How to counter-punch botnets, viruses, ToR and more with Netflow (Pt. 2)
Data Retention Compliance
Hosts that communicate with more than one known threat type should be designated a high risk and repeated threat breaches with that hosts or dependent hosts can be marked as repeat offenders and provide an early warning system to a breach or an attack.
It would be negligent of me not to mention that the same flow-based End-Point threat detection techniques can be used as part of Data Retention compliance. In my opinion this enables better individual privacy with the ability to focus on profiling known bad end-points and be used to qualify visitors to such known traffic end-points that are used in illicit p2p swap sessions or access to specific kinds of subversive or dangerous sites that have been known to host such traffic in the past.
Extreme examples of end-point profiling could be to identify a host who is frequently visiting known jihadist web sites or pedophiles using p2p to download from peers that have been identified by means of active agents to carry child abuse material. The individual connection could be considered a coincidence but multiple visitations to multiple end-points of a categorized suspicious nature can be proven to be more than mere coincidence and provide cause for investigation.
Like DDoS attack profiles there may be a prolific amount of end-points involved and an individual conversation is difficult to spot but analysis of the IP’s involved in multiple transactions based on the category of the end-point will allow you to uncover the “needles in the haystack” and to enable sufficient evidence to be uncovered.
Profiling Bad traffic
End-Point Threat detection on its own is insufficient to detecting threats and we can’t depend on blacklists when a threat morphs faster than a reputation list can be updated. It is therefore critical to concurrently analyze traffic using a flow behavior anomaly detection engine.
This approach should be able to learn the baselines of your network traffic and should have the flexibility to baseline any internal hosts that your risk management teams deem specifically important or related such as a specific group of servers or high-risk interfaces and so-forth enabling a means to quantify what is normal and to identify baseline breaches and to perform impact analysis.
This is where big-data machine learning comes into play as to fully automate the forensics process of analyzing a baseline breach automating baselines and automatically running diagnostics and serving up the analytics needed to quickly identify the IP’s that are impacting services to provide extreme visibility and if desired mitigation.
Automated Diagnostics enable security resources to be focused on the critical issues while machine learning processes continue to quantify the KPI’s of ongoing issues bringing them to the foreground quickly taking into account known blacklists, whitelists and repeat offenders.
As a trusted source of deep network insights built on big data analysis capabilities, Netflow provides NOCs with an end-to-end security and performance monitoring and management solution. For more information on Netflow as a performance and security solution for large-scale environments, download our free Guide to Understanding Netflow.
Cutting-edge and innovative technologies like NetFlow Auditor delivers the deep end-to-end network visibility and security context required assisting in speedily impeding harmful attacks.