Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften
Over the past several years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive compared with full packet capture; it is easy to collect, because most Layer 3 network devices support NetFlow or the IETF standard IPFIX; and it is easy to analyze with either free or commercial software. NetFlow can close blind spots in the architecture and provide much-needed visibility into what is actually happening on the network, both internally and at the perimeter. Flow data can also support early detection of attacks (DoS and APT/malware) and can feed baselining and anomaly-detection techniques.
NetFlow offers insight where little or no visibility exists, but only for the segments where it is collected. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing design, local traffic may never be represented: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the datacenter. Many companies do not route all the way down to the access layer and are therefore at least partly blind in that segment of the network.
Full packet capture at this layer is still not practical for a number of reasons. The alternative is endpoint-based NetFlow, which restores visibility and adds valuable context to the flows already being collected elsewhere in the network. Ziften ZFlow telemetry originates on the endpoint itself (desktop, laptop or server), so it does not depend on the network infrastructure to be generated. ZFlow carries the standard OSI Layer 3/4 fields such as source and destination IP addresses and ports, but it also supplies Layer 4-7 information that a network device cannot see: the executable that owns the network socket, the MD5 hash, PID and file path of that executable, the user who launched it, and whether it was running in the foreground or the background. These are the details that network-based flows simply cannot provide.
This additional context can significantly reduce false positives and gives analysts, SOC staff and incident handlers the data they need to quickly judge the nature of a connection and decide whether it is malicious or benign. Used alongside network-based alerts (firewall, IDS/IPS, web proxies and gateways), ZFlow can drastically reduce the time it takes to work through a security event. Time to detection is a key factor in how successful an attack becomes. Dwell times have dropped in recent years but remain at unacceptable levels: at the time of writing, an attacker can roam unnoticed through a network for over 230 days, harvesting its most valuable data.
The screenshot below shows a port 80 connection to the Internet destination 220.127.116.11. What network-based tools would miss is that this connection was not initiated by a web browser but by Windows PowerShell. A second data point is that the connection was started under the 'System' account rather than the logged-in user. Either fact should get a security analyst's attention: this is not a false positive, and it warrants deeper investigation. At that point the analyst can pivot into the Ziften console to look further into that system's behavior, including which actions or binaries were launched before and after the connection, process history, other network activity and more.
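The triage described above is essentially a join: take the 5-tuple that a network flow record already has and look it up in the endpoint's socket table to recover the owning process, its hash, and the user, then apply a few simple rules to the enriched record. The following Python is an added illustration written for this page, not ZFlow code or its schema; the field names, the three flow records and the two socket records are constructed, and the MD5 values are placeholders. The third flow deliberately has no endpoint record, to show how an unattributed flow (a device without an agent) surfaces as a blind spot rather than silently passing.

```python
"""
Enrich network-side flow records with endpoint socket/process context and
triage the result: web port used by a non-browser, SYSTEM account, background
process, or no endpoint telemetry at all.

All records are constructed for illustration. Field names are an assumption
made for this example and are not ZFlow's actual schema.
"""

# Constructed network-side flow records, as a router or IPFIX exporter would
# produce them: 5-tuple plus byte count, no process context.
NETWORK_FLOWS = [
    {"src": "10.1.5.23", "sport": 49812, "dst": "220.127.116.11", "dport": 80,
     "proto": "tcp", "bytes": 18342},
    {"src": "10.1.5.23", "sport": 49815, "dst": "151.101.1.69", "dport": 443,
     "proto": "tcp", "bytes": 4096},
    # Host with no endpoint agent (e.g. a printer): no socket record exists.
    {"src": "10.1.7.40", "sport": 51021, "dst": "93.184.216.34", "dport": 80,
     "proto": "tcp", "bytes": 512},
]

# Constructed endpoint-side records: the local socket table annotated with the
# process that owned each socket. MD5 values are placeholders, not real hashes.
ENDPOINT_SOCKETS = [
    {"host": "10.1.5.23", "sport": 49812, "dst": "220.127.116.11", "dport": 80,
     "proto": "tcp", "pid": 4120,
     "exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "md5": "0" * 32, "user": r"NT AUTHORITY\SYSTEM", "foreground": False},
    {"host": "10.1.5.23", "sport": 49815, "dst": "151.101.1.69", "dport": 443,
     "proto": "tcp", "pid": 2288,
     "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "md5": "1" * 32, "user": r"CORP\jdoe", "foreground": True},
]

# Processes expected to talk on web ports; anything else on 80/443 is notable.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
SYSTEM_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", "SYSTEM"}


def flow_key(rec, src_field):
    """Build the 5-tuple key; the network side calls the local host 'src',
    the endpoint side calls it 'host'."""
    return (rec[src_field], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def enrich(flows, sockets):
    """Attach the matching endpoint socket record (or None) to every flow."""
    index = {flow_key(s, "host"): s for s in sockets}
    return [{**f, "endpoint": index.get(flow_key(f, "src"))} for f in flows]


def triage(enriched):
    """Return one finding per flow with the list of reasons it deserves a look.
    An empty reason list means nothing stood out."""
    findings = []
    for rec in enriched:
        ep = rec["endpoint"]
        reasons = []
        if ep is None:
            # No agent on this host: the network flow alone cannot be attributed.
            reasons.append("no endpoint context (blind spot)")
        else:
            exe_name = ep["exe"].rsplit("\\", 1)[-1].lower()
            if rec["dport"] in (80, 443) and exe_name not in BROWSERS:
                reasons.append(f"web port used by non-browser {exe_name}")
            if ep["user"] in SYSTEM_ACCOUNTS:
                reasons.append("initiated by SYSTEM, not the logged-in user")
            if not ep["foreground"]:
                reasons.append("background process")
        findings.append({
            "dst": rec["dst"], "dport": rec["dport"],
            "pid": ep["pid"] if ep else None,
            "exe": ep["exe"] if ep else None,
            "md5": ep["md5"] if ep else None,
            "reasons": reasons,
        })
    return findings


def suspicious(findings):
    """Only the findings an analyst should open, dropping clean flows."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(triage(enrich(NETWORK_FLOWS, ENDPOINT_SOCKETS))):
        print(f"{f['dst']}:{f['dport']} pid={f['pid']} exe={f['exe']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run stand-alone, the PowerShell connection to 220.127.116.11:80 comes back with three reasons and its PID and hash ready for a pivot, the Firefox connection is dropped as clean, and the agentless host is reported as a blind spot. In production the join key needs care: NAT, flow direction (the exporter may record the reply leg with source and destination swapped) and ephemeral-port reuse all mean the 5-tuple should be matched within a time window rather than exactly.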
Ziften's ZFlow shines a light on security blind spots and adds the endpoint context of process, application and user attribution that security staff need to understand what is really happening in their environment. Combined with network-based events, ZFlow can dramatically reduce the time it takes to investigate and respond to security alerts and measurably improve an organization's security posture.