You Can Shine A Light On Security Blindspots With Ziften ZFlow – Chuck Leaver

Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften

Over the past few years, many IT organizations have embraced NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive (compared with full packet capture); it is easy to collect, as most Layer 3 network devices support NetFlow or the IANA standard IPFIX; and it is simple to analyze with freeware or commercially available software. NetFlow can help overcome blind spots in the architecture and provide much-needed visibility into what is actually happening on the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used for baselining and anomaly detection.

NetFlow can offer insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing scheme, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. Most organizations do not route all the way down to the access layer and are therefore blind, to some degree, in that segment of the network.


Full packet capture in this area is still not fully achievable, for a number of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and add essential context to the other flows already being collected in the network. Ziften ZFlow telemetry originates on the endpoint (desktop, laptop, or server), so it does not depend on the network infrastructure to generate it. ZFlow supplies the standard Layer 3/4 data such as source and destination IP addresses and ports, but also adds important Layer 4-7 details: the executable responsible for the network socket, the MD5 hash, PID and file path of that executable, the user who launched it, and whether it ran in the foreground or background. The latter are crucial details that network-based flows simply cannot supply.

This additional contextual data can significantly reduce false positives and gives analysts, SOC personnel and incident handlers rich data to quickly investigate the nature of the network traffic and determine whether it is malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can greatly reduce the time it takes to work through a security event. And we know that time to detect malicious behavior is a key factor in how successful an attack becomes. Dwell times have fallen in recent years but are still at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network harvesting your critical data.

Below is a screenshot showing a port 80 connection to an Internet destination of 23.64.171.27. An interesting fact about this connection that network-based tools would miss is that it was not initiated by a web browser, but by Windows PowerShell. Another interesting data point is that the connection was initiated by the ‘System’ account and not by the logged-in user. Both facts stand out to a security analyst: this is not a false positive and would likely need much deeper investigation (at which point the analyst could pivot into the Ziften console and look deeper into that system’s behavior: which actions or binaries were executed before and after the connection, process history, network activity and more).

[Screenshot: ZFlow record of the port 80 connection to 23.64.171.27, showing the owning process (Windows PowerShell) and the initiating account (System)]
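The triage described above, as an added example that is not Ziften's code: a network-based alert is matched to endpoint flow records that carry process and user attribution, and the combination the text calls out (a web port owned by a non-browser, launched by the System account, in the background) is surfaced as worth an analyst's time. The record fields, the browser and system-account lists, and the sample alert and flows are all constructed assumptions, not ZFlow's actual schema.

```python
# Added example (not Ziften code): correlating a network alert with endpoint
# flow records that carry process and user attribution. Field names and the
# record layout are assumptions; ZFlow's real schema may differ.
from dataclasses import dataclass

# Processes that normally own port 80/443 sockets on a workstation (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "local service", "network service"}

@dataclass
class EndpointFlow:
    host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    exe: str          # executable that owns the socket
    pid: int
    md5: str
    user: str         # account that launched the executable
    foreground: bool  # did the process run in the foreground?

def triage(alert: dict, flows: list[EndpointFlow]) -> list[dict]:
    """Match a network alert (dst_ip/dst_port) to endpoint flows and record
    why each match is, or is not, worth investigating."""
    findings = []
    for f in flows:
        if (f.dst_ip, f.dst_port) != (alert["dst_ip"], alert["dst_port"]):
            continue
        reasons = []
        if f.exe.lower() not in BROWSERS:
            reasons.append(f"web port owned by non-browser {f.exe} (pid {f.pid})")
        if f.user.lower() in SYSTEM_ACCOUNTS:
            reasons.append(f"initiated by {f.user}, not the logged-in user")
        if not f.foreground:
            reasons.append("process ran in the background")
        findings.append({"host": f.host, "exe": f.exe, "md5": f.md5,
                         "verdict": "investigate" if reasons else "likely benign",
                         "reasons": reasons})
    return findings

# Constructed sample data: one proxy/IDS alert and two endpoint flows to the same destination.
ALERT = {"dst_ip": "23.64.171.27", "dst_port": 80}
FLOWS = [
    EndpointFlow("ws-01", "10.0.0.5", "23.64.171.27", 80, "chrome.exe", 4120,
                 "placeholder-md5-aaaa", "CORP\\alice", True),
    EndpointFlow("ws-02", "10.0.0.9", "23.64.171.27", 80, "powershell.exe", 2288,
                 "placeholder-md5-bbbb", "SYSTEM", False),
]

if __name__ == "__main__":
    for finding in triage(ALERT, FLOWS):
        print(finding)
```

Without the endpoint fields, both flows look identical to a network sensor (same destination, same port); the process and user attribution is what separates the browsing session from the one that merits a pivot into process history.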

Ziften’s ZFlow shines a light on security blind spots and provides the extra endpoint context of process, application and user attribution to help security personnel better understand what is actually happening in their environment. Combined with network-based events, ZFlow can significantly reduce the time it takes to investigate and respond to security alerts and markedly improve a company’s security posture.
