The year 2011 came to be known as the “Year of the Hack”, a time when we saw small and big enterprises falling victim to network security breaches, advent of industrial malwares like Duqu (Based on Stuxnet) which can lay dormant for months and attack when needed (That was not the outline of an alien invasion movie), zero day malwares, increased DDoS attacks and more.
As per some reports, it is estimated that around One Thousand DoS attacks occur2 every single day and there are around Three Thousand active Command and Control (C&C) centers3 which can carry out DoS attacks. Considering that many more possible network attack options other than DoS attack exists, the probability of an enterprise including yours falling victim to an attack or malware is high.
So, here is an interesting slide show which captures the best practices on what to do in the event of a network security breach in your network:
The important points the article highlights to mitigate the effect of a security breach are thinking beyond your IDS/IPS systems, traffic profiling, network forensics, knowing the Who, What, When and Where of traffic and compliance. So, the next question is how to achieve this.
One answer to this question is NetFlow. Cisco ‘NetFlow’ is now the primary traffic accounting technology for any enterprise type – be it small, medium or large. NetFlow captures relevant header information from the traffic passing through the interfaces of your routing and switching devices which can then be used for traffic analytics and network forensics. Non-Cisco enterprise device vendors like Juniper, HP, Alcatel, Enterasys, Huawei, Dell, Force10, etc., exports NetFlow or similar flows like IPFIX, J-Flow, sFlow, NetStream, Appflow and so on.
But having NetFlow alone will not help. You also need a tool that is capable of leveraging on NetFlow to the maximum and help in bandwidth monitoring, network forensics and network behavior anomaly detection. ManageEngine NetFlow Analyzer is such a tool.
ManageEngine NetFlow Analyzer has Advanced Security Analytics Module (ASAM) which leverages on NetFlow data to report on possible network behavior anomalies like possible DoS attacks, traffic from invalid source and destination IP’s, excess broadcast or multicast traffic, TCP and UDP packet violations, network scans, etc. ASAM is based not on signature detection, but on behavior anomalies and thus any zero-day malwares bypassing the IDS / IPS system will be captured.
To be prepared and to know what is happening, continuous monitoring is a necessity. NetFlow being a low impact technology is exactly the solution for this. By not taking up too much bandwidth or device resources, you can have NetFlow export and collection running at all times. Store NetFlow data for as long as possible and profile your network traffic behavior using a proper graphing tool. ManageEngine NetFlow Analyzer has the capability to store raw NetFlow data for a month and aggregated flows based on top N to be stored forever. With information about all the traffic that passed through your network in hand, when an issue comes up, simply go back in time and know all that happened.
Once you are prepared and have recorded everything, you can use the information for network forensics which requires detailed information about your network traffic, both from the WAN and the LAN and also within the LAN. ManageEngine NetFlow Analyzer collects and reports on information like source and destination IP, source and destination ports, protocol, source and destination interfaces, ToS and DSCP fields, next hop, TCP flags and a lot more. And this is exactly what you need for network forensics and to answer the Who, What, When and Where of IP traffic.
The information availed from NetFlow helps in compliance reporting too. As per PCI DSS compliance4, “Track and monitor all access to network resources and cardholder data” is a requirement and this is exactly what NetFlow can provide because it tracks each transaction on a per IP, IP network or IP range basis thereby informing you about access to any data storage system.
Don Thomas Jacob
If you are someone who loves reading spy novels, read the article in wired.com about Stuxnet discovery. The article also gives you a good idea on how complex malwares are getting to be. The link to the article is:
Check the ManageEngine webinar recording on Plugging Network Security Holes:
1. Online DoS attack cost calculator:
3. Number of active C&C centers:
4. PCI DSS Compliance:
The original article/video can be found at Network Security Breaches – What to do after?