Network Behavior Anomaly Detection (NBAD)
Combining NetFlow analysis with security information management systems
From humble beginnings, NetFlow has today become a commonly used network monitoring tool. Alone, NetFlow analysis provides powerful management capabilities. When combined with security information and event management systems (SIMs) and correlated with data from other devices and layers, NetFlow becomes indispensable. In this article, we'll discuss NetFlow analysis and what it offers to SIM systems that use it. We will then review the advantages gained in combining these two powerful technologies together.
What is NetFlow?
Initially, network monitoring was performed with the Simple Network Monitoring Protocol (SNMP). Although SNMP eases capacity planning, it does little to characterize traffic applications, which are essential for understanding how well the network supports the business. Port flows were monitored, but newer applications dynamically select new ports for each session and thus were inadequate. What was needed was a more granular picture of bandwidth usage. The arrival of NetFlow allowed network administrators to characterize and analyze network traffic flows via UDP.
NetFlow analysis is now built into most enterprise-class switches and routers, and has become a primary network accounting and anomaly-detection technology in the industry. NetFlow essentially answers the following questions about network traffic: Who, what, when, where, and how? Each flow is a collection of packets characterized by flow-specific information, such as the source and destination IP addresses, as well as port information. The packets in a particular flow are counted and reported via a collector. The collector classifies all the traffic collected on a network, based on its source, destination and application. The resultant reports allow an administrator to view the flows as prioritized by bandwidth utilization. Bandwidth may be broken down even further into smaller subclassifications such as applications, users and servers.
Network behavior anomaly detection
NetFlow creates a behavior-based system that profiles the typical connections made between devices. This creates a baseline that may be as granular as hourly or daily. After the network is "learned," any variation that is considered anomalous may be acted on.
How SIM uses NetFlow data
NetFlow data is aggregated with data from other sources. such as IPSes, firewalls, VPNs, the application layer and, in some systems, identity data. This data is then correlated using several techniques including:
These correlations are conducted per monitoring site and across sites as well.
This correlated data is prioritized based on traffic flows, attacks within a site or attacks across sites. A risk analysis is then performed to discover which attack has the greatest potential for harm to the enterprise. Ideally this risk assessment will include attacks on at least:
- Business processes
- Network processes
- Site versus enterprise
This has been a differentiator in the SIM space however. Some are better at network-based attacks, while others allow for reviewing business processes as well.
Finally, this data is provided to a reporting engine. Graphs and charts are provided by a series of dashboards and text-based reports. The newest generation of security information management systems allows for visualization techniques with drill-down capability.
Advantages of SIM/NetFlow together
One of the clearest gains in combining NetFlow with SIMs is the improvement in security insight and response. With real-time NetFlow views, priority-based alerts can be created. Threats can also be correlated with other attack vectors, so that the highest-priority problems are seen first and administrators can respond accordingly.
This combination now allows us to view threats across an enterprise to spot things like salami attacks, or a series of small attacks with a larger purpose, which are still used in the hacker community today. Automated vulnerability assessment tools use this technique to evade IPS devices. When you collect NetFlow data from across the enterprise and correlate it, you can spot this type of stealth attack more readily.
From the editors:
Read why application
logging is critical in detecting hack attacks.
Learn more about understanding network traffic flow analysis.
See resources on network behavioral anomaly detection (NBAD)
One of the most interesting advantages gained is the ability to see adverse events in one flow with its associated flows. This is possible because the security information management system correlates NetFlow data from across the enterprise, allowing an administrator to view both the attack flow and those flows supporting the attack.
If you do not have an SIM installed and you would like to "see" NetFlow in action, there are several tools available to gain added insight. Sourceforge.net is an open source community with some outstanding open source (freeware) security tools available. Sourceforge.net's NetFlow listings currently offer 44 tools to view, manipulate and use NetFlow data. Two of the most popular are:
- Extreme Happy NetFlow Tool
- NFDUMP - NetFlow processing tool
NetFlow has become an indispensable tool in both the network and security markets. It provides real-time views of bandwidth use and application and user priorities, and thus business process flows. The faster this data can be turned into useful information, the faster security pros can respond to incidents and minimize the impact on an organization's business. Additionally, when combined with security information and event management systems, NetFlow can reveal previously hidden threats happening across an enterprise. NetFlow and SIM is like peanut butter and jelly: they simply belong together.
About the author:
Tom Bowers, managing director of security think tank and industry analyst firm Security Constructs, holds the CISSP, PMP and Certified Ethical Hacker certifications, and is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers serves as the president of the 600-member Philadelphia chapter of Infragard, is a technical editor of Information Security magazine, and speaks regularly at events like Information Security Decisions.
26 Mar 2007
Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.