Written by Andy Wilson and presented by Chuck Leaver, CEO, Ziften
Over the past several years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive compared with full packet capture; it is fairly easy to collect, since most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it is easy to analyze with freeware or commercial software. NetFlow can help overcome blind spots in the architecture and provide much-needed visibility into what is actually happening on the network, both internally and externally. Flow data can also aid early detection of attacks (DoS and APT/malware) and can be used for baselining and anomaly detection.
NetFlow can supply insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing design, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the datacenter. Most organizations do not route all the way to the access layer and are therefore blind, to some extent, in this segment of the network.
Full packet capture in this area is still not entirely practical, for a variety of reasons. The answer is endpoint-based NetFlow, which restores visibility and adds valuable context to the other flows being collected on the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop or server), so it does not depend on the network infrastructure to be generated. ZFlow provides the standard OSI Layer 3/4 data, such as source and destination IP addresses and ports, but also adds important Layer 4-7 details: the executable responsible for the network socket, the MD5 hash, PID and file path of that executable, the user who launched it, and whether it was running in the foreground or the background. These are details that network-based flows simply cannot provide.
This additional context can dramatically reduce false positives and gives analysts, SOC staff and incident handlers the data they need to quickly examine the nature of the network traffic and decide whether it is malicious or benign. Used together with network-based alerts (firewall, IDS/IPS, web proxies and gateways), ZFlow can significantly reduce the time it takes to work through a security event. And we know that time to detect malicious behavior is a key determinant of how successful an attack turns out to be. Dwell times have fallen in recent years but remain at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network, collecting your critical data.
Below is a screenshot showing a port 80 connection to an Internet destination of 18.104.22.168. What is interesting about this connection, and what network-based tools may miss, is that it was not initiated by a web browser but by Windows PowerShell. Another notable data point is that the connection was initiated by the 'System' account and not the logged-in user. Both facts would catch a security analyst's eye: this is not a false positive and would most likely warrant deeper investigation. At that point the analyst could pivot into the Ziften console and look much deeper into that system's behavior: which actions or binaries were launched before and after the connection, process history, network activity and more.
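The triage described above can be automated once flow records carry the endpoint fields listed earlier (executable, hash, PID, path, user, foreground flag). The following is an added example, not Ziften code: it runs simple analyst rules over constructed sample records, one of which mirrors the PowerShell/System scenario; the field names, process lists and hash placeholders are assumptions.

```python
"""Triage endpoint flow records that carry process and user context (added example)."""
from dataclasses import dataclass

@dataclass
class EndpointFlow:
    # Assumed field names, modelled on the context ZFlow is described as adding.
    src_ip: str
    dst_ip: str
    dst_port: int
    exe: str
    exe_path: str
    md5: str          # placeholder values below, not real hashes
    pid: int
    user: str
    foreground: bool

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
SERVICE_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
WEB_PORTS = {80, 443}

def is_internal(ip: str) -> bool:
    """RFC 1918 check, sufficient for the constructed sample."""
    first, second = (int(x) for x in ip.split(".")[:2])
    return first == 10 or (first == 172 and 16 <= second <= 31) or (first == 192 and second == 168)

def triage(flow: EndpointFlow) -> list:
    """Return the reasons a flow deserves analyst attention; an empty list means nothing stood out."""
    reasons = []
    if is_internal(flow.dst_ip) or flow.dst_port not in WEB_PORTS:
        return reasons                      # only outbound web traffic is scored here
    exe = flow.exe.lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"web traffic from script host {flow.exe}")
    elif exe not in BROWSERS:
        reasons.append(f"web traffic from non-browser process {flow.exe}")
    if flow.user.upper() in SERVICE_ACCOUNTS:
        reasons.append(f"initiated by service account {flow.user}, not the logged-in user")
    if reasons and not flow.foreground:
        reasons.append("process was running in the background")
    return reasons

# Constructed sample records; the first reproduces the article's PowerShell/System connection.
SAMPLE_FLOWS = [
    EndpointFlow("192.168.1.20", "18.104.22.168", 80, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "<placeholder-md5>", 4120, "SYSTEM", False),
    EndpointFlow("192.168.1.21", "18.104.22.168", 80, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "<placeholder-md5>", 2210, "alice", True),
    EndpointFlow("192.168.1.22", "10.0.0.5", 445, "svchost.exe", r"C:\Windows\System32\svchost.exe", "<placeholder-md5>", 900, "SYSTEM", False),
]

def triage_all(flows) -> dict:
    """Map each record's PID to its list of findings."""
    return {f.pid: triage(f) for f in flows}

if __name__ == "__main__":
    for pid, reasons in triage_all(SAMPLE_FLOWS).items():
        print(pid, reasons or "no findings")
```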
Ziften’s ZFlow shines a light on security blind spots and supplies the additional endpoint context of process, application and user attribution to help security personnel better understand what is really happening in their environment. Combined with network-based events, ZFlow can significantly reduce the time required to investigate and respond to security alerts and markedly improve an organization’s security posture.