This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."
Download it now to read this article plus other related content.
Striking It Rich
For a security analyst, finding and using NetFlow data will aid in the discovery and prevention of network compromises. Here are some real-world examples of the power and flexibility of NetFlow analysis:
It's in the mail: When a PC is sending unsolicited e-mail, NetFlow analysis can identify the compromised machine. The daily routine of SMTP analysis leads to scheduled reports, removing the manual work. The net result is a significant reduction of spam being generated, which will help to keep the organization off e-mail blacklists.
It's easy to identify problems by selecting SMTP traffic and sorting it by the number of flows. For example, an unregistered server causing thousands of e-mail flows in a relatively short time interval has a compromised system and will be contacted. Failure to fix problems results in subsequent notifications and could lead to account suspension.
Even registered mail servers with excessive flows can be worth further investigation. For example, thousands of e-mail flows out of a small business or a school in the middle of the night raises a red flag, and checking IPs against Internet registries often turns up large numbers of suspicious foreign destinations. Detailed flow analysis of a specific machine generating spam usually shows activity on ports indicating a specific mail Trojan.
On the trail of malware: When a new virus or worm hits, NetFlow analysis can
Symantec, McAfee, the Internet Storm Center and others are ready sources of information on the activity patterns of viruses, worms and spyware.
This was first published in January 2006