Intrusion Detection: Event Correlation

https://i2.wp.com/www.plixer.com/images/logo.pngNetwork Intrusion Detection, Cyber Threats, Advanced Persistent Threats (APTs), Polymorphic Malware, Event Correlation – today all of these terms are foremost on many IT Security Professionals minds. What cyber security layer can we add to our existing protection efforts that will bring us greater peace of mind?

Our company cut its teeth in network performance monitoring and threat investigation reports. Today however, displaying the top N conversations is just the beginning of the functionality we have engineered into our network monitoring solution.

Network Situational Awareness

The worst types of malware and the most advanced threats are flying in right under the radar, but, with NetFlow we have one more piece of the puzzle to make finding that problematic host easier. Let’s say for example that an email phishing attack penetrated the IDS, the Anti-Spam Filter, and the Anti-Virus Software, click-jacked a user and installed polymorphic malware on a trusted machine. Now that Advanced Threat takes action, moves laterally, infects others, mining as much data as possible. It’s unlikely that APT will be caught by the inline security appliances looking for failed login attempts – the host is already trusted!

The Limitation of Signature-based Intrusion Detection

IPFIX or NetFlow are great for Network Threat Detection as both allow us to monitor outbound connections which generally pass right on by even the best deep packet inspection security appliances such as an IPS or firewall. Up to date Anti-Virus solutions won’t question most connections initiated by a locally hosted APT. Even if Security Appliances did monitor outbound connections, the most insidious advanced threats utilize SSL connections, which means “Sorry Charlie” to signature-based threat detection solutions.

Correlating NetFlow with Text-based Logs

Correlating logs with NetFlow to detect network threats will ideally take these aforementioned issues into consideration. What other machines did an infected host try to connect to (i.e. NetFlow)? Do these machines contain successful or unsuccessful logins at or around the exact same time (i.e. syslog)? This is one example of log correlation with NetFlow. If we mix in IP host reputation checking, we achieve another layer of network threat detection.

I’m not saying that the days of proprietary signature-based security are coming to an end. Rather, I’m promoting the use of flow data to add another layer of security. How else could our solution earn customers an average of 2500% ROI in cost-savings.

Try Scrutinzer Free for 30-days

Download NetFlow Analysis Tools

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of the author. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided "as-is". The author shall not be liable for any damages whatsoever arising out of the content or use of this blog.
%d bloggers like this: