Last week, I introduced the broken Internet, with SIEM technology as a way to help identify bad things happening on your network. This week, I continue this theme by looking at a technology often deployed with SIEM: NetFlow analysis.
NetFlow is a protocol developed by Cisco. Its original purpose was to provide transparency into traffic flow for network performance and design analysis. Today, however, NetFlow has become a de facto industry standard for both performance and security analysis.
Over time, security analysts found that event correlation alone might not be enough to quickly detect anomalous behavior. NetFlow, used alongside a SIEM portal, gives quick insight into traffic flow. It helps detect network behavior that falls outside the expected norms for a specific network.
NetFlow-compatible devices, as shown in Figure 1, collect information about packets traveling through one or more ports. The collected information is aggregated and analyzed. If supported, alerts are sent to security personnel when traffic flow through a switch port, for example, exceeds a defined threshold. (See Figure 2 for a portal example.) This is a good way to detect large data transfers, or transfers between a database server and a system with which the server doesn’t usually communicate.
For example, assume an attacker gains control of a database administrator’s (DBA) desktop computer. All access by the DBA’s system will likely look normal, until a NetFlow analysis alert reports large amounts of data passing from a production database server, through the DBA system, and out to the Internet. (Granted, other controls might prevent this altogether… humor me.) The alert allows us to react quickly and mitigate business impact by simply shutting down the DBA computer.
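To make the threshold and "unusual peer" alerts above concrete, here is a small, added example (not code from the original post or from any NetFlow product) that runs the three checks over constructed flow records: per-pair byte volume, a protected server talking to a host outside its learned peer baseline, and the DBA-desktop staging pattern (large pull from the database server followed by a large push to an address outside the organisation's own ranges). Hosts, addresses, the baseline and the 1 GB threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, dst_port, bytes) for one collection window.
# All addresses are hypothetical; 203.0.113.7 stands in for an Internet host.
DB_SERVER = "10.0.5.20"
DBA_DESKTOP = "10.0.9.14"
FLOWS = [
    (DBA_DESKTOP, DB_SERVER, 1433, 40_000),            # DBA queries the DB: normal
    (DB_SERVER, DBA_DESKTOP, 1433, 3_200_000_000),     # bulk dump DB -> DBA desktop
    (DBA_DESKTOP, "203.0.113.7", 443, 3_100_000_000),  # DBA desktop -> Internet
    ("10.0.7.5", DB_SERVER, 1433, 12_000),             # app server, expected peer
    (DB_SERVER, "10.0.9.30", 1433, 5_000),             # workstation never seen before
]
# Peers each protected server normally talks to (learned from past flows; constructed).
BASELINE_PEERS = {DB_SERVER: {"10.0.7.5", DBA_DESKTOP}}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # the organisation's own address space
VOLUME_THRESHOLD = 1_000_000_000  # 1 GB per directed src/dst pair per window


def totals_by_pair(flows):
    """Aggregate bytes per directed (src, dst) pair, as a collector would."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        totals[(src, dst)] += nbytes
    return dict(totals)


def find_alerts(flows, baseline=BASELINE_PEERS, threshold=VOLUME_THRESHOLD):
    """Return alert tuples: volume, unusual_peer and staging (DB -> host -> Internet)."""
    totals = totals_by_pair(flows)
    alerts = []
    # 1. Threshold alert: a pair moved more than `threshold` bytes in the window.
    for (src, dst), nbytes in totals.items():
        if nbytes > threshold:
            alerts.append(("volume", src, dst, nbytes))
    # 2. Unusual peer: a protected server talked to a host outside its baseline.
    for src, dst, _port, _n in flows:
        for server, peers in baseline.items():
            peer = dst if src == server else src if dst == server else None
            alert = ("unusual_peer", server, peer, 0)
            if peer is not None and peer not in peers and alert not in alerts:
                alerts.append(alert)
    # 3. Staging: host pulled > threshold from a protected server and pushed
    #    > threshold to an address outside INTERNAL_NETS in the same window.
    for (server, host), pulled in totals.items():
        if server in baseline and pulled > threshold:
            for (src2, dst2), pushed in totals.items():
                external = not any(ip_address(dst2) in n for n in INTERNAL_NETS)
                if src2 == host and pushed > threshold and external:
                    alerts.append(("staging", server, host, dst2))
    return alerts
```

In a real deployment the baseline would be learned from weeks of exported flows and the threshold tuned per server role, so that routine backups and replication do not page anyone.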
It isn’t just external attackers that NetFlow helps detect. The infamous disgruntled employee is also detectable when large numbers of intellectual property documents begin making their way from the storage area network to an engineer’s laptop in his or her home office. NetFlow analysis can be particularly useful when two or more employees collude to steal company information.
NetFlow analysis is a good detection tool. It complements the prevention controls we rely on to block connections to unknown external systems. In addition, NetFlow alerting can call our attention to an employee who is straying from policy compliance and violating management trust.
Next week, I conclude this series by examining incident response in support of SIEM and NetFlow analysis.