We talked about the introduction of the Advanced Security Analytics Module (ASAM) for NetFlow Analyzer in our last blog. But some of you might have wondered why anyone would need such a security analytics module when so much security hardware and software is already available in the market.

Every enterprise, irrespective of its size, has multiple security mechanisms in place to protect itself from anomalies, virus attacks and (Distributed) DoS attacks. The network is usually secured with firewall rules, access lists, content filters, anti-virus software, AAA servers, etc., which combine to block unwanted traffic and protect against known attacks. Yet you still read about big enterprises being the target of attacks resulting in major data and operational losses caused by downtime and brand damage.

The fact that a network succumbed to an attack does not mean that the security measures mentioned were a failure or were futile. A traditional IDS can identify known attacks or block pre-defined traffic. There is very little these systems can do against a DDoS attack or virus outbreaks which happen over the Internet. The SQL Slammer worm is the best example. The worm spread over thousands of secure computer networks in under 10 minutes!
Those enterprises which had robust NetFlow accounting in place were able to identify the sudden change in traffic pattern and avoid business losses due to SQL Slammer. If your argument is that this was years back, when IDS systems were not as capable as they are today, then think of the recent ‘Twitter’ attack or check here. You will definitely be able to find more through searches. These enterprises definitely had high-end firewalls and network security systems in place.

This is why you need a system capable of analyzing the IP packets that pass your existing security setup for possible anomalies. NetFlow is not only the best bandwidth monitoring technology but also the most suitable for security analytics. NetFlow, which captures the important header information from the network traffic, allows the user to identify anomalies by producing a detailed accounting of traffic flows. And it does this with no strain on your routing or switching device’s processing power or on the bandwidth.

The Advanced Security Analytics Module (ASAM) uses the exported NetFlow packets, analyzes them and generates reports for network anomalies. The module, which uses ‘Continuous Stream Mining Engine’ technology, analyzes NetFlow data in real time and matches multiple events without duplication. Thus, you get to see the network anomalies in real time.

ASAM analyzes the information in each flow and classifies it as one of various security events or anomalies. Each identified event is classified as a problem, and the problems are further grouped under three major classes. This helps a user easily drill down to an anomaly based on its type instead of having to search through all the data. The problem classes available in ASAM are:

1. Bad Src – Dst
2. Suspect Flows
3. DDoS

Bad Src – Dst covers any flow whose source or destination IP address is suspicious. The problems covered here range from traffic involving a suspect IP address to excessive network broadcasts by an IP address.

A flow cannot be classified as an anomaly based on bad IP addresses alone, because an attack can always originate from a legitimate IP address too. A conversation has many attributes, and many attacks can be identified based on the character of those attributes. Suspect Flows captures all problems which fall under this category, i.e., any problem where an attribute other than the source or destination IP address is suspicious.

The third problem class we have is DDoS. A (Distributed) Denial of Service attack involves the flooding of a host with continuous communication requests from numerous distributed computers, which leads to a bandwidth choke for the hosted service, denying legitimate users access to it. This causes downtime to business applications and services, further damaging reputation. Any such possible attack on your network is classified under the problem class DDoS.
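To make the three-class hierarchy concrete, here is an added example (not ASAM's code, and not taken from this post) that runs simple detection rules over a handful of constructed NetFlow v5-style records and sorts each hit into a problem class and a problem name. The suspect-IP list, the broadcast and distributed-source thresholds, the `Flow` record layout and the rule names are all assumptions chosen for illustration; ASAM's real rules and thresholds are not described here.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow v5-style record (assumed field set for this example)."""
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    tcp_flags: int    # cumulative OR of TCP flag bits seen in the flow


# Assumed policy values, not ASAM's. The "suspect" address is a documentation
# range (RFC 5737) standing in for an entry on a reputation list.
SUSPECT_IPS = {"198.51.100.7"}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
BROADCAST_THRESHOLD = 5     # more broadcast flows than this from one source is excessive
DDOS_MIN_SOURCES = 8        # this many distinct sources hitting one host looks distributed


def is_broadcast(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return addr == LOCAL_NET.broadcast_address or dst == "255.255.255.255"


def classify(flows):
    """Return {problem_class: {problem_name: [flows]}} for the three classes."""
    findings = {cls: defaultdict(list) for cls in ("Bad Src-Dst", "Suspect Flows", "DDoS")}
    bcast_by_src = defaultdict(list)
    srcs_by_dst = defaultdict(set)
    flows_by_dst = defaultdict(list)

    for f in flows:
        # Bad Src-Dst: the address itself is the suspicious attribute.
        if f.src in SUSPECT_IPS or f.dst in SUSPECT_IPS:
            findings["Bad Src-Dst"]["Suspect IP Address"].append(f)
        if is_broadcast(f.dst):
            bcast_by_src[f.src].append(f)

        # Suspect Flows: an attribute other than the IPs is suspicious. A TCP
        # flow whose cumulative flags are all zero cannot come from a real
        # TCP conversation (every segment carries at least one flag).
        if f.proto == 6 and f.tcp_flags == 0:
            findings["Suspect Flows"]["TCP Flow With No Flags"].append(f)

        # Bookkeeping for the DDoS rule.
        srcs_by_dst[f.dst].add(f.src)
        flows_by_dst[f.dst].append(f)

    for src, fl in bcast_by_src.items():
        if len(fl) > BROADCAST_THRESHOLD:
            findings["Bad Src-Dst"]["Excessive Broadcasts"].extend(fl)

    # DDoS: many distinct sources converging on one destination host.
    for dst, srcs in srcs_by_dst.items():
        if len(srcs) >= DDOS_MIN_SOURCES:
            findings["DDoS"]["Distributed Flood"].extend(flows_by_dst[dst])

    return {cls: dict(problems) for cls, problems in findings.items()}


def summarize(findings):
    """Count of flows per problem, grouped by class: the 'drill-down' view."""
    return {cls: {name: len(fl) for name, fl in problems.items()}
            for cls, problems in findings.items()}


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "10.0.0.20", 6, 51000, 443, 120, 0x1B)]            # normal HTTPS session
    + [Flow("198.51.100.7", "10.0.0.20", 6, 4444, 22, 3, 0x02)]           # source on suspect list
    + [Flow("10.0.0.9", "10.0.0.255", 17, 137, 137, 1, 0) for _ in range(6)]  # six broadcasts
    + [Flow("10.0.0.31", "10.0.0.20", 6, 60000, 80, 1, 0x00)]            # TCP with no flags
    + [Flow(f"203.0.113.{i}", "10.0.0.50", 6, 40000 + i, 80, 2, 0x02)    # ten sources, one host
       for i in range(10)]
)

if __name__ == "__main__":
    for cls, problems in summarize(classify(SAMPLE_FLOWS)).items():
        print(cls, problems)
```

One caveat worth keeping in mind when writing rules like these: NetFlow v5 exports the TCP flags as a cumulative OR over the whole flow, so a normal completed session shows SYN, ACK and FIN together, and rules must be written against that cumulative value rather than against a single packet's flags. The thresholds here are deliberately low so the constructed sample trips every rule; in a real deployment they would be tuned to the baseline traffic of the monitored network.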

Security Snapshot

To know more about the type of network anomaly, users can drill down on the identified problem class and find the problem. Problems are the detailed classification within a problem class and help a user understand in depth what type of anomaly occurred. There are quite a number of possible problems that can be identified by ASAM, and more are added to the database with every release. We will walk you through the various problems and what they mean in our next few blogs.

Feel free to try the 30-day ASAM trial with NetFlow Analyzer. Visit this post in our forum to download the installers; our technical team will be glad to extend free support during your evaluation of ASAM and NetFlow Analyzer.


Regards,
Don Thomas Jacob