Five Critical Uses Of Netflow Data For Security
There has always been sufficient justification to collect and look at flow data if only to get a picture of what your network is being used for. Now, as attacks become more and more common, using Netflow data for security is easy to do and often much less expensive to deploy and operate because your existing network devices can be easily configured to provide Netflow to an application like Koiossian’s sýnesis™.
There has been a recent surge in interest in application discovery, thanks mainly to the explosion of cloud-based apps. Learning what your users are doing on your network and enforcing an acceptable use policy are the drivers behind the inclusion of application control into Unified Threat Management (UTM) devices. Netflow analysis is a way to get there quickly without swapping out your gateway security products.
Anomalous network behavior
With Netflow it is possible to profile “normal” network traffic and alert network administrators when something changes. Koiossian’s sýnesis™ can be configured to leverage our library of Advanced Machine Learning Jobs and Alert definitions for anomaly detection at a very granular level for network and system trouble shooting.
Identification of compromised hosts
Doing nothing can risk everything. There are many examples of networks and systems being hacked. Some notable ones are Equifax, exposed voter records, eBay and Uber, just to name a few.
Failure to quickly identify and respond to compromises can result in:
The relatively inexpensive replacement of a host, to
Loss in consumer confidence, to
Regulatory or Governmental Fines, to
Loss of confidence in Election Results, to
Loss of an Election
To understand how Netflow monitoring can help quickly identify compromises, read: Identifying Compromised Hosts With Netflow
Insiders engaged in nefarious actions
More and more companies are building network, application, and user context into their Netflow analytics. This makes it possible to identify anomalous user behavior.
For example, if an employee or contractor is downloading large amounts of data to his or her laptop, or using network scanning tools, or hacking in general, Netflow can be used to identify the behavior and the perpetrator engaged in the suspicious activity.
Even access attempts that violate policies can be identified using Netflow. This could be as simple as visiting inappropriate websites or as dangerous as repeated login attempts to a database server.
An offshore contractor seen making a large number of connections to a database that contains customer information could be construed as suspicious activity.
A connection to a mail server that exceeds the normal connection time could be construed as suspicious activity.
Any direct connection to your mail server from a system that is not a mail server could be construed as suspicious activity.
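The three suspicious-activity patterns above can be expressed as simple checks over flow records. This is an added example written for this page, not Koiossian's or sýnesis™ code; the flow records, addresses, server roles, contractor address block, thresholds and baseline durations are all constructed assumptions.

```python
from statistics import mean, pstdev
from collections import Counter

# Constructed sample flow records (a NetFlow-style subset of fields):
# (src_ip, dst_ip, dst_port, duration_seconds). All addresses are made up.
DB_SERVERS = {"10.0.0.50"}          # assumed customer-data database server
MAIL_SERVERS = {"10.0.0.25"}        # assumed corporate mail server
CONTRACTOR_NET = "10.20.5."         # assumed offshore contractor address block

FLOWS = (
    # 25 short sessions from one contractor host to the customer database
    [("10.20.5.17", "10.0.0.50", 1433, 1.5) for _ in range(25)]
    # normal internal users: a single DB session each
    + [("10.1.0.%d" % i, "10.0.0.50", 1433, 2.0) for i in range(3)]
    # mail client sessions on the submission port; one runs far too long
    + [("10.1.0.8", "10.0.0.25", 587, 4.0), ("10.1.0.9", "10.0.0.25", 587, 1900.0)]
    # server-to-server SMTP (port 25) coming from a workstation, not a mail server
    + [("10.1.0.42", "10.0.0.25", 25, 0.8)]
)
# Assumed historical mail-session durations: the "normal connection time" baseline
MAIL_BASELINE = [3.0, 5.0, 4.5, 6.0, 2.5, 8.0, 4.0, 5.5]

def contractor_db_bursts(flows, threshold=20):
    """Contractor sources with more than `threshold` connections to a DB server."""
    counts = Counter(f[0] for f in flows
                     if f[0].startswith(CONTRACTOR_NET) and f[1] in DB_SERVERS)
    return {src: n for src, n in counts.items() if n > threshold}

def long_mail_sessions(flows, baseline=MAIL_BASELINE, sigma=3.0):
    """Flows to a mail server lasting longer than mean + sigma*stdev of the baseline."""
    limit = mean(baseline) + sigma * pstdev(baseline)
    return [f for f in flows if f[1] in MAIL_SERVERS and f[3] > limit]

def direct_smtp_from_non_mail_hosts(flows):
    """Port-25 flows to a mail server from a host that is not itself a mail server."""
    return [f for f in flows
            if f[1] in MAIL_SERVERS and f[2] == 25 and f[0] not in MAIL_SERVERS]

def run_checks(flows):
    """Run all three heuristics and return the hits per check."""
    return {
        "db_bursts": contractor_db_bursts(flows),
        "long_mail": long_mail_sessions(flows),
        "direct_smtp": direct_smtp_from_non_mail_hosts(flows),
    }

if __name__ == "__main__":
    for name, hits in run_checks(FLOWS).items():
        print(name, hits)
```

Each check produces one hit on the sample data; in practice the thresholds and the mail baseline would be learned from the organisation's own flow history rather than fixed by hand.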