Which NetFlow analyzer is the best available in the industry really depends on the needs of the IT team supporting the company's critical business applications. That team knows which attributes of its applications require monitoring. Although the requirements are often the same across applications, there are usually a few specific metrics that, if monitored correctly, bring real benefit to the support team.

Network Threat Detection

More than ever, network threat detection is a primary concern at all levels of IT. It doesn't take a cyber-security expert to understand that electronic theft isn't prevented by good passwords, up-to-date antivirus and OS patches alone. Most infections start with a phishing attack or with what this post calls click jacking.

Phishing Attacks

These occur when we receive email from a sender impersonating someone we trust, asking us to open an attachment or follow a URL. If the user opens the file or follows the link, the machine can become infected.

Click Jacking

This occurs when a user visits a web site, often a legitimate one that has been compromised or is serving a malicious advertisement, and a script runs that, unbeknownst to the user, installs malware on their machine. The malware soon phones home to a server on the Internet for instructions on what to do next. Strictly speaking this is a drive-by download; the term clickjacking properly describes tricking a user into clicking a concealed page element, although the two techniques are often combined.

Most network intrusion detection efforts do not prevent these types of infections: the end user has already authenticated onto the network, and the outbound SSL/TLS connection made by the malware looks like any other encrypted web session, so it often passes right through even the best firewalls on the market. How can we stop this?

Network Threat Protection

One of the best ways to detect infections by one of these advanced attacks is to monitor outbound connections using NetFlow. If your company has already invested in a NetFlow collector, a NetFlow replicator can be deployed in front of it. The replicator receives the flows before the collector does and forwards copies to multiple destinations with the original source IP address intact (collectors identify the exporter by that source address). Both the current NetFlow solution and the new network threat protection system that also consumes NetFlow therefore believe they are receiving the flows directly from the original flow exporter.
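To show why a replicator must write the exporter's address into each copy rather than its own, here is an added example (written for this page, not Plixer's code or any product's replicator). It builds IPv4/UDP datagrams with the exporter's source address by hand and returns one copy per collector. The exporter, collector addresses, ports and the NetFlow v5 payload are all constructed; sending requires a raw socket and root (or CAP_NET_RAW), so by default the function only builds the packets.

```python
"""NetFlow replicator mechanics: re-emit a received flow datagram to several
collectors while keeping the exporter's IP as the source address.
Added example; not a product's code. All addresses and the payload are constructed."""
import socket
import struct

NETFLOW_PORT = 2055  # conventional UDP port for NetFlow/IPFIX collectors


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Returns 0 when run over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp_datagram(src_ip, dst_ip, src_port, dst_port, payload):
    """IPv4 + UDP packet whose source address is chosen by us, not by the kernel."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "absent", which IPv4 permits.
    udp_header = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 20 + udp_len,        # version/IHL, DSCP/ECN, total length
                            0, 0,                        # identification, flags/fragment offset
                            64, socket.IPPROTO_UDP, 0,   # TTL, protocol, checksum placeholder
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    return ip_header + udp_header + payload


def parse_ipv4_udp(packet):
    """Decode a packet built above: (src_ip, dst_ip, src_port, dst_port, payload)."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl != 0x45 or proto != socket.IPPROTO_UDP:
        raise ValueError("not a plain IPv4/UDP packet")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[20:28])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, packet[28:20 + udp_len]


def replicate(flow_payload, exporter_ip, exporter_port, destinations, raw_sock=None):
    """Build one copy of the flow datagram per collector, each appearing to come
    from the exporter. Sends only when a raw socket is supplied; returns the packets."""
    packets = []
    for dst_ip, dst_port in destinations:
        pkt = build_ipv4_udp_datagram(exporter_ip, dst_ip, exporter_port, dst_port, flow_payload)
        if raw_sock is not None:
            raw_sock.sendto(pkt, (dst_ip, 0))  # port is ignored with IP_HDRINCL
        packets.append(pkt)
    return packets


def open_raw_socket():
    """Raw IPv4 socket that keeps our header (needs root or CAP_NET_RAW)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    return s


# Constructed NetFlow v5 datagram: 24-byte header with count=1, plus one 48-byte record.
V5_HEADER = struct.pack("!HHIIIIBBH", 5, 1, 360_000, 1_700_000_000, 0, 42, 0, 0, 0)
V5_RECORD = struct.pack("!4s4s4sHHIIIIHHBBBBHHBBH",
                        socket.inet_aton("10.0.0.5"), socket.inet_aton("203.0.113.7"),
                        socket.inet_aton("10.0.0.1"), 1, 2, 40, 20_000, 350_000, 359_000,
                        51000, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
SAMPLE_FLOW_DATAGRAM = V5_HEADER + V5_RECORD
EXPORTER = ("192.168.1.1", 49152)                                # constructed router address/port
COLLECTORS = [("192.168.1.10", NETFLOW_PORT), ("192.168.1.20", NETFLOW_PORT)]  # constructed

if __name__ == "__main__":
    # Dry run: build the copies without sending. Pass raw_sock=open_raw_socket() to emit them.
    for pkt in replicate(SAMPLE_FLOW_DATAGRAM, *EXPORTER, COLLECTORS):
        print("%s:%d -> %s:%d, %d bytes" % (*parse_ipv4_udp(pkt)[:4], len(pkt)))
```

Because the replicator writes another host's address into the IP header, it has to sit somewhere the network will accept those packets: a switch port or router with anti-spoofing (uRPF or ingress filtering) between the replicator and a collector will silently drop the copies, which shows up as a collector that never sees the exporter rather than as an error.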

With the existing network monitoring solution taken care of, the network security software, which is also receiving the same flows, can get to work analyzing the outbound connections. What behaviors is it looking for?

Within minutes, a network threat detection system that analyzes NetFlow or IPFIX can be running multiple threat detection routines. Host reputation, for example: the system routinely downloads a list of known compromised or malicious Internet hosts and verifies that internal systems are not communicating with them. An internal host talking to an address with a poor reputation could be participating in command-and-control (C&C) traffic. Additionally, TCP flags and flow ratios are checked (for instance, a burst of SYN-only flows to many hosts, or far more bytes leaving a host than returning to it), and communication behaviors are constantly compared to baselines. Any behavior more than a configured number of standard deviations from its baseline can trigger an event.
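To make those routines concrete, here is an added example (written for this page; it is not Plixer's code and not the logic of any product). It runs the four checks named above over constructed, already-decoded flow records: reputation matching, SYN-only fan-out from the TCP flags, an egress byte ratio per internal host, and a z-score against each host's own daily baseline. The internal range 10.0.0.0/8, the blocklist, the thresholds and every flow record are assumptions made for the example.

```python
"""Flow-based threat detection routines over NetFlow-style records.
Added example, not a product's code. Assumes the collector has already decoded the
flows into dicts with the v5-style fields used below; all data is constructed."""
import ipaddress
import statistics
from collections import defaultdict

SYN = 0x02
TCP = 6
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# Constructed unidirectional flow records (NetFlow v5 field names, tcp_flags is the OR of flags seen).
FLOWS = [
    # Internal host exchanging traffic with a host on the (constructed) reputation blocklist
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "proto": TCP, "pkts": 40, "bytes": 20_000, "tcp_flags": 0x1B},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 51000, "proto": TCP, "pkts": 60, "bytes": 300_000, "tcp_flags": 0x1B},
    # One unanswered SYN from 10.0.0.5: normal noise, must not trigger the fan-out check
    {"src": "10.0.0.5", "dst": "192.0.2.50", "dport": 80, "proto": TCP, "pkts": 3, "bytes": 180, "tcp_flags": SYN},
    # Large one-way upload from 10.0.0.12 with almost nothing coming back
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dport": 443, "proto": TCP, "pkts": 900, "bytes": 950_000, "tcp_flags": 0x1B},
    {"src": "198.51.100.20", "dst": "10.0.0.12", "dport": 52000, "proto": TCP, "pkts": 30, "bytes": 4_000, "tcp_flags": 0x1B},
]
# SYN-only fan-out from 10.0.0.9: eight distinct targets, one unanswered SYN each
FLOWS += [
    {"src": "10.0.0.9", "dst": "192.0.2.%d" % n, "dport": 445, "proto": TCP, "pkts": 1, "bytes": 60, "tcp_flags": SYN}
    for n in range(10, 18)
]
BLOCKLIST = {"203.0.113.7"}  # constructed stand-in for a downloaded reputation list

# Constructed daily byte totals per host: history from earlier days, current for today.
HISTORY = {
    "10.0.0.5": [19_000, 20_000, 21_000, 20_000, 20_000],
    "10.0.0.12": [20_000, 21_000, 19_500, 20_500, 22_000],
    "10.0.0.7": [100, 100, 100],
}
CURRENT = {"10.0.0.5": 20_500, "10.0.0.12": 950_000, "10.0.0.7": 100, "10.0.0.99": 5_000_000}


def reputation_hits(flows, blocklist):
    """Flows where either endpoint appears on the reputation list."""
    return [(f["src"], f["dst"]) for f in flows if f["src"] in blocklist or f["dst"] in blocklist]


def syn_only_fanout(flows, min_targets=5):
    """Sources whose TCP flows carried only SYN (no ACK ever seen) towards many distinct
    hosts: a scanner, or malware hunting for a C&C server that is down."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["tcp_flags"] == SYN:
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def egress_ratios(flows):
    """Per internal host: (bytes sent to external hosts, bytes received, sent share)."""
    out_b, in_b = defaultdict(int), defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            out_b[f["src"]] += f["bytes"]
        elif is_internal(f["dst"]) and not is_internal(f["src"]):
            in_b[f["dst"]] += f["bytes"]
    hosts = set(out_b) | set(in_b)
    return {h: (out_b[h], in_b[h], out_b[h] / (out_b[h] + in_b[h])) for h in hosts}


def exfil_suspects(flows, min_out_bytes=500_000, min_ratio=0.9):
    """Hosts that sent a lot and received almost nothing back; thresholds are assumptions."""
    return {h: r for h, r in egress_ratios(flows).items() if r[0] >= min_out_bytes and r[2] >= min_ratio}


def baseline_anomalies(history, current, k=3.0):
    """Hosts whose current value lies more than k standard deviations from their own history.
    Hosts without history cannot be scored and are skipped; a perfectly flat history
    (std == 0) flags any change at all rather than dividing by zero."""
    flagged = {}
    for host, value in current.items():
        past = history.get(host)
        if not past:
            continue
        mean, std = statistics.mean(past), statistics.pstdev(past)
        z = (value - mean) / std if std else (float("inf") if value != mean else 0.0)
        if abs(z) > k:
            flagged[host] = round(z, 1)
    return flagged


def run_all(flows, blocklist, history, current):
    return {
        "reputation": reputation_hits(flows, blocklist),
        "syn_fanout": syn_only_fanout(flows),
        "exfil": exfil_suspects(flows),
        "baseline": baseline_anomalies(history, current),
    }


if __name__ == "__main__":
    for name, result in run_all(FLOWS, BLOCKLIST, HISTORY, CURRENT).items():
        print(name, result)
```

Each check alone is noisy (a backup job also uploads far more than it downloads), which is why these systems combine several routines before raising an event; the example keeps them separate so that each signal can be inspected on its own.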

Advanced NetFlow Training

To learn more about how NetFlow, IPFIX, J-Flow, NetStream, CascadeFlow and, to some extent, sFlow can be used to improve the network threat protection efforts on your network, attend one of the Plixer advanced NetFlow training classes in a city near you.