Security Analytics in NetFlow Analyzer
With the Advanced Security Analytics Module (ASAM) in NetFlow Analyzer, a security analyst's job on a network becomes much easier. This blog helps you understand the requirements for security analytics in a network and how ASAM helps you identify network security loopholes.

What is ASAM?
ASAM is a flow-based security analytics and anomaly detection tool that helps detect zero-day network intrusions using Continuous Stream Mining Engine technology. It classifies intrusions to tackle network security threats in real time and has the intelligence to detect a broad spectrum of external and internal security threats.

Benefits of using ASAM:
- Uses the same NetFlow and sFlow packets exported from the devices.
- Centralized, agentless traffic data collection, analysis and management.
- Deeper visibility into both external and internal security threats.
- Zero-day intrusion / anomaly detection capabilities.
- Continuous overall security assessment of a network.
- Real-time analysis of security threats.
- Non-signature-based security analytics tool.
- Capable of detecting threats that get past the IDS or firewall.
- No extra hardware required for implementation; it is integrated with the existing traffic monitoring tool.
How does ASAM help in this situation?
Assume that the infected PCs or network segments (groups of PCs) are connected to a core layer 3 switch that is currently monitored in NetFlow Analyzer using NetFlow export. The administrator notices a sudden huge spike on the traffic graphs for a particular port and suspects that it might be a security threat.
He now uses the ASAM module to check whether there is any threat on this particular device.
For easier analysis he uses resource-based security threat analysis. The resource-based analysis snapshot shows which particular router, source network, source IP, destination network and destination IP has the highest number of events.
This snapshot lets the administrator drill down easily to the problematic network segment and find the offenders. Once the list of offender IPs is extracted, the network administrator can identify the PCs and remove the malware using an antivirus tool, or disconnect the infected PCs from the network.
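The resource-based roll-up described above, as an added example that is not part of the original post or of the NetFlow Analyzer product: constructed NetFlow-style records are flagged as events by an assumed fan-out rule (one source reaching many distinct destinations in the window), then the events are counted per router, source network, source IP, destination network and destination IP so the noisiest source IPs surface as offenders.

```python
"""Resource-based event roll-up over NetFlow-style records (added example)."""
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed flow records: (router, src_ip, dst_ip, dst_port, packets).
# Two hosts in 10.1.1.0/24 sweep port 445 across 10.2.0.0/24; the rest is normal traffic.
FLOWS = [
    ("core-sw1", "10.1.1.5", "10.2.0.9", 445, 2),
    ("core-sw1", "10.1.1.5", "10.2.0.10", 445, 2),
    ("core-sw1", "10.1.1.5", "10.2.0.11", 445, 2),
    ("core-sw1", "10.1.1.5", "10.2.0.12", 445, 2),
    ("core-sw1", "10.1.1.7", "10.2.0.9", 445, 2),
    ("core-sw1", "10.1.1.7", "10.2.0.13", 445, 2),
    ("core-sw1", "10.1.1.7", "10.2.0.14", 445, 2),
    ("core-sw1", "10.1.2.20", "192.0.2.10", 443, 400),
    ("core-sw2", "10.3.0.4", "192.0.2.20", 80, 120),
]

# Assumed detection rule (not ASAM's): a source touching this many distinct
# destinations in one window is treated as anomalous, with no signature involved.
FANOUT_THRESHOLD = 3


def network_of(ip, prefix=24):
    """Map a host address to its /prefix network, the 'Source/Destination Network' key."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def flag_events(flows, threshold=FANOUT_THRESHOLD):
    """Return every flow belonging to a source whose distinct-destination count meets the threshold."""
    dests = defaultdict(set)
    for _router, src, dst, _port, _pkts in flows:
        dests[src].add(dst)
    noisy = {src for src, d in dests.items() if len(d) >= threshold}
    return [f for f in flows if f[1] in noisy]


def resource_snapshot(events):
    """Count events per router, source network, source IP, destination network and destination IP."""
    snap = {k: Counter() for k in ("router", "src_net", "src_ip", "dst_net", "dst_ip")}
    for router, src, dst, _port, _pkts in events:
        snap["router"][router] += 1
        snap["src_net"][network_of(src)] += 1
        snap["src_ip"][src] += 1
        snap["dst_net"][network_of(dst)] += 1
        snap["dst_ip"][dst] += 1
    return snap


def top_offenders(flows, n=5):
    """The drill-down result: source IPs ranked by flagged event count."""
    return resource_snapshot(flag_events(flows))["src_ip"].most_common(n)
```

With the constructed records, the snapshot attributes all seven events to core-sw1 and to 10.1.1.0/24, and the drill-down ranks 10.1.1.5 (4 events) above 10.1.1.7 (3 events).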