
Threat Hunting and Network Monitoring with NetFlow at Scale

Written by Sarah Chandley on Friday, 14 June 2019. Posted in Cyber

As 5G is rolled out globally, mobile carriers will benefit from significant revenue opportunities driven by growth in the mobile market, from better customer service to new 5G-enabled business models. However, the industry also recognises that 5G will dramatically raise the stakes for those who are tasked with ensuring the security and reliability of these networks. A recent report by the Business Performance Innovation (BPI) Network highlighted that 5G is driving current security investment in core network security products and DDoS protection.

Carriers overwhelmingly understand the importance of upgrading to and integrating scalable security solutions, because recent increases in traffic rates and connected devices have significantly expanded the attack surface available to cyber criminals. The foundation of an effective network security strategy at this scale is visibility, but the perspective of a defender looking at a network hauling petabytes of traffic is very different from that of someone with, for example, 1Gbps of traffic to process. Adding another layer of complexity at carrier scale, the network will typically be split across multiple global locations, be a combination of core and edge networks, and contain both legacy and new equipment.

Network visibility at this level requires a hardware solution that can be deployed at multi-100Gbps and can scale as the network expands. Flow analysis tools such as NetFlow probes and sensors are the most commonly deployed network security monitoring solutions; initially developed for enterprise security, they also sometimes find their way into telecommunication, ISP and carrier networks. However, probes designed for enterprise traffic rates are not fit for purpose at that scale: they cannot keep up with the volume of traffic, and a probe that drops packets or flows under load produces incomplete, and therefore inaccurate, flow monitoring.

See also: the Talos/Cisco technical breakdown of a recent IoT botnet attack, VPNFilter.

Alternatives include deep packet inspection, which examines payloads and therefore creates bottlenecks and demands massive processing power, and active monitoring, which as the name implies injects synthetic traffic and so adds unnecessary load to the network. Flow analysis sits between these: a flow record summarises a conversation (addresses, ports, protocol, byte and packet counts, timing) without carrying the payload, so it is cheap to export, transport and store. The biggest practical advantage is that the routers and switches in a carrier's core network almost certainly support NetFlow or IPFIX export already, which makes configuration much easier. One caveat: at carrier rates most exporters sample packets (for example 1 in 1,000), so flow counters must be scaled by the sampling rate and short-lived flows may be missed entirely.

Visibility attained via flow data, which could include NetFlow, IPFIX, J-Flow, sFlow or NetStream, is ideal for extracting the key information that is critical to the daily functions and long-term security strategy of a Network Operations Centre (NOC) and/or a Security Operations Centre (SOC) team. Network visibility allows defenders to answer questions like:

  • Who or what is monopolising bandwidth and slowing down the network?
  • How can we spot botnets, APTs, zero-day malware and other threats if they bypass perimeter defences?
  • How can we identify and track which IPs and countries the network is exchanging data with?
  • How can we detect tunnelled traffic and gain visibility into encapsulated traffic that may be carrying threats?
  • How can we troubleshoot in real time to ensure availability and improve user experience?
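As an added illustration of how the questions above are answered from flow data alone (this is example code written for this page, not Telesoft's or any probe vendor's software), the block below parses a NetFlow v5 export datagram with the standard library, applies the exporter's sampling rate to the counters, and then derives top talkers, external peers and flows that indicate encapsulation. The internal prefixes, the tunnel indicator tables and the five flow records are constructed for the example; the record and header layouts are the published NetFlow v5 format.

```python
"""Parse a NetFlow v5 export datagram and answer basic visibility questions from it."""
import struct
import ipaddress
from collections import Counter

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
HDR_FMT = "!HHIIIIBBH"
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes).
REC_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HDR_LEN = struct.calcsize(HDR_FMT)
REC_LEN = struct.calcsize(REC_FMT)

# Assumed "inside" address space of the monitored network (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# IP protocols and UDP ports that carry other traffic inside them.
TUNNEL_PROTOS = {4: "IP-in-IP", 41: "6in4", 47: "GRE"}
TUNNEL_UDP_PORTS = {1701: "L2TP", 4500: "IPsec NAT-T", 4789: "VXLAN"}


def parse_v5(datagram):
    """Return (header, flows); byte and packet counts are scaled by the sampling rate."""
    if len(datagram) < HDR_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = struct.unpack(
        HDR_FMT, datagram[:HDR_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HDR_LEN + count * REC_LEN:
        raise ValueError("record count does not match datagram length")
    # Top two bits of sampling_interval are the mode, low 14 bits the 1-in-N interval.
    # A sampling exporter under-reports by a factor of N, so scale counters back up.
    interval = sampling & 0x3FFF
    scale = interval if (sampling >> 14) and interval else 1
    header = {"count": count, "flow_sequence": seq, "sampling_scale": scale}
    flows = []
    for i in range(count):
        off = HDR_LEN + i * REC_LEN
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = struct.unpack(
            REC_FMT, datagram[off:off + REC_LEN])
        flows.append({"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto, "tcp_flags": tcp_flags,
                      "pkts": pkts * scale, "bytes": octets * scale})
    return header, flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def top_talkers(flows, n=3):
    """Who is monopolising bandwidth: bytes sent, per source address."""
    sent = Counter()
    for f in flows:
        sent[f["src"]] += f["bytes"]
    return sent.most_common(n)


def external_peers(flows):
    """Which outside addresses the network exchanges data with, and how many bytes."""
    peers = Counter()
    for f in flows:
        for addr in (f["src"], f["dst"]):
            if not is_internal(addr):
                peers[addr] += f["bytes"]
    return peers


def tunnelled(flows):
    """Flows whose protocol or port indicates encapsulated traffic the probe cannot see inside."""
    hits = []
    for f in flows:
        kind = TUNNEL_PROTOS.get(f["proto"])
        if kind is None and f["proto"] == 17:
            kind = TUNNEL_UDP_PORTS.get(f["dport"]) or TUNNEL_UDP_PORTS.get(f["sport"])
        if kind:
            hits.append((f["src"], f["dst"], kind, f["bytes"]))
    return hits


def _rec(src, dst, sport, dport, proto, pkts, octets, flags=0):
    """Build one constructed v5 record (nexthop/AS/timing fields are placeholders)."""
    return struct.pack(REC_FMT, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                       0, 1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample export: 1-in-100 packet sampling (mode 1 in the top bits).
SAMPLE_RECORDS = [
    _rec("10.1.2.3", "203.0.113.10", 51000, 443, 6, 40, 30000, 0x18),
    _rec("10.1.2.3", "198.51.100.7", 51001, 80, 6, 200, 250000, 0x18),
    _rec("198.51.100.7", "10.1.2.3", 80, 51001, 6, 400, 5000000, 0x18),
    _rec("10.9.9.9", "203.0.113.50", 0, 0, 47, 100, 120000),          # GRE
    _rec("192.168.5.5", "203.0.113.60", 40000, 4789, 17, 30, 45000),  # VXLAN over UDP
]
SAMPLE_DATAGRAM = struct.pack(HDR_FMT, 5, len(SAMPLE_RECORDS), 123456, 1560470400, 0, 1, 0, 0,
                              (1 << 14) | 100) + b"".join(SAMPLE_RECORDS)

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_DATAGRAM)
    print("sampling scale:", hdr["sampling_scale"])
    print("top talkers:", top_talkers(flows))
    print("external peers:", external_peers(flows).most_common())
    print("tunnelled:", tunnelled(flows))
```

In practice the datagram would arrive over UDP from the exporter, and the sampled counters matter: without scaling, the 5 MB download in the sample would be reported as 5 MB when the exporter actually saw roughly 500 MB.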

This type of granularity and behavioural analysis makes it possible to hunt for threats. At scale this is difficult, not only because of the sheer volume of data to search but also because of the need to categorise and identify the types of threat that are actually a risk to your network. Typically a carrier network defender will not be interested in credential stuffing, for instance, because that threat is specific to web application security, so that attack vector matters more to a SecOps team within a Content Delivery Network (CDN). For a carrier, DDoS and state-sponsored IoT botnets like the recent VPNFilter constitute major threats. Specific alarms or events provided by flow monitoring and metadata security enrichment enable threat hunters to visualise, analyse and investigate contextual data relating to every transaction and network conversation, which means that these types of attack can be caught before they cause irreparable damage.

Telesoft offers a number of cyber security products for network visibility and cyber threat hunting; talk to us about our 200G and 400G FlowProbes and our carrier-scale NetFlow broker, the FlowStash.

About the Author

Sarah Chandley

Sarah is an experienced B2B technology marketing professional, creating content for the Cyber Security, Telco and Government Infrastructure sectors. 
