FlowTraq > Articles by: Gurdev Sethi

Author: Gurdev Sethi

Keep Your Network Healthy: Five Network Vital Signs to Monitor

Gurdev Sethi
By | November 6, 2015


Vital signs are measurements of the body’s most basic functions. The main vital signs routinely monitored by healthcare providers include body temperature, heart rate, respiration rate, and blood pressure. The first step in diagnosing an illness is to check for changes in your vital signs. What’s most interesting about vital signs is often not their specific value, but the change in value over time for a given patient. If vital signs such as blood pressure or temperature rise, it’s a reliable indicator that further testing may be needed to find the root cause of an impending illness.

The same is true of your enterprise network. There are a number of vital signs that you should monitor, and you need to know what changes to watch for. Here are five key network vital signs you should be monitoring.

1. New Clients and Servers

What to look for: There are lots of servers and clients on your network — and new ones being legitimately added as part of regular business operations. New rogue servers on the network and unexpected clients communicating with those servers could be a sign that something is wrong.
Diagnosis: A new, unknown file server on your network could be a sign that someone is trying to exfiltrate information. A new SubSeven/Back Orifice/SVN server could indicate a backdoor used by a hacker. A new Web server could mean illegal file sharing.

2. Scans

What to look for: Unusual or increased scanning behavior on the network could indicate that your systems
have been compromised and you need to find and stop the perpetrators fast.
Diagnosis: Scanning for open and available services is a common reconnaissance technique used by hackers who have found a way to infiltrate your network. Worms often resort to random scanning to find other systems to spread to.

3. Blacklisted Communications

What to look for: There are a number of hosts that are known to be botnet or malware distribution channels. Any communication within your network to those bad or suspicious hosts likely spells trouble.
Diagnosis: A communication with a known bad host could mean that malware is being downloaded or even that the attacker has already found a way into the network and is establishing additional control and exploits.

4. Volume-based Activity

What to look for: There’s a high volume of traffic flowing through your network pipes on a continuous basis. Unusual increases in network traffic and connections could represent an amplification, SYN flood, smurf/ fraggle, slowloris, Christmas tree, LAND, IP/TCP NULL, or other attack.
Diagnosis: These types of traffic patterns signal a potential in-progress DDoS attack that could take down your systems, so you need to be able to detect, classify, and mitigate them fast.

5. Data Exfiltration

What to look for: Data is routinely accessed and transferred out of your network. Unusually high volumes of data leaving the borders of the network — especially sensitive data such as customer/employee personal information, credit card data, or intellectual property — need to be investigated immediately.
Diagnosis: This could be a sign that someone is stealing data. There has been a data exfiltration epidemic of late. And when, as is too often the case, organizations discover that they have been hemorrhaging sensitive data for years, the financial and reputational fallout can be devastating.

New clients and servers, scans, external communications, and data transfer are all routine events on high-volume enterprise networks. The fact that they are happening isn’t a sign of a problem, just like having a temperature or a heart rate doesn’t mean you are sick — it’s just part of your body’s function. But when those activities change in volume or pattern, much like an elevated temperature or irregular heartbeat, it’s a sign that there could be something wrong. Your network’s vital signs are an early warning system, and monitoring them allows you to quickly identify and address changes so you can keep your network healthy.

Download this tip sheet as a PDF

FlowTraq can help you monitor your network’s vital signs. Try it for yourself – request a free 14-day trial.

Master the Game of Who: Leveraging Network Intelligence and User Activity to Combat Insider Threats

Gurdev Sethi
By | October 15, 2015


Many organizations focus on keeping bad guys out. But, whether you know it or not, there’s bad behavior – both unintentional and intentional – happening within your borders as well.

Whether a breach is caused by carelessness, mischief or major fraud, it’s going to cost you. And once you’ve been breached, speed matters. An intelligent strategy for protecting against insider threats gets you to “whodunit” – as well as what’s happening, how it’s happening, where it’s happening and how to stop it – faster.

In this on-demand session, Dr. Eric Cole of the SANS Institute leads a frank discussion with FlowTraq’s Vince Berk and SpectorSoft’s Mike Tierney about common inside threat scenarios, the phases of a malicious attack and how to quickly detect, mitigate and defend against all types of insider attacks.

Ready to experience FlowTraq for yourself?

Request a product demonstration or start your free trial now! Your security will never be the same.


“I’ll have the lettuce wraps with a side of credit card hacks…”

Gurdev Sethi
By | September 23, 2015


In a Family Guy episode, Peter Griffin lands a TV spot to rant about what “grinds his gears.” Hey, Peter, you know what really grinds my gears? Lettuce wraps. Well, no… not the wraps themselves. (They’re delicious.) What gets me is that during my next visit to PF Chang’s, I may be wondering whether my credit card or personal information is about to be compromised.

Last year, 33 PF Chang locations had their credit-card-processing terminals hacked – and it continued for roughly eight months. Yes – eight months.

If this were an isolated incident, my gears would grind a lot less. But it’s not an isolated incident – not by a long shot.

Target, Staples, United, CVS Photo, Home Depot, Big Fish Games, UPS, Morgan Stanley and (too close to home) Anthem – the one in which I (along with half of New Hampshire) had my personal information stolen. These are all brands that I do business with regularly. And what do I get for their carelessness? A scripted apology from the CEO and a horse-is-already-out-of-the-barn offer for credit monitoring. I also get the uncertainty of who – or what – is now in possession of my personal info. I am not sure I know where it is now – but I knew it was with Staples once. It was with Target. And now, it’s… out there. Is someone else cashing in my miles? Using my credit card? Has someone triangulated a piece of a password so that they can work on breaching my other accounts? Who knows?

And this is by no means a comprehensive list – we also have Office of Personnel Management (OPM), Premera, PR Newswire, and the latest disaster over at Ashley Madison. It’s happening almost every day.

If you think you haven’t been compromised, you’re kidding yourself. Check out this recent feature in the New York Times. This helpful little tool lets you plug in the brands/organizations you’ve interacted with… and spits out how many times it was possible for some creeper on the dark Web to grab your fingerprints, birth date, social security number, financial history or health history.

It feels a little like being followed around by pickpockets.

This is a Plea, Not a Pitch… Promise!

But the thing that really gets me is that this doesn’t have to be our new normal. There are ways – extremely cost-efficient and simple ways – to prevent this from happening.

Quick disclaimer: Yes, I’m a network security guy. Yes, I work at a company that specializes in network traffic detection. So what I’m about to say might sound self-serving. But the “self” I’m serving is the guy who goes out to dinner and books flights online and shops at Home Depot and uses health insurance. It’s “consumer” Larry I’m trying to protect here.

FlowTraq – and other solutions like FlowTraq that provide network traffic monitoring and anomaly detection – offer analysis and protection from these kinds of attacks. Network visibility is cost-effective, it’s scalable, it’s easy to use – and it gives you powerful insight into your network that you absolutely can’t get without it.

Budgets vs. Breaches

Nothing gets me more frustrated than hearing one of these CEOs apologize after the fact – “We’re in business, this is bound to happen occasionally. We weren’t equipped, but we are working toward a solution in the next six months.” Followed by the offer for credit monitoring after the intrusion. Being in the high-tech space and security business, I feel somewhat more aware of potential threats and take precautions as best I can. But, I am particularly worried about my relatives and friends who may easily be duped by hackers, and that gets me aggravated because I expect the companies we all do business with to be more vigilant, invest in the right security tools to block breaches, or at the very least, to identify threats immediately, rather than stumble upon them months after the hack occurred.

I know many of these incidents could have been avoided. There are no more excuses for these organizations – at this point, they need to know better.

We discuss security solutions daily with companies like all of those mentioned above. Too often, however, we hear, “Yes – this is great! We like it. Exactly what we need. But we don’t have budget right now.” Or, “Yes, we’ll see if we can get it approved in the next budget cycle.” I don’t think that is ok. Are the hackers waiting around until next quarter or next fiscal year? Or not already in there wreaking havoc?

The bad guys were on United’s network for a year. And, as I mentioned above, bad guys were cheating lettuce-wrap-lovers for eight months. With network behavior intelligence, you have real-time visibility into what’s happening right now. That means you can detect suspicious data movement, DDoS attacks, botnets, spam relays, zero-day worms, host scans, network scans, DNS amplification attacks, and brute-force attempts – all the time, any time – within seconds.

You see an anomaly? You can instantly see where it’s happening and how long it’s been happening – which is what gives you the power to stop it.

You might think you can’t afford a solution right now – but my question is, can you afford not to have one? If those guys are in your network right now, your organization is pretty much bleeding money at this very moment. Or maybe it’s bleeding intellectual property. Or personal information about your staff, partners and customers. It’s simply not worth waiting to find out…

Modern Technology for Modern Threats

Here’s where I’m going to make a case for using a software solution vs. hardware. We talk with a lot of network security ops teams. They’re typically small – maybe 10, 20 or 30 people serving an enterprise of thousands of users – and they’re generally not getting a lot of budget. If they’ve invested in physical solutions, they’re under pressure to make them last – they’re forced to treat security like a capital investment.

There’s always pressure to keep turnover to a minimum – but that’s not how security works. The life expectancy of a security appliance isn’t the same as the life expectancy of a piece of manufacturing equipment. If you’re lucky, you can get 18 months out of it.

You can bet that hackers are using the most cutting-edge tech out there. If you’re going to stand a chance against them, you have to have systems that let you detect and protect in real time, so you can be reactive and keep up with the increasing speed – and sinister characters – of the Internet.

Some Parting Tips…

We hear it all the time from customers: “I wouldn’t have seen [NEFARIOUS THREAT] without FlowTraq.” And “I have visibility that I’ve never had before.”

Network visibility is a game changer for security practitioners – and it should be a key part of your security infrastructure. Here’s what I recommend:

  • Be practical about the tool you pick (even if it’s not FlowTraq, though I highly recommend it…).
  • Don’t spend a fortune on it.
  • Deploy it as software so that you know it’ll be fast, it’ll stay current, it’ll be easy to integrate with whatever you currently have in place, and it’ll scale.
  • At the end of the day, I’m still going to get the lettuce wraps. But every time I flip my card out, I’m always going to wonder if that’s the day that my info gets exposed (again). And it doesn’t have to be that way.

    Impostors, Rogue Users, And Other Unwelcome Guests On Your Network

    Gurdev Sethi
    By | September 22, 2015


    We recently partnered with Dark Reading and SpectorSoft for this webcast that goes deep into the world of insider threats.

    Today’s cyber criminals have one dream: to navigate your enterprise’s network like a privileged user. Unfortunately for your business, there is a growing number of exploits that enable these criminals to do just that. And once they’re in, it can be hard to tell them from legitimate end users.

    How do you know when an impostor is on your network? What tools and techniques do they use to gain user credentials and capabilities? More importantly, how can you detect unauthorized users and lock them out – before they steal your data?

    In this on-demand webcast, a panel of network security experts (including our very own Vince Berk) discusses the methods that attackers use to assume a trusted identity on enterprise networks, and how they behave once they gain access. The panel also offers tips and best practices for identifying behaviors and actions that might tip off a malicious user – and enable you to stop them before they can exfiltrate sensitive information.

    The on-demand session is available for viewing on the Dark Reading site.

    Cisco Router Hack: It’s All About the Blind Spots

    Gurdev Sethi
    By | September 17, 2015


    A Cisco router hack – yet another network security breach – is in the news. Attackers replaced Cisco firmware to take control of the routed network traffic, possibly rendering it invisible to threat detection.

    When I read about breaches like this, I often turn to our security experts, and ask: “Can this be detected? Can we see this type of threat?”

    Usually our guys say yes and then explain how certain filters, detectors and behavior patterns shine a spotlight on network traffic that deserves a closer look. Not this time.

    I asked, “What about this Cisco router hack? Can we see that?”

    “No. Hopeless,” said Vince Berk, our co-founder and chief security architect. “If the exploited router is also the device exporting the NetFlow, there’s little we can do.”

    John Murphy, our senior security engineer, added, “It’s a different animal if your only flow source is the machine that’s been compromised. Once the attacker controls your telemetry, you’re blind.”

    The hope is that the connections to the router are detected before the compromise happens – then security teams stand a chance at catching it before it’s a big problem.

    “It’s like any other traffic to a sensitive device: the trick is making sure that you have your flow sources placed and configured so that they’re reporting on what you need to see. If you’ve done that, we can see the traffic — and any traffic to your router should be investigated, whether it’s an obvious attack or not,” Vince explained.

    According to our experts, this hack is a good one – and a long time coming.

    Cisco really isn’t to blame. Indications are that the firmware was uploaded through stolen user credentials. Once the attacker is in the router, they’ve got control over traffic – including uploading a new firmware, which is the router’s operating system.

    Similar infiltrations have occurred through network printer hacks. Valid credentials are used to upload and modify the firmware to make the printer an active network scanner, then the printer serves as a stepping stone to attack other systems in the network.

    Vince said, “It’s the first time (to my knowledge) that attackers have modified the firmware, as opposed to simply squatting the router and staying put. The port-knocking procedure to gain re-entry is smart, because it doesn’t leave a trace behind and won’t be found by vulnerability scanners. Only the exact right combination of connection requests following a precise sequence and timing will allow the attacker access. It’s next to impossible to find this kind of cause and effect on the network.” 

    What’s the lesson here?

    We should all be very vigilant to any traffic going directly to and from routers – they’re an extremely sensitive point in the network as all traffic passes through.

    This event makes the strongest case for real-time monitoring to closely watch traffic. If your network traffic monitoring tools are watching for unusual traffic or connections on the routers or other network devices before they occur, network blind spots can be avoided, minimizing the risk of vulnerability and data loss.

    10 Security Reports Every Enterprise InfoSec Director Should be Monitoring

    Gurdev Sethi
    By | September 9, 2015


    There’s no shortage of data from the various network security solutions deployed at your organization. How do you wade through it all to find the valuable information that can actually help you keep your enterprise network secure — and alert you when there’s a problem that you need to address? If you’re responsible for the security of your organization’s network and data, here are ten reports that you should be monitoring on a routine basis.

    1. New Services on Sensitive Hosts

    You know which hosts in your organization are sensitive and require extra protection. And you have policies and procedures to ensure that only ports, protocols, and services with validated business needs are running on each system. But you should also proactively monitor the services on those hosts. When a new service starts up — for example, if a workstation starts acting as a file server — that’s an indication that something unusual is going on and you need to know about it.

    2. Successful SSH Connections from Outside the Network

    There’s no doubt that SSH is a useful protocol. But it also comes with risks. In fact, according to a Ponemon institute survey, three out of four enterprises are vulnerable to root-level attacks against their systems due to their failure to secure SSH keys. Organizations need a process to protect SSH keys and passwords from misuse, but because SSH keys can be used to gain access to enterprise systems while remaining hidden, you should also monitor successful SSH connections from outside the network on a regular basis to quickly identify and take action on rogue SSH connections.

    3. Outbound Communication With Bad IPs

    There are lots of known bad or suspicious IP addresses/spaces out there and you want to make sure that your network systems aren’t communicating with them. Monitoring communications — especially outbound communications — with blacklisted systems, will help protect you from those known threats. Blacklists will often contain information about known botnet and malware distribution channels; communication with them is a certain red flag.

    4. Internal Reconnaissance Behavior

    Most organizations monitor lots of reports about their network borders, but there are many ways for an attacker to quickly and quietly become an insider. You should deploy telemetry and watch carefully what happens inside a network. Attackers will often scan for file shares or other local resources to make their way deeper into your organization.

    5. Top External Connectors

    Not all bad IPs are known. You want to be able to identify connections from bad sources even if they aren’t currently on a blacklist. But at any given moment, there will be any number of connections made to an enterprise network, including from external sources. Looking at where there are a large number of external connection attempts — broken down by autonomous system and IP address — can help identify hacker attempts to access the network.

    6. Top External Consumers of Data

    You don’t just want to focus on connections; you also want to look at who’s consuming the data that is traversing the network. Monitoring top external consumers — broken down by country, autonomous system, and IP address — can help identify data exfiltration in process so that you can shut it down quickly, especially when you consider parts and pieces of your network individually, and focus on their external endpoints.

    7. Large and/or Long Outbound Flows

    Network flow traffic provides information about the behavior of applications and systems on the network. Looking at the size, duration, and behavior of outbound flows can also help you identify data exfiltration attempts. Examining the outbound flows by duration and flow size can help you identify any particularly large or long-lived individual flows that could be a sign of a data breach or hacker control channels.

    8. Total Traffic and Connection Volumes on Pipes

    While you do want to monitor traffic and connections between sensitive systems and suspicious external parties, a well-orchestrated DDoS attack could fly under the radar of these views. You also need to monitor total traffic and connection volumes on the pipes that lead to your revenue-generating or other mission- critical assets, such as Web servers, content servers, etc. Visibility deeper into your own networks, as opposed to simply monitoring the border, can help you spot many forms of malicious activity, including lateral movement by hackers.

    9. Total Traffic and Connection Volumes on Assets

    You should also monitor the traffic and connections on the network assets, such as file servers and databases themselves. Even though these assets are likely being managed by others in your organization, those connections could signal potential security issues that you need to be aware of. For instance, typical access to customer or medical records will be on the order of dozens to perhaps a hundred per day, per user. If there are unusual spikes to thousands or more, you may be dealing with a malicious data exfiltration attempt.

    10. Total Traffic Volumes on Potential Attack Amplifiers

    Some network assets — most notably DNS servers and NTP servers — can be “weaponized” by a third party and used as a DDoS reflection or amplification vector. You want to look at the total volume of traffic to and from these assets to identify unusual activity that could mean these servers are being used to aid hackers. After all, being a good Internet neighbor reduces the amount of attack noise on the Internet, making it harder for attackers to hide in the background.

    Getting the Right Level of Visibility

    Monitoring these reports on a regular basis — or, even better, being proactively alerted in real time when any of the abovementioned conditions are met — can help InfoSec directors stay vigilant and keep the network safe from intruders. To get this information without being inundated with inessential data, you need the right capabilities. These include:

      • Full-fidelity network flow analysis. Network flow data — readily available from most routers and switches — provides detailed information about the traffic traversing the network, including source and destination ports, protocol, packets and bytes sent. While this data has long been used for network management, it also offers huge value for network security. You want to make sure that you are working with un-sampled flow records so that you have complete information, which is necessary if you need to further investigate a potential issue.
      • Network change detection. A tool with a network fingerprint generation function watches for changes, such as a new host contacted or an ordinary partner contacted on a new port. The network fingerprinting process creates a statistical profile of individual IP connections in order to identify individual sessions as abnormal. The process is data- and time-intensive — and can be verbose — so it is often deployed with filters tuned to focus on the organization’s most critical file servers, email servers, databases, etc.
      • Blacklist detection. You want to be able to scan incoming network sessions individually and match them against a list of individual IP addresses and CIDR blocks. You should be able to configure a blacklist detector with the URL of a threat list from which it will update in specified intervals. Ideally, each connection to a blacklisted IP or CIDR block should proactively generate an alert.
      • Volume detection. A volume detector is a powerful general statistical analysis tool that examines long-term traffic history to create baselines for specified network entities — which could be hosts, applications, autonomous systems, or even whole countries — in order to be able to quickly identify unusual volumes in terms of bytes, number of sessions, or unique counts.

    Download this tip sheet as a PDF

    Not sure how to get these reports? FlowTraq can help. Try it for yourself – request a free 14-day trial.

    The “New” Network Flows

    Gurdev Sethi
    By | September 2, 2015


    Because technology continues to evolve and gets smarter and faster every day, old labels don’t necessarily equate to old technology. For instance, today’s cars are equipped with Bluetooth and blind spot detectors and automatic starters, yet they are still cars — just like your father’s Oldsmobile (or more likely your grandfather’s).

    Along those same lines, significant innovations in server hardware and software allow network flow data (e.g., NetFlow, jFlow, sFlow and cFlow) to provide so much more information and value than they did 15 years ago — far beyond network analysis. That level of detail can be the difference in detecting network threats more quickly and keeping your network safe.

    More Than a Network Performance Tool

    Network flow data today can provide so much more value than simply frame packet transfers or information on network bottlenecks. Significant technological advances in flow analysis allow companies to analyze data in a way that makes it much more effective for security threat incident detection than it was even just a few years ago. For instance:

    • Today’s flow tools are faster and less expensive
    • The cloud provides storage availability for scalability
    • Algorithms have been refined to handle the much larger volumes of data on the network, while providing more valuable insights
    • Multi-processing CPU systems allow parallel processing of high volumes of network data that would have been impossible years ago, enabling more complex security analysis algorithms

    Network Flow Data for Premier Security Threat Incident Detection

    Because of the technological advances mentioned above, today’s network flows are some of the best sources for security incident threat detection. For example, they:

    • Provide important information about what’s happening on your network
    • Identify traffic anomalies and potential threats, such as scans, new and unwanted services, data exfiltrations, or botnet behaviors
    • Replay incidents of security breaches, even if they happened months ago
    • Find threats, such as malware downloads or hacker reconnaissance behavior in real time before they become an issue
    • Provide on-demand ability to drill down on network incidents
    • Do all of the above at an affordable price

    The Power of FlowTraq

    FlowTraq is unique in the way it uses network flow data to address many of your network security-related business problems with one powerful tool.

    Robust Resources

    Whether you have limited resources in terms of network security talent or you have a dedicated 24/7 cyber hunt team, FlowTraq can help by being supplemental eyes and ears, alerting you to network anomalies and unusual or suspicious network activity. With FlowTraq you get security incident detection in real time, at a surprisingly affordable price, so you can respond accordingly.

    Proprietary Technology

    Our unique technology approaches network security incident detection in a completely different way from other solutions. FlowTraq minimizes the time required for auditable recourse after a security breach, expands the capacity of security analysts to monitor ever-increasing network traffic volumes by focusing them on what needs attention right now, and boosts anomaly detection performance when deployed across multiple processors. We’re able to do this because of three essential ingredients.
    Specifically our:

    1. High-speed proprietary database that allows FlowTraq to process massive volumes of real-time network traffic faster than other flow-based network security tools, and tracks months’ or years’ worth of stored network traffic flows to be used for forensics.
    2. Unique proprietary algorithms that can learn a range of network behaviors and will instantly alert when anomalies are detected.
    3. Scalable architecture distributed over multiple servers that work together to form an intelligent FlowTraq Cluster for unmatched performance regardless of traffic volume.


    Full-fidelity Flow Recall

    FlowTraq’s full-fidelity feature allows for more powerful analysis and forensic capabilities than traditional network flow collectors. High flow traffic volumes can be more demanding on the hardware; fortunately, server hardware is more powerful and affordable than ever and FlowTraq is designed to take advantage of multi-core processors and virtual environments.

    A FlowTraq server handling a 24/7 sustained flow rate of 25,000 updates per second can be configured, for instance, on an 8-core CPU and with 8GB of RAM per core, for a total of 64GB. Disk space configuration can be matched to your required retention period. Full-fidelity retention of 25,000 flow updates per second will consume about 1TB per week; therefore, keeping three months of flow data at a saturated 10Gbit network will take about 12TB.

    In demanding environments, such as those with a flow load higher than 25,000 updates per second, many FlowTraq users run more than one FlowTraq server in a cluster configuration. This automatically balances the processing load over multiple systems and is completely transparent to the user. For example, a cluster of eight FlowTraq nodes will handle 200,000 flow updates per second of full-fidelity flow data.

    Beyond Traffic Monitoring

    While 80 percent of users rely on flow data just for network traffic volume monitoring, FlowTraq uses that same data for security incident detection including data loss, DDoS attacks, network scans, worms, insider threats and more by using a unique and fast software architecture that takes advantage of the resources you already have. The scalable architecture, use of algorithms and a proprietary database all add up to make FlowTraq an unparalleled tool for security incident detection.

    Download this tip sheet as a PDF

    FlowTraq can help you get the most from network flow data. Try it for yourself – request a free 14-day trial.

    The Three Types of Outlaws on Your Network – How to Spot ‘Em and How to Get ‘Em Out

    Gurdev Sethi
    By | August 26, 2015


    Cyberspace is like the Wild West — it’s a vast frontier and there’s a lot of lawlessness out there. Your organization has staked a claim on its corner, building a valuable infrastructure for your business, and you’ve got to protect it from outlaws who can do harm. But not all outlaws are the same. In the Old West there were gunslingers and cattle thieves and train robbers — so who are the outlaws that could be jeopardizing the security of your network and business data and assets? Here are three very different types of outlaws you want to keep off your enterprise network.

    1. The Script Kiddie

    Script kiddies are “drive-by shooters” — they’ll attack any network indiscriminately. They tend to focus on the hacking techniques and exploits themselves rather than on the targets. They can wreak havoc by gaining access to network systems and assets, and even defacing them. But even if they happen to gain access to highly sensitive systems or data, they may not even know what “loot” they stumbled on and typically won’t take advantage of that access. While script kiddies pose a real threat and can cause a significant amount of damage in the form of lost productivity and damaged reputation, they are just a nuisance compared to the other types of outlaws.

    2. The Advanced Persistent Threat (APT)

    The APT, on the other hand, targets specific organizations for very specific — and
    nefarious — purposes using sophisticated techniques. Unlike the script kiddie, this outlaw is actively seeking to penetrate your most sensitive systems and data with the intent of doing harm. The APT is going to be stealthy, being very careful about not getting detected, taking the time to observe your environment and then making calculated strategic moves to break in.

    3. The Malicious Insider

    Not all threats come from the outside. Someone who is already inside the network — who you
    trust — could be exfiltrating data because they are disgruntled, are being paid, or are even being blackmailed. Malicious insiders have legitimate access to enterprise systems and data, so they can be difficult to detect from a network perspective.

    What Motivates Outlaws?

    There are many reasons why hackers want to infiltrate your network, but they all tend to fall into one of the following four categories:

    • Monetary gain: there’s profit to be made
    • Ideology: wants to make a point about the organization
    • Coercion: is being compelled by someone else
    • Ego: wants to prove power and influence

    Script kiddies are often in it forego and monetary gain. The APT is likely driven by ideology and monetary gain. And the malicious insider could be acting on ideology or coercion.

    How to Spot Them

    There are lots of tools that network security professionals use to keep the network and its applications and data secure: firewalls, endpoint protection, intrusion detection/prevention systems, data loss prevention systems, etc. And these are all important components of a sound enterprise network security strategy. But outlaws are smart, they know how these solutions work — and they are constantly looking for ways around them. But in the process of trying to skirt network security systems, they create trails that can be spotted — if you know what to look for and have the right tools in place.

      • Scanning — Port scanning is a common reconnaissance technique used to identify systems
        on your network that may be vulnerable and allow the outlaw to move through the network laterally. You need to be able to identify scanning behavior and distinguish potential outlaws from legitimate scanning within the network, for example by NMAP tools as part of a network asset management program.
      • New service — If an outlaw does manage to breach a system on your network, he’ll likely look to set up a back door so he can get back in at any time. This can be done by spinning up a new service or application on that compromised system. When they get back in, that connection is a “new server” — and could be on an unusual port — and can be detected.
      • Blacklisted connections — Many attackers’ systems are known by authorities and are on blacklists. You want to be able to alert on any connections that are made from your network, to those systems.
      • Data exfiltration — Outlaws looking to steal data, whether they are external or internal, need to move that data out of the network. Identifying when hosts are receiving data outside of normal thresholds — such as sending files at unusual times or in unusual volumes — can help catch data thieves.

    How To Get Them Out

    Once you’ve spotted evidence that an outlaw of any kind may be infiltrating — or attempting to breach — the network, you need to get him out fast. To do that, you need detailed information about their activities. With full-fidelity flow analysis on complete flow data that’s retained over time, you have that detail with specifics about all the connections the outlaw made. This enables you to search for similar connections and strategically determine how to shut him down completely. Here are some tips to help you do just that.

    Deploy Scan Detection

    Host scans (where multiple hosts are contacted in rapid succession) and port scans (where one host attempts a large number of ports in succession), as well as combinations of the two, are very common outlaw tactics. Simple scan detectors can be built using a threshold detector; but for best protection, use an intelligence tool that discerns normal behavior from scanning in order to reduce false positives. To do this, set up a scan detector to monitor traffic over time to create a statistical baseline. The best scan detectors can take day of the week into account (meaning it is more sensitive to days of the week where traffic is usually lower, such as the weekend) and can exclude very short sessions, such as DNS traffic or incomplete connections. A scan detector is useful both as a defensive measure and for compliance: it detects both threats against the monitored network, while also helping ensure that one’s network is not a source of trouble for others.

    Set Alerts When New Services are Established

    Raise alerts when never-before-seen communications take place, such as a new host contacted, or an ordinary partner contacted on a new port. Use a tool with a fingerprint generator function, which operates as a network change detector, to watch for changes in the behavior of individual servers. This is particularly useful for detecting malware and data exfiltration.
    Create statistical profiles of individual IP addresses in your network in order to identify individual sessions that are abnormal. Over time you will see a set of connections that are typical in terms of client and server IPs and likely applications (determined by service port).

    Generate Blacklist Alerts

    Select one or more blacklists and use a blacklist detector to scan incoming network sessions individually. Match them against a list of individual IP addresses and CIDR blocks. Each connection to a blacklisted IP or CIDR block should generate an alert.
    Make sure that your blacklist detectors stay up to date with the latest threat information.

    Data Exfiltration Based on Volume

    Experimentation with a volume detector is frequently rewarded with new insights into network behavior. Such a detector is useful, for example, in determining whether a host has suddenly started receiving communications over a larger set of applications (essentially the inverse of a port scan) — a useful way of detecting distributed scans or deployment of new applications on critical servers.A volume detector is a powerful general statistical analysis tool that examines long-term traffic history to create baselines for specified network entities — which could be hosts, applications, autonomous systems, or even whole countries — in order to be able to quickly identify unusual volumes in terms of bytes, number of sessions, or unique counts.

    Download this white paper as a PDF

    FlowTraq helps you find the network outlaws and run them out of town. Try it for yourself – request a free 14-day trial.

    Network Behavior Intelligence For The Age Of Big Data

    Gurdev Sethi
    By | July 15, 2015


    Solutions architected for yesterday’s data volumes can’t keep up with “today-sized” networks

    Since the digital revolution began, the amount of data we produce daily has grown exponentially. Today there is more data out there than ever before. According to IDC, we created 2.8 zettabytes (ZB), or 1.8 trillion GBs, of information in 2012, and they estimate that we will generate 40 ZB by 2020, essentially doubling the amount of data every 18 months. Given the unprecedented growth of big data, network behavior intelligence systems that could once handle typical data volumes can no longer keep up. So how can you ensure that you’ll be able to keep up with the growth of big data in the future?

    1. Scalability
    While lots of systems talk about how fast they are, what’s even more important is your system’s ability to scale and handle more bandwidth, without latency. Older systems were built to handle yesterday’s data volumes. But modern day systems have multiple processors that allow you to scale based on increasing bandwidth needs. When it comes to network behavior intelligence systems, ideally you want to look for speed and scalability – but if you have to choose, scalability will give you the most throughput and enable you to get more tasks done at one time. Older systems just can’t keep up, even if you buy more and more of them.

    2. Finding a Needle in a Haystack
    While it’s never been easy to find the proverbial needle in a haystack – the network threat that flies under the radar – it’s actually gotten harder because the haystack has gotten bigger. Not just wider, but higher and deeper as well. As data volumes continue to explode, the ability to identify network anomalies has become more challenging because the needles haven’t gotten any bigger, just the haystacks. All it takes is one hacker to get through or one data leak to put your network at risk. To defend your network effectively, you can no longer rely on linear analysis of old systems. Twenty years ago, network analysts could keep up with the volume, but with millions of flows per second running through your network today, it’s impossible with old technology. A gap has formed between what’s easily trackable and what’s not, and perpetrators have taken advantage of that gap, requiring you to spend more time identifying network threats. Old systems cannot bridge that gap, but new systems can. They are designed to handle huge volumes so you can protect your network and find those needles in your haystacks, before they cause too much damage.

    3. Big Picture View
    In this age of big data and growing networks, many companies choose to purchase more copies of their old network behavior intelligence systems. But this creates a new problem – no one is looking at the big picture. You can hire 1,000 network analysts to study their piece of the network(s) – but network attacks are very subtle and smartly disguised to look like normal network behavior. For instance, if you are a huge government organization and have 500 computer networks across the U.S., you might have multiple individuals who are monitoring each network individually, but at what cost? Without a big picture view, no one will notice that an attacker is hitting 500 of your networks at the same time. Or, if you are a hosting company and have 100 customers with 100 different networks and 100 different copies of an old network behavior intelligence tool, the same attacker might scan all your networks at once. And if your analysts perform security investigations on those networks in an isolated fashion, they may miss the big picture. With a unified view you can see the simultaneous attacks and address them on the spot. Older systems don’t give you this ability, but newer systems let you see the big picture with one login and one complete dashboard – even as you continue to scale and add more units.

    4. Forensics
    Increased data flow not only makes it challenging to identify network anomalies, it also makes it harder to figure out what happened after an attack, because there’s so much more information to sort through. And performing forensics after a breach is critical to determining where your network is vulnerable. In our experience, it can take up to five weeks to identify a data breach, and the challenge with older systems is that they can’t store that much data – only a few hours or so. So even if you do perform forensics, you don’t have the information you need to figure out what happened. The truth is so many organizations are consumed with what’s happening in the moment that they miss the point that network security should be a continuous process, and forensics is a big piece of that. But to do it right you need a newer system that is architected to enable you to use complete data in real time.

    5. Higher Accuracy
    When you’re trying to find that needle in a haystack, superficial data doesn’t help you. You need granular, historical data, and you need all the information, not just a sampling of network traffic. Older tools are limited in their accuracy, while newer tools are more detailed and let you drill down into data to investigate attacks and better protect your organization from network threats. Newer network behavior intelligence systems allow you to learn from the past to determine what could happen in the future. And they have figured out how to use speed and scalability of modern architecture to protect today’s networks – today and tomorrow.

    Is your network behavior intelligence solution able to keep up with your “today-sized” network? If you want to learn more, reach out to us at or take FlowTraq for a spin with a free trial.

    Slides: Challenges in Answering InfoSec Questions At Scale

    Gurdev Sethi
    By | June 24, 2015


    Recently, Dr. John Murphy and Alex Barsamian presented to the Boston chapter of the National Information Security Group on “Challenges in Answering InfoSec Questions At Scale.” It was a great session – lots of insightful questions, discussions on best practices and a great exchange of ideas.

    Get the slides now

    These slides provide a high-level overview of the presentation – check them out. Then, if you want to know more, contact us at

    « Previous PageNext Page »