Written by Andy Wilson and presented by Charles Leaver, CEO of Ziften
Over the past several years, many IT organizations have embraced NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive (compared with full packet capture); it is relatively easy to collect, since most Layer 3 network devices support NetFlow or the IETF standard IPFIX; and it is easy to analyze with free or commercially supplied tools. NetFlow helps close blind spots in the architecture and provides much-needed visibility into what is actually happening on the network, both internally and at the perimeter. Flow data can also support early detection of attacks (DoS as well as APT/malware activity) and feeds baselining and anomaly-detection methods.
NetFlow supplies insight where little or no visibility exists, but only for traffic that crosses an exporting device. Most organizations collect flows at the core, WAN and Internet edge of their networks. Depending on the routing design, localized traffic may never be represented: LAN-to-LAN activity within a subnet, local broadcast traffic, and east-west traffic inside the datacenter. Most organizations do not route all the way to the access layer and are therefore blind to some degree in that part of the network.
Full packet capture in this part of the network is still not practical, for a variety of reasons. One solution is to generate flow records on the endpoint itself, restoring visibility and adding crucial context to the flows already being collected from the network. Ziften's ZFlow telemetry originates on the endpoint (desktop, laptop or server), so it does not depend on the network infrastructure to produce it. ZFlow supplies the standard Layer 3/4 data (source and destination IP addresses and ports) but also adds Layer 4-7 and host context that network-based flows simply cannot provide: the executable that owns the network socket, that executable's MD5 hash, PID and file path, the user who launched it, and whether it was running in the foreground or background.
This additional context can significantly reduce false positives and gives analysts, SOC staff and incident handlers the data they need to quickly establish the nature of a network connection and decide whether it is malicious or benign. Used alongside network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can dramatically shorten the time it takes to resolve a security event. Time to detect malicious behavior is a key determinant of how successful an attack becomes. Dwell times have decreased in recent years but are still at unacceptable levels: currently over 230 days during which an attacker can roam unnoticed through your network, collecting your most valuable data.
The screenshot below shows a port 80 connection to the web destination 18.104.22.168. What network-based tools would miss is that this connection was not initiated by a web browser but by Windows PowerShell, and that it was started under the 'System' account rather than by the logged-in user. Both facts are attention-grabbing to a security analyst: this is not a false positive and very likely warrants deeper investigation, at which point the analyst can pivot into the Ziften console to see the rest of that system's behavior, such as which actions or binaries ran before and after the connection, the process history, and other network activity.
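To make the two ideas above concrete (joining router-side flow records with endpoint socket records, and then triaging a web-port connection by the process and account behind it), here is an added example. It is not Ziften's code and does not describe how ZFlow is implemented; the record layouts, field names, sample IPs, hashes, hostnames and the triage heuristics are all constructed assumptions.

```python
"""Join network flow records with endpoint socket records, then triage.

Added example for this post; not Ziften's code. Record layouts, field
names and all sample values below are constructed assumptions.
"""
from collections import namedtuple
import ntpath

NetFlow = namedtuple("NetFlow", "src_ip src_port dst_ip dst_port proto bytes_out")

# Constructed sample: what a router or IPFIX exporter at the core would report.
NETWORK_FLOWS = [
    NetFlow("10.1.1.20", 51522, "93.184.216.34", 80, "tcp", 18422),
    NetFlow("10.1.1.20", 51530, "93.184.216.34", 443, "tcp", 402133),
    NetFlow("10.1.1.21", 49812, "203.0.113.7", 80, "tcp", 9311),
    NetFlow("10.1.1.22", 55101, "198.51.100.9", 8443, "tcp", 1200),
]

# Constructed sample: endpoint-side socket records with process/user attribution.
ENDPOINT_SOCKETS = [
    {"host": "WS-020", "ip": "10.1.1.20", "port": 51522, "proto": "tcp",
     "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "md5": "0f3d6c1b9a7e5d2c4b8a1f0e9d7c6b5a", "pid": 4412,
     "user": r"CORP\jsmith", "foreground": True},
    {"host": "WS-020", "ip": "10.1.1.20", "port": 51530, "proto": "tcp",
     "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "md5": "0f3d6c1b9a7e5d2c4b8a1f0e9d7c6b5a", "pid": 4412,
     "user": r"CORP\jsmith", "foreground": True},
    {"host": "WS-021", "ip": "10.1.1.21", "port": 49812, "proto": "tcp",
     "exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "md5": "a9b8c7d6e5f40312a9b8c7d6e5f40312", "pid": 2288,
     "user": r"NT AUTHORITY\SYSTEM", "foreground": False},
]

WEB_PORTS = {80, 443, 8080, 8443}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}


def index_sockets(sockets):
    """Key endpoint records by the local side of the socket: the part of the
    5-tuple that the endpoint and the network exporter both see the same way."""
    return {(s["ip"], s["port"], s["proto"]): s for s in sockets}


def enrich(flows, sockets):
    """Attach endpoint context to each network flow. 'endpoint' is None when no
    record matched (no agent on that host, or a device outside our coverage)."""
    idx = index_sockets(sockets)
    return [{"flow": f, "endpoint": idx.get((f.src_ip, f.src_port, f.proto))}
            for f in flows]


def triage(enriched):
    """Return (flow, [reasons]) for the flows an analyst should look at first."""
    findings = []
    for item in enriched:
        f, ep = item["flow"], item["endpoint"]
        reasons = []
        if ep is None:
            reasons.append("no endpoint telemetry for this flow")
        else:
            exe = ntpath.basename(ep["exe"]).lower()
            if f.dst_port in WEB_PORTS and exe not in BROWSERS:
                reasons.append(f"web port {f.dst_port} used by non-browser {exe}")
            if ep["user"].upper() in SERVICE_ACCOUNTS:
                reasons.append(f"outbound connection by service account {ep['user']}")
            if exe in SCRIPT_HOSTS and not ep["foreground"]:
                reasons.append(f"background script host {exe} "
                               f"(pid {ep['pid']}, md5 {ep['md5']})")
        if reasons:
            findings.append((f, reasons))
    return findings


if __name__ == "__main__":
    for flow, reasons in triage(enrich(NETWORK_FLOWS, ENDPOINT_SOCKETS)):
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}")
        for r in reasons:
            print("   ", r)
```

Two caveats apply before using a join like this in production. The key (local IP, local port, protocol) only works when the network exporter sits on the same side of any NAT as the endpoint; flows collected outside a NAT boundary carry the translated address and will not match. Real records also need a timestamp window in the join, since ephemeral ports are reused. The heuristics rank flows for attention rather than declare them malicious: a background PowerShell session under SYSTEM talking to a web server is exactly the pattern in the screenshot, but software updaters and remoting tools can produce similar records, which is why the next step is the pivot into process history rather than an automatic block.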
Ziften's ZFlow shines a light on these blind spots and supplies the endpoint context of process, application and user attribution that helps security staff understand what is really happening in their environment. Combined with network-based events, ZFlow can significantly reduce the time it takes to investigate and respond to security alerts and substantially improve an organization's security posture.