Written by Andy Wilson and presented by Chuck Leaver, CEO, Ziften
Over the past several years, many IT organizations have embraced NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive compared with full packet capture; it is easy to collect, since most Layer 3 network devices support NetFlow or the IANA standard IPFIX; and it is easy to analyze with free or commercially available software. NetFlow can help overcome blind spots in the architecture and provide much-needed visibility into what is actually happening on the network, both internally and externally. Flow data can also help with early detection of attacks (DoS and APT/malware) and can feed baselining and anomaly detection techniques.
NetFlow can provide insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing design, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. Most organizations do not route all the way to the access layer and are therefore blind, to some extent, in that segment of the network.
Performing full packet capture in this area is still not fully practical, for a variety of reasons. The answer is endpoint-based NetFlow, which restores visibility and adds important context to the other flows already being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop or server), so it does not depend on the network infrastructure to be generated. ZFlow provides the conventional ISO Layer 3/4 data, such as source and destination IP addresses and ports, but also adds valuable Layer 4-7 information: the executable responsible for the network socket, its MD5 hash, PID and file path, the user who launched it, and whether it was running in the foreground or background. This is exactly the information that network-based flows cannot provide.
This additional context can significantly reduce false positives and give analysts, SOC staff and incident handlers the rich data they need to quickly assess the nature of the network traffic and determine whether it is malicious or benign. Used alongside network-based alerts (firewall, IDS/IPS, web proxies and gateways), ZFlow can drastically reduce the time it takes to work through a security incident. And we know that time to detect malicious behavior is a key factor in how successful an attack becomes. Dwell times have fallen in recent years but remain at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network collecting your critical data.
Below is a screenshot showing a port 80 connection to a web destination of 188.8.131.52. What network-based tools might miss is that this connection was not initiated by a web browser but by Windows PowerShell. Another notable data point is that the connection was initiated by the ‘System’ account rather than the logged-in user. Both facts are highly attention-grabbing to a security analyst: this is not a false positive and would most likely warrant deeper investigation (at which point the analyst could pivot into the Ziften console and look further into that system’s behavior: what actions or binaries ran before and after the connection, process history, network activity and more).
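To show how the endpoint context described above turns a bland port 80 flow into an actionable alert, here is an added triage example (not Ziften's code, and the field names are assumed rather than the real ZFlow schema). It evaluates constructed flow records carrying the process, hash, user and foreground/background fields and returns the reasons an analyst should look closer:

```python
from dataclasses import dataclass

@dataclass
class EndpointFlow:
    """One endpoint-enriched flow record. Field names are assumptions
    modelled on the context the post describes, not a vendor schema."""
    src_ip: str
    dst_ip: str
    dst_port: int
    exe_path: str
    exe_md5: str
    pid: int
    user: str
    foreground: bool

# Processes normally expected to originate web traffic on a workstation.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Script hosts and LOLBins whose outbound web traffic deserves a closer look.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
WEB_PORTS = {80, 443, 8080}
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}

def triage(flow: EndpointFlow) -> list:
    """Return the reasons this flow merits analyst attention (empty = benign-looking)."""
    reasons = []
    exe = flow.exe_path.rsplit("\\", 1)[-1].lower()
    web_by_non_browser = flow.dst_port in WEB_PORTS and exe not in BROWSERS
    if web_by_non_browser:
        reasons.append(f"web port {flow.dst_port} used by non-browser {exe}")
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe} opened an outbound socket")
    if flow.user.upper() in SYSTEM_ACCOUNTS:
        reasons.append("connection initiated by SYSTEM rather than the logged-in user")
    if web_by_non_browser and not flow.foreground:
        reasons.append("background process, so the user was likely unaware")
    return reasons

# Constructed sample records: a normal browser session and the PowerShell
# connection from the post (hashes and PIDs are made up).
SAMPLE_FLOWS = [
    EndpointFlow("10.0.0.15", "203.0.113.10", 443, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "d41d8cd98f00b204e9800998ecf8427e", 4120, "CORP\\alice", True),
    EndpointFlow("10.0.0.15", "188.8.131.52", 80, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "00000000000000000000000000000000", 5288, "SYSTEM", False),
]

def triage_all(flows) -> dict:
    """Map (pid, dst_ip, dst_port) to its triage reasons, keeping only flagged flows."""
    return {(f.pid, f.dst_ip, f.dst_port): r for f in flows if (r := triage(f))}

if __name__ == "__main__":
    for key, reasons in triage_all(SAMPLE_FLOWS).items():
        print(key, *reasons, sep="\n  ")
```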
Ziften’s ZFlow shines a light on security blind spots and adds endpoint context (process, application and user attribution) to help security personnel better understand what is actually happening in their environment. Combined with network-based events, ZFlow can dramatically reduce the time it takes to investigate and respond to security notifications and significantly improve an organization’s security posture.