Every day we see more and more stories about security breaches across the globe. With there being so many new cyber security threats coming out the need for traffic analysis and a strong CyberIncident Response plan has never been so high. In part one and part two of this series, we demonstrated that by combining NetFlow/IPFIX technology with Scrutinizer you are getting 100% network visibility. Here in part three of this series, we are going to talk about the importance of adding Scrutinizers Flow Analytic’s Intelligence into your cyber incident response plan to detect network traffic anomalies.
What is Flow Analytics™?
Flow Analytics™ is a built-in module that Scrutinizer uses to perform network behavior analysis. By implementingNetwork Behavior Anomaly Detection (NBAD) intelligence on your network, you can detect and trigger alarms for behaviors such as worms, network scanning, and known compromised internet hosts. It can also alarm you if any DoS attacks are happening. Once that happens it can identify repeat offenders and create a Unique Identifier (UI) to manage traffic counts. Flow Analytics™ can also identify your top applications, conversations, protocols, etc across dozens of routers and switches.
Why use Flow Analytics™?
It’s simple, using NetFlow for security allows you to monitoring internal traffic and watch for odd traffic patterns that could indicate malware. By flagging nefarious traffic patterns or even end systems communicating with hosts or domains that have poor Internet reputations can lead to the first symptom that is often indicative of a Command and Control infection or worse, an Advanced Persistent Threat. In the end, this automated surveillance is helping you meet a major requirement of your Cyber Incident Response Plan.
“while many organizations are intensifying their defenses against external attack, these widely used safeguards are often ineffective against attacks involving insiders. Such attacks from insiders, be they from employees, suppliers, or other companies legitimately connected to a company’s computer system, pose a more pernicious threat than external attacks.” – David Upton American Standard Companies Professor of Operations Management Saïd Business School at Oxford University
Remember, although the additional security provided by NetFlow and IPFIX is significant, it should only be part of a company’s complete Unified Threat Management solution. For example, NetFlow algorithms can be used to accurately detect SYN scans, ICMP redirect issues, DDoS attacks, XMAS scans, etc. In some cases, this same mathematical searching through the flows can trigger alarms for legitimate traffic. This is why it is important to use indexes and remember: analyzing NetFlow and IPFIX is meant to be another effective security layer.
How do you configure Flow Analytics™?
Configuring Flow Analytics™ is easy and something you should start today. Check out Cisco NetFlow | Part 1 – What is Flow Analytics™? and
Cisco NetFlow | Part 2 – What is Flow Analytics™? to learn more about configuring the system.
As we have learned through this series, multiple levels of security, along with a tactical plan to resolve an incident is the key to your Cyber Incident Response Plan’s success. If you would like to learn more about how Scrutinizer can help you stay vigilant and be a valuable asset in your Cyber Incident Response Plan, give us a call and we will be more than happy to help you.