The network infrastructure you already have in place – firewalls, routers, switches, etc. – produces data about the traffic moving through your network. This network flow data is often used for network performance analysis, but it’s also a valuable resource for network security teams. In fact, if you aren’t leveraging the power of network flow data, your network defenses aren’t as strong as they could be.
In short, network flow data gives you real-time visibility into what’s happening inside the network and complements your perimeter devices and point solutions. Think of perimeter devices as your first line of defense – they will prevent a large percentage of bad things from getting onto the network. But they will never catch 100% of them; it only takes one to wreak serious havoc, and once it is inside, those perimeter devices can’t help. Likewise, point solutions that address a very specific problem increase security, but they don’t provide broad-based protection.
So what does the internal network visibility you get from network flow analysis solutions mean for infosec professionals? Here are six ways network security teams should be using network flow analysis for maximum security.
Today, no company – no matter how big or how small, or how many security controls are in place – is immune from attack. Today’s information security professionals are savvy, but so are attackers, and their techniques are growing increasingly sophisticated. It’s hard enough to keep up with known attacks, but you also need to protect against unknown threats – such as zero-day attacks and advanced persistent threats (APTs). Because of the very nature of these attacks, your other security systems might not be able to spot them. Another example of an unknown threat is exfiltration of toxic data. Data loss prevention (DLP) systems are point solutions that can identify when structured sensitive data – such as social security or credit card numbers – is leaving the enterprise. But not all sensitive data is structured, so you need a way to identify when any data is being improperly exfiltrated.
Unfortunately, not all the bad guys are “out there.” Some of them are among us – they could be trusted insiders with malicious intent, or they could be outsiders masquerading as trusted insiders. Either way, they can be particularly difficult to spot. Because network flow analysis focuses on the who, what, where, and when of network traffic, it can identify suspicious activity even when the users themselves look legitimate.
It’s important to be able to detect network threats and security breaches fast. But you also need to be able to respond quickly so that the time between detection and resolution is as short as possible. Network flow data is extremely valuable in helping identify what happened, when it happened, how long it happened for, and what other systems may have been affected. You want to ensure that your network flow analysis tool captures full-fidelity network flow data and offers a high-speed database architecture that enables you to retain flows long enough to stage a meaningful investigation.
Every organization has policies that are meant to ensure that employees and systems behave in an acceptable – and safe – manner. But just having a policy in place doesn’t mean it’s adhered to. Network flow analysis can detect and alert on policy violations – for example, when risky and/or unsanctioned applications or services are in use – whether they are deliberate or inadvertent. Malicious hackers will frequently leave backdoors to compromised systems that are very visible in flow data.
Network flow analysis tools can help organizations support regulatory compliance. In addition to providing security controls, they can help you quickly trace which systems and networks – internal or external – communicated with your critical data containers, and alert on large data movement or communication with known bad actors.
Network operations teams use network flow data to monitor network performance, to identify problems before they affect user experience or system functionality, and to help in capacity planning. When NetOps and SecOps teams both leverage this data, it improves collaboration, which can help resolve problems faster with less finger-pointing.
FlowTraq monitors and analyzes network flow traffic in real time to immediately detect unusual behavior and deviations from “normal” patterns that indicate a wide range of security problems, including DDoS and brute force attacks, scanning, insider threats, data exfiltration, and more. And after an attack, FlowTraq provides complete digital evidence to understand exactly what happened.
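To make the kind of checks described above concrete (large outbound data movement against a host’s own baseline, unsanctioned services, and communication with known bad actors), here is an added illustration in Python; it is not FlowTraq code, and the flow records, the sanctioned-port policy, the 10.0.0.0/8 internal range and the blocklist address are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")    # constructed: the organisation's internal range
SANCTIONED_PORTS = {53, 80, 443}       # constructed policy: allowed outbound services
KNOWN_BAD = {"203.0.113.7"}            # constructed blocklist (real feeds replace this)

# Constructed flow records as (src, dst, dst_port, bytes): a "normal" baseline
# window first, then the window under analysis.
BASELINE = [
    ("10.0.0.5", "198.51.100.10", 443, 120_000),
    ("10.0.0.5", "198.51.100.11", 443, 80_000),
    ("10.0.0.6", "198.51.100.10", 443, 50_000),
    ("10.0.0.6", "198.51.100.12", 80, 30_000),
]
CURRENT = [
    ("10.0.0.5", "198.51.100.10", 443, 100_000),
    ("10.0.0.6", "192.0.2.44", 443, 900_000),  # unusually large upload
    ("10.0.0.7", "192.0.2.50", 6667, 2_000),   # unsanctioned service, new talker
    ("10.0.0.5", "203.0.113.7", 443, 1_500),   # contact with known bad actor
    ("10.0.0.5", "10.0.0.9", 445, 5_000_000),  # internal transfer: not exfiltration
]

def is_external(addr):
    return ip_address(addr) not in INTERNAL

def outbound_bytes(flows):
    """Bytes per internal source host sent to destinations outside INTERNAL."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if not is_external(src) and is_external(dst):
            totals[src] += nbytes
    return totals

def triage(baseline, current, factor=5):
    """Return (kind, host, detail) alerts for the analysis window."""
    alerts = []
    base = outbound_bytes(baseline)
    for host, nbytes in outbound_bytes(current).items():
        # Large data movement: volume far above the host's own baseline (no baseline at all also counts)
        if nbytes > factor * base.get(host, 0):
            alerts.append(("exfil_volume", host, nbytes))
    for src, dst, port, _nbytes in current:
        if not is_external(dst):
            continue
        if port not in SANCTIONED_PORTS:     # policy violation
            alerts.append(("unsanctioned_service", src, f"{dst}:{port}"))
        if dst in KNOWN_BAD:                 # communication with a known bad actor
            alerts.append(("known_bad_actor", src, dst))
    return alerts
```

Running `triage(BASELINE, CURRENT)` flags 10.0.0.6 for the 900,000-byte upload, 10.0.0.7 for the IRC-style port 6667 connection, and 10.0.0.5 for contacting the blocklisted address, while the large internal SMB transfer is left alone.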