Ideal cyber threat detection requires the monitoring of everything - everywhere on the network. All traffic from every appliance: server, desktop, router, switch and even printer ideally is monitored for abnormal traffic patterns because all of these devices have an operating system that can be hacked. But how do we monitor it all? How do we come up with the resources, the manpower and above all, the money?

Network Threat Detection

Network threat detection doesn’t have to mean a lot of expensive tools or even lots of human intervention. It does however require that we make smart choices when choosing the next enterprise network security solution. To do this, it’s sometimes good to make sure that we can answer the question: what is internet security?

Internet security as it applies to threat detection does not mean stopping threats before they get onto the network. This would be like asking a security guard at Walmart to stop any person posing as a customer from coming into the store who intends on stealing. For reasons like the above, threat detection generally goes hand and hand with threat investigation. What do network professionals have at their disposal that allows them to collect traffic details similar to a surveillance camera?

Threat Detection

NetFlow

Many agree that one of the best ways to obtain visibility into every corner of the network is through the use of a technology called NetFlow. By enabling NetFlow, IPFIX or even to some extent sFlow on every appliance plugged into the network we can gain visibility into everything that connects to the infrastructure. Flow technology is supported on just about every router, switch, server and firewall on the network. For example, the Cisco ASA NetFlow exports provide information on traffic passing through it as well as rich contextual details which include username, NAT’d IP addresses and even counts on the individual ACLs being matched.

NetFlow Training Seminars

Flow technology empowers our NetFlow Knights with the ability to guard the company assets with their symbolic NetFlow Sword from malware and even Advanced Persistent Threats that are working on the exfiltration of corporate intellectual property. Over the past few years it has become commonly accepted that Internal network threat detection often benefits by leveraging flow technology due to its ability to provide visibility into remote geographical areas that require significant resources to physically visit.

By comparing flows to threat detection algorithms and leveraging host reputation lists, many forms of threats can be successfully identified. And when NetFlow technology isn’t directly involved with detecting the threat, flow data is nearly always the turn to “big data” for investigating the malware. Threat investigation with NetFlow allows us to determine the breadth of the infection including the hosts involved, the host that introduced it, the ports and the applications involved. With some flow exports we can even learn which specific email or URL was clicked which instigated the entire incident.

Learn More about NetFlow

If you and your IT security team would like to learn more about threat detection with NetFlow. Please consider attending one the Plixer NetFlow Training classes in a city near you.