Archives

Category Archive for ‘Network Intelligence’

Benefits of Network Security Forensics

The networks that your business operates on are often open and complex.

Your IT department is responsible for mitigating network risks, managing performance and auditing data to ensure functionality.

Using NetFlow forensics can help your IT team maintain the competitiveness and reliability of the systems required to run your business.

In IT, network security forensics involves the monitoring and analysis of your network’s traffic to gather information, obtain legal evidence and detect network intrusions.

These activities help keep your company perform the following actions.

  • Adjust to increased data and NetFlow volumes
  • Identify heightened security vulnerabilities and threats
  • Align with corporate and legislative compliance requirements
  • Contain network costs
  • Analyze network performance demands
  • Recommend budget-friendly implementations and system upgrades

NetFlow forensics helps your company maintain accountability and trace usage; these functions become increasingly difficult as your network becomes more intricate.

The more systems your network relies on, the more difficult this process becomes.

While your company likely has standard security measures in place, e.g. firewalls, intrusion detection systems and sniffers, they lack the capability to record all network activity.

Tracking all your network activity in real-time at granular levels is critical to the success of your organization.

Until recently, the ability to perform this type of network forensics has been limited due to a lack of scalability.

Now, there are web-based solutions that can collect and store this data to assist your IT department with this daunting task.

Solution capabilities include:

  • Record NetFlow data at a micro level
  • Discover security breaches and alert system administrators in real-time
  • Identify trends and establish performance baselines
  • React to irregular traffic movements and applications
  • Better provisioning of network services

The ability to capture all of this activity will empower your IT department to provide more thorough analysis and take faster action to resolve system issues.

But, before your company can realize the full value of NetFlow forensics, your team needs to have a clear understanding of how to use this intelligence to take full advantage of these detailed investigative activities.

Gathering the data through automation is a relatively simple process once the required automation tools have been implemented.

Understanding how to organize these massive amounts of data into clear, concise and actionable findings is an additional skill set that must be developed within your IT team.

Having a team member, whether internal or via a third-party vendor, that can aggregate your findings and create visual representations that can be understood by non-technical team members is a necessary part of NetFlow forensics. It is important to stress the necessity of visualization; this technique makes it much easier to articulate the importance of findings.

In order to accurately and succinctly visualize security issues, your IT staff must have a deep understanding of the standard protocols of your network. Without this level of understanding, the ability to analyze and investigate security issues is limited, if not impossible.

Utilizing a software to support the audit functions required to perform NetFlow forensics will help your company support the IT staff in the gathering and tracking of these standard protocols.

Being able to identify, track and monitor the protocols in an automated manner will enhance your staff’s ability to understand and assess the impact of these protocols on network performance and security. It will also allow you to quickly assess the impact of changes driven by real-time monitoring of your network processes.

Sound like a daunting task?

It doesn’t have to be. Choose a partner to support your efforts and help you build the right NetFlow forensics configuration to support your business.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

End Point Threat Detection Using NetFlow Analytics

Webinar Transcription:

Hi, good afternoon everyone. I’m from CySight. Our webinar today is on some of the finer security aspects of our product, specifically Anomaly Detection and End Point Threat Detection. End Point Threat Detection being one of the newer pieces that we’ve added to the system. It should take about half an hour today, and then we’ll let you get back to your day. A reminder that everyone is on ‘mute’ during the presentation. We have a number of attendees here today, and we want to keep down the background noise, so everybody will automatically be muted. However, we encourage questions so, if you do have any, then please use the control panel, there’s a little question tab you can type in your question, and I will see them and respond to them probably towards the end of the webinar.

So, with that we’re going to get started. Again, we appreciate everyone taking the time today to listen to what we have to say and learn about our product, and learn about some of the new features. If you’re on here and you’re an existing customer, that you’ll learn a little bit about one of our new features. So, today we’re going to be talking a lot about security, that’s really the focus of this presentation. NetFlow in general, and CySight in particular can do a lot of things with the data that we have, and one of those things is really focused on being able to identify security threats to your network.

This is obviously very important, right? I mean you literally cannot go a day anymore without hearing of some company, some organization out there that’s been attacked or that has been infiltrated. I was reading about a hospital system recently that was held up by a Ransomware company, and actually had to pay money to unlock their files and this is not a home user, this is not a person who opened up the wrong email and their desktop got under attack or held for ransom. This is a legitimate hospital organization that had that happened to them and so, it really underscores the pervasiveness of these kinds of attacks.

Crawlers, botnets, Ransomware, they’re finding new ways to cause denial of service attacks and other kinds of attacks that can put your business or organization at an extremely high risk and, your network could be used to download or host illicit materials, leak intellectual property. That’s another thing that we’ve seen, this sort of cybercrime. Intellectual property cybercrime where it’s not that they’re just trying to bring down your site or bring down your network, but they’re actually trying to take intellectual property out and again, either hold it for ransom or just sell it or whatever it may be. So, this is certainly an important topic.

There are a number of major challenges for security teams to try and figure out what’s going on and how to lock down that network. The sophistication of the cybercrime organizations out there is just growing and growing. They’re always seemingly one step ahead of the for-profit companies that are trying to block them; the anti-virus companies, firewall companies and so forth. The growing complexity of the infrastructure is making it more difficult, there’s not a single point of entry and exit anymore. You’ve got BYOD, you’ve got lots of wireless, you’ve got VPNs, cloud-based services, you’ve got all kinds of things that people are using today. So it’s not just a lock it down at the firewall and we’re good, it’s really all over the place, and you need to be able to look at the traffic to understand what’s going on.

Of course, it’s very difficult or can be very difficult to retain and analyze that network transaction data across a big organization. Again, you have lots of lots of systems, lots of points of entry and exit, and it can be a challenge to really be able to collect all of that data and be able to use it. Because of that, because of the highly complicated and complex nature of networks, we’ve got this graphic here that talks about the really scary things that are out there. About do you know where things are happening? Do you…? You have certain aspects that you know and that you maybe know that you don’t know, but the really scary stuff is when you don’t know what you don’t know, right? It’s happening or could be happening and you have no idea, and you don’t even know that you should be looking at that, or could be looking at that data to try and understand what’s going on.

But in fact, products like ours and technologies like ours, allow you to, or allow a system to be watching for those unknown unknowns all the time. So, it’s not something that you wake up in the morning and say, “I’m going to go, look at this.” It’s actually happening in the background and looking for you. That machine learning capability is really what makes the new level of systems like ours trying… you know being able to catch up with the sophistication of the attack profiles out there.

When there is an attack or when there is a detection of something, then Incident Response Teams always have to look at that communications component, right? So, they’re going to look at hardware, they’re going to look at software, but they also have to look at the communications. They have to look at historical behavior, they have to look to see if there’s been data breaches, they have to look to see if there’s been internal threats.

There is a certain percentage, depending on who you talk to, 30%, 35%, 40% of data breaches happen from the inside out. So, these are internal employees who have access to something that they shouldn’t, and they email that out or they otherwise try to get that data out of the network. Of course, there’s the external threats from bad actors, those malicious types that are probing, probing, probing trying to find holes to get in and do whatever, the nefarious things that they’re trying to do.

So, being able to have some insight into the nature of how those systems, all of your systems communicate with each other and how they have communicated is critical. It’s really about being able to go from the blind area into a much more aware and certain area, right? So, do you really have… and thinking about, do you really have visibility in terms of what’s going on inside your network, because if you don’t, that can certainly hurt you.

The way we look at it, there’s the very basic things that virtually everybody has. Everybody has a firewall, most people have virus protection on their desktops. That sort of blocking and tackling, very basic prevention at the edge of a network is only a piece, right? It is not the most effective place anymore. You have to have it, we certainly wouldn’t tell you not to have it, but if you really want to move to a defense in depth, then it’s more than just trying to put up a blocking of things coming in. It’s being able to look at the live traffic and see what’s happening and identify if there are threats going on that got through. If something gets through the defenses that you have, how can you then further identify that it has happened and what’s going on? If you just think, “Well, I’ve got this firewall and I got my rules setup and I’m good, nothing can ever touch me,” and don’t look any further, then you’re really setting yourself up for a failure.

So, the way we approach the problem as a piece of this overall security landscape, is through the use of NetFlow information. So, NetFlow’s been around for a long time, it’s a quite a mature technology. But the great thing about it is, it’s continually even further maturing as we go on. What used to be sort of a traffic accounting product only, that was based on data coming from core routers and switches, has now been extended out to other systems in the network. Things like wireless LAN controllers, cloud servers, firewalls themselves. You can get the data from taps and probes that collect passively information about data traffic, and then turn that into a NetFlow export that can be sent to us that we can read.

Virtually every vendor… certainly every major vendor out there supports Flow in some way … Cisco of course is NetFlow and we use the term NetFlow to generically mean all of the various Flow types out there.  Jflow from Juniper, anything that’s IPFIX compatible as the standard, and some of the other kind of specialized versions of Flow, if you will. But all of them have the common theme that they’re going to look at that traffic and they’re going to be able to send that metadata to a collector like ours and then we can use that information intelligently to help both give you and allow you to report on and look deeply into the data, but also, and what we’re going to be talking about today, is really using that intelligence that’s built into the product to be able to identify threats, look at anomalies. Not just show you who your top talkers were, but actually say, “Hey, look. We’ve identified people that are communicating to known bad actors out there,” or, “We’ve seen an unusual bit of behavior in traffic between here and there, and this is something that really needs to be investigated.”

Talking about more of the specifics about how we do that. There’s two major pieces we’re going to be focusing on today. The first one is Anomaly Detection. Anomaly Detection for us means that we can baseline your network and the traffic on your network across a number of different dimensions. There’s actually quite a few metrics that we’re watching, some of the ones you could see below like flows, and packets, and bytes, and bits per second, packet size, it can be flags, it can be counts it can be all kinds of different metrics, and we can baseline each of them over time, across all of your interfaces or potentially even other aspects. So, it could be a specific conversation or a specific application, but at its most basic level through all of your interfaces to understand what is normal and what is normal activity for that time of day, that day of the week from those devices or whatever it may be.

Then of course, once we know what is normal, we can detect any activity that deviates from that normal baseline, right? This gives you a really great way of watching traffic 24/7 for things that you wouldn’t potentially pick up if you were just you know kind of eyeballing it if you will, or waiting certainly for someone to contact you and say there’s a problem. So, the statistical power of an application to be doing this behind the scenes and running all the time, and noticing things that you wouldn’t notice in the middle of the night, is incredibly useful for this sort of thing and then when we do detect an anomaly, we move into phase two as we call it, into diagnostics? So, diagnostics says, “Okay, there’s been some anomaly that has been detected, let’s look at this. Let’s figure out what’s going on here. We then kick off this diagnostic approach, which qualifies the cause and impact for each offending behavior breach. We’re looking it for KPIs that are specific to things like DOS attacks or scanners or sweepers or peer-to-peer activity. We roll all of that information up into a single ticket so to speak, for you on a screen that you can very easily look at and understand exactly what’s going on. When did it happen? Where did it happen? What was involved? What baseline was breached? What does that mean? What could that possibly be?

You can also do of course advance things like intelligent whitelisting. You can send the information out of our system up to another system that you may have, like an ITSM or trouble ticket system, via SNMP and via email and so forth. So, really this again this is the intelligent piece of the product with machine learning as its background. So it’s doing this whether you’re watching it or not. It’s looking for those baseline breaches and then when we see them, it’s really coordinating all of the information about what happened into a single easy-to-use place, which you can then drill down into using all of our standard features to try and identify other things that are happening or where do you need to go next.

Anomaly Detection or NBAD as you may hear us talk about it, has been in the product for a number of years now. So, that’s not something new, it’s continually being improved, and it’s a wonderful piece of the product, and it’s been there for a while.

The new thing that we have introduced and are introducing is what we call our Endpoint Threat Detection. So this is another module added onto the product that adds additional security capabilities while still utilizing all of the things that you typically utilize. So we’re still taking the data from NetFlow information but now we are applying to that information other outside data sources that we have, basically using some big data threat feeds collated from multiple sources that you can match up to or coordinate with the information about your traffic.

So, I’ve got information about my traffic, I’ve had that. Now, I’ve got information about what is bad in the world and in real time, where known bad actors, known bad IP addresses, Ransomware, malware, DDoS attacks, Tor and so forth are coming from and then looking at the two of them and saying, “Are any of my people talking to those things?” At the very most basic level that’s what we’re looking for, right? So, it’s things global in terms of getting all of these feeds and using pattern matching, and Anomaly Detection and so forth, and then it’s acting very local against the traffic that you have in your network.

This capability of having network connection logging or NetFlow, just as everybody in the industry agrees, is one of the best places that you can get this data. It’s almost impossible to get the kind of granular level of information from any other source. Especially if you are held to any sort of standard in terms of retention or policies around not being able to look directly into the data. If you’ve got compliance requirements that say, “Hey, I can’t store my customers’ data.” That is fine with NetFlow because NetFlow is not looking inside the packets; it’s looking at the metadata. Who’s talking to whom, and when are they doing it, and how much talking are they doing and so forth. But it’s not actually reading an e-mail or anything inside of that. So, you’re not going to run into a foul of any of those regulatory problems, but you’re still able to get a huge amount of benefit from a network investigation using that data.

It’s important that even without content, NetFlow provides an excellent means of guiding that investigation because there’s still so much data there. As it’s called in our world, metadata – Data about the data! There’s still so much information there. But what’s great also is that, you don’t have to retain content… unlike let’s say a probe or other type of system that is collecting every bit and byte. You run into problems there too, they’re expensive, and you run into storage requirements trying to store historically every conversation including the data, over a long period of time is just incredibly expensive and incredibly unwieldy to do. The amount of storage you have to have to be able to do that, and the difficulty in quickly and effectively retrieving that information and searching for things, just becomes next to impossible. But when you can still get the same benefit of what you need to look at from a security standpoint without those complications of price and just the logistics of handling it all, you end up with having a really valuable product and that’s what NetFlow can give to you.

So, with our Endpoint threat Detection, I’ve got a few screens here that can really dive down into what it looks like and how it works. Again, we’ve got these big data feeds of threat information out there in the world, collected from various sources, and honeypots and so forth and we’re continuously then monitoring for communications with those IPs of poor reputation. So, you’ve got your communication that we can see because of NetFlow, and you’ve got these known bad actors out there that we know about. We can match up those two pieces of information and when we do it, we’re not just saying it happened, but we’re giving you much more detail about it happening. So, if we kind of zoom in here a little bit, threat data can be seen in summary or in detail. We’ve got a categorization of what’s happening and different threat types. So, I can see this is a peer-to-peer kind of thing, is this known malware, is it Tor, is it an FTP or an SSH attacker? What kind of thing is happening from or on these known bad IP address?

So, from a high of macro level you can see what the threat categories are and what the threat types are and then of course, you can drill down using the standard CySight tools to investigate them and provide complete visibility into that threat. So, now I’ve seen it, I have traffic that’s been identified as a threat. I can use our drill down, right-click, or however you want to do it capability. In this case we’re showing a right-click on threat detection and saying show me the affected IP addresses. I want to know, let’s drill down and see in this case on Ransomware, command and control Ransomware what the infected IP addresses are and then you’re going to get into the individual affected IPs, the threat IP where it’s coming from and, how much traffic was done?

These are Ransomware-type attacks, and I can see this is happening in my network at this period of time and I can even then of course change the view to be a time view. When did this start? Has this been a long-lived thing that’s been going on over a period of time where it’s been sucking information out of my organization, or did this pop off and go away? And if it did, when did that happen? All of that kind of deep level investigation is something that you can get using all of the normal tools that we have. You can get this deep dive investigation of traffic for regular traffic. Not just malicious traffic, but just using our tool for what I’ll call normal traffic accounting. Who is talking to who and when, is all available to you and more now with the threat detection features.

So, we’re watching for those threats, we’ve identified them and then using all of the common things that you’re used to using if you’re already a customer of ours, being able to identify or drill down into that data and provide those reports when you want to see it.

Here’s another example: let’s look at threat-port usage over the last few hours. So, it’s may be a couple hour time frame and I can see specifically which ports, which protocols have been detected as potential threats. What kind of threats, of course again how much traffic did they use? How long has this gone on for, and so forth. So, you can in fact in this case, know that increasing Tor usage. That we’ve highlighted in yellow and green … but you can also notice it’s been this continual botnet chatter, this red line. It’s just been going on and on forever, and that’s obviously something that needs to be absolutely looked into. It might be very difficult to find this in any other way, it’s just ongoing background chatter that’s been happening. It may not spike to anything that’s incredibly large that would set off a threshold alert, or maybe not even set off an anomaly alert. But, we’ve identified this is being definitely an issue because it’s communicating to something that we know is bad out there.

Of course you have all of the common reporting type tools. So, you can automate those threats, I want a threat report every hour emailed to me, or every day, or whatever makes sense or a roll up report every month to provide to management to say, okay, over the last 30 days, here are all the threats that were identified as happening in our network, and then here’s what’s been remediated, here’s what we’ve blocked, here’s what we’ve stopped, here’s what we’ve fixed, here’s what we’ve cleaned up kind of thing and all of those reports that look good and can be scheduled in a great for both live use and for management, are part of and parcel of the product that we’ve been delivering for over a decade now.

As well as those deep dive threats forensics. So the high level reports are good for some people but the deep dive of course reports are important for other people and that’s something that we can give you because we store an archive all of this flow information, it’s not just the top 100, or the top 500, it’s the top 5,000 or 10,000 or every single Flow using our compliance version. The compliance version store has the ability to store all of those flows all the time for you to pull up and review may not have been yesterday, it may have been last week or last month or six months ago or whenever. You can still drill in, you can still see every individual flow in terms of IPs, source and destination and ports and protocols interfaces and all of that kind of information. It gives you that super granular capability that you’re just not going to find anywhere else.

We also try to give you different viewpoints; we’re very big on flexibility in terms of giving you an easy-to-understand way of looking at the traffic. Some people like to view numbers and other people like to view pictures, and there’s lots of ways that we can show that data to you. The visualization capability is outstanding within our product and one of the ways that that can be really useful. We’ve got this example here of a Tor correlation attack. So, it’s de-anonymizing Tor is a difficult but super important issue within the world of identifying Tor, and so for us, when we see that there has been Tor traffic we can build this visualization and we can see all the different places that that Tor traffic has hopped to within your network or in and out of your network and that really gives you a way to get in and say, “Okay, I need to look here, I need to stop at here, I need to stop at there.” From a service provider perspective, this can be a really, really useful example of what we can do in the power of our product.

So with the last few minutes here, I know we’re getting close to the time frame, but we do want to talk about the many options you have in terms of our scalable architecture. Whether you are small or mid-size organization, or very, very large organization, we have a way of delivering our product to you. It could be in a single standalone environment with a single database and single software installation, it could be as you grow and maybe you have various components of traffic that are disseminated globally, and you need local collection, we can do that. So, we can offer split off collectors or helper collectors that communicate up to a single master database or we can even do multi-site server, multi-database hierarchical architecture for really, really massively scaled organizations. So, no matter who you are, if you’re listening to this, if you’re just small organization with one site and a few devices, or a massively global corporation with thousands of devices and data traversing it in many different areas, we can fit your organization and we can architect a solution that is right for you.

We’ve got a number of exciting features one of the great things about us is that, we never stop developing and we never stop investigating what the best things are to add to the product. We’ve got some really cool enhancements coming on, all things that people have asked about or have inquired about, or we’ve decided to build on our own and we love talking to our customers.

Our best source of future development is request from our customers. So, anything that you can think of I can’t guarantee that that our team will do it, but I can certainly guarantee you that we’ll listen to you and we’ll think about it and we’ll do our absolute best to solve whatever issue you may have and because of our commitment to our customers and our willingness to listen to them, we really have built up a wonderful group of customers. You can see a few of their logos on the screen here again, everything from traditional organizations enterprises to service providers, educational institutions, Telco’s, whatever it may be, we can handle it and we’d love if you’re not already a customer of ours, but you’re listening to this webinar, certainly we’d love to have your logo on this list in the future and we feel like once you get to working with us and really get used to our product, you’re going to be super thrilled about how we do things. What we offer to you and the support we provide to you.

So, with that I think we’re at the end of the presentation, almost exactly right on time here, about 30 minutes. So, I want to thank everyone for taking the time to join today, as always it does not look like we have… I’m just looking. Does not look like we have any questions right now, so, if you do have any now would be the time to type them in. But if not, we just want to thank you for joining us today. This presentation has been recorded and will be available to any of the folks who registered, and it’ll eventually make it up into the website. So, please check it out. Also please check out our website for other information about future webinars or other documentation that we have, there’s a lot of good resources up there and we invite you to take a look at those and certainly if you have any questions to reach out to us either to the sales team or the support or engineering team depending on what you’re interested in.

So, with that, I’ll end the session and I look forward to speaking with all of you at some point in the future.

Thanks.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

The Internet of Things (IoT) – pushing network monitoring to its limits

In the age of the Internet of Things (IoT), billions of connected devices – estimated at 20 billion by the year 2020 – are set to permeate virtually every aspect of daily life and industry. Sensors that track human movement in times of natural disasters, kitchen appliances reminding us to top up on food supplies and even military implementations such as situational awareness in wartime are just a few examples of IoT in action.

Exciting as these times may be, they also highlight a new set of risk factors for Security Specialists who need to answer the call for more vigorous, robust and proactive security solutions. Considerations around security monitoring and management are set to expand far beyond today’s norms as entry points, data volumes and connected hardware multiply at increasing rates in the age of hyper-interconnectedness.

Security monitoring will need to take a more preemptive stance in the age of IoT

With next-generation smart products being used in industries such as utilities, manufacturing, transportation, insurance, and logistics, networks will become exposed to new security vulnerabilities as IoT and enterprises intersect. Smart devices connected to the enterprise can easily act as a bridge to the network, potentially exposing organizations’ information assets. Apply this scenario to a world where virtually every device can communicate with the network from practically anywhere, and the need for more forward-thinking security monitoring becomes apparent. Device-to-device communications will need stronger encryption and ways for network teams to monitor and understand communications, behavior and data patterns. With more “unmanned” computers, appliances and devices coming on-line, understanding new network anomalies will be a challenge.

Networks will become far more heterogeneous

Embedded firmware, operating systems, shorter life-cycles, expanding capabilities and security considerations unique to IoT devices, will make networks far more complex and expansive than what they are today. IoT will hasten more heterogeneous environments, which security teams must be prepared for. The device influx will also drive IPv6 adoption and introduce new protocols. According to Technology.org, “Enterprises will have to look for solutions capable of guarding data gateways in IoT devices using tailored protocol filters and policy capabilities. Besides, regular security updates and patches will become integral to product lifecycle to eliminate every possibility of a compromise.”  This will increase reliance on technologies such as granular Netflow collection that provides forensics and anomaly detection, which offers enterprises, trusted security solutions that are both easily deployed and capable of evolving organically alongside new technologies as they are introduced to environments.

IoT will introduce new types of data into the enterprise

Traffic signal systems, power stations, water sanitation plants and other services vital to society are all incorporating IoT to some degree. Device security in a physical and non-physical context will be important as enterprises need to look at ways of preventing unauthorized entry into the network. Gartner asserts that, “IoT objects possess the ability to change the state of the environment around them, or even their own state (for example, by raising the temperature of a room automatically once a sensor has determined it is too cold, or by adjusting the flow of fluids to a patient in a hospital bed based on information about the patient’s medical records)”.

Considering the risk to human life inherent in hacks into systems of this nature, the level of monitoring and surveillance for compliance is becoming more pertinent each day as these kinds of threats are starting to occur. This will place a high demand on end-point security solutions to be both timely and accurate in its correlation of network data to give Security Teams the needed granularity to provide context around current and evolving risks.

The now infamous Chrysler hack is a primary example of the potentialities of IoT-based breaches and the threats they pose to human safety.

The role of Netflow in forearming the enterprise in the age of IoT

Monitoring systems will be required to identify, categorize and alert Network Operations Centers (NOCs) on a plethora of new datasets, demanding big data capabilities from their network monitoring solutions. NetFlow, if used correctly, can offer an opportunity to provide enterprises with substantial intelligence and an early warning mechanism to assist them in managing the steady move toward IoT and take a forearmed stance in security operations. Netflow’s ability to match to the scale at which the enterprise will grow means NOCs will neutralize the threat of being overwhelmed in a deluge of devices that will generate volumes of data that require around the clock monitoring.

They can achieve deep visibility – central to security in an IoT world – with a NetFlow monitoring, reporting and analysis tool that provides the ability to perform deep security forensics and intelligent baselining, anomaly detection, diagnostics and endpoint threat detection. NetFlow end-point solutions speak to the changing needs of the large environments by reducing Mean Time to Know (MTTK), which in turn shrinks Mean Time to Repair and Resolve (MTTR).

For more information on how CySight is helping organizations build comprehensive network security, performance and management solutions, contact us, or download a free copy of our guide on 8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health.

 8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health

How to Achieve Security and Data Retention Compliance Obligations with Predictive AI Cyber Flow Analytics

Information retention, protection and data compliance demands are an important concern for modern organizations. And with data being generated at staggering rates and new entry points to networks (mobile devices, wireless network, etc.) adding their own levels of complexity, adherence to compliance obligations can prove challenging. In addition, when considering high profile network hacks such as the Sony, Dropbox and Target intrusions, it quickly becomes clear that no organization is immune to the possibility of having their systems compromised. This backdrop demonstrates the importance of finding a suitable network monitoring solution that is able to navigate the tightrope between meeting regulatory requirements without placing too much strain on hardware resources.

In this blog we’ll touch on two of these regulatory standards: the Health Insurance Portability and Accountability Act (HIPAA) and Supervisory Control and Data Acquisition (SCADA), and look at how Network Specialists can leverage NetFlow’s ability to provide insightful metrics that aid in the building of a water-tight security apparatus.

NetFlow and HIPAA

Few have greater concerns around information privacy than the health care industry. If compromised, medical records containing patients’ sensitive information can lead to disaster for both health care organizations and individuals. The Privacy Rule, as stipulated by HIPAA, addresses the data retention compliance and protection measures expected of health care organizations to ensure critical patient records remain safe, uncompromised and reliable.

One of these protection measures is the continuous monitoring of information systems to prevent security breaches or unintended exposure of information to the wrong people. NetFlow is ideal for monitoring and enforcing security by giving detailed insight into both local, inbound and outbound traffic. It also allows you to easily identify the nature of the traffic and see how traffic flows between devices as it traverses your environment.

NetFlow’s ability to detect and report on anomalies through analysis by a NetFlow analyzer can give health care organizations unmatched network visibility and data granularity. Its availability on most networking devices makes it ideal for deployment in and monitoring of large-scale environments such as hospitals and other health care facilities. Also, flow exports to NetFlow analyzers are comparatively lightweight, which makes it possible for organizations to collect and store network audit data for extended periods of time.

NetFlow and SCADA

SCADA is a standard that facilitates communication channels between remote equipment as a means to control their functions. Examples of SCADA at work are remote management of Heating Ventilation and Air Conditioning (HVAC) systems, industrial equipment and Closed Circuit Television systems. SCADA is a type of industrial control system (ICS). Security around SCADA-enabled systems are paramount to human safety, as typical utilization of SCADA include sewerage systems, power plant and water treatment facilities. Also, these management systems typically communicate via the Internet, making them vulnerable to hackers who may seek to use them as entry points into corporate networks.

NetFlow provides built-in support for SCADA and facilitates real-time monitoring and management of communication between remote devices, making it possible to take corrective action on-the-fly if needs be. It also enables users to make operational decisions based on both real-time and historic data that gives context to anomalies and events as they occur. Users are also able to perform functions remotely without visiting sites to perform updates and other maintenance tasks. By providing detailed and up-to-date information on business-critical systems, NetFlow is enabling businesses to be more proactive in the monitoring, management and maintenance of remote devices and systems.

Employing the right NetFlow reporting tool is key to manage compliance obligations

The missing link in leveraging the power of NetFlow in data retention and protection efforts is a powerful, comprehensive and robust NetFlow reporting tool. When considering your regulatory obligations, ensure that your choice of NetFlow reporting tool gives you the detailed, granular and contextual information you need to make insightful, data-driven decisions around the security, integrity and stability of your information assets.

8 Keys to Understanding NetFlow for Network Security, Performance & Overall IT Health