Feature Article
pensive probes can be deployed, which provide the necessary insight. By
collecting metrics in every corner of the network, MSSPs claim to increase
situational awareness that empowers them to make faster, more informed
decisions. Some MSSPs are deploying a distributed NetFlow collection
solution that can be compared to tapping sugar maples in early spring. By
running the sap back to a sugar house and boiling down huge volumes of
sap to a manageable
size they can utilize
the reduction to enhance their visibility
into the collective
security landscape.
The leaders in
MSSP claim that by
using flow technologies and implementing best practices
they can improve
NetFlow Dashboard
security posture for
customers. By leveraging NetFlow for threat detection, the benefits often include:
• Faster detection times: Mean Time To Awareness (MTTA)
• Improved response times - improving internal support
• Quicker Mean Time To Mitigation (MTTM)
NetFlow in Forensic Investigations
All companies are under attack every day. Just as a retail store can’t
stop all shop lifters, neither can the best IT security teams stop all forms
of malware from getting into a company. When an exfiltration does occur,
flow analysis is often either directly involved with the detection or certainly
a significant part of the investigation and reconnaissance effort.
NetFlow Analysis after the infection is also an important function per-
formed by MSSPs. Because most NetFlow collection systems archive data,
they prove extremely useful during forensic investigations to answer tough
questions such as:
• What was the machine’s behavior leading up to the problem?
• Who else did they communicate with?
• Are there other machines on the network exhibiting the same behavior?
Summary
Although deep packet inspection continues to be a primary APT detection method, flow technology is without a doubt an ideal additional layer of
protection. Packet capture provides greater detail. However, it often can’t
be done on every Internet connection in every remote office. Flow Analysis
allows security teams to cover and record all traffic, to every location, at
each customer network -- and at all times, similar to the security cameras
deployed in a financial institution. If the traffic entered the company then it
was almost always captured and recorded with NetFlow or IPFIX.
Although NetFlow and IPFIX add a great additional layer of protection,
MSSPs understand that one of the best proactive counter threat measures
is education. This is why some MSSPs make great efforts to educate the
customer’s employees on such topics as:
• Best practices for bringing files in and out of the IT infrastructure.
• Definition of spear phishing
• Best Practices for social networking sites.
Although MSSPs can be an attractive alternative to hiring a security
expert, when considering vendors, make sure you ask about the mechanisms
they use to detect and investigate threats. Make sure they explain how they
work with a customer to mitigate a confirmed intrusion, and the processes
they go through to determine if the problem has spread. Your MSSP should
be able to provide detailed answers and stories from the field.
For more information visit www.plixer.com.
Remote Site & Equipment Management \ Summer 2013
17
http://www.plixer.comhttp://www.ZigBeeResourceGuide.comhttp://www.ZigBeeResourceGuide.comhttp://www.ZigBeeResourceGuide.com
Table of Contents for the Digital Edition of Remote - Summer 2013