Combining NetFlow analysis with security information management systems


Tom Bowers
03.26.2007




SearchSecurity.com Security School
This tip is part of SearchSecurity.com's Intrusion Defense School lesson on security information management systems. Visit the lesson page or the main school page for more learning resources.

From humble beginnings, NetFlow has today become a commonly used network monitoring tool. Alone, NetFlow analysis provides powerful management capabilities. When combined with security information and event management systems (SIMs) and correlated with data from other devices and layers, NetFlow becomes indispensable. In this article, we'll discuss NetFlow analysis and what it offers to SIM systems that use it. We will then review the advantages gained in combining these two powerful technologies together.

What is NetFlow?
Initially, network monitoring was performed with the Simple Network Management Protocol (SNMP). Although SNMP eases capacity planning, it does little to characterize the applications generating traffic, which is essential for understanding how well the network supports the business. Monitoring by port was tried next, but it proved inadequate because newer applications dynamically select a new port for each session. What was needed was a more granular picture of bandwidth usage. The arrival of NetFlow allowed network administrators to characterize and analyze network traffic as flows, exported from the device to a collector over UDP.

NetFlow export is now built into most enterprise-class switches and routers, and NetFlow analysis has become a primary network accounting and anomaly-detection technology in the industry. NetFlow essentially answers the following questions about network traffic: who, what, when, where and how? Each flow is a collection of packets sharing flow-specific attributes, such as the source and destination IP addresses, the protocol and the port numbers. The device counts the packets and bytes in each flow and reports them to a collector. The collector classifies all the traffic seen on the network by source, destination and application. The resulting reports let an administrator view the flows ranked by bandwidth utilization, and bandwidth can be broken down further into smaller subclassifications such as applications, users and servers.
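The following added example (not code from the article) shows the collector side of what this paragraph describes: it unpacks a NetFlow v5 export datagram into flow records, labels each flow's application and ranks the flows by bytes. The datagram is constructed in the script itself with build_datagram() so it runs offline; the v5 layout (24-byte header, 48-byte records, network byte order) is Cisco's published format, and the APP_BY_PORT table is a deliberately small assumption standing in for a collector's real application map.

```python
"""Parse NetFlow v5 export datagrams and rank flows by bandwidth.

Added example; it is not code from the article. The datagram is constructed
below with build_datagram() so the script runs offline; the v5 layout used
(24-byte header, 48-byte records, network byte order) is Cisco's published
format, and APP_BY_PORT is a deliberately small port-to-application table.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes

# Assumed mapping: a real collector would carry a much larger table.
APP_BY_PORT = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 export datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    flows = []
    offset = V5_HEADER.size
    for _ in range(count):
        fields = V5_RECORD.unpack_from(datagram, offset)
        offset += V5_RECORD.size
        flows.append({
            "src": str(IPv4Address(fields[0])),            # who
            "dst": str(IPv4Address(fields[1])),            # where
            "packets": fields[5], "octets": fields[6],     # how much
            "first": fields[7], "last": fields[8],         # when (sysuptime ms)
            "sport": fields[9], "dport": fields[10],
            "tcp_flags": fields[12], "proto": fields[13],  # how
        })
    return flows


def classify(flow):
    """Label the application by the lower (server-side) port; ICMP has none."""
    if flow["proto"] == 1:
        return "icmp"
    port = min(flow["sport"], flow["dport"])
    return APP_BY_PORT.get(port, "port-%d" % port)


def top_talkers(flows, key=("src", "dst", "app"), limit=5):
    """Sum octets per key tuple and return the busiest entries first."""
    totals = defaultdict(int)
    for f in flows:
        f = dict(f, app=classify(f))
        totals[tuple(f[k] for k in key)] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def build_datagram(records):
    """Constructed test input: pack (src, dst, sport, dport, proto, pkts, octets)
    tuples into one v5 datagram the way an exporting router would."""
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                       1, 2, pk, oc, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc in records)
    return V5_HEADER.pack(5, len(records), 123456, 1174867200, 0, 0, 0, 0, 0) + body


# Constructed sample: two HTTPS sessions, one SSH, one DNS query, one ping.
SAMPLE_RECORDS = [
    ("10.1.1.5", "192.0.2.10", 51000, 443, 6, 120, 150000),
    ("10.1.1.5", "192.0.2.10", 51002, 443, 6, 80, 90000),
    ("10.1.1.7", "10.1.2.20", 40000, 22, 6, 30, 4000),
    ("10.1.1.9", "10.1.2.53", 53333, 53, 17, 2, 200),
    ("10.1.1.9", "10.1.2.20", 0, 2048, 1, 5, 500),
]

if __name__ == "__main__":
    flows = parse_v5(build_datagram(SAMPLE_RECORDS))
    for who, octets in top_talkers(flows):
        print("%-14s -> %-14s %-6s %8d bytes" % (who[0], who[1], who[2], octets))
    print("by application:", top_talkers(flows, key=("app",)))
```

Changing the key tuple passed to top_talkers() gives the subclassifications the paragraph mentions: ("app",) for application totals, ("src",) for per-user hosts, ("dst", "app") for per-server breakdowns.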

Network behavior anomaly detection
NetFlow creates a behavior-based system that profiles the typical connections made between devices. This creates a baseline that may be as granular as hourly or daily. After the network is "learned," any variation that is considered anomalous may be acted on.
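As an added illustration of the baseline-then-deviate model in this section (example code, not the article's or any NBAD product's), the script below learns, per hour of day, the typical byte volume of each (source, destination, port) pair from constructed historical flows, then flags three kinds of variation in a new window: a pair never seen before, a known pair active at an hour it was never seen, and a known pair moving far more data than its baseline. The SIGMA threshold and the 10%-of-mean floor are assumptions.

```python
"""Hourly behaviour baseline for NetFlow connection pairs, with anomaly flags.

Added example, not the article's code. Flows are constructed tuples of
(hour_of_day, src, dst, dport, octets). The baseline keeps the mean and
population standard deviation of bytes per (hour, pair); SIGMA and the
10%-of-mean floor are assumed tuning values.
"""
import statistics
from collections import defaultdict

SIGMA = 3.0  # flag volume more than SIGMA deviations above the hourly mean


def learn_baseline(history):
    """Group historical flows by (hour, pair) and summarise byte volumes."""
    samples = defaultdict(list)
    for hour, src, dst, dport, octets in history:
        samples[(hour, (src, dst, dport))].append(octets)
    baseline = {}
    for key, values in samples.items():
        mean = statistics.fmean(values)
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[key] = (mean, stdev, len(values))
    return baseline


def known_pairs(baseline):
    """Every (src, dst, dport) pair that appeared at any hour while learning."""
    return {pair for (_hour, pair) in baseline}


def detect(baseline, window):
    """Return (kind, hour, pair, octets) for each anomalous flow in the window."""
    pairs = known_pairs(baseline)
    findings = []
    for hour, src, dst, dport, octets in window:
        pair = (src, dst, dport)
        if pair not in pairs:
            findings.append(("new-connection", hour, pair, octets))
            continue
        stats = baseline.get((hour, pair))
        if stats is None:
            findings.append(("off-hours", hour, pair, octets))
            continue
        mean, stdev, _n = stats
        # Guard against a near-zero stdev turning normal jitter into alerts.
        spread = max(stdev, 0.1 * mean)
        if octets > mean + SIGMA * spread:
            findings.append(("volume", hour, pair, octets))
    return findings


# Constructed history: three days of a file-server session at 09:00 and
# DNS lookups at 09:00 and 14:00.
SAMPLE_HISTORY = [
    (9, "10.1.1.5", "10.1.2.20", 445, 100000),
    (9, "10.1.1.5", "10.1.2.20", 445, 110000),
    (9, "10.1.1.5", "10.1.2.20", 445, 90000),
    (9, "10.1.1.9", "10.1.2.53", 53, 500),
    (9, "10.1.1.9", "10.1.2.53", 53, 520),
    (9, "10.1.1.9", "10.1.2.53", 53, 480),
    (14, "10.1.1.9", "10.1.2.53", 53, 600),
    (14, "10.1.1.9", "10.1.2.53", 53, 610),
    (14, "10.1.1.9", "10.1.2.53", 53, 590),
]

# Constructed new window: one normal session, a 5 MB bulk copy, a normal
# lookup, a lookup at 03:00, and a connection to a never-seen host.
SAMPLE_WINDOW = [
    (9, "10.1.1.5", "10.1.2.20", 445, 105000),
    (9, "10.1.1.5", "10.1.2.20", 445, 5000000),
    (9, "10.1.1.9", "10.1.2.53", 53, 510),
    (3, "10.1.1.9", "10.1.2.53", 53, 500),
    (9, "10.1.1.5", "203.0.113.7", 443, 2000),
]

if __name__ == "__main__":
    for finding in detect(learn_baseline(SAMPLE_HISTORY), SAMPLE_WINDOW):
        print(finding)
```

The three finding kinds map onto the questions NetFlow answers: "new-connection" is a change in who talks to whom, "off-hours" a change in when, and "volume" a change in how much; a SIM consuming these findings would weight each differently.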

How SIM uses NetFlow data
NetFlow data is aggregated with data from other sources, such as IPSes, firewalls, VPNs, the application layer and, in some systems, identity data. This data is then correlated using several techniques, including:

  • Rules-based
  • Statistical
  • Historical
  • Vulnerability

These correlations are conducted per monitoring site and across sites as well.

This correlated data is prioritized based on traffic flows, attacks within a site or attacks across sites. A risk analysis is then performed to discover which attack has the greatest potential for harm to the enterprise. Ideally this risk assessment will include attacks on at least:

  • Business processes
  • Network processes
  • Site versus enterprise

This, however, has been a differentiator in the SIM space. Some products are better at network-based attacks, while others allow for reviewing business processes as well.

Finally, this data is provided to a reporting engine. Graphs and charts are provided by a series of dashboards and text-based reports. The newest generation of security information management systems allows for visualization techniques with drill-down capability.

Advantages of SIM/NetFlow together
One of the clearest gains in combining NetFlow with SIMs is the improvement in security insight and response. With real-time NetFlow views, priority-based alerts can be created. Threats can also be correlated with other attack vectors, so that the highest-priority problems are seen first and administrators can respond accordingly.

This combination now allows us to view threats across an enterprise to spot things like salami attacks (a series of small attacks with a larger purpose), which are still used in the hacker community today. Automated vulnerability assessment tools use this technique to evade IPS devices. When you collect NetFlow data from across the enterprise and correlate it, you can spot this type of stealth attack more readily.

One of the most interesting advantages gained is the ability to see adverse events in one flow with its associated flows. This is possible because the security information management system correlates NetFlow data from across the enterprise, allowing an administrator to view both the attack flow and those flows supporting the attack.
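The added example below (not the article's or any SIM vendor's code) pulls together the correlation, risk-prioritization and cross-site points of this section. It applies a rules-based check (an IPS alert is confirmed only when NetFlow shows traffic between the same endpoints near the alert time), scores each confirmed alert by signature severity times the asset's criticality, attaches the source's other flows in the same window as the "associated flows" of the attack, and separately looks for the salami pattern: a source whose per-site target count stays under what one site's sensor would flag while the enterprise-wide count does not. All events, the asset table, severities, thresholds and the WINDOW are constructed assumptions.

```python
"""Correlate NetFlow records with IPS alerts across sites and rank by risk.

Added example, not the article's or any vendor's code. Every event, the
ASSETS table, SIG_SEVERITY, WINDOW and the scan thresholds are constructed
assumptions chosen to make the logic visible.
"""
from collections import defaultdict

WINDOW = 60            # seconds: flows this close to an alert are "associated"
PER_SITE_SCAN = 20     # a single site's sensor would notice this many targets...
ENTERPRISE_SCAN = 30   # ...but the total across sites can still exceed this

# Constructed asset inventory: criticality 1-5 and the business process served.
ASSETS = {
    "10.1.2.20": {"crit": 5, "process": "order-entry"},
    "10.1.2.53": {"crit": 3, "process": "network-dns"},
    "10.2.2.30": {"crit": 4, "process": "payroll"},
}
SIG_SEVERITY = {"EXPLOIT smb-overflow": 5, "SCAN portsweep": 2}


def associated_flows(flows, src, ts):
    """All flows from the same source within WINDOW seconds of ts."""
    return [f for f in flows if f["src"] == src and abs(f["ts"] - ts) <= WINDOW]


def correlate_alerts(flows, alerts):
    """Rules-based correlation: confirm an IPS alert with matching NetFlow."""
    incidents = []
    for a in alerts:
        nearby = associated_flows(flows, a["src"], a["ts"])
        if not any(f["dst"] == a["dst"] for f in nearby):
            continue  # nothing on the wire backs the alert; leave it unranked
        asset = ASSETS.get(a["dst"], {"crit": 1, "process": "unknown"})
        incidents.append({
            "kind": "confirmed-alert", "site": a["site"],
            "src": a["src"], "dst": a["dst"], "sig": a["sig"],
            "process": asset["process"],
            "risk": SIG_SEVERITY.get(a["sig"], 1) * asset["crit"],
            "associated": nearby,   # the attack flow plus its supporting flows
        })
    return incidents


def cross_site_sweeps(flows):
    """Historical, cross-site correlation: small per-site footprints that add
    up to an enterprise-wide sweep (the salami pattern)."""
    per_site = defaultdict(set)
    for f in flows:
        per_site[(f["src"], f["site"])].add(f["dst"])
    by_src = defaultdict(dict)
    for (src, site), targets in per_site.items():
        by_src[src][site] = len(targets)
    findings = []
    for src, sites in by_src.items():
        total = sum(sites.values())
        if total >= ENTERPRISE_SCAN and all(n < PER_SITE_SCAN for n in sites.values()):
            findings.append({"kind": "cross-site-sweep", "src": src, "sites": sites,
                             "risk": 2 * len(sites), "process": "network"})
    return findings


def prioritize(flows, alerts):
    """Highest-risk incidents first, so they are seen and handled first."""
    found = correlate_alerts(flows, alerts) + cross_site_sweeps(flows)
    return sorted(found, key=lambda i: i["risk"], reverse=True)


# Constructed flows: one source talks to DNS then to the file server at site A
# (plus a stray flow far outside the window); another source touches 15 hosts
# at each of two sites.
SAMPLE_FLOWS = [
    {"site": "A", "ts": 990, "src": "198.51.100.8", "dst": "10.1.2.53", "dport": 53, "octets": 120},
    {"site": "A", "ts": 1000, "src": "198.51.100.8", "dst": "10.1.2.20", "dport": 445, "octets": 48000},
    {"site": "A", "ts": 1400, "src": "198.51.100.8", "dst": "10.1.2.20", "dport": 445, "octets": 10},
] + [
    {"site": site, "ts": 2000 + i, "src": "203.0.113.9", "dst": "10.%d.3.%d" % (n, i),
     "dport": 22, "octets": 60}
    for n, site in ((1, "A"), (2, "B")) for i in range(15)
]

# Constructed IPS alerts: the first is backed by flows, the second is not.
SAMPLE_ALERTS = [
    {"site": "A", "ts": 1002, "src": "198.51.100.8", "dst": "10.1.2.20", "sig": "EXPLOIT smb-overflow"},
    {"site": "B", "ts": 3000, "src": "192.0.2.77", "dst": "10.2.2.30", "sig": "SCAN portsweep"},
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE_FLOWS, SAMPLE_ALERTS):
        print(inc["risk"], inc["kind"], inc["src"], inc.get("process"), inc.get("sites", ""))
```

In the sample, the confirmed alert ranks first (severity 5 times criticality 5) and carries two associated flows: the attack flow itself and the DNS lookup ten seconds earlier, which is the kind of supporting flow the paragraph above refers to. The site-B alert is dropped because no flow corroborates it, and the sweep is reported even though neither site alone crosses the per-site threshold.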

Freeware tools
If you do not have a SIM installed and you would like to "see" NetFlow in action, there are several tools available to gain added insight. Sourceforge.net is an open source community with some outstanding open source (freeware) security tools available. Sourceforge.net's NetFlow listings currently offer 44 tools to view, manipulate and use NetFlow data. Two of the most popular are:

  • Extreme Happy NetFlow Tool
    http://sourceforge.net/projects/ehnt/
  • NFDUMP - NetFlow processing tool
    http://sourceforge.net/projects/nfdump/

Conclusions
NetFlow has become an indispensable tool in both the network and security markets. It provides real-time views of bandwidth use and application and user priorities, and thus business process flows. The faster this data can be turned into useful information, the faster security pros can respond to incidents and minimize the impact on an organization's business. Additionally, when combined with security information and event management systems, NetFlow can reveal previously hidden threats happening across an enterprise. NetFlow and SIM is like peanut butter and jelly: they simply belong together.

About the author:
Tom Bowers, managing director of security think tank and industry analyst firm Security Constructs, holds the CISSP, PMP and Certified Ethical Hacker certifications, and is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers serves as the president of the 600-member Philadelphia chapter of Infragard, is a technical editor of Information Security magazine, and speaks regularly at events like Information Security Decisions.
