It Began in the South
For the last decade, network security surveillance has been largely focused on Internet ingress. These southbound communications monitor for a wide range of security events including spam, spear phishing, DDoS, SQL injection and buffer overflows.
Pivoting North
Over the last couple years, data from the likes of Verizon, Symantec Research, Gartner and Mandiant have revealed a need to monitor Internet egress as well. The northbound communications are checked for connections to botnet command-and-control servers, data loss and policy violations.
Looking Laterally
While monitoring northbound and southbound traffic has moved into “best practice territory,” monitoring lateral communications remains neglected in many organizations. When ingress/egress monitoring reveals a security event, the next investigative step should be to determine the impact of the breach.
Using NetFlow
The challenge with monitoring subnet-to-subnet traffic in a global enterprise has been deploying a sufficient number of surveillance probes. Network logging technologies like NetFlow and IPFIX simplify probe deployment by using the existing routing and switching infrastructure to convert network interfaces into probes. NetFlow has negligible impact on bandwidth and performance and delivers pervasive communication logging down to the access layer.
Beron’s Folly
As an example of where east/west monitoring can expand upon the sketch that northbound monitoring provides, let’s examine a data loss event.
Below we can see a possible data loss condition where an abnormal amount of data left the network from Beron’s machine. This is detected by monitoring northbound traffic. In this example, NetFlow records were used to detect the security event, but other egress monitoring solutions could have detected it as well.
Taking a closer look at the flow records, it can be determined that a database dump was uploaded to an FTP server in Eastern Europe.
While all of these markers could be detected at northbound points, the next part of the investigation requires a lateral view. Beron’s machine is a Windows desktop in Chicago. Investigators need to determine where Beron got the SQL dump data. By examining the east/west communications through NetFlow logging, it can be easily revealed that Beron was dumping data from the business-critical database server in Chicago ahead of the disclosure.
The timestamps on both the northbound conversations and the lateral communications allow for a quick picture of the events surrounding the breach.
Wrap Up
While northbound (egress) monitoring is a necessary component in catching advanced threats, it is only one piece of effective network surveillance. To determine the impact of a breach and to create an accurate timeline, lateral (east/west) monitoring is also a critical component. NetFlow monitoring can provide a cost-effective means of cataloging this intelligence. For more information on how Lancope leverages NetFlow to detect data loss and other security issues, go to: http://www.lancope.com/solutions/security-threats/.
