Flowmon Anomaly Detection System

Traditional security tools, often signature based, can be very effective in defending against specific, known threats, but many focus exclusively on North/South network traffic, the flows that cross the perimeter.

Thoughtfully deployed, they can reduce, even eliminate, a threat vector and shrink the attack surface. However small, the residual attack surface, in particular the zero-day element, remains a significant risk, and a successful attacker will use it and then rely on East/West (lateral) movement inside the network. With time on their side they will exfiltrate data in small, slow stages, each of which looks unremarkable on its own.

NetOps have long used monitoring tools to examine network traffic, while in another silo far away SecOps rely on specialist security tools. Network data has been a problem for SecOps because there is so much of it, even though almost every compromise leaves a trace in network flow: the difficulty is finding the offending needle in that giant haystack. The challenge has only grown as networks become hybrid, spanning on-premise, cloud and the network edge.

Flowmon Anomaly Detection System (ADS) tackles this head on. With strategically sited network probes collecting data and the Flowmon Monitoring Centre analysing it, ADS uses a range of techniques, including signatures, AI and ML, to identify and rank information of interest. The most scalable way of monitoring traffic relies on flow records rather than packets. Basic NetFlow describes each conversation at layers 3 and 4 (addresses, ports, protocol, byte and packet counts); Flowmon instead exports IPFIX, the IETF-standardised successor to NetFlow v9 that is often referred to as NetFlow v10, whose extensible templates can also carry application-layer metadata (for example HTTP host names or DNS query names), giving visibility up to layer 7.

IPFIX is central to this solution's scalability and avoids the problems associated with full packet capture (storage and processing cost) and SNMP (interface counters only, with no per-conversation detail). Flowmon are confident that 100 per cent of flows will be captured on a 100GbE network when the probe is fed from a TAP or SPAN port. The practitioner's caveat is that a SPAN port can silently drop packets when it is oversubscribed, so a TAP is the safer source if that completeness claim matters to you.

Access to ADS is browser based and a configuration wizard gets it up and running in about 30 minutes. It naturally takes time for flows to be gathered and a behavioural baseline to form, but we could soon see events over time ranked by severity (critical, high, medium, low), which helps analysts prioritise their valuable time.

The dashboard can be customised using standard (e.g. top ten events) and custom widgets to create a view that suits a role and its objectives. A combination of tabs displaying graphical and tabular data, filters and drill-down allows rapid navigation to the underlying flow data, so event visualisation and its supporting evidence are never far apart.

Some organisations will worry about encrypted traffic, which Flowmon suggest can be as high as 85 per cent of what crosses a network. Because ADS observes network behaviour rather than payload, an unusual event involving encrypted traffic, such as a host suddenly uploading far more than it ever has, can be alerted on without examining the content: exfiltration is exfiltration, whether or not it is wrapped in TLS.
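To make the behavioural idea concrete, here is an added example (not Flowmon's code, and not part of the original review) of two simple detectors run over IPFIX-style flow records: one flags a host whose daily egress volume departs from its own baseline, the other flags the "small, slow stages" case from earlier in the piece, a persistent, upload-only relationship with a single external endpoint whose daily volume never leaves the baseline. Neither detector reads a byte of payload, so encrypted traffic is handled exactly like clear text. The internal address ranges, thresholds and the eight days of flow records are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address space we treat as "inside"; anything else is external (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """The handful of IPFIX fields the detectors need (no payload anywhere)."""
    day: int          # observation day, stands in for flowStartMilliseconds
    src: str          # sourceIPv4Address
    dst: str          # destinationIPv4Address
    dport: int        # destinationTransportPort
    bytes_out: int    # octets src -> dst
    bytes_in: int     # octets dst -> src (reverse direction of a biflow)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_flows(flows):
    """Only inside -> outside flows matter for exfiltration."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def volume_anomalies(flows, baseline_days, today, k=3.0):
    """Detector 1: a host's daily egress volume far above its own baseline.

    Returns {host: z_score} for hosts whose egress on `today` exceeds the
    mean of their baseline days by more than k standard deviations.
    """
    daily = defaultdict(int)
    for f in egress_flows(flows):
        daily[(f.src, f.day)] += f.bytes_out
    hosts = {host for host, _ in daily}
    alerts = {}
    for host in sorted(hosts):
        history = [daily.get((host, d), 0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        # floor sigma so a perfectly flat baseline cannot divide by zero
        z = (daily.get((host, today), 0) - mu) / max(sigma, 1.0)
        if z > k:
            alerts[host] = round(z, 1)
    return alerts


def low_and_slow(flows, min_days=5, upload_ratio=0.9):
    """Detector 2: persistent, upload-only relationship with one external endpoint.

    A host that talks to the same external dst:port on many days and sends far
    more than it receives looks like staged exfiltration even when its daily
    volume stays inside the baseline. Returns a sorted list of
    (src, dst, dport, days_seen, bytes_out).
    """
    seen_days = defaultdict(set)
    out = defaultdict(int)
    inn = defaultdict(int)
    for f in egress_flows(flows):
        key = (f.src, f.dst, f.dport)
        seen_days[key].add(f.day)
        out[key] += f.bytes_out
        inn[key] += f.bytes_in
    hits = []
    for key, days in seen_days.items():
        total = out[key] + inn[key]
        if len(days) >= min_days and total and out[key] / total >= upload_ratio:
            hits.append((*key, len(days), out[key]))
    return sorted(hits)


def build_sample_flows():
    """Constructed flow records for eight days (not real traffic)."""
    flows = []
    for day in range(1, 9):
        for host in ("10.0.0.5", "10.0.0.9"):
            # ordinary browsing: small uploads, large downloads, volume drifts a little
            flows.append(Flow(day, host, "93.184.216.34", 443, 1_000_000 + day * 10_000, 40_000_000))
            # internal file-server traffic, ignored by both detectors
            flows.append(Flow(day, host, "10.0.0.50", 445, 200_000_000, 50_000_000))
        # 10.0.0.9 pushes ~4 MB to the same external host every single day
        flows.append(Flow(day, "10.0.0.9", "198.51.100.20", 443, 4_000_000, 10_000))
    # on day 8, 10.0.0.5 uploads 900 MB in one go
    flows.append(Flow(8, "10.0.0.5", "203.0.113.7", 443, 900_000_000, 20_000))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("volume anomalies:", volume_anomalies(SAMPLE_FLOWS, range(1, 8), today=8))
    print("low and slow:", low_and_slow(SAMPLE_FLOWS))
```

On the sample data the volume detector fires only for 10.0.0.5 on day 8, while 10.0.0.9 sails through it with a z-score of 2 because its 4 MB a day has been part of its baseline all along; it is the second detector, keyed on persistence and direction rather than volume, that catches it. That is the point of the paragraph above: the signal is in who talks to whom, how often and in which direction, none of which encryption hides.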

Use of the Flowmon suite, and ADS specifically, can be tailored to suit team structure, network and security focus, and operational objectives, so that alerting stays relevant to the traffic each team actually cares about. NetOps and SecOps can carry out their work from a consolidated tool and common data: it might just break down another unhelpful silo.

Flowmon does not claim to replace traditional security measures such as NAC, firewalls or SIEM. For those with a SIEM investment, the open API lets ADS pass it processed, ranked events rather than raw flow, so the SIEM has less to work through. ADS does not itself shrink the attack surface; its contribution is to shorten the time an attacker can operate unnoticed, that is, to reduce threat actor dwell time in the network.

The contemporary, constantly changing, mission-critical network cannot be run without effective monitoring and security that offers 100 per cent visibility of every connection, at any time, along with a continually updated baseline. ADS enables organisations to regain real-time control of their network and to identify information of interest through behavioural patterns, while they travel through the constant and challenging process of digital transformation. NC

Product: Flowmon ADS
Supplier: Flowmon
Web site: www.flowmon.com
Email: tim.jones@flowmon.com
Telephone: 0203 858 6868
Price: Starting from £10K