
Network Aware, Business Secure

Michael Patterson




Detecting Worms and Malware with NetFlow: Network Threat Detection

Since 2005, Plixer and Cisco have been touting NetFlow (not "Net Flow") as an IT security and threat detection solution. Cisco calls NetFlow the “primary network anomaly-detection technology” (p. 4) and states that “NetFlow allows the user to identify anomalies by producing detailed accounting of traffic flows”. We are not the only ones with this belief: even Symantec calls NetFlow a “valuable enhancement” to IDS (intrusion detection) and IPS (intrusion prevention).

For years, Scrutinizer’s Flow Analytics has been painstakingly saving every flow for Network Behavior Analysis to catch APTs (Advanced Persistent Threats), policy violations, p2p (BitTorrent), botnets, DoS attacks and many other types of threats that run-of-the-mill signature-based protection systems are not built to detect. We take threat detection a step further with IP Host Reputation lookups on all addresses.

[Figure: Flow Expert Tab : Business Aware, Network Secure]
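To make the behaviour-analysis idea concrete, here is an added example (not Scrutinizer or Plixer code) that runs three flow-based detectors over a handful of constructed NetFlow-style records: a port sweep (one source fanning out across many ports with one-packet flows), a flood (many sources fanning in on one destination) and a host-reputation lookup. The `Flow` fields mirror what a NetFlow v5/v9 exporter reports; the sample flows, the `BAD_HOSTS` reputation list and the threshold values are all assumptions made for the illustration. The last function, `conversations_for`, is the kind of "everything this IP touched" report the Search option in the alarm drop-down produces.

```python
"""Toy flow-based behaviour analysis (added example, not Scrutinizer code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The subset of NetFlow v5/v9 fields the detectors below need."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int


# Constructed sample export (not a real capture): one host sweeping 40 ports,
# 30 hosts flooding a web server, and one workstation talking to a bad address.
FLOWS = (
    [Flow("10.0.0.5", "10.0.1.20", 40000 + p, p, 6, 1, 60) for p in range(1, 41)]
    + [Flow(f"198.51.100.{i}", "10.0.0.80", 5000 + i, 80, 6, 500, 30000)
       for i in range(1, 31)]
    + [Flow("10.0.0.7", "203.0.113.9", 51234, 443, 6, 40, 5200),
       Flow("10.0.0.7", "10.0.0.53", 51235, 53, 17, 2, 140)]
)

# Constructed stand-in for an external IP host-reputation feed.
BAD_HOSTS = {"203.0.113.9": "known C2 (constructed entry)"}


def detect_port_scans(flows, min_ports=20):
    """Fan-out: one source touching many distinct ports on one host with
    tiny TCP flows (a scanner's SYN probes never get past 1-2 packets)."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= 2:
            ports[(f.src, f.dst)].add(f.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_floods(flows, min_sources=25):
    """Fan-in: one destination/port contacted by an unusually large set of
    distinct sources, the DoS/DDoS shape as opposed to the scanner's fan-out."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport)].add(f.src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def reputation_hits(flows, bad_hosts=BAD_HOSTS):
    """Look up both ends of every flow in the reputation list."""
    hits = []
    for f in flows:
        for addr in (f.src, f.dst):
            if addr in bad_hosts:
                hits.append((f.src, f.dst, f.dport, bad_hosts[addr]))
    return hits


def conversations_for(flows, ip):
    """All conversations a (violating) IP took part in, as source or
    destination, aggregated per (src, dst, dport) into (packets, octets)."""
    agg = defaultdict(lambda: [0, 0])
    for f in flows:
        if ip in (f.src, f.dst):
            agg[(f.src, f.dst, f.dport)][0] += f.packets
            agg[(f.src, f.dst, f.dport)][1] += f.octets
    return {k: tuple(v) for k, v in agg.items()}


if __name__ == "__main__":
    print("port scans :", detect_port_scans(FLOWS))
    print("floods     :", detect_floods(FLOWS))
    print("reputation :", reputation_hits(FLOWS))
    print("search     :", conversations_for(FLOWS, "10.0.0.7"))
```

The two structural detectors deliberately key on opposite shapes (many ports per source pair versus many sources per destination), which is why a scanner does not trip the flood rule and a flood does not trip the scan rule. In production the thresholds would be tuned per exporter and per time window rather than hard-coded.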

In Part One, I demonstrated how Flow Analytics alarms on network vulnerability exploits or unwanted bandwidth utilization. Today I want to point out that you can also save any of the algorithms to a dashboard, providing one-click access to a Bulletin Board of host violations, time-stamped with a description.

The drop-down here illustrates why Structured Relational Data is so important:

  • Default Flow Report: unless changed, this is the Conversation WKP (Well Known Port) Report for the last five minutes
  • Flow View: breaks down the flows saved for that conversation, with the option to run a Flow Hopper report on any particular flow
  • Exclude Exporter/Violator: prevent further alarms on the Device (router, switch, firewall) or Host (workstation)
  • ‘xxxx’ : What is This?: external link to the Scrutinizer Manual for Alarms
  • HTTP, Telnet, FTP, SSH: various utilities used to connect to the Source IP
  • Search: brings up a report with all conversations the violating IP address is involved in (as Source or Destination)
  • Alarms: view and configure the active alarms in Scrutinizer
  • WMIUsers: view all users connected to the Violator (if WMI is accessible)

[Figure: Flow Analytics : Bulletin Board Alarms]

Structured Relational Data at its best. Scrutinizer: Business Aware, Network Secure. Our NetFlow collector is a proven solution for reducing your Mean Time to Know and Mean Time to Resolution (MTTK & MTTR). If you’re still not convinced of Scrutinizer’s ‘Best Of’ title, check out any ONE Case Study.

If you need EVEN MORE proof, give us a call at 207-324-8805. I’d be happy to schedule a live demonstration for you – reach me at x240.

James

For a 30 day trial of Scrutinizer, Download Now

Sign up for Advanced NetFlow Training coming to a city near you!


More Stories By Michael Patterson

Michael Patterson is the founder and CEO of Plixer and the product manager for Scrutinizer NetFlow and sFlow Analyzer. Prior to starting Somix and Plixer, Mike worked in a technical support role at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix and Plixer.