This year has been another brutal one for breaches and data loss, with 400 new threats emerging every minute by some reports. Most security administrators and architects have been shoring up defenses inside networks in order to better detect places of compromise and attacker movement. Many organizations recognize that one of the fastest ways to beef up detection capabilities is to add context-based network analytics like those provided by Security Information and Event Management (SIEM) systems and NetFlow security analyzers.
Adoption has been brisk: the SIEM market is one of the strongest, with forecasted growth of 12 percent annually, reaching $4.54 billion by 2019. And recently, Cisco further highlighted the importance of network telemetry to security with the acquisition of NetFlow analysis veteran Lancope for $453 million.
NetFlow and IPFIX have long been understood to offer critical insight for insider threat detection because they provide contextual information about network traffic. To surface anomalous patterns on the network, NetFlow/IPFIX analyzers examine packet metadata and group similar records into the bigger picture of attacker operations inside the network.
NetFlow/IPFIX records from some sources may contain additional metadata, including URL, CDP and SIP user information. For instance, a DDoS attack that hits a web resource far more often than normal can be flagged by analyzing the flow records that cover every packet hitting that resource.
Another rich source of security intelligence is contained in HTTP response codes. These may be appended to NetFlow records in order to centralize metadata intelligence. HTTP response codes are divided into five categories:
- 100 - 199 are informational
- 200 - 299 indicate success
- 300 - 399 denote redirection
- 400 - 499 are client errors (a problem with the client's request)
- 500 - 599 are server errors
For the casual web user, a 404 error code means trying a couple more times and then moving on after failing to reach the page. But collect all of these codes over time and run them through analytics tools, and a picture of suspicious and malicious activity can come into view.
For instance, an analysis of 2XX codes, which denote successful access, including to resources that require special authorization, might surface an atypical or unauthorized user getting through. A flurry of HTTP 2XX codes from your servers well above what has been benchmarked as normal for the network could mean an attacker has found a way to send malicious requests that the target servers are answering successfully.
3XX codes can be analyzed for anomalous redirections that may lead to security-sensitive URIs inside the target network. Finally, too many 4XX codes in a short time span can signal that an infected machine is searching for a command-and-control server.
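As an added example (not code from the article or from Gigamon), the Python script below buckets the HTTP status codes attached to flow records and runs the three checks just described: a server answering far more 2XX responses than its norm, a 3XX redirect followed by the same client fetching a sensitive URI, and a client producing a burst of 4XX responses. The record field names (ts, client, server, uri, status), the per-server baselines, the thresholds and all of the sample traffic are assumptions made for illustration; real exporters and analyzers name and tune these differently.

```python
"""Added example (not the article's or Gigamon's code): bucket the HTTP status
codes carried in flow records and run the three checks the text describes.
Field names, thresholds and all traffic below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2015, 12, 1, 10, 0, 0)


def _flow(offset_s, client, server, uri, status):
    # Constructed record layout; a real exporter uses its own field names.
    return {"ts": T0 + timedelta(seconds=offset_s), "client": client,
            "server": server, "uri": uri, "status": status}


# Constructed sample traffic: ordinary browsing, a burst of successes against
# an admin API, a redirect followed by a sensitive fetch, and a 404 storm.
FLOWS = (
    [_flow(i * 10, "10.1.1.5", "10.9.0.10", "/home", 200) for i in range(5)]
    + [_flow(i * 4, "10.1.1.77", "10.9.0.20", "/api/admin", 200) for i in range(12)]
    + [_flow(30, "10.1.1.42", "10.9.0.10", "/portal", 302),
       _flow(31, "10.1.1.42", "10.9.0.10", "/internal/keys", 200)]
    + [_flow(i * 2, "10.1.1.99", "10.9.0.%d" % (30 + i % 5), "/check", 404)
       for i in range(25)]
)
# Assumed per-server norm for successful responses per minute (learned from
# history in a real deployment).
BASELINE_2XX_PER_MIN = {"10.9.0.10": 2, "10.9.0.20": 2}


def status_class(code):
    """Map a status code to its class 1..5 (1xx informational ... 5xx server error)."""
    if not 100 <= code <= 599:
        raise ValueError("not an HTTP status code: %r" % code)
    return code // 100


def count_by_class(flows):
    """Histogram of status classes; the first thing to baseline per server."""
    return Counter(status_class(f["status"]) for f in flows)


def spikes_2xx(flows, baseline_per_min, factor=5):
    """Servers whose 2XX responses in any one-minute bucket exceed baseline*factor."""
    buckets = Counter()
    for f in flows:
        if status_class(f["status"]) == 2:
            buckets[(f["server"], f["ts"].replace(second=0, microsecond=0))] += 1
    return sorted({srv for (srv, _), n in buckets.items()
                   if n > baseline_per_min.get(srv, 0) * factor})


def redirects_to_sensitive(flows, sensitive_prefixes, within=timedelta(seconds=5)):
    """3XX responses after which the same client fetches a sensitive URI within `within`."""
    by_client = defaultdict(list)
    for f in flows:
        by_client[f["client"]].append(f)
    prefixes = tuple(sensitive_prefixes)
    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if status_class(r["status"]) != 3:
                continue
            for nxt in recs[i + 1:]:
                if nxt["ts"] - r["ts"] > within:
                    break
                if nxt["uri"].startswith(prefixes):
                    hits.append((client, r["uri"], nxt["uri"]))
    return hits


def bursts_4xx(flows, window=timedelta(seconds=60), threshold=20):
    """Clients with more than `threshold` 4XX responses inside any sliding window."""
    times = defaultdict(list)
    for f in flows:
        if status_class(f["status"]) == 4:
            times[f["client"]].append(f["ts"])
    flagged = {}
    for client, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            n = end - start + 1
            if n > threshold:
                flagged[client] = max(flagged.get(client, 0), n)
    return flagged


if __name__ == "__main__":
    print("classes:", dict(count_by_class(FLOWS)))
    print("2XX spikes:", spikes_2xx(FLOWS, BASELINE_2XX_PER_MIN))
    print("redirects:", redirects_to_sensitive(FLOWS, ["/internal/"]))
    print("4XX bursts:", bursts_4xx(FLOWS))
```

All three checks key on fields a metadata-enriched exporter adds to the flow record (status code and URI); plain NetFlow v5 has neither, which is why the text stresses what the generation platform exports. The baseline dictionary stands in for the per-server history an analyzer would learn; a server missing from it gets a baseline of zero and so flags on any 2XX traffic, which is the conservative choice for an unknown host.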
The bottom line is that these codes are a trove of network intelligence, and the key to unlocking it is having access to the data and the means to analyze it. The value of NetFlow and network metadata to security analytics is undeniable. The challenge for security teams is to understand how NetFlow is being generated in their environment.
For instance, if teams are relying on routers to generate NetFlow, they may get sampled records, which give an incomplete picture from a security perspective. The other item to consider is which tools and utilities the organization has for collecting and analyzing NetFlow, IPFIX and network metadata.
To have the most effective metadata analytics framework, organizations should aim to centralize NetFlow generation on a security delivery platform that can offload routers and switches and provide full, unsampled NetFlow records. Security stakeholders should ensure that their NetFlow generation capabilities offer additional network information such as URL/URI, CDP and SIP, as well as HTTP response codes.
Finally, ensure that you have analytics tools that can consume unsampled NetFlow and metadata to provide security analytics at scale. This will give organizations the best chance of surfacing threats and malicious actors, even if they are operating "low and slow".
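To make the sampling caveat concrete, here is an added Python simulation (not from the article or from Gigamon) of why 1-in-N packet-sampled NetFlow from a router misses "low and slow" activity that full flow export catches. It constructs a day of background traffic plus one host that opens a small connection every ten minutes, models sampling as "a flow is exported only if one of its packets was the N-th packet seen", and runs a simple beacon detector (near-constant inter-arrival times) over both the full and the sampled streams. The traffic, the host addresses, the sampling model and the detector thresholds are all assumptions for illustration.

```python
"""Added example (not the article's code): 1-in-N sampling versus full flow
export when hunting a low-and-slow beacon. All traffic is constructed."""
import random
from collections import defaultdict
from statistics import mean, pstdev

BEACON_HOST = "10.2.0.50"  # constructed: the one host phoning home every 10 min


def make_traffic(seed=1):
    """Constructed day of flows as (start_seconds, src_host, packet_count):
    20,000 noisy background flows plus 144 six-packet beacon flows 600 s apart."""
    rng = random.Random(seed)
    flows = [(rng.uniform(0, 86400),
              "10.1.%d.%d" % (rng.randint(1, 9), rng.randint(1, 250)),
              rng.randint(5, 2000))
             for _ in range(20000)]
    flows += [(k * 600.0, BEACON_HOST, 6) for k in range(144)]
    flows.sort()
    return flows


def sample_flows(flows, n):
    """Model 1-in-n packet sampling at the exporter: a flow is exported only if
    at least one of its packets is an n-th packet; small flows mostly vanish."""
    kept, seen = [], 0
    for flow in flows:
        pkts = flow[2]
        if (seen + pkts) // n > seen // n:
            kept.append(flow)
        seen += pkts
    return kept


def detect_beacons(flows, min_flows=12, max_cv=0.1):
    """Hosts whose flow inter-arrival times are nearly constant (coefficient of
    variation below max_cv) over at least min_flows flows."""
    starts = defaultdict(list)
    for ts, host, _ in flows:
        starts[host].append(ts)
    beacons = []
    for host, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            beacons.append(host)
    return sorted(beacons)


def beacon_flows_seen(flows):
    """How many of the beacon host's flows survive into this record stream."""
    return sum(1 for _, host, _ in flows if host == BEACON_HOST)


if __name__ == "__main__":
    full = make_traffic()
    sampled = sample_flows(full, 1000)
    print("full export   : %d flows, beacon flows %d, beacons %s"
          % (len(full), beacon_flows_seen(full), detect_beacons(full)))
    print("1:1000 sampled: %d flows, beacon flows %d, beacons %s"
          % (len(sampled), beacon_flows_seen(sampled), detect_beacons(sampled)))
```

The beacon's six-packet flows are exactly the records that packet sampling discards, so the sampled stream keeps only a handful (if any) of the 144 beacon flows and the periodicity that the detector relies on never forms; the full stream shows the host with a coefficient of variation of zero. Sampling keeps the large transfers that dominate bandwidth charts, which is fine for capacity planning and the reason it is a poor fit for the analytics the text describes.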
Johnnie Konstantas is a senior technology marketing executive at Gigamon.