Network Security Analytics Today, presented at FIRST 2014

by Aubrey Merchant-dest

Summary: This presentation and discussion focuses on the use of 'rich flow data' (session-level flow records enriched with attributes parsed from the protocols themselves) to expose potentially malicious activity on your network that current perimeter defense platforms may not catch. The objective is to get the audience thinking about what questions they can ask of the network to gain intelligence and close gaps in their existing defenses.
The 2013 Verizon Data Breach Investigations Report found that 84% of attacks happen within hours, yet 62% take months to discover. These are targeted attacks that skate past traditional perimeter defenses because they are novel and match no existing signature. With full visibility into, and context around, network flows, such advanced attacks can be detected and mitigated faster. Richer session flow attributes and metadata, used as a source for analytics, can expose malicious activity that would otherwise go undetected.
Netflow has been available from routers and switches for well over a decade and is generally used by network operations staff to detect protocol anomalies and denial-of-service attacks. Security operations staff can benefit from Netflow as well, by correlating alarms and alerts to flow records. The information available from Netflow is limited, however, compared with what the protocol parsers in modern network forensic tools (NFTs) extract. By passively tapping key network segments (gateways, server farms, partner links) you gain full visibility and context into traffic flows, allowing correlation of flow attributes from layer 2 to layer 7 (Ethernet, VLAN, application, filenames, sessions, packets, etc.) and attribution to hosts, users and applications. This is accomplished by protocol parsing and by indexing the extracted attributes into containers that can be queried.

Using host attributes (IP addresses, users, country) you can perform frequency analysis to discover traffic patterns of interest: values that only one or two hosts ever exhibit, or that one host exhibits far more often than its peers. Adding further attributes such as filenames, session counts and/or byte counts can expose additional activity which may initially seem unrelated.
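To make the frequency-analysis idea concrete, the following is an added Python example, not code from the talk or from any NFT product, run over a constructed set of rich flow records. The field names, the users, the TEST-NET and RFC 1918 addresses, the country codes, the byte counts and the rarity and beacon thresholds are all assumptions chosen for illustration. It shows the three steps the paragraph describes: rank attribute values by how many distinct hosts exhibit them (a destination country seen from one host only), pivot from that value to the hosts behind it, and then bring in filenames and byte counts to surface activity on the same host that would look unrelated on its own. A fixed-size, repeated session pattern is flagged as a beacon candidate using the median session size so that a single large upload on the same channel does not hide the check-ins.

```python
"""Frequency analysis over rich flow records (constructed sample data)."""
from collections import Counter, defaultdict
from statistics import median


def flow(src_ip, user, dst_ip, dst_country, app, filename, nbytes):
    """One parsed session as an NFT might index it (constructed schema)."""
    return {"src_ip": src_ip, "user": user, "dst_ip": dst_ip,
            "dst_country": dst_country, "app": app, "filename": filename,
            "bytes": nbytes}


# Constructed sample: a few ordinary web/SMB sessions plus one workstation
# (10.1.1.23) that pulls a spreadsheet from the file server, checks in to an
# external host with near-constant session sizes, then sends one large session.
FLOWS = [
    flow("10.1.1.10", "alice", "198.51.100.20", "US", "http", "index.html", 52000),
    flow("10.1.1.10", "alice", "198.51.100.20", "US", "http", "logo.png", 18000),
    flow("10.1.1.11", "bob", "198.51.100.20", "US", "http", "index.html", 51000),
    flow("10.1.1.11", "bob", "192.0.2.5", "DE", "https", "", 240000),
    flow("10.1.1.12", "carol", "192.0.2.5", "DE", "https", "", 260000),
    flow("10.1.1.12", "carol", "10.1.5.5", "LAN", "smb", "q3_report.docx", 900000),
    flow("10.1.1.23", "dave", "10.1.5.5", "LAN", "smb", "payroll_2014.xlsx", 1400000),
    flow("10.1.1.23", "dave", "203.0.113.7", "MD", "https", "", 1502),
    flow("10.1.1.23", "dave", "203.0.113.7", "MD", "https", "", 1498),
    flow("10.1.1.23", "dave", "203.0.113.7", "MD", "https", "", 1510),
    flow("10.1.1.23", "dave", "203.0.113.7", "MD", "https", "", 1495),
    flow("10.1.1.23", "dave", "203.0.113.7", "MD", "https", "", 1480000),
]


def frequency(flows, attr):
    """How often each value of one attribute appears across all flows."""
    return Counter(f[attr] for f in flows)


def hosts_per_value(flows, attr, host_attr="src_ip"):
    """Map each value of attr to the set of source hosts that produced it."""
    seen = defaultdict(set)
    for f in flows:
        seen[f[attr]].add(f[host_attr])
    return seen


def rare(flows, attr, max_hosts=1):
    """Values of attr exhibited by at most max_hosts distinct hosts.

    Rarity is measured by host count rather than flow count: a beacon
    generates many flows yet still comes from a single machine.
    """
    return {v for v, hosts in hosts_per_value(flows, attr).items()
            if len(hosts) <= max_hosts}


def pivot(flows, **match):
    """Select flows whose attributes equal every given key=value pair."""
    return [f for f in flows if all(f.get(k) == v for k, v in match.items())]


def beacon_candidates(flows, min_sessions=4, tolerance=0.10):
    """(src, dst, app) triples with >= min_sessions sessions whose byte counts
    lie within tolerance of the median session size. Using the median lets a
    few outliers (a large upload on the same channel) coexist with check-ins."""
    sizes = defaultdict(list)
    for f in flows:
        sizes[(f["src_ip"], f["dst_ip"], f["app"])].append(f["bytes"])
    out = []
    for key, b in sizes.items():
        if len(b) < min_sessions:
            continue
        med = median(b)
        near = [x for x in b if abs(x - med) <= tolerance * med]
        if len(near) >= min_sessions:
            out.append(key)
    return sorted(out)


def investigate(flows):
    """Rare destination country -> hosts behind it -> their files and bytes."""
    findings = {"rare_countries": rare(flows, "dst_country"),
                "beacons": beacon_candidates(flows), "hosts": {}}
    suspects = {f["src_ip"] for c in findings["rare_countries"]
                for f in pivot(flows, dst_country=c)}
    suspects.update(src for src, _, _ in findings["beacons"])
    for host in sorted(suspects):
        mine = pivot(flows, src_ip=host)
        findings["hosts"][host] = {
            "users": sorted({f["user"] for f in mine}),
            "filenames": sorted({f["filename"] for f in mine if f["filename"]}),
            "bytes_to_rare": sum(f["bytes"] for f in mine
                                 if f["dst_country"] in findings["rare_countries"]),
        }
    return findings


if __name__ == "__main__":
    print(frequency(FLOWS, "dst_country"))
    print(investigate(FLOWS))
```

The same functions work on real records once the field names are mapped to whatever the tool exports; the thresholds (one host, four sessions, 10% size tolerance) are starting points to tune against a baseline of the segment being tapped, not fixed detection rules.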