Check out all of our upcoming events


Latest cybersecurity news, insights and commentary by Telesoft engineers and specialists

Discover More: Maximising the value of Flow Data for the SOC

Written by Sarah Chandley on Friday, 22 March 2019. Posted in Cyber

Security analytics and network visibility tools used by defenders collect as much useful data as possible to improve anomaly detection accuracy. This gives defenders proactive network security monitoring and alerting for attempted cyber-attacks or incidents that are in progress.

To achieve the level of granularity needed at carrier scale where the network is more complex and distributed than ever before is difficult. Some of that complexity and resulting overhead can be removed by pre-processing the massive volume of collected data, unifying information from different sources, normalising formatting to simplify the next stage of collection, processing and analysis. It’s important to point out that doesn’t mean removing any data or dropping anything that may be of value but rather streamlining the dataset in to more manageable and easily digestible chunks.

Bringing together data from disparate network infrastructure is key to building a complete picture of network activity, this should include syslog, firewall logs and metrics from NetFlow, IPFIX and other infrastructure and application platforms, often collected via probes and sensors. Once consolidated the data can be enriched and tagged with meta-data based on infrastructure type, end point classification, service type, application type, threat intelligence, IoT classification, Geo IP and ASN.

Data tagging allows downstream analysis tools to rapidly operate on managed objects such as logical subnets, application type or other classification, reducing processing overhead and giving users  enhanced rapid navigation by, for example, geographical location, region, or other useful location information such as organisation or ISP based on IP addresses. Enrichment is an important part of the pre-processing process as this data can be used for both immediate threat response and forensic investigations.

Example flow data enrichment process

Once unified and enriched, the data is ready to be exported to one or more collection and analysis tools. Outputs are designated, streams aggregated to ease bottlenecks and congestion, and data routed to where and when you want.

A common point of normalisation, aggregation and enrichment can reduce costs and pressure on downstream tools like SIEM’s, data lakes and analysis. Enrichment improves network visibility, security, and response across all tools and helps security operations teams gain real-time situational awareness of all traffic on the network, in the data centre, and in the cloud, so they can quickly and effectively respond to anomalies and threats.

Why is this important? It’s because attackers are more sophisticated, agile, and organised than ever before, so maximising the value of the data you already own across all tools increases visibility into any hallmark of suspicious behaviour on the network. It’s critical for defence against attacks.

Talk to us about Telesoft FlowStash and TDAC - Discover more from data you already own.

About the Author

Sarah Chandley

Sarah Chandley

Sarah is an experienced B2B technology marketing professional, creating content for the Cyber Security, Telco and Government Infrastructure sectors. 

Information cookies

Cookies are short reports that are sent and stored on the hard drive of the user's computer through your browser when it connects to a web. Cookies can be used to collect and store user data while connected to provide you the requested services and sometimes tend not to keep. Cookies can be themselves or others.

There are several types of cookies:

  • Technical cookies that facilitate user navigation and use of the various options or services offered by the web as identify the session, allow access to certain areas, facilitate orders, purchases, filling out forms, registration, security, facilitating functionalities (videos, social networks, etc..).
  • Customization cookies that allow users to access services according to their preferences (language, browser, configuration, etc..).
  • Analytical cookies which allow anonymous analysis of the behavior of web users and allow to measure user activity and develop navigation profiles in order to improve the websites.

So when you access our website, in compliance with Article 22 of Law 34/2002 of the Information Society Services, in the analytical cookies treatment, we have requested your consent to their use. All of this is to improve our services. We use Google Analytics to collect anonymous statistical information such as the number of visitors to our site. Cookies added by Google Analytics are governed by the privacy policies of Google Analytics. If you want you can disable cookies from Google Analytics.

However, please note that you can enable or disable cookies by following the instructions of your browser.