Security Analytics - Network as a Sensor

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Security is going through an evolution in IT. The working assumption is now that some malware will make it onto the network. That forces the security team to plan what they will do when following up on an event: What details will they need? Which devices on the network gather that information? How should it be displayed?

Ideally, the information is available from every part of the network at all times. Gaining that 'everywhere' visibility means considering a very large number of collection points, and deploying a dedicated probe at each of them does not scale. What other options are there?

Network as a Sensor

Luckily, hardware already on the network can be leveraged to gather information about the traffic it carries. NetFlow and IPFIX are supported on most Extreme hardware. Gathering this data and storing it for future reference gives IT confidence that when a breach occurs they will be able to look back in time and trace the event back to its source. This is what is meant by using the network as a sensor. Beyond SNMP counters, NetFlow and IPFIX have been relied on for years to work out application performance issues. Security professionals are also aware of the enormous value flows bring to an investigation; in a sense, they become a traffic surveillance resource.

Flow data delivers the insight the security team needs when it has to pinpoint an issue down to its root cause. Who, what, when, where and how much are the answers that let investigators reduce the overall Mean Time To Know (MTTK). No other technology that is already built into the network can deliver the same historical traffic awareness.
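As an added illustration (not code from the original article or from any vendor's product), here is a small Python decoder for a NetFlow v5 export datagram; the sample datagram is constructed inside the block, not a real capture. Each record carries exactly the fields the text lists: who (source address and port), where (destination), what (protocol and TCP flags), when (start and end, which the exporter reports as milliseconds of its own uptime and which must be anchored to the header's wall-clock export time) and how much (packets and bytes). The header's record count is treated as untrusted input, so a truncated datagram is rejected instead of being decoded as garbage.

```python
"""Decode a NetFlow v5 export datagram into who / what / when / where / how-much records."""
import socket
import struct
from datetime import datetime, timezone

# Wire layout of the NetFlow v5 export format: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> list:
    """Return one dict per flow record, with uptime-relative times anchored to wall clock."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    # The record count comes off the wire: only trust it when the datagram really holds
    # that many records, otherwise a truncated packet would be decoded as garbage.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records but datagram is {len(datagram)} bytes")

    export_time = unix_secs + unix_nsecs / 1e9
    sampling_interval = sampling & 0x3FFF  # low 14 bits; 0 means every packet was counted
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, packets, octets, first_ms, last_ms,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        # first/last are exporter uptime in ms; subtract their distance from "now" (sys_uptime)
        start = export_time - (sys_uptime_ms - first_ms) / 1000.0
        end = export_time - (sys_uptime_ms - last_ms) / 1000.0
        records.append({
            "src": socket.inet_ntoa(src), "sport": sport,               # who
            "dst": socket.inet_ntoa(dst), "dport": dport,               # where
            "proto": proto, "tcp_flags": tcp_flags,                     # what
            "start": datetime.fromtimestamp(start, tz=timezone.utc),    # when
            "end": datetime.fromtimestamp(end, tz=timezone.utc),
            "packets": packets, "bytes": octets,                        # how much
            "in_if": in_if, "out_if": out_if,
            "sampling_interval": sampling_interval, "export_seq": flow_seq,
        })
    return records


def build_sample_datagram() -> bytes:
    """Constructed test input, not a real capture: one exporter, two flow records."""
    sys_uptime_ms = 600_000          # exporter has been up for 10 minutes
    export_secs = 1_609_459_200      # 2021-01-01T00:00:00Z
    header = V5_HEADER.pack(5, 2, sys_uptime_ms, export_secs, 0, 1000, 0, 0, 0)
    # 10.1.2.3:51234 -> 203.0.113.10:443, TCP, 12 packets / 9840 bytes, lasting 9.5 s and
    # ending half a second before export (flags 0x1B = FIN+SYN+PSH+ACK)
    https = V5_RECORD.pack(
        socket.inet_aton("10.1.2.3"), socket.inet_aton("203.0.113.10"), socket.inet_aton("0.0.0.0"),
        1, 2, 12, 9_840, 590_000, 599_500, 51234, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    # 10.1.2.3:40001 -> 198.51.100.7:53, UDP, a single 60-byte DNS query
    dns = V5_RECORD.pack(
        socket.inet_aton("10.1.2.3"), socket.inet_aton("198.51.100.7"), socket.inet_aton("0.0.0.0"),
        1, 2, 1, 60, 598_000, 598_000, 40001, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + https + dns


if __name__ == "__main__":
    for r in parse_netflow_v5(build_sample_datagram()):
        print(f'{r["start"]:%H:%M:%S} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'proto={r["proto"]} bytes={r["bytes"]} pkts={r["packets"]}')
```

In a real collector the same routine sits behind a UDP socket on port 2055 (the conventional NetFlow port), and the `sampling_interval` field matters: when it is non-zero the byte and packet counts are from sampled packets and must be scaled before any threshold is applied to them.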

Add Context

With the culprit confirmed, context can be brought in: the username behind the end system, its MAC address, its operating system and its exact location. These details can be gained by integrating with Microsoft Active Directory or other authentication systems. Context can also come from systems such as Splunk, which serve up the system messages related to the event under investigation. Easy-to-navigate integration, for example jumping from NetFlow to usernames to syslogs, lets IT reduce the Mean Time To Respond (MTTR) to critical events. Vendors whose solutions cooperate and work together create the biggest win-win environments.

NetFlow Augments the IDS and Firewalls

Beyond leveraging flow data to investigate threats, it can also be used to monitor traffic for irregular patterns. Advanced data analytics let customers combine filters with Boolean logic to set thresholds, which aids in detecting unwanted patterns that fall outside normal activity. What is more, the individual events can be counted over defined periods of time, which helps uncover low and slow, stealthy malware behaviors that try to "fly under the radar". One caveat: this kind of counting depends on every flow being exported. With sampled export (sFlow or sampled NetFlow) a host that sends one small flow per hour can be missed entirely, so unsampled export should be used where low and slow detection matters.
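To make the filter-plus-threshold and count-over-time ideas concrete, here is an added Python example (not code from the article or from any product); the flow records are constructed inline and labelled as such. A Boolean rule selects small internal-to-external web flows. A classic per-hour volume threshold catches a burst of 30 such flows in ten minutes, while the hourly beacon of one 300-byte flow never trips it and is only found by counting the hours in which the rule matched and checking how regular the gaps between matches are. The "internal" address ranges are an assumption standing in for a site's address plan.

```python
"""Threshold and low-and-slow detection over flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Assumed address plan for the example. ipaddress.is_private is not used on purpose:
# it also marks the RFC 5737 documentation ranges used below as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, Unix seconds
    src: str
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    octets: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def small_outbound_web(f: Flow) -> bool:
    """Filter with Boolean logic: internal -> external, TCP 80/443, under 2 KB.
    Large transfers are excluded so that volume alone does not trip the rule."""
    return (is_internal(f.src) and not is_internal(f.dst)
            and f.proto == 6 and f.dport in (80, 443) and f.octets < 2000)


def count_by_window(flows, rule, window_s):
    """counts[(src, dst)][window_index] = number of flows matching rule in that window."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if rule(f):
            counts[(f.src, f.dst)][f.ts // window_s] += 1
    return counts


def over_threshold(counts, max_per_window):
    """Classic volume threshold: any pair with more than max_per_window hits in one window."""
    return sorted(pair for pair, per_window in counts.items()
                  if max(per_window.values()) > max_per_window)


def low_and_slow(flows, rule, window_s=3600, min_windows=6, max_gap_cv=0.25):
    """Flag pairs that match the rule in at least min_windows consecutive windows with regular
    spacing (low coefficient of variation of the gaps), however few flows there are per window."""
    counts = count_by_window(flows, rule, window_s)
    hits = []
    for pair, per_window in counts.items():
        windows = sorted(per_window)
        best = run = 1
        for a, b in zip(windows, windows[1:]):      # longest run of consecutive windows
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best < min_windows:
            continue
        times = sorted(f.ts for f in flows if rule(f) and (f.src, f.dst) == pair)
        gaps = [b - a for a, b in zip(times, times[1:])]
        gap_cv = pstdev(gaps) / (sum(gaps) / len(gaps)) if gaps else 0.0
        if gap_cv <= max_gap_cv:
            hits.append({"src": pair[0], "dst": pair[1], "consecutive_windows": best,
                         "flows": len(times), "gap_cv": round(gap_cv, 3)})
    return hits


def sample_flows():
    """Constructed records, not a capture: a beacon, a burst, bulk transfers, internal chatter."""
    t0 = 1_700_000_000
    flows = []
    jitter = [0, 40, -25, 60, -50, 10, 30, -35, 20, -10, 45, -5]
    for i, j in enumerate(jitter):          # one ~300-byte HTTPS flow roughly every hour
        flows.append(Flow(t0 + i * 3600 + j, "10.0.0.5", "203.0.113.9", 443, 6, 300 + i))
    for i in range(30):                     # 30 small flows in ten minutes, then silence
        flows.append(Flow(t0 + 120 + i * 20, "10.0.0.6", "198.51.100.20", 443, 6, 1500))
    for i in range(12):                     # hourly 5 MB transfers: bulk, not beaconing
        flows.append(Flow(t0 + i * 3600, "10.0.0.7", "198.51.100.30", 443, 6, 5_000_000))
    for i in range(12):                     # internal SMB traffic, outside the rule
        flows.append(Flow(t0 + i * 3600, "10.0.0.5", "10.0.0.8", 445, 6, 400))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("burst threshold:", over_threshold(count_by_window(flows, small_outbound_web, 3600), 20))
    print("low and slow   :", low_and_slow(flows, small_outbound_web))
```

The two detectors are complementary: the burst threshold reports 10.0.0.6, which the low and slow check ignores because all of its flows land in one hour, while the beacon from 10.0.0.5 to 203.0.113.9 shows one flow per hour for twelve consecutive hours with gaps that vary by under two percent, which is what regular check-in traffic looks like in flow data.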

Security Analytics

NetFlow and IPFIX, combined with algorithms that can be tuned to the unique characteristics of each customer site, have become one of the best forms of Security Analytics. Taking advantage of the network as a sensor and harvesting NetFlow and IPFIX to monitor and investigate security events has become a staple of IT security.
