Behavior monitoring carefully watches flows to and from every host on the network and a NetFlow analyzer with threat detection provides security administrators with an additional mechanism (i.e. the index) for identifying hosts infected with malware.
Example threat detection with NetFlow methods include:" Host reputation lookups" Observation of TCP flags to uncover various types of network scans" Comparing current behaviors to baselines" Calculating flow ratios as well as byte/packet counts to unique destinations
The above algorithms can carry different weights when it comes to severity. A host found to be violating one or more algorithms will end up with a higher index.
Since NetFlow and IPFIX are readily available on most enterprise networks, visibility into all corners of the network is easily attainable. Gaining the same visibility and awareness using packet probes is simply cost prohibitive in most environments. This is true both because of the initial cost of the probe and the man hours necessary to maintain the deployed hardware. In comparison, flow technologies provide a tremendous value in threat detection, and provide huge benefits as the "go to" solution when a potential threat needs to be investigated.
Imagine every flow-exporting device to be a network security camera much like a department store with security cameras mounted on the ceiling in dozens of locations scattered around the store. If the store's security team is suspicious of a patron, they will turn to the cameras first to monitor the individual real-time as they move around the aisles. They may also look at past video footage to observe the individual prior to becoming a suspect.
So even if the shop lifter was caught by an observing employee rather than someone watching the security cameras, the past footage is almost always part of the investigation. The same holds true when archiving NetFlow and IPFIX data for future reference. Flow technology is the number one solution for most organizations that investigate application performance and potential security issues. Every router, switch, server and firewall that is flow capable is considered a security camera and evidence.
The need for capturing packets isn't going away however, with the improved insight provided by flow technologies the demand is certainly shrinking. Flow technologies not only cover more areas of the network, they are also easier for collectors to aggregate in order to display top reports on hosts, applications, protocols, interfaces, and more. Capturing packets is largely an engineering practice that is best left to the developers of the application who need to fine-tune specific areas of the code. To be clear, packet capture isn't going away rather, in most cases the problem can be determined with flow data eliminating the need to be at the physical location to plug in a probe.
Sign up for CIO Asia eNewsletters.