It’s hard not to be overwhelmed by the variety of security devices that organizations can purchase these days, such as firewalls, intrusion detection devices, and more. However, enterprise organizations often overlook one relatively inexpensive yet valuable tool they already have. Luckily, I have the opportunity to ask enterprise clients whether they collect flow (e.g., Cisco NetFlow) records from devices in their internal environment. These clients often respond that they do. When I probe further by asking how they use the flow records, most of the responses are, “For application performance analysis.” While application performance analysis is a necessary function, one must realize the security benefit of examining flow data as well.
Network Behavior Analysis (NBA) technology helps organizations profile their internal network behavior patterns in order to detect and stop suspicious activity on corporate networks in a timely manner, possibly preventing serious damage from an attack. NBA is designed to give information security teams a level of visibility that allows real-time identification of and response to security threats. While flow analysis is the typical way NBA products collect data, some products also perform packet analysis via customer premises equipment (CPE) in addition to flow analysis.
Analyzing flow data has many benefits:
1) It allows organizations to “cast a wider net” – Purchasing and managing traditional security devices such as firewalls and intrusion detection devices typically costs more than flow analysis. It’s important to note that the layer 1-7 security analysis provided by traditional devices has value; however, many progressive organizations use NBA in areas where budget precludes deploying such devices, or to supplement their traditional device strategy. Many devices such as routers and switches can enable flow record generation with minimal effort.
2) Network profiling – Many of the NBA tools on the market today can profile typical networking patterns and report significant deviations for further investigation. An example would be a host that is scanning in a suspicious manner.
3) Signature analysis in addition to behavior analysis – Many of the NBA offerings on the market today provide additional intelligence that traditional security devices may not. For example, a user may be communicating with a known phishing site or a DDoS command-and-control server; traditional security devices may not have the capability to recognize this.
4) Whitelisting ability – Many of the NBA offerings can catalog applications and servers, which often proves valuable. For example, let’s assume that a user within the organization became infected with malware that created an SMTP engine and generated spam. In this case, a rule could be established that flags email traffic which does not originate from the organization’s SMTP server as a security violation. Once it is identified, the organization’s incident response process can quickly remediate the infected host. Other server types such as DNS and DHCP can be whitelisted too, so unauthorized server activity can be stopped very quickly.
5) SIEM interoperability – Many organizations are quickly recognizing the value of installing a SIEM in their environment, either self-managed or through an MSSP. Alerts from a flow analysis engine can be prioritized and reported to the SIEM, typically via syslog.
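To make points 2), 4) and 5) concrete, here is an added example (not code from the article or from any NBA product) that runs two checks over a constructed set of NetFlow-style records: a scan profile that flags a source whose many tiny flows fan out across destinations or ports, and a whitelist rule that flags outbound SMTP from any internal host other than the mail server. Each alert is then rendered as an RFC 5424 syslog line for forwarding to a SIEM. The `Flow` record layout, the addresses, the thresholds, the authorized SMTP server `10.1.5.7` and the `10.` internal prefix are all assumptions made for the example.

```python
"""Scan profiling, SMTP whitelisting and syslog export over NetFlow-style
records. Constructed example; record layout, thresholds and addresses are
assumptions, not values from any real exporter or product."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Reduced flow record: the 5-tuple fields plus counters the checks need."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


# Constructed sample flows, as a NetFlow v5/v9 exporter on an internal
# switch might summarize them (one record per unidirectional flow).
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.1.2.5", "tcp", 443, 40, 52000),   # normal HTTPS
    Flow("10.1.1.20", "10.1.2.6", "tcp", 443, 35, 48000),
    Flow("10.1.5.7", "10.1.2.10", "tcp", 25, 12, 3000),     # the mail server relaying
    # one host touching 30 addresses on 445, then 7 ports on one address,
    # every flow a single packet: the classic scan shape
    *[Flow("10.1.1.99", f"10.1.3.{i}", "tcp", 445, 1, 60) for i in range(1, 31)],
    *[Flow("10.1.1.99", "10.1.3.40", "tcp", p, 1, 60) for p in (21, 22, 23, 80, 135, 139, 3389)],
    # a workstation talking SMTP directly to outside hosts (spam engine)
    Flow("10.1.1.42", "203.0.113.10", "tcp", 25, 8, 2000),
    Flow("10.1.1.42", "198.51.100.7", "tcp", 25, 9, 2100),
]

AUTHORIZED_SMTP = {"10.1.5.7"}   # assumed: the organization's only mail server
LOCAL_PREFIX = "10."             # assumed: internal address space


def scan_profile(flows, dest_threshold=20, port_threshold=5, max_packets=2):
    """Return {src: stats} for sources whose short flows (<= max_packets)
    reach >= dest_threshold distinct hosts or >= port_threshold distinct
    ports on a single host. Thresholds are assumed tuning values."""
    dests = defaultdict(set)
    ports_by_dst = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.packets <= max_packets:
            dests[f.src].add(f.dst)
            ports_by_dst[f.src][f.dst].add(f.dport)
    alerts = {}
    for src, dst_set in dests.items():
        n_dst = len(dst_set)
        n_port = max(len(p) for p in ports_by_dst[src].values())
        if n_dst >= dest_threshold or n_port >= port_threshold:
            alerts[src] = {"distinct_dsts": n_dst, "max_ports_one_dst": n_port}
    return alerts


def smtp_whitelist(flows, authorized=AUTHORIZED_SMTP):
    """Return internal sources sending TCP/25 that are not the whitelisted mail server."""
    return sorted({
        f.src for f in flows
        if f.proto == "tcp" and f.dport == 25
        and f.src.startswith(LOCAL_PREFIX) and f.src not in authorized
    })


def to_syslog(alert_type, host, detail, hostname="nba-engine"):
    """RFC 5424 line: PRI 132 = facility local0 (16) * 8 + severity warning (4).
    The timestamp is fixed so the output is reproducible; a real engine would
    use the current time."""
    ts = "2024-01-01T00:00:00Z"
    return f"<132>1 {ts} {hostname} nba - {alert_type} - host={host} {detail}"


def run(flows=SAMPLE_FLOWS):
    """Run both checks and return the syslog lines a SIEM would receive."""
    lines = []
    for src, stats in scan_profile(flows).items():
        lines.append(to_syslog("SCAN", src,
                               f"dsts={stats['distinct_dsts']} ports={stats['max_ports_one_dst']}"))
    for src in smtp_whitelist(flows):
        lines.append(to_syslog("SMTP_UNAUTHORIZED", src, "dport=25 not_in_whitelist"))
    return lines


if __name__ == "__main__":
    for line in run():
        print(line)
```

The scan check deliberately ignores long flows (`packets > max_packets`), so a busy but legitimate client such as `10.1.1.20` is never counted, while the mail server's own outbound SMTP passes the whitelist because its address is in `AUTHORIZED_SMTP`; the only alerts produced are for `10.1.1.99` (31 destinations, 7 ports on one host) and `10.1.1.42`.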
It’s unfortunate that many (up to approximately 80%) of the clients I speak to do collect flow records but do not capitalize on the significant amount of security information they can provide. Best of all, many of these analysis services are cloud based and require minimal capital expense while significantly increasing security visibility.