Published on August 3rd, 2016 | by Tony Thompson
3 Reasons You Should Break Up With NetFlow and Get With HDRs
It’s no secret that breaches today are a lot stealthier and a lot more difficult to detect, sneaking onto your network and hiding in the normal flow of network communications. Preventative security tools won’t stop a breach from getting onto your network, but new methods of network visibility can stop them from doing a lot of damage.
High-Definition Records (HDRs) are SS8 BreachDetect’s answer to most of today’s enterprises’ lack of total network visibility. As both networks and attacks on those networks have become more sophisticated, you simply can’t rely on basic flow information from NetFlow or its equivalents to tell you whether or not your network has been breached.
Here are 3 reasons you should ditch NetFlow in favor of HDRs:
- HDRs offer an unprecedented level of detail about network sessions because they represent more than what you see with NetFlow.
HDRs improve on basic network and flow statistics by adding an application metadata layer that greatly increases an enterprise’s visibility into network traffic. NetFlow can’t distinguish between multiple transactions such as those in a single email session, and at best will just provide a summary of the entire flow. This means you miss out on valuable information that HDRs generate, such as To, Cc, From, and Subject fields, as well as information about any potential malicious attachments.
- HDRs can also be used to detect and report obfuscated protocols, like Tor.
Tor is designed to be difficult to detect on a network. HDRs are enriched with application metadata, even for difficult-to-detect protocols. Combined with flow statistics such as byte counts, it is possible to determine how much data is entering or exiting a network, so large amounts of outbound Tor traffic could indicate that the protocol is being used as a data transport to exfiltrate confidential files.
- Beyond what’s discoverable from the flow itself, HDRs are also enriched with user, device and host identity, as well as geolocation.
Because IP addresses are often dynamically assigned, identity mapping makes it possible to associate a network session with a specific user and device to follow that user’s activity. And the ability to identify connections to IP addresses in countries not ordinarily found in the network may warrant attention, especially if the protocol classified by the HDR is suspicious.
Learn more about how HDRs can help you take the guesswork out of hunting for breaches.