
Correlating NetFlow, sFlow, and IPFIX with Splunk

By Dr. Vincent Berk | February 25, 2016



In a recent study, we discovered that over 53% of all FlowTraq users also use Splunk in some capacity. The majority indicate that they stream FlowTraq security alerts generated from their flow data into Splunk, but fewer than half have actually installed the FlowTraq Splunk App.

We think this should change, and here’s why.

FlowTraq provides powerful alerts on network events – such as unwanted data leakage, DDoS attacks, and botnet traffic – using any of the regular flow formats (sFlow, NetFlow, or IPFIX). These alerts can be streamed in any number of ways, but most commonly they are sent to tools like Splunk, which is great, because analyst searches can quickly correlate network events with security detections in FlowTraq. But doing the reverse isn’t quite as easy. Some security events – e.g., a failed login, a failed privilege escalation attempt, or an unexpected software condition – may not be detectable in network traffic, and it’s not immediately straightforward to correlate such host-based events with possible evidence on the network.

The FlowTraq for Splunk App was designed to give the analyst this very power.

By presenting the familiar Splunk “search” interface together with a graph of the network traffic, network peers, and other relevant traffic details, the analyst can quickly correlate host-based events to traffic records stored in FlowTraq – in fact, all searching and time navigation are honored in the view. For example, when hundreds of failed login attempts are discovered for a host, a quick search would reveal both the pattern of network traffic and all the system events associated with it.
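The host-to-network correlation described above can be sketched outside either product. This is an added example, not FlowTraq or Splunk code: the event and flow records are constructed, and the field names, the `correlate` helper, the 60-second window and the three-event threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host events, shaped like parsed syslog/auth records.
HOST_EVENTS = [
    {"time": "2016-02-25T10:00:05", "host": "10.0.0.12", "event": "failed_login"},
    {"time": "2016-02-25T10:00:09", "host": "10.0.0.12", "event": "failed_login"},
    {"time": "2016-02-25T10:00:14", "host": "10.0.0.12", "event": "failed_login"},
    {"time": "2016-02-25T11:30:00", "host": "10.0.0.40", "event": "failed_login"},
]
# Constructed flow records, reduced to fields NetFlow, sFlow and IPFIX all carry.
FLOWS = [
    {"start": "2016-02-25T10:00:03", "src": "198.51.100.7", "dst": "10.0.0.12", "dport": 22, "bytes": 4200},
    {"start": "2016-02-25T10:00:08", "src": "198.51.100.7", "dst": "10.0.0.12", "dport": 22, "bytes": 3900},
    {"start": "2016-02-25T10:00:30", "src": "10.0.0.12", "dst": "10.0.0.53", "dport": 53, "bytes": 120},
    {"start": "2016-02-25T09:00:00", "src": "203.0.113.9", "dst": "10.0.0.12", "dport": 443, "bytes": 900},
    {"start": "2016-02-25T11:29:50", "src": "10.0.0.77", "dst": "10.0.0.40", "dport": 3389, "bytes": 700},
]

def ts(s):
    return datetime.fromisoformat(s)

def correlate(events, flows, event_type, window_s=60, min_events=3):
    """Per host with >= min_events events, summarise peers in flows that start
    between (first event - window) and (last event + window)."""
    window = timedelta(seconds=window_s)
    times = defaultdict(list)
    for e in events:
        if e["event"] == event_type:
            times[e["host"]].append(ts(e["time"]))
    report = {}
    for host, stamps in times.items():
        if len(stamps) < min_events:
            continue  # a single failure is noise, not a pattern
        lo, hi = min(stamps) - window, max(stamps) + window
        peers = defaultdict(lambda: {"flows": 0, "bytes": 0})
        for f in flows:
            if host not in (f["src"], f["dst"]) or not lo <= ts(f["start"]) <= hi:
                continue
            peer = f["src"] if f["dst"] == host else f["dst"]
            stats = peers[(peer, f["dport"])]  # key: (peer address, destination port)
            stats["flows"] += 1
            stats["bytes"] += f["bytes"]
        report[host] = dict(peers)
    return report

if __name__ == "__main__":
    for host, peers in correlate(HOST_EVENTS, FLOWS, "failed_login").items():
        print(host, peers)
```

The same join runs in the other direction by starting from a flow-based alert and selecting host events for the alerted address within the window.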


It works both ways. Say FlowTraq detects a possible data leak from a system in your network, and a syslog event was sent to Splunk. Upon investigating this FlowTraq alert, the analyst can broaden the scope to discover other relevant security events, such as a successful remote login and subsequent access to data resources. The successful login would immediately lead to evidence in the flow data of earlier connection attempts to other systems in your network.


This all starts to build the full picture of what’s going on: a remote attacker has gained valid credentials through a phishing attempt, and has slowly infiltrated dozens of systems in your network. Traces of successful logins and the many network connection attempts are brought together to provide the incriminating evidence. The data leak is discovered and stopped, and all other compromised accounts are cleaned up.

Disaster avoided.

If you’re using Splunk and FlowTraq, be sure to get the free FlowTraq for Splunk App. Not yet using FlowTraq? Request a free trial today.