Problem solve Get help with specific problems with your technologies, process and projects.

Using network flow analysis to improve network security visibility

To overcome network security issues from advanced attackers and BYOD, security professionals are turning to network flow analysis to gain improved network security visibility.

For years, security professionals have debated whether outsiders or insiders pose the bigger risk. Today, this...

argument is moot: The threat is all around us because the network demarcation line has blurred.

For instance, insiders may work from home and telecommute; employees may take advantage of BYOD, while business partners and sales staff often have access to mission-critical cloud-based services. It's getting harder than ever to know who is on the network at any given time, using any number of devices to access services, systems and data. All this is occurring while attackers are adapting to these new technologies while using them to bypass traditional defenses.

In order to overcome these security risks and gain better insight into who is on the network, security professionals have turned to network flow analysis to improve network security visibility.

Network security visibility moves beyond traditional defenses

The above-mentioned use cases underscore the need to move beyond traditional security techniques and examine the bigger picture in real time. Instead of blocking attacks after they occur, the observation of network traffic flow offers better network visibility and faster detection of malicious events. Network flow is the analysis of IP, TCP, UDP and other header information examined along with the source, target ports and IP addresses. This represents a strategic change for network security managers in that it calls for migration to an in-line comprehensive view of the entire network infrastructure.

However, this change is being held back by both people and technology. On the people side, most companies have been forced to do more with less. The complexity involved with designing secure system architectures, defending against advanced attacks and identifying and mitigating intrusions demands skilled security practitioners that many enterprises can't find or afford. At the same time, security organizations often rely heavily on products like data leakage prevention (DLP) and enterprise rights management (ERM) products to detect security violations. While they are fine technologies in their own right, neither is a panacea. A new approach is needed.

Network flow analysis: A three-pronged approach

This new plan emphasizing network flow analysis is best described as a three-pronged approach of detecting, distilling and analyzing data flows. It utilizes multiple sources of internal and external information and processes it in real time to detect threats. The key is to use existing network infrastructure that's already in-line and available.

Flow analysis provides a different perspective on traffic movement in networks. It provides visibility into how often an event occurred per a given metric. For example, how often was traffic containing encrypted .zip files leaving the network and destined for Asia between midnight and 2 a.m. on weekends? With flow-analysis tools, security professionals can view this type of user activity in near-real time.

Distilling the massive amount of data that flows through modern networks requires tools that allow for the aggregation and correlation of data. Cisco Systems was one of the first vendors to market this technology. Many other vendors followed in this field, including Vitria, Riverbed Technology and Arbor Networks. For those on a tight budget, there are also options such as Softflowd and FlowScan that are available as open source tools. You can find those tools and others at the networkuptime website.

Analysis of all this real-time data is made easier with the use of standards. NetFlow was developed by Cisco but has become an industry standard. With standards, common formats are adopted that allow customers to pick and choose which analysis tools to use. Standards for flow aggregation and data export are handled by the IETF. Some examples of log analysis tools include LogRhythm, Nagios and Splunk. The large amounts of data that must be managed pose a reasonable concern, but the elasticity of cloud computing can help. Cloud computing allows users to scale up as demand increases so that they can almost instantly bring virtual servers on line to complete needed tasks.

Network flow analysis: Not an overnight solution

It is clear that traditional defenses such as antivirus are failing against zero-day attacks and advanced persistent threats. Network flow analysis offers a compelling conceptual alternative, but an industry-wide migration to this paradigm will require time. 

More on network flow analysis

Network flow analysis for cloud flow

OpenFlow SDN for network monitoring and analysis

Uncovering digital crimes with network forensic analysis

Analysis takes work and training, especially when first deployed; security professionals may not know what they are looking for, so there is a natural learning curve in developing an eye for anomalies. There is also the need for specialized network analysis tools that require funding and deployment. Additionally, paradigm shifts are not easy, as they are driven not by ways of thinking, but by agents of change.

Making the move to network flow analysis requires laying some groundwork. Start by working with senior management to make a case for the technology. Explain how deployment of NetFlow is a "win-win" in that it supports a wide range of enterprise uses. If you are on the security side of the table, engage the networking group; they have direct control over routers and switches, so getting them on your side is important. You will need to verify that current equipment supports network flow and that future purchases meet your projected needs.  

Strategically, the majority of enterprises have fallen behind the capabilities of advanced attackers. Network flow analysis represents an important step toward restoring the balance.

About the author
Michael Gregg is chief operating officer of Superior Solutions Inc., a Houston-based information security assessment, penetration testing and IT security training firm. Gregg is responsible for helping corporations establish and validate enterprise-wide information security programs and controls. He is an expert on cybersecurity, networking and Internet technologies.

This was last published in May 2013

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)