Written By Andy Wilson And Presented By Charles Leaver CEO Ziften
Over the past number of years, lots of IT organizations have adopted using NetFlow telemetry (network connection metadata) to enhance their security position. There are lots of reasons behind this: NetFlow is reasonably low-cost (vs. complete packet capture); it’s relatively simple to gather as the majority of Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it’s simple to analyze using freeware or commercially available software applications. NetFlow can assist get rid of blind spots in the architecture and can offer much required visibility into exactly what is actually going on in the network (both internal and external). Flow data can likewise assist in early detection of attacks (DoS and APT/malware) and can be utilized in baselining and anomaly detection techniques.
NetFlow can supply insight where little or no visibility exists. The majority of organizations are collecting flows at the core, WAN and Web layers of their networks. Depending upon routing schemas, localized traffic may not be represented – LAN-to-LAN activity, local broadcast traffic, as well as east-west traffic inside the datacenter. A lot of organizations are not routing all the way down to the access layer and are therefore normally blind to some extent in this segment of the network.
Performing complete packet capture in this area is still not 100% possible due to a variety of reasons. The answer is to execute endpoint-based NetFlow to bring back visibility and supply very important extra context to the other flows being gathered in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it’s not reliant on the network infrastructure to create. ZFlow supplies traditional ISO layer 3/4 data such as source and destination IP addresses and ports, however also supplies extra valuable Layer 4-7 info such as the executable responsible for the network socket, the MD5 Hash, PID and file path of the executable, the user responsible for kicking off the executable, and whether it remained in the foreground or background. The latter are essential details that network-based flows merely can not offer.
This important additional contextual data can help dramatically reduce incidents of false positives and offer rich data to analysts, SOC workers and incident handlers to enable them to rapidly examine the nature of the network traffic and figure out if it’s malicious or benign. Used in conjunction with network-based notifications (firewall, IDS/IPS, web proxies and gateways), ZFlow can dramatically reduce the amount of time it requires to overcome a security event. And we know that time to detect harmful habits is an essential factor to how successful an attack ends up being. Dwell times have actually reduced in current history however are still at undesirable levels – currently over 230 days that an enemy can stroll unnoticed through your network harvesting your essential data.
Below is a screenshot that reveals a port 80 connection to an Internet location of 188.8.131.52. Intriguing realities about this connection that network-based tools might miss is that this connection was not started by a web browser, however rather by Windows Powershell. Another interesting data point is that this connection was started by the ‘System’ account and not the logged-in user. These are both really attention-grabbing to a security expert as it’s not a false positive and most likely would need deeper examination (at which point, the expert might pivot into the Ziften console and see deeper into that system’s behavior – what actions or binaries were executed prior to and after the connection, process history, network activity and more).
Ziften’s ZFlow shines a light on security blindspots and can supply the extra endpoint context of processes, application and user attribution to help security personnel much better comprehend what is truly taking place in their environment. Combined with network-based events, ZFlow can help considerably minimize the time it requires to examine and react to security alerts and dramatically enhance a company’s security posture.