Balancing Granularity Against Network Security Forensics

With the pace at which the social, mobile, analytics and cloud (SMAC) stack is evolving, IT departments must quickly adapt their security monitoring and prevention strategies to match an ever-changing networking landscape. By the same token, developers of network monitoring solutions (NMS) walk a tightrope of their own: providing the detail and visibility their users need without a cost to network performance. Yet much of security forensics depends on the ability to drill down into both live and historic data to identify how intrusions and attacks occurred. This leads to the question: what is the right balance between collecting enough data to stay on the front foot in network security management, and ensuring that performance isn't compromised in the process?

Effectively identifying trends will largely depend on the data you collect

Trend and pattern data tell Network Operations Center (NOC) staff much about their environments by allowing them to connect the dots on how systems may have become compromised. However, collecting large volumes of historic data requires the capacity to house it, something that can quickly become a problem for IT departments. NetFlow analysis is a powerful counterweight to the cost of processing and storing that data: rather than whole packets, it collects flow records, which summarize packet header fields (source and destination addresses, ports, protocol, byte and packet counts, timestamps and TCP flags) and are far less resource-intensive to store and search than full packet captures or entire device log files. Log files are also often the first casualties of an intrusion, deleted or edited to disguise what happened; flow records, by contrast, are exported to a separate collector as traffic passes, so an attacker who later tampers with a host's logs cannot rewrite the flow history already recorded elsewhere. With NetFlow's ability to collect vast quantities of transaction data without exhausting device resources, NOCs can perform detailed analyses of flow information that reveal security issues such as data leaks that occur slowly over time. And because NetFlow export can be configured on most network devices, pervasive security monitoring is relatively easy to set up even in large environments. The trade-off to keep in mind is that flow records carry no payload: NetFlow tells you who talked to whom, when, over which ports and how much, not what was said.
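To make the size argument concrete, here is an added example (not code from the original article) that builds a NetFlow v5 export datagram from a few constructed flows and parses it back. The byte layout is the standard v5 format (24-byte header, 48-byte records, big-endian); the addresses, ports and counters are constructed sample data, and a real exporter would also populate the uptime, interface and AS fields that are zeroed here.

```python
"""Build and parse a NetFlow v5 export datagram.

Added example, not code from the original article. The byte layout is the
standard NetFlow v5 format (24-byte header, 48-byte records, big-endian);
the addresses, ports and counters are constructed sample data.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Constructed sample flows: a large HTTPS session, its return direction, and a DNS lookup.
SAMPLE_FLOWS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 49152, "dport": 443,
     "proto": 6, "packets": 3_500, "bytes": 5_000_000, "tcp_flags": 0x18},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "sport": 443, "dport": 49152,
     "proto": 6, "packets": 1_200, "bytes": 80_000, "tcp_flags": 0x18},
    {"src": "10.0.0.7", "dst": "10.0.0.53", "sport": 53211, "dport": 53,
     "proto": 17, "packets": 1, "bytes": 72, "tcp_flags": 0},
]


def build_v5_datagram(flows: List[Dict], unix_secs: int = 1_700_000_000) -> bytes:
    """Pack flows into one v5 export datagram (fields not in the dict are zeroed)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(
            RECORD_FMT,
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\x00" * 4,
            0, 0, f["packets"], f["bytes"], 0, 0,
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
            0, 0, 0, 0, 0,
        )
        for f in flows
    )
    return header + body


def parse_v5_datagram(data: bytes) -> List[Dict]:
    """Unpack a v5 datagram into flow dicts, rejecting malformed input.

    A collector listens on UDP, so it must not trust the record count in the
    header: the length check stops a short or oversized datagram from being
    read past its end or from silently dropping records.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    version, count, _uptime, unix_secs, *_ = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram length does not match header record count")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "exported_at": unix_secs,
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return flows


def is_well_formed_v5(data: bytes) -> bool:
    """True if the datagram parses cleanly; used to drop junk before it reaches storage."""
    try:
        parse_v5_datagram(data)
        return True
    except ValueError:
        return False


def summarized_bytes(flows: List[Dict]) -> int:
    """Total traffic volume the records describe, for comparison with the export size."""
    return sum(f["bytes"] for f in flows)


if __name__ == "__main__":
    dgram = build_v5_datagram(SAMPLE_FLOWS)
    parsed = parse_v5_datagram(dgram)
    print(f"{len(dgram)} bytes of export describe {summarized_bytes(parsed):,} bytes on the wire")
    for f in parsed:
        print(f)
```

Three flows that moved just over 5 MB on the wire are represented by a 168-byte datagram, which is the storage ratio the paragraph above is getting at. The length check in the parser is the kind of input validation a collector needs because exporters send over UDP and anyone who can reach the collector port can send it a crafted datagram.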

NetFlow security monitoring gives NOCs real-time security metrics

NetFlow facilitates detection of traffic anomalies as they occur and alerts engineers when data traverses the wire in an abnormal way, allowing for both quick detection and containment of compromised devices or entire segments. Many network intrusions reveal themselves through unusual traffic patterns: a compromised device experiences a spike in network activity, begins talking to destinations it has never contacted before, or sends far more data outbound than it receives. As malicious software attempts to siphon information from systems, the resulting out-of-the-norm activity can trigger warnings that bring NOC teams into the loop on what is happening. NOCs are also able to continuously compare performance baselines against current network activity and pick up on anomalies earlier, before they constitute a system-wide threat. Two caveats apply: a baseline built from a period that already contained malicious traffic will treat that traffic as normal, and low-and-slow exfiltration is designed to stay under volume thresholds, so persistence of a connection over many hours needs to be checked as well as its size. This type of behavioral analysis of network traffic places security teams on the front foot in the ongoing battle against malicious attacks on their systems.

Network metrics are being generated on a big data scale

Few things can undermine a network's performance more than a monitoring solution that strains hardware. But, considering the way in which people are plugging into networks today, pervasive monitoring is absolutely crucial. Take the bring your own device (BYOD) phenomenon, for example. Networking teams need visibility into where, when and how mobile phones, tablets, and now even phablets, are going on and offline, and how to better manage the flow of data to and from user devices. NetFlow can inform IT teams how IP traffic flows between devices, provide usage statistics at device or segment level, and surface traffic anomalies that may require investigation. Keeping in mind that mobile devices increasingly run their own versions of business applications, the need to monitor traffic flow from such devices, from both a security and a performance perspective, becomes clear. Also, with BYOD cultures somewhat undermining IT's ability to dictate what software runs on personal devices, detecting traffic such as peer-to-peer (P2P) or other bandwidth- and security-compromising applications becomes simpler with NetFlow's ability to report the type of traffic that traverses the environment. Bear in mind that classic NetFlow identifies traffic by addresses, ports and protocol rather than by inspecting payload, so a P2P client that hops ports is better spotted by its fan-out to many external peers on ephemeral ports than by any single port number.
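The three detections discussed in the preceding sections, a volume spike against a per-host baseline, a slow steady leak to one external destination, and P2P-style fan-out to many peers, can all be run over nothing more than flow records. The following is an added example, not code from the original article: it constructs 25 hourly windows of sample flows (the address space 10.0.0.0/8, the window length, and every threshold are assumptions chosen for illustration) and applies each check to the most recent window.

```python
"""Flow-level security analytics over constructed NetFlow-style records.

Added example, not from the original article. Three checks the text
describes: (1) a volume spike against a per-host baseline, (2) a slow,
steady leak to one external destination across many windows, and
(3) a P2P-style fan-out to many external peers on ephemeral ports.
The internal prefix, window size and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # assumption: our own address space
WINDOW = 3600                         # seconds per baseline bucket (one hour)


class Flow(NamedTuple):
    ts: int        # flow start, unix seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    bytes: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def build_sample_flows() -> List[Flow]:
    """Constructed sample: windows 0..24, where window 24 is 'now'."""
    flows = []
    for w in range(25):
        ts = w * WINDOW + 60
        # 10.0.0.5: steady ~50 MB/h to a SaaS endpoint, then 2 GB in window 24
        flows.append(Flow(ts, "10.0.0.5", "203.0.113.9", 49152, 443, 6,
                          2_000_000_000 if w == 24 else 50_000_000 + (w % 3) * 1_000_000))
        # 10.0.0.7: 4 KB every hour to the same external host (low and slow)
        flows.append(Flow(ts, "10.0.0.7", "198.51.100.4", 51000, 443, 6, 4_096))
        # 10.0.0.11: ordinary, unremarkable web traffic
        flows.append(Flow(ts, "10.0.0.11", "203.0.113.20", 52000, 443, 6, 900_000))
    # 10.0.0.9: in window 24 only, 60 distinct external peers on ephemeral ports
    for i in range(1, 61):
        flows.append(Flow(24 * WINDOW + 120, "10.0.0.9", f"192.0.2.{i}", 51413, 6881 + i, 6, 2_000))
    return flows


def outbound_by_window(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    """host -> {window index -> bytes sent to external hosts}."""
    out: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src][f.ts // WINDOW] += f.bytes
    return out


def spike_hosts(flows: List[Flow], current_window: int, k: float = 3.0,
                floor: int = 1_000_000) -> Dict[str, int]:
    """Hosts whose outbound bytes in current_window exceed baseline mean + k*stdev.

    Windows with no traffic count as zero so an idle history is not skipped, and
    the floor stops a host that was silent and then sent a few kilobytes from alerting.
    """
    first = min(f.ts for f in flows) // WINDOW
    hits: Dict[str, int] = {}
    for host, per_win in outbound_by_window(flows).items():
        baseline = [per_win.get(w, 0) for w in range(first, current_window)]
        if len(baseline) < 3:
            continue  # not enough history to baseline against
        threshold = max(floor, mean(baseline) + k * pstdev(baseline))
        current = per_win.get(current_window, 0)
        if current > threshold:
            hits[host] = current
    return hits


def slow_leak_pairs(flows: List[Flow], min_windows: int = 20,
                    max_bytes_per_window: int = 65_536) -> Set[Tuple[str, str]]:
    """(src, dst) pairs seen in at least min_windows windows but never exceeding
    max_bytes_per_window in any of them: the trickle a volume threshold alone misses."""
    per_pair: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            per_pair[(f.src, f.dst)][f.ts // WINDOW] += f.bytes
    return {pair for pair, wins in per_pair.items()
            if len(wins) >= min_windows and max(wins.values()) <= max_bytes_per_window}


def p2p_fanout_hosts(flows: List[Flow], min_peers: int = 50) -> Dict[str, int]:
    """Internal hosts with many distinct external peers where neither port is a
    well-known service port: typical of P2P clients, also worth a look for scanning."""
    peers: Dict[str, set] = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.sport >= 1024 and f.dport >= 1024:
            peers[f.src].add(f.dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("spike:", spike_hosts(sample, current_window=24))
    print("slow leak:", slow_leak_pairs(sample))
    print("p2p fan-out:", p2p_fanout_hosts(sample))
```

Run on the sample, the spike check flags only 10.0.0.5, the persistence check flags only the 4 KB-per-hour trickle from 10.0.0.7 (which never comes near the volume threshold), and the fan-out check flags only 10.0.0.9. Note that each check deliberately ignores what the others catch: the big sender is not a "slow leak" because its per-window volume is far above the cap, and the host with 60 peers never trips the spike check because its total volume is small.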

NetFlow security monitoring evolves alongside technology organically

Thanks to NetFlow, systems evolving at an ever-increasing rate does not mean you need to re-invent your security apparatus every six months. NetFlow's ubiquity and reliability give NOC teams deep visibility without the administrative overhead of getting it up and running and collecting data. At the other end of the scale, NetFlow analyzers, in their varying feature sets, give NOCs ample flexibility in collecting and analyzing the metrics most pertinent to their needs. The result is fewer network blind spots, which are so often the Achilles' heel of the modern security practitioner. Once you've decided on the data you need and the collector that does the job best, you can fine-tune your monitoring to give you the granularity you need to keep your systems safe, secure and predictable.