Why Companies Turn to MSSPs
With 50% of Internet thefts occurring at companies with fewer than 2500 employees and the cost of hiring a security expert increasing, many organizations are turning to MSSPs in hopes of gaining access to a team of security experts. In turn, MSSPs provide their customers with services in areas such as virus blocking, IDS, VPN and firewall maintenance. Monthly fees generally include a block of hours for system changes, modifications and upgrades. When the MSSP's experts aren't working on specific customer issues, they collaborate with other experts to identify the latest threats and the best security countermeasures. Because these experts can't wait for the next software update to fight the latest cyber battle, security teams often turn to flow technologies to monitor for the latest malware.
“IPS (or deep packet inspection) is our #1 security defense; NetFlow is a very close #2.” – Gavin Reid, Manager of Cisco CSIRT
Threat Detection with NetFlow
Traditionally, NetFlow and IPFIX have been used by MSSPs to perform Network Behavior Analysis by running dozens of algorithms against the flows collected. Examples include:
The above algorithms are an excellent step toward automating the detection of malware that may be trying to penetrate and compromise hosts on the network. Notice that these algorithms focus on network behavior analysis, since deep packet inspection to match packets against signatures isn't generally possible with NetFlow. Much like a flu virus, malware can use polymorphic techniques, constantly varying its structure and content in order to avoid detection. Solutions that perform deep packet inspection in an attempt to pattern-match against constantly updated signatures can be evaded by this dynamic technique, whereas behavior analysis looks at how hosts communicate rather than at what the packets contain. Even with all the above, more needs to be done to detect the latest forms of malware, and this means thinking outside the proverbial threat detection box.
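To make the behavior-analysis point concrete, here is an added example (not code from the original post or from any NetFlow vendor) of two classic flow-based detections that need no payload at all: a fan-out check (one source touching many peers with tiny flows) and a fan-in check (many sources converging on one service). The Flow record layout and the sample flows are constructed for illustration and are not captured traffic.

```python
"""Flow-based Network Behavior Analysis on NetFlow/IPFIX-style records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (hypothetical layout): tuple plus counters."""
    src: str
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int


def fan_out(flows, min_peers=20, max_packets=3):
    """Flag sources that touch many distinct (dst, port) pairs with tiny flows.
    Only counters and addresses are used, so payload polymorphism is irrelevant.
    Returns {src: number_of_distinct_peers} for sources over the threshold."""
    peers = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            peers[f.src].add((f.dst, f.dport))
    return {s: len(p) for s, p in peers.items() if len(p) >= min_peers}


def fan_in(flows, min_sources=10):
    """Flag one destination service contacted by many distinct sources.
    Returns {(dst, dport): number_of_distinct_sources} over the threshold."""
    srcs = defaultdict(set)
    for f in flows:
        srcs[(f.dst, f.dport)].add(f.src)
    return {svc: len(s) for svc, s in srcs.items() if len(s) >= min_sources}


# Constructed sample records (documentation/test address ranges, not real traffic):
# one internal host sweeping port 445 across a subnet, fifteen external sources
# hitting one SSH service, and two ordinary long-lived sessions.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 445, 6, 1, 60) for i in range(1, 41)]
    + [Flow(f"198.51.100.{i}", "10.0.0.20", 22, 6, 8, 900) for i in range(1, 16)]
    + [Flow("10.0.0.7", "10.0.0.20", 22, 6, 400, 52000),
       Flow("10.0.0.7", "203.0.113.10", 443, 6, 120, 90000)]
)

if __name__ == "__main__":
    print("fan-out:", fan_out(SAMPLE_FLOWS))   # {'10.0.0.5': 40}
    print("fan-in:", fan_in(SAMPLE_FLOWS))     # {('10.0.0.20', 22): 16}
```

The thresholds are deliberately simple; a production collector would baseline them per host and per time window so that a busy legitimate server does not trip the fan-in check.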
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.” – Dmitri Alperovitch, former VP of Threat Research, McAfee®
Read Part 2 on IP host reputation.
With VoIP, BitTorrent, Skype, iCloud and the like now on the network, administrators are dealing with even more flows. On the NetFlow and IPFIX reporting side of things, vendors often find that 2-3 issues come into play when scaling NetFlow tools:
High speed NetFlow collection can lead to very large database tables. Large tables, if not indexed or queried correctly, can lead to poor performance in traffic analysis reporting. As a consumer, how a vendor deals with enormous amounts of flow data can and should be part of the vendor selection process.
High NetFlow volumes do not necessarily mean you have to use multiple distributed NetFlow collectors. Many NetFlow and IPFIX collectors can handle tens of thousands, or even over one hundred thousand, flows per second on a single appliance (e.g. Scrutinizer). Distributed NetFlow collection should be configured when sending all of the flows over a wide area link doesn't make sense. Enterprise NetFlow analysis requires a careful understanding of the IT manager's goal, the budget constraints and the potential bottleneck areas on the network.
Work with your vendor to determine whether a single flow collector or distributed NetFlow collection is in your company's best interest. Beware of the necessary add-on modules and remember to ask about the yearly maintenance cost.