Behaviour monitoring

Using NetFlow for behaviour monitoring

Not all threats, anomalies and malware spread are detectable by traditional log management. Many organisations therefore collect traffic information to understand and monitor data flows between systems across the network. Historically, and still today, packet capture (PCAP) has been used to see flows between systems. PCAP is a very useful network engineering tool, but it has some major problems:

  1. It only sees data passing across the capture point – so it can miss significant areas of the network
  2. Since it captures all of the data, moving it to where it can be analysed takes a huge amount of bandwidth
  3. This also means you need large amounts of disk to store the captured data
  4. Since the PCAP contains the actual data (payloads), it must itself be secured

Fortunately, Cisco developed NetFlow* and donated it to the community (as IPFIX); it is now implemented in most business-class network equipment and overcomes all of the issues above.

NetFlow allows administrators to automate monitoring of the behaviour of devices connected to a network. It gives insight into network abuse and anomalies that may represent a threat – such as malware spreading between systems or users attempting to access known malware sites – and provides early indication of hacks and data breaches.

What the standards say

Sub category: DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

Framework references:

  • CIS CSC 1, 4, 6, 12, 13, 15, 16
  • COBIT 5 DSS03.01
  • ISA 62443-2-1:2009 4.4.3.3
  • ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
  • NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

Why use NetFlow?

NetFlow and its variants, such as sFlow and IPFIX, allow efficient monitoring of communications between devices across the network. Unlike packet capture (PCAP), which involves collecting traffic via specialised hardware, NetFlow is generally available as standard in most networking equipment today. It can be enabled with a few simple configuration commands and collects data at a fraction of the overhead of PCAP.

NetFlow analysis technologies are readily available, though few – like Rebasoft – offer the detailed analysis capabilities needed for security threat detection, application performance and troubleshooting. Rebasoft’s NetFlow technology – in a specially optimised component called “Application Auditor” – delivers a number of key capabilities:

  • Masquerade hacks – to see if a hacker is using a compromised system as a “stepping off” point to attack other systems
  • Critical device protection – ensures that printers, EPOS and other IoT systems are not compromised
  • Malware worm – detects unusual communications between systems that can indicate malware spreading
  • Botnet/reputation – detects connections or attempted connections to “bad” sites which might host malware or even the command and control systems for an existing malware infection
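The four capabilities above can be expressed as checks over flow records alone, since each needs only who talked to whom, on which port, and how much. The following is an added example written for this page (not Rebasoft's Application Auditor): it runs worm-style fan-out, critical-device initiation, reputation-list and DE.AE-1-style baseline checks over constructed NetFlow-style records. The addresses, the reputation entry, the critical-device list and the baseline are all constructed for the example.

```python
"""Behaviour checks over NetFlow-style flow records (added example, not Rebasoft code).

The records below are constructed by hand to stand in for what a flow collector
would export. Each holds only communication metadata (source, destination, port,
protocol, byte count), never payload, which is all these checks need.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# (src, dst, dst_port, proto, bytes); proto 6 = TCP, 17 = UDP. Constructed sample data.
FLOWS = [
    ("10.1.1.20", "10.1.1.5", 445, 6, 12000),        # normal file-server use
    ("10.1.1.21", "10.1.1.5", 445, 6, 9000),
    ("10.1.1.21", "10.1.1.53", 53, 17, 120),          # DNS to the internal resolver
    # 10.1.1.50 touching SMB on eight different peers with tiny flows: worm-like fan-out
    *[("10.1.1.50", f"10.1.1.{n}", 445, 6, 60) for n in range(2, 10)],
    # a printer initiating an outbound HTTPS flow it never made before
    ("10.1.1.200", "203.0.113.10", 443, 6, 500),
    # a workstation contacting a host on the (constructed) reputation list
    ("10.1.1.21", "198.51.100.7", 8080, 6, 2000),
]

INTERNAL = ip_network("10.1.1.0/24")
CRITICAL_DEVICES = {"10.1.1.200"}   # printers, EPOS, IoT: expected to answer, not initiate
BAD_HOSTS = {"198.51.100.7"}        # constructed reputation list (hypothetical entry)
# DE.AE-1 style baseline of expected (src, dst, dst_port) tuples learned earlier; constructed.
BASELINE = {
    ("10.1.1.20", "10.1.1.5", 445),
    ("10.1.1.21", "10.1.1.5", 445),
    ("10.1.1.21", "10.1.1.53", 53),
}


def worm_fanout(flows, threshold=5):
    """Sources talking to an unusual number of distinct internal peers on one port/protocol.

    Legitimate clients talk to a few servers; a spreading worm touches many peers
    on the same service port. Returns {(src, dst_port, proto): peer_count}.
    """
    peers = defaultdict(set)
    for src, dst, dport, proto, _ in flows:
        if ip_address(dst) in INTERNAL:
            peers[(src, dport, proto)].add(dst)
    return {key: len(p) for key, p in peers.items() if len(p) >= threshold}


def critical_device_initiations(flows, critical=CRITICAL_DEVICES):
    """Flows initiated by a critical device; such devices should only be contacted."""
    return [(s, d, p) for s, d, p, _, _ in flows if s in critical]


def reputation_hits(flows, bad=BAD_HOSTS):
    """Flows towards hosts on the reputation list."""
    return [(s, d, p) for s, d, p, _, _ in flows if d in bad]


def off_baseline(flows, baseline=BASELINE):
    """(src, dst, dst_port) tuples never seen during the baseline period."""
    seen = {(s, d, p) for s, d, p, _, _ in flows}
    return sorted(seen - baseline)


if __name__ == "__main__":
    print("worm fan-out:", worm_fanout(FLOWS))
    print("critical device initiated:", critical_device_initiations(FLOWS))
    print("reputation hits:", reputation_hits(FLOWS))
    print("off baseline:", off_baseline(FLOWS))
```

The fan-out threshold and the baseline are the tuning points in practice: the threshold is set from the peer counts observed during normal operation, and the baseline is rebuilt periodically so that legitimate new servers stop appearing as anomalies.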

Besides the security use cases, Rebasoft’s collected data can help your network teams with:

  • Performance/APM
  • Troubleshooting/alerting

Saving you money on duplicate systems and reducing downtime


* NetFlow is a networking feature that was introduced by Cisco in the 1990s and taken up by many others. It is a standard feature on many network devices and allows NetFlow reporting systems to see communications without needing to perform in-depth packet capture. It can be used for security and network performance monitoring and troubleshooting.

NetFlow captures information about communications without capturing the actual data. This means the flow data to be stored and processed amounts to no more than 1-2% of the monitored traffic volume on the network.
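To make concrete what “information about communications without the actual data” means, here is an added example (not from the page or from Rebasoft) that encodes two constructed flows as a NetFlow v5 export datagram and decodes it again. The field layout is the published NetFlow v5 format; the flows, addresses, byte counts and the exporter parameters (interface indices, uptime, sequence number) are made up for the example.

```python
"""Encode and decode a NetFlow v5 export datagram (added example, not Rebasoft code).

A v5 datagram is a 24-byte header followed by up to 30 fixed 48-byte records.
The record carries addresses, ports, protocol, counters and TCP flags; there is
no payload field at all, which is why flow export is so much smaller than PCAP.
"""
import struct
from ipaddress import IPv4Address

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER = struct.Struct("!HHIIIIBBH")
# v5 flow record, in wire order
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def build_datagram(flows, sys_uptime=60_000, unix_secs=1_700_000_000, seq=0):
    """Encode (src, dst, sport, dport, proto, pkts, octets, tcp_flags) tuples as v5.

    Plays the exporter's role for the example; input/output ifindex, next hop and
    masks are constructed placeholder values.
    """
    header = HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                    pkts, octets, sys_uptime - 5_000, sys_uptime, sport, dport,
                    0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets, flags in flows
    )
    return header + body


def parse_datagram(data):
    """Return the records of a v5 datagram as dicts; reject wrong versions and truncation."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds bytes received")
    records = []
    for i in range(count):
        raw = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return records


def export_overhead(data, records):
    """Bytes of flow export per byte of traffic those records describe."""
    described = sum(r["dOctets"] for r in records)
    return len(data) / described if described else 0.0


# Constructed sample: a 1 MiB SMB transfer and a single SYN to an external host.
SAMPLE = build_datagram([
    ("10.1.1.20", "10.1.1.5", 51000, 445, 6, 800, 1_048_576, 0x18),   # PSH|ACK
    ("10.1.1.21", "198.51.100.7", 52000, 8080, 6, 1, 60, 0x02),        # SYN only
])

if __name__ == "__main__":
    recs = parse_datagram(SAMPLE)
    for rec in recs:
        print(rec["srcaddr"], "->", rec["dstaddr"], "port", rec["dstport"],
              "proto", rec["prot"], "bytes", rec["dOctets"], "flags", hex(rec["tcp_flags"]))
    print(f"{len(SAMPLE)} export bytes describe {sum(r['dOctets'] for r in recs)} traffic bytes "
          f"({export_overhead(SAMPLE, recs):.4%})")
```

The length and version checks matter in a real collector: a truncated or mis-versioned datagram must be dropped rather than decoded into nonsense records, since those records feed the baselines and alerts downstream. A SYN-only record with one packet and 60 bytes is also a reminder that NetFlow reports attempted connections, not just successful ones.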
