NetFlow data remains a largely untapped resource for network security professionals. Most modern routers support it, yet in most cases NetFlow is collected for network operations management and QoS and then discarded. That is unfortunate for security analysts, who need flow data for a variety of security and compliance reasons: good flow data is a fundamental part of any network forensics investigation. NetFlow is appealing because, on networks whose routers already support it, the data is free and easy to collect.
Luckily, several free NetFlow tools are available to collect and store NetFlow data, often in a highly efficient compressed binary format. These tools vary greatly in quality and support. The table below summarizes the free NetFlow tools available to network security analysts.
| Name | Version | Last Updated | License |
|---|---|---|---|
| NEye | 1.0.1 | February 6, 2005 | GNU-like |
| SiLK | 0.11.7 | September 6, 2007 | GNU |
| Flowd | 0.9 | March 4, 2006 | BSD-like |
| nfdump | 1.5.6 | August 8, 2007 | BSD |
| flow-tools | 0.68 | April 11, 2005 | Apache-like |
| Cflowd | 2.1.b1 | October 24, 2000 | GNU |
| EHNT | 0.4 | August 5, 2003 | GNU |
| Flowc | 1.6 | August 18, 2006 | Apache-like |
From personal experience, I have found SiLK, flow-tools and nfdump to be excellent solutions for capturing flow data. It is worth noting that only two of the eight tools above have been updated in the last year. Future posts in BreachBytes will cover some of these tools in depth and look into performance comparisons between them.
Don’t believe me? Just ask TJX or Monster.com or The Department of Homeland Security or Salesforce or TD Ameritrade or… still don’t believe me? Well, check out what Sal Iannuzzi, CEO of Monster.com, had to say (he agrees with me):
“I wish I could say…there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can.” 08/29/07, Reuters
If you still don’t believe me then feel free to move on. If you do, then read on.
Let’s reflect back on the past 12 months to perform that so-called “rocking chair test.” It certainly was a busy year! In fact, the Threats Watch Blog went as far as to call 2007 “The Year of the Data Breaches.” Additionally, CSO magazine has an excellent summation of the past year in their article “The Top 10 Data Breaches of 2007.”
So, what can we learn from this past year? Three things:
- Breaches are inevitable.
- Organizations can no longer rely solely on protection (firewalls, IPS, etc.) and detection (IDS, event correlation, alerting) for security.
- Organizations must have a comprehensive breach recovery plan in place.
(more…)
NetFlow data is critical for both network operations and security. The primary use of NetFlow today is on the operations side, but security professionals are catching on too. For insider threat detection, network forensics and network behavior analysis (NBA), there is no better data source available. Any given enterprise falls into one of the following four scenarios:
- NetFlow is already being collected for network operations but not being shared with security analysts.
- NetFlow is not being collected but is supported by routers (or switches).
- NetFlow data is already being collected for network security purposes.
- NetFlow cannot be collected because the hardware doesn’t support it.
(more…)
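The two preceding posts argue that NetFlow is cheap to collect and is the best raw material for forensics and behavior analysis. The following block, added here as an illustration and not code from BreachBytes or from any of the tools in the table above, shows what that means in practice: a minimal UDP collector that decodes Cisco NetFlow v5 export datagrams (24-byte header, 48-byte records), followed by two of the security queries a flow store makes possible: outbound byte totals per internal host (the input to an exfiltration or top-talker check) and a per-host peer summary of the kind an analyst needs to say definitively who a machine talked to. The flow records, the address ranges and the export port 2055 are constructed for the example and are not from the original page.

```python
"""NetFlow v5 collector/parser with two security queries (added example)."""
import ipaddress
import socket
import struct
from collections import defaultdict

# Cisco NetFlow v5 wire format: network byte order, fixed-size records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
V5_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "octets",
             "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
             "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into (header, [records])."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    # Bound the loop by the real length, not the count field: a truncated
    # or forged datagram must not make the collector read past the buffer.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header claims %d records, datagram too short" % count)
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine": (engine_type, engine_id),
              # top two bits are the sampling mode, low 14 bits the interval
              "sampling_mode": sampling >> 14,
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(V5_FIELDS, V5_RECORD.unpack_from(datagram, off)))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return header, records


def collect(bind_addr="0.0.0.0", port=2055):
    """Yield (exporter_ip, header, records) per datagram. Port 2055 is only
    a common choice (assumption); use whatever the router exports to."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                header, records = parse_v5(data)
            except ValueError:
                continue  # in production: log and count malformed datagrams
            yield exporter, header, records


def outbound_bytes(records, internal):
    """Bytes each host inside `internal` sent to addresses outside it."""
    net = ipaddress.ip_network(internal)
    totals = defaultdict(int)
    for r in records:
        if (ipaddress.ip_address(r["src"]) in net
                and ipaddress.ip_address(r["dst"]) not in net):
            totals[r["src"]] += r["octets"]
    return dict(totals)


def peers_of(records, host):
    """Forensic view of one host: {(peer, proto, peer_port): (packets, bytes)}
    over both directions, so the answer is 'it talked to X' rather than
    'data may have been stolen'."""
    summary = defaultdict(lambda: [0, 0])
    for r in records:
        if r["src"] == host:
            key = (r["dst"], r["proto"], r["dport"])
        elif r["dst"] == host:
            key = (r["src"], r["proto"], r["sport"])
        else:
            continue
        summary[key][0] += r["packets"]
        summary[key][1] += r["octets"]
    return {k: tuple(v) for k, v in summary.items()}


def build_v5(flows, unix_secs=1193702400):
    """Encode (src, dst, proto, sport, dport, packets, octets) tuples as a v5
    datagram. Used here to construct sample input instead of a live router."""
    hdr = V5_HEADER.pack(5, len(flows), 1000, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed,
                       ipaddress.IPv4Address(d).packed, b"\0\0\0\0",
                       1, 2, pk, oc, 0, 1000, sp, dp, 0, 0x18, pr, 0,
                       0, 0, 24, 0, 0)
        for s, d, pr, sp, dp, pk, oc in flows)
    return hdr + body


SAMPLE_FLOWS = [  # constructed traffic, not from any real network
    ("10.1.1.5", "10.1.1.10", 6, 51000, 445, 20, 6000),
    ("10.1.1.5", "203.0.113.7", 6, 52000, 443, 900, 1200000),
    ("10.1.1.8", "198.51.100.2", 17, 53120, 53, 2, 180),
    ("203.0.113.7", "10.1.1.5", 6, 443, 52000, 300, 40000),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    _, recs = parse_v5(SAMPLE_DATAGRAM)
    print(outbound_bytes(recs, "10.1.1.0/24"))
    print(peers_of(recs, "10.1.1.5"))
```

Running it offline decodes the constructed datagram and reports that 10.1.1.5 pushed 1.2 MB to 203.0.113.7:443, which is exactly the kind of fact a flow store lets you state after the fact. Replace the sample with `for exporter, header, records in collect(): ...` on a host the router exports to, and persist the records; the real tools in the table above do the storage far more efficiently than a Python list, but the decoding and the questions asked of the data are the same.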
NetFlow data is ubiquitous, and people other than network engineers are taking notice. Security analysts need to be aware that NetFlow data can be easily collected (odds are that your routers support some form of NetFlow) and, given the right tools, analyzed for network security operations. This Cisco-centric blog post has a good list of software solutions for NetFlow analysis that are relevant to security analysts. At their core, all of the tools listed but one (Net/FSE by Packet Analytics) are not network security specific, but they can certainly be leveraged for this purpose.
(more…)
Oak Ridge National Laboratory admitted that it had suffered a breach on October 29th, 2007. Luckily, it appears from this Information Week article that no classified information was compromised. This breach underscores the fact that breaches are inevitable and that all organizations, whether government, non-profit or for-profit, must have a comprehensive response and recovery plan.
There are so many situations, reports and news articles where vague statements are used, such as this one in the Information Week article: “ORNL said that no classified information was lost but that the personal information of visitors may have been stolen.” “…may have been stolen.” That makes me feel comfortable and secure. When responding to an incident it is necessary to be able to state definitively what actually happened and to report a conclusive response. That’s what “incident response” is all about.
A comprehensive recovery plan that includes the ability to perform “deep dives” into all of an organization’s network data, particularly NetFlow, lets security analysts provide that definitive answer we are all looking for.