capacity planning has taken on a new level of significance. Network monitoring systems (NMS) need to meet the demands of the new, complex, hybrid systems that are the order of the day. Thankfully, technologies such as NetFlow have evolved steadily over the years to address the monitoring demands of modern networks. NetFlow accounting is a reliable way to peer through the wire and get a deeper insight to the traffic that traverses your environment. Many Network Engineers and Security Specialists will agree that their understanding of their environments hinges on the level of insight they glean from their monitoring solutions.

This makes NetFlow an ideal traffic accounting medium, since it easily collects and exports data from virtually any connected device for analysis by a CySight . The technology’s standing in the industry has made it the “go-to” solution for curating detailed, insightful and actionable metrics that move IT organizations from a reactive to proactive stance towards network optimization

Traffic accounting’s influence on business productivity and performance

As organizations become increasingly technology-centric in their business strategies, their reliance on networks that consistently perform at peak will increase accordingly. This places new pressures on Network Performance and Security Teams  to conduct iterative performance and capacity testing to contextualize their environment’s ability to perform when it matters most. NetFlow’s ability to provide contextual insights based on live and historic data means Network Operation Centers (NOCs)  are able to react to immediate performance hindrances and also predict with a fair level of accuracy what the challenges of tomorrow may hold. And this is worth gold in the context of the ever-changing and expanding networking landscape.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

Integrated Cyber Network Intelligence: Your Network has been infiltrated. How do you know where and what else is impacted?

Why would you need Granular Network Intelligence?

“Advanced targeted attacks are set to render prevention-centric security strategies obsolete and that information must become the focal point for our information security strategies.” (Gartner)

In this webinar we take a look at the internal and external threat networks pervasive in todays enterprise and explore why organizations need granular network intelligence.

Webinar Transcription:

I’m one of the senior engineers here with CySight. I’ll be taking you through the webinar today. It should take about 30 to 40 minutes, I would say and then we will get to some questions towards the end. So let’s get started.

So the first big question here is, “Why would you need something like this? Why would you need Granular Network Intelligence?” And the answer, if not obvious already, is that, really, in today’s connected world, every incident response includes a communications component. What we mean by that is in a managed environment, whether it’s traditional network management or security management, anytime that there’s an alert or some sort of incident that needs to be responded to, a part of that response is always going to be communications, who’s talking to who, what did they do, how much bandwidth did they use, who did they talk to?

And in a security particular environment, we need to be looking at things like whether external threats or internal threats, was there a data breach, can I look at the historical behavior or patterns, can I put this traffic into context as per the sort of baseline of that traffic? So that insight into how systems have communicated is critical.

Just some background industry kind of information. According to Gartner, targeted attacks are set to render prevention-centric security strategies obsolete by 2020. Basically, what that means is there’s going to be a shift. They believe there’s going to be a shift to information and end-user-centric security focused on an infrastructure’s end-points and away from sort of the blocking and tackling of firewalls. They believe that there’ll be three big trends continuous compromise, meaning that an increased in level of advanced attacks, targeted attacks. It’s not going to stop. You’re never going to feel safe that someone won’t be potentially trying to attack you.

And most of those attacks will become financially motivated attacks, attempts to steal information and attempts to gather credit card data, if you have that, intellectual property, ransomware-type attacks. So this is not necessarily, “Hey, I’m just going to try and bring down your website or something,” in a traditional world where maybe people are playing around a little bit. This is more organized attacks specifically designed to either elicit a ransom or a reward or just steal information that could be turned into money out in a black market and it’s going to be more and more difficult for IT to have control over those end-user’s devices.

Again, very few organizations just have people sitting at their desks with desktop computers anymore. Everybody’s got laptops. Everybody’s got a phone or other tablet that’s moving around. People work from home. They work from the road. They’re connecting in to network resources from anywhere in the world at any time and it becomes more and more challenging for IT to sort of control those pathways of communications. So if you can’t control it, then you have to certainly be able to monitor it and react to it and the reaction is really in three major ways; determining the origin of the attack, the nature of the attack, and the damage incurred.

So we’re certainly assuming that there are going to be attacks, and we need to know where they’re coming from, what they’re trying to do, and have they been able to get there? You know, have we caught it in time or has something already been infected or has information been taken away from the network and that really leads us into this little graphic that we have about not being in denial. Understanding that, unfortunately, many people, in terms of their real visibility into the network, are somewhere in the blind or limited-type area. They don’t know what they don’t know, they think they should know but they don’t know, and etc.

But where they really need to be is at, “There’s nothing they don’t know.” And they need tools to be able to move them from wherever they are into this upper left-hand quadrant and certainly, that’s what our product is designed to do. So just kind of looking at the entire landscape of information flow from outside and inside and really understanding that there are new kinds of attacks, crawlers, botnets, ransomware, ToR, DoS and DDoS attacks that have been around for a while.

Your network may be used to download or host illicit material, leak intellectual property, be part of an attack, you know, something that’s command and controlled from somewhere else and your internal assets have become zombies and are being controlled by outside. There are lots of different threats. They’re all coming at you from all over the place. They’re all trying to get inside your network to do bad things and those attacks or that communication needs to be tracked.

Gartner also believes that 60% of enterprise security budgets will be allocated for rapid detection and response by 2020, up from less than 10% just a few years ago. What they believe is that too much of the spending has gone into prevention and not enough has gone into monitoring and response. So the prevention is that traditional firewalling, intrusion detection or intrusion prevention, things like that, which certainly is important. I’m not saying that those things aren’t useful or needed. But what we believe and what other industry analysts certainly believe is that that’s not enough, basically. There needs to be more than the simple sort of “Put up a wall around it and no one will be able to get in” kind of situation. If that were the case, then there would be no incidents anywhere because everybody’s got a firewall; large companies, small companies. Everybody’s got that today, and yet, you certainly don’t go more than a couple of days without hearing about new hacks, new incidents.

Here in the United States, we just came through an election where they’re still talking about people from other countries hacking into one party or another’s servers to try and change the election results. You know, on the enterprise side, there are lots and lots of businesses. Yahoo recently in the last couple of months certainly had a major attack that they had to come clean about it and of course both of those organizations, certainly Yahoo, you know, they’re an IT system. They have those standard intrusion prevention and firewall-type systems, but obviously, they aren’t enough.

So when you are breached, you need to be able to look and see what happened, “What can I still identify, what can I still control, and how do I get visibility as to what happened.” So for us, we believe that the information about the communication is the most important focal point for a security strategy and we can look at a few different ways to do that without a signature-based mechanism. So there’s ways to look at normal traffic and be able to very rapidly identify deviation from normal traffic. There’s ways to find outliers and repeat offenders. There’s ways to find nefarious traffic by correlating real-time threat feeds with current flows and we’re going to be talking about all of these today so that a security team can identify what was targeted, what was potentially compromised, what information may have left the building, so to speak.

There’s a lot of challenges faced by existing firewalls, SIEM, and loosely-coupled toolsets. The level of sophistication, it’s going up and up again. It’s becoming more organized. It’s an international crime syndicate with very, very intelligent people using these tactics to try and gain money. As we’ve talked about, blocking attack, laying end-point solutions are just not enough anymore and of course, there’s a huge cost in trying to deploy, trying to maintain multiple solutions.

So being able to try and have some tools that aren’t incredibly expensive, that do give you valuable information really, can become the best way to go. If you look at, say, what we’re calling sensors; packet captures, DPI-type systems. They, certainly, can do quite a lot, but they’re incredibly expensive to deploy across a large organization. If you’re trying to do packet capture, it’s very, very prohibitive. You can get a lot of detail, but trying to put those sensors everywhere is just… unless you’ve got an unlimited budget, and very few people do, that becomes a really difficult proposition to swallow.

But that doesn’t mean NetFlow can’t still use that kind of information. What we have found and what’s really been a major trend over the last couple of years is that existing vendors, on their devices, Check Point, Cisco, Palo Alto, packet brokers like Ixia, or all of the different people that you see up here, and more and more all the time, are actually adding that DPI information into their flow data. So it’s not separate from flow data. It’s these devices that have the packets going through them that can look at them all the way to layer seven and then include that information in the NetFlow export out to a product like ours that can collect it and display that.

So you can look into payload and classify according to payload content identifying traffic on port 80 or what have you, that you can connect the dots between inside and outside when there’s NAT. To be able to read the URLs and quickly analyze where they’re going and what they’re being used for. Getting specialized information like MAC address information or, if it’s a firewall, getting denial information or AAA information, if it’s a wireless LAN controller, getting SSID information, and other kinds of things that can be very useful to track down where people were talking.

So different types of systems are adding different kinds of information to the exports, but all of them, together, really effectively give you that same capability as if you had those sniffing products all over the place or packet capture products all over the place. But you can do it right in the devices, right from the manufacturer, send it through NetFlow, to us, and still get that quality information without having to spend so much money to do it.

The SANS organization, if you’re not familiar with them, great organization, provide a lot of good information and whitepapers and things like that. They have, very often, said that NetFlow might be the single most valuable source of evidence in network investigations of all sorts, security investigations, performance investigations, whatever it may be.

The NetFlow data can give you very high value intelligence about the communications. But the key is in understanding how to get it and how to use it. Some other benefits of using NetFlow, before packet capture is the lack of need for huge storage requirements. Certainly, as compared to traditional packet capture, NetFlow is much skinnier than that and you can store much longer-term information than you could if you had to store all of the packets. The cost, we’ve talked about.

And there are some interesting things like legal issues that are mitigated. If you are actually capturing all packets, then you may run into compliance issues for things like PCI or HIPAA. In certain different countries and jurisdictions around the world have very strict regulations about maintaining the end-data and keeping that data. NetFlow, you don’t have that. It’s metadata. Even with the new things that you can get, that we talked about a couple of slides ago, it’s still the metadata. It’s still data about the data. It’s not the actual end information. So even without that content, NetFlow still provides an excellent means of guiding the investigations, especially in an attack scenario.

So here, if you bundle everything that we’ve talked about so far into one kind of view and relate it to what we do here at CySight. You would see it on this screen. There are the end-users of people/content and things today, the Internet of things. So you’ve got data coming from security cameras and Internet-connected vehicles and refrigerators. It could be just about anything, environmental-type information. It’s all producing data. That data is traversing the network through multiple different types of platforms, or routers, switches, servers, wireless LAN controllers, cloud-based systems and so forth, all of which can provide correlation of the information and data. We call that the correlation API.

We then take that data into CySight. We combine it with outside big data, we’re going to talk about that in a minute, so not only the data of the connections but actual third-party information that we have related to known bad actors in the world and then we can use that information to provide you, the user, multiple benefits, whether it’s anomaly detection, threat intelligence, security performance, network accounting, all of the sort of standard things that you would do with NetFlow data.

And then lastly, integrate that data out to other third-party systems, whether it’s your managed service provider or security service provider. It could be upstream event collectors, trappers, log systems, SOAPA ecosystems, whether that’s on-premise or in the cloud or hybrid cloud. All of that is available via our product. So it starts at the traffic level. It goes through everything. It provides the data inside our product and as well as integrates out to third-party systems.

So let’s actually look into this a little more deeply. So the threat intelligence information is one of the two major components of our cyber security areas. One, the way this works is that threat data is derived from a large number of sources. So we maintain a list, effectively, a database of known bad IP addresses, known bad actors in the world. We collect that data through honeypots, and threat feeds, and crowd sources, and active crawlers, and our own internal user cyber feedback from our customers and all of that information combined allows us to maintain a very robust list of known bads, basically. Then we can combine that cyber intelligence data with the connection data, the flow data, the session data, inside and outside of your network, you know, the communications that you’re having, and compare the two.

So we have the big data threats. We can process that data along with what’s happening locally in your network to provide extreme visibility, to find who’s talking to who, what conversations are your users having with bad actors, ransomware, botnets, ToR, hacking, malware, whatever it may be and we then provide, of course, that information to you directly in the product. So we’re constantly monitoring for that communication and then we can help you identify it and remediate it as soon as possible.

As we look into this a little bit   zoomed in here a little bit, you can see that that threat information can be seen in summary or in detail. We have it categorized by different threat levels, types, severities, countries of origin, affected IPs, threat IPs. As anyone who’s used our product in the past knows, we always provide an extreme amount of flexibility to really slice and dice the data and give you a view into it in any way that is best consumed by you. So you can look at things by type, or by affected IP, or by threat IP, or by threat level, or whatever it may be and of course, no matter where you start, you can always drill in, you can filter, you can re-display things to show it in a different view.

Here’s an example of identifying some threat. These are ransomware threats, known ransomware IPs out there. I can very easily just right-click on that and say, “Show me the affected IP.” So I see that there’s ransomware. Who’s affected by that? Who is actually talking to that? And it’s going to drill right down into that affected IP or maybe multiple affected IPs that are known to be talking to those ransomware systems outside. You could see when it happened. You can see how much traffic.

Certainly, in this example our top affected IP here certainly has a tremendous amount of data, 307 megs over that time period, much more than the next ones below that and so that’s clearly one that needs to be identified or responded to very quickly. It can be useful to look at this way, to see if, “Hey,” you know, “Is this one system that’s been infiltrated or is it now starting to spread? Are there multiple systems? Where is it starting? Where is it going and how can I then sort of stem that tide?” It very easy to get that kind of information.

Here’s another example showing all ransomware attack, traffic, traversing a large ISP over a day. So whether you’re an end-user or certainly a service provider, we have many, many service provider customers that use this to monitor their customer’s traffic and so this could be something that you look at to say “Across all of my ISP, where is that ransomware traffic going? Maybe it’s not affecting me but it’s affecting one of my customers.” Then we can be able to drill into that and to alert and alarm on that, potentially block that right away as extra help to my customers.

Ransomware is certainly one of the most major scary sort of things that’s out there now. It’s happening every day. There are reports of police stations having to pay ransom to get their data back, hospitals having to pay ransom to get their data back. It’s kind of interesting that, to our knowledge, there has never been a case where the ransomers, the bad guys out there haven’t actually released the information back to their customers and supply the decryption key. Because they want the money and they want people to know, “Hey, if you pay us, we will give you your data back,” which is really, really frightening, actually. It’s happening all the time and needs to be monitored very, very carefully. This is certainly one of the major threats that exist today.

But there are other threats as well; peer-to-peer traffic, ToR traffic, things like that. Here’s an example of looking at a single affected IP that is talking to multiple different threat IPs that are known to have been hosting illicit content over this time period. You could see that, clearly, it’s doing something. You know, if there is one host that is talking to one outside illicit threat IP, okay, maybe that’s a coincidence or maybe it’s not an indication of something crazy going on. But when you can see that, in this case, there’s one internal IP talking to 89 known bad threat IPs who have been known to host illicit traffic, okay, that’s not a coincidence anymore. We know that something’s happening here. We can see when it happened. We know that they’re doing something. Let’s go investigate that. So that’s just another way of kind of giving you that first step to identify what’s happening and when it’s happening.

You know, sometimes, illicit traffic may just look like some obscured peer-to-peer content but it actually…Auditor, our product allows you to see it for full forensic evidence. You know, you could see what countries are talking to, what kind of traffic it is what kind of threat level it is. It really gives you that full-detailed data about what’s happening.

Here’s another example of a ToR threat. So people who are trying to use ToR to anonymize their data or get around any kind of traffic analysis-type system will use ToR to try and obfuscate that data. But we have, as part of our threat data, a list of ToR exits and relays and proxies, and we can look at that and tell you, again, who’s sending data into this sort of the ToR world out there, which may be an indication of ransomware and other malware because they often use ToR to try and anonymize that data. But it, also, could be somebody inside the organization that’s trying to do something they shouldn’t be doing, get data out which could be very nefarious. You never want to think the worst of people but it does happen. It happens every day out there. So again, that’s another way that we can give you some information about threats.

We, also, can help you visualize the threats. Sometimes, it’s easier for those to understand by looking at a nice graphical depiction. So we can show you where the traffic is moving, with the volume of traffic, how it’s hopping around in, in this case a ToR endpoint. ToR is weird. The point of ToR is that it’s very difficult to find an endpoint from another single endpoint. But being able to visualize it together actually allows you to kind of get a hand on where that traffic may be going.

In really large service providers where, certainly, people who are interested in tracking this stuff down, they need a product that can scale. We’ve got a very, very great story about our massive scalability. We can use a hierarchical system. We can add additional collectors. We can do a lot of different things to be able to handle a huge volume of traffic, even for Tier 1-type service providers, and still provide all of this data and detail that we’ve shown so far.

A couple other examples, we just have a number of them here, of different ways that you can look at the traffic and slice and dice it. Here’s an example of top conversations. So looking for that spike in traffic, we could see that there was this big spike here, suddenly. Almost 200 gig in one hour, that’s very unusual and can be identified very, very quickly and then you can try and say, “Okay, what were you doing during that time period? How could it possibly be that that much information was being sent out the door in such a short period of time?”

We also have port usage. So we can look at individual ports that are known threats over whatever time period you’re interested in. We could see this is port 80 traffic but it’s actually connecting to known ToR exits. So that is not just web surfing. You can visualize changes over time, you can see how things are increasing over time, and you can identify who is doing that to you.

Here’s another example of botnet forensics. Understanding a conversation to a known botnet command and control server and so many times, those come through, initially, as a phishing email. So they’ll just send millions of spam emails out there hoping for somebody to click on it. When they do click on it, it downloads the command and control software and then away it goes. So you can actually kind of see the low-level continual spam happening, and then all of a sudden, when there’s a spike, you actually get that botnet information, the command and control information that starts up and from there all kinds of bad things can happen.

So identifying impacted systems that have more than one infection is a great way to really sort of prioritize who you should be looking at. We can give you that data. I could see this IP has got all kinds of different threats that it’s been communicating to and with. You know, that is certainly someone that you want to take a look at very quickly.

I talked about visualization, some. Here are a few more examples of visualizations in the product. Many of our customers use this. It’s kind of the first way that they look at the data and then drill into the actual number part of the data, sort of after the visualization. Because you could see, from a high-level, where things are going and then say, “Okay, let me check that out.”

Another thing that we do as part of our cyber bundle, if you will, is anomaly detection and what we call “Two-phased Anomaly Detection.” Most of what I’ve talked about so far has been related to threat detection, matching up those known bads to conversations or communications into and out of your network. But there are other ways to try and identify security problems as well. One of those is anomaly detection.

So anomaly detection is an ability of our product to baseline traffic in your network, lots of different metrics on the traffic. So it’s counts, and flows, and packets, and bytes, and bits per second, and so forth, TCP flags, all happening all the time. So we’re baselining all the time, hour over hour, day over day and week over week to understand what is normal and then use our sophisticated behavior-based anomaly detection, our machine learning ability to identify when things are outside the norm.

So phase one is we baseline so that we know what is normal and then alert or identify when something is outside the norm and then phase two is running a diagnostic process on those events, so understanding what was that event, when did it happen, what kind of traffic was involved, what IPs and ports were involved, what interfaces did the traffic go through, what does it possibly pretend, was it a DDoS-type attack, was it port sweeper or crawler-type attack – what was it? And then the result of that is our alert diagnostic screen like you can see in the background.

So it qualifies the cause and impact for each offending behavior. It gives you the KPI information. It generates a ticket. It allows you to integrate with other third-party SNMP traps, trap receivers so we can send our alerts and diagnostic information out as a trap to another system and so everything can be rolled up into a more manager and manager-type system, if you wish. You can intelligently whitelist traffic that is not really offensive traffic that we may have identified as an anomaly. So of course, you want to reduce the amount of false positives out there and we can help you do that.

So to kind of summarize…I think we’re just about at the end of the presentation now. To summarize, what can CySight do in our cyber intelligence? It really comes down to forensics, anomaly detection, and that threat intelligence. We can record and analyze, on a very granular level, network data even in extremely complex, large, and challenging environments. We can evaluate what is normal versus what is abnormal. We can continually monitor and benchmark your network and assets. We can intelligently baseline your network to detect activity that deviates from those baselines. We can continuously monitor for communication with IPs of poor reputation and remediate it ASAP to reduce the probability of infection and we can help you store and compile that flow information to use as evidence in the future.

You’re going to end up with, then, extreme visibility into what’s happening. You’re going to have three-phase detection. You have full alerting and reporting. So any time any of these things do happen, you can get an alert. That alert can be an email. It can be a trap out to another system as I mentioned earlier. Things can be scheduled. They’re running in the background 24/7 keeping our software’s eyes on your network all the time and then give you that forensics drill-down capability to quickly identify what’s happened, what’s been impacted, and how you can stop its spread.

The last thing we just want to say is that everything that we’ve shown today is the result of a large development effort over the last number of years. We’ve been in business for over 10 years, delivering NetFlow-based Predictive AI Baselining analytics. We’ve really taken a very heavy development exercise into security over the last few years and we are constantly innovating. We’re constantly improving. We’re constantly listening to what our customers want and need and building that into future releases of the product.

So if you are an existing customer listening to this, we’d love to hear your feedback on what we can do better. If you are potentially a new customer on this webinar, we’d love your ideas from what you’ve seen as to if that fits with what you need or if there’s other things that you would like to see in the product. We really do listen to our customers quite extensively and because of that, we have a great reputation with our customers.

We have a list of customers up here. We’ve got some great quotes from our customers. We really do play across an entire enterprise. We play across service providers and we love our customers and we think that they know that and that’s why they continue to stay with us year after year and continue to work with us to make the product even better.

So we want to thank everybody for joining the webinar today. We’re going to just end on this note that we believe that our products offer the most cost-effective approach to detect threats and quantify network traffic ubiquitously across everything that you might need in the security and cyber network intelligence arena and if you have any interest in talking to us, seeing a demo, live demo of the product, getting a 30-day evaluation of the product, we’re very happy to talk to you. Just contact us.

If you’ve got a salesperson and you want to get threat intelligence, we’re happy to enable it on your existing platform. If you are new to us, hit our website, please, at netflowauditor.com. Fill out the form for a trial, and somebody will get to you immediately and we’ll get you up in the system and running very, very quickly and see if we can help you identify any of these security threats that you may have. So with that, we appreciate your time and look forward to seeing you at our webinar in the future. Bye.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

The Strategic Value of Advanced Netflow for Enterprise Network Security

With thousands of devices going online for the first time each minute, and the data influx continuing unabated, it’s fair to say that we’re in the throes of an always-on culture.

As the network becomes arguably the most valuable asset of the 21st century business, IT departments will be looked at to provide not just operational functions, but, more importantly, strategic value.

Today’s network infrastructures contain hundreds of key business devices across a complex array of data centers, virtualized environments and services. This means Performance and Security Specialists are demanding far more visibility from their monitoring systems than they did only a few years ago.

The growing complexity of modern IT infrastructure is the major challenge faced by existing network monitoring (NMS) and security tools.

Expanding networks, dynamic enterprise boundaries, network virtualization, new applications and processes, growing compliance and regulatory mandates along with rising levels of sophistication in cyber-crime, malware and data breaches, are some of the major factors necessitating more granular and robust monitoring solutions.

Insight-based and data-driven monitoring systems must provide the deep visibility and early warning detection needed by Network Operations Centre (NOC) teams and Security professionals to manage networks today and to keep the organization safe.

For over two decades now, NetFlow has been a trusted technology which provides the data needed to enable the performance management of medium to large environments.

Over the years, NetFlow analysis technology has evolved alongside the networks it helps optimize to provide information-rich analyses, detailed reporting and data-driven network management insights to IT departments.

From traffic accounting, to performance management and security forensics, NetFlow brings together both high-level and detailed insights by aggregating network data and exporting it to a flow collector for analysis. Using a push-model makes NetFlow less resource-intensive than other proprietary solutions as it places very little demand on network devices for the collection and analysis of data.

NetFlow gives NOCs the information they need for pervasive deep network visibility and flexible Predictive AI Baselining analytics, which substantially reduces management complexity. Performance and Security Specialists enjoy unmatched flexibility and scalability in their endeavors to keep systems safe, secure, reliable and performing at their peak.

Although the NetFlow protocol promises a great deal of detail that could be leveraged to the benefit of the NOC and Security teams, many NetFlow solutions to date have failed to provide the contextual depth and flexibility required to keep up with the evolving network and related systems. Many flow solutions simply cannot scale to archive the necessary amount of granular network traffic needed to gain the visibility required today. Due to the limited amount of usable data they can physically retain, these flow solutions are used for only basic performance traffic analysis or top talker detection and cannot physically scale to report on needed Predictive AI Baselining analytics making them only marginally more useful than an SNMP/RMON solution.

The newest generation of NetFlow tools must combine the granular capability of a real-time forensics engine with long-term capacity planning and data mining abilities.

Modern NetFlow applications should also be able to process the ever expanding vendor specific flexible NetFlow templates which can provide unique data points not found in any other technology.

Lastly, the system needs to offer machine-learning intelligent analysis which can detect and alert on security events happening in the network before the threat gets to the point that a human would notice what has happened.

When all of the above capabilities are available and put into production, a NetFlow system become an irreplaceable application in an IT department’s performance and security toolbox.

Performance Monitoring & Security Forensics: The 1-2 Punch for Network and IT Infrastructure Visibility