Posts tagged Flowmon
Flowmon Anomaly Detection System - Network Detection and Response

Today, the increase in cyber-security attacks and the risk they bring is top of mind for many IT professionals. As such, full consideration needs to be given to the protections that should be in place to best mitigate this risk.

Flowmon positions its Anomaly Detection System (ADS) module at the core of these efforts, ensuring that threats can be detected and responded to as early and quickly as possible.

When speaking to Flowmon, they highlighted the Security Visibility Triad, a framework used by Gartner and others to help examine the three key areas that should be in place to ensure you have true security visibility. The Security Visibility Triad talks about the importance of 1. SIEM and UEBA, 2. Network Detection and Response, and 3. Endpoint Detection and Response. Flowmon focuses its efforts on the Network Detection and Response area of this triad.

Security Visibility Triad

Flowmon ADS is a module for the Flowmon product set that is most commonly utilised for network visibility and troubleshooting. Because of this, the ADS module fully leverages the network architecture of Flowmon to collect its data from the network. Furthermore, it utilises network flows, enhanced with layer 7 application data provided by its probes for a unique view of what is going on within the network. You can read more about Flowmon in my previous blog.

Flowmon NDR

Flowmon ADS does not rely on legacy signature-based approaches to detect the anomalies within the captured flows. Instead, it uses machine learning for wide-ranging detection, including zero-day threats.

Typical anomalies detected and alerted upon by Flowmon include:

  • Attacks

    • Port scanning, Dictionary attacks, DoS/DDoS, Telnet

  • Traffic Anomalies

    • DNS, DHCP, ICMP, Multicast

  • Internal Security

    • Viruses, Malware, Ransomware, Botnets

  • Unwanted Applications

    • P2P Networks, Instant Messaging, Anonymisation Services

  • Device Behaviour

    • Change of device behaviour profile

  • Operational Problems

    • Delays, Excessive load, Unresponsive services, Broken updates
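To make the "Attacks" category above concrete, here is an added example (my own illustration, not Flowmon code) of how two of those anomalies, port scanning and dictionary attacks, show up in the kind of fields a NetFlow/IPFIX collector exports. The flow records, addresses and thresholds are all constructed and assumed; a real ADS learns its baselines rather than using fixed numbers like these.

```python
"""Flow-based anomaly detection over constructed flow records.

Added example, not Flowmon code. Demonstrates how port scans and
dictionary attacks look in flow data (per-flow packet/byte counts,
destination ports, TCP flags) rather than in packet payloads.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int
    tcp_flags: str  # flags seen across the flow, e.g. "S" (SYN only) or "SPA"


# Constructed sample flows (not real traffic): normal browsing, one host
# probing many ports with SYN-only flows, one host hammering SSH with many
# short sessions, and a legitimate long-lived admin SSH session.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443, "tcp", 40, 25000, "SPA"),
    Flow("10.0.0.5", "93.184.216.34", 80, "tcp", 12, 6000, "SPA"),
    *[Flow("10.0.0.9", "10.0.0.20", p, "tcp", 1, 60, "S") for p in range(1, 41)],
    *[Flow("10.0.0.7", "10.0.0.30", 22, "tcp", 8, 900, "SPA") for _ in range(30)],
    Flow("10.0.0.8", "10.0.0.30", 22, "tcp", 1200, 300000, "SPA"),
]

# Assumed thresholds for the illustration only.
SCAN_MIN_PORTS = 20       # distinct destination ports per (src, dst) pair
SCAN_MAX_PACKETS = 2      # a probe that never completes carries 1-2 packets
DICT_MIN_SESSIONS = 10    # short sessions to one authentication port
DICT_MAX_PACKETS = 20     # a real interactive login session carries far more
AUTH_PORTS = {21, 22, 23, 3389}


def detect_port_scans(flows):
    """Return {(src, dst): distinct_ports} for pairs that look like a scan."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.packets <= SCAN_MAX_PACKETS:
            ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= SCAN_MIN_PORTS}


def detect_dictionary_attacks(flows):
    """Return {(src, dst, port): sessions} for repeated short auth sessions."""
    sessions = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dport in AUTH_PORTS and f.packets <= DICT_MAX_PACKETS:
            sessions[(f.src, f.dst, f.dport)] += 1
    return {k: n for k, n in sessions.items() if n >= DICT_MIN_SESSIONS}


def summarise(flows):
    """Alerts in the shape an analyst wants: type, source, affected resource, evidence."""
    alerts = []
    for (src, dst), n in detect_port_scans(flows).items():
        alerts.append(("port_scan", src, dst, f"{n} distinct ports probed"))
    for (src, dst, port), n in detect_dictionary_attacks(flows).items():
        alerts.append(("dictionary_attack", src, f"{dst}:{port}", f"{n} short sessions"))
    return alerts


if __name__ == "__main__":
    for alert in summarise(SAMPLE_FLOWS):
        print(alert)
```

The point of the example is that neither detection needs a signature: the scanner is identified purely by the spread of destination ports in tiny flows, and the brute-force client by the count of short sessions to an authentication port, while the legitimate admin session (one long, heavy flow) is left alone.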

Whilst how Flowmon detects the anomalies and the breadth of what it is able to detect is truly impressive, the biggest stand-out area for me was how the product allows this information to be used.

Many security products, such as NDR and SIEM solutions, can be very good at collecting data, but in reality they simply overload an already overworked administrator with information they can’t use. This is where Flowmon ADS is different.

Flowmon ADS not only separates the threats from the noise using machine learning but also performs true root cause analysis. This allows administrators to quickly understand the type of threat, the source, the affected resources and the recommended actions.

With many sources speaking about the amount of time a threat actor may be within your network prior to detection, it is important that IT teams have the right tools to understand exactly what is happening across their network. For me, this is where Flowmon comes in, giving true visibility to Security Operations (SecOps) teams and others in IT to ensure that any threats are quickly and easily neutralised.

For more information about Flowmon ADS and how it can help with Network Detection and Response, please check out their website.

Below you can see my doodle covering the subject.

Disclaimer: Tech Doodles through Tech Crossing Limited has been paid by Progress to create content covering the Flowmon product set. Whilst Tech Crossing Limited and the authors of this blog post have been paid to create the content, there has been no influence or editorial control by Progress.


Flowmon Overview - Network Performance Monitoring and Diagnostics

I have recently been doing some work with Flowmon to further understand Flowmon’s Network Performance Monitoring and Diagnostics (NPMD) functionality. Below you can see my doodle covering the technology.

In brief, Flowmon, now part of Progress following the Kemp acquisition, gives network operators visibility and insight into network performance and issues. It does this by enriching flow data with layer 7 application data, giving enhanced network insight without the overheads of full packet capture. Critical to this is the Flowmon collector appliance, which can receive data as NetFlow, IPFIX or other standard flow formats such as sFlow, jFlow or NetStream.

Flowmon Architecture

With this collected data, Flowmon provides:

  • Autonomous investigation of the root cause of operational issues

  • In-built expert knowledge of network error codes with remedial action

  • Reduced and simplified toolset, allowing delegation of network monitoring and troubleshooting

  • Reduction of network diagnostic noise, allowing problems to be resolved quickly and easily

I was able to see some of the use cases in action, including an administrator diagnosing slow internet performance reported by users. Using the Flowmon toolset, the problem was tracked down within a few steps. The root cause, diagnosed through Flowmon, was an incorrect client configuration resulting in increased network traffic: Windows updates were being pulled down directly from the internet rather than from the local WSUS server. Without Flowmon, this may have taken network admins and other teams many hours to diagnose and resolve.
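To show what that diagnosis looks like in data, here is an added example (my own illustration, not Flowmon code) that walks the same use case over flow records enriched with the HTTP Host header a layer 7 probe would add. The WSUS address, the internal address ranges, the host-name hints and every flow are constructed assumptions.

```python
"""Root-cause triage from L7-enriched flow records.

Added example, not Flowmon code. Finds clients that pull Windows updates
straight from the internet instead of from the local WSUS server, using
per-flow byte counts plus the HTTP Host header supplied by a probe.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class EnrichedFlow(NamedTuple):
    src: str
    dst: str
    dport: int
    nbytes: int
    http_host: str  # layer 7 enrichment from a probe; "" when none was observed


# Assumptions for the illustration: where WSUS lives, which address space is
# "inside", and which host-name fragments identify update CDNs.
WSUS_SERVER = "10.0.1.10"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
UPDATE_HOST_HINTS = ("windowsupdate", "update.microsoft")

# Constructed sample flows (not real traffic): one well-behaved client and
# two clients fetching updates directly from the internet.
SAMPLE = [
    EnrichedFlow("10.0.5.21", WSUS_SERVER, 8530, 180_000_000, "wsus.corp.example"),
    EnrichedFlow("10.0.5.21", "93.184.216.34", 443, 2_000_000, "www.example.com"),
    EnrichedFlow("10.0.5.22", "203.0.113.40", 443, 410_000_000, "dl.windowsupdate.example"),
    EnrichedFlow("10.0.5.22", "203.0.113.41", 80, 95_000_000, "update.microsoft.example"),
    EnrichedFlow("10.0.5.22", WSUS_SERVER, 8530, 1_000_000, "wsus.corp.example"),
    EnrichedFlow("10.0.5.23", "203.0.113.40", 443, 60_000_000, "dl.windowsupdate.example"),
]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_update_traffic(flow):
    """Update traffic is anything to WSUS or to a host matching an update CDN hint."""
    host = flow.http_host.lower()
    return flow.dst == WSUS_SERVER or any(h in host for h in UPDATE_HOST_HINTS)


def update_bytes_by_client(flows):
    """Return {client: {"wsus": bytes, "internet": bytes}} for update-related flows."""
    totals = defaultdict(lambda: {"wsus": 0, "internet": 0})
    for f in flows:
        if not is_update_traffic(f):
            continue
        if f.dst == WSUS_SERVER:
            totals[f.src]["wsus"] += f.nbytes
        elif is_external(f.dst):
            totals[f.src]["internet"] += f.nbytes
    return dict(totals)


def misconfigured_clients(flows, min_internet_bytes=10_000_000):
    """Clients pulling more update bytes from the internet than from WSUS, largest first."""
    out = []
    for client, t in update_bytes_by_client(flows).items():
        if t["internet"] >= min_internet_bytes and t["internet"] > t["wsus"]:
            out.append((client, t["internet"]))
    return sorted(out, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for client, volume in misconfigured_clients(SAMPLE):
        print(f"{client}: {volume / 1e6:.0f} MB of updates fetched from the internet")
```

Without the Host header the flows to the update CDN would just be "large HTTPS downloads to the internet"; the layer 7 enrichment is what turns a bandwidth observation into a specific configuration finding that can be handed to the desktop team.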

I was really impressed by what I saw of Flowmon. Without tools like this, troubleshooting user issues is often a difficult task, with admins trying to work out where the problem lies between the applications, the network and the user. Flowmon gives network admins the tools they need, not only to resolve problems quickly but to be proactive in their troubleshooting.

You can find out more about Flowmon here.

Disclaimer: Tech Doodles through Tech Crossing Limited has been paid by Progress to create content covering the Flowmon product set. Whilst Tech Crossing Limited and the authors of this blog post have been paid to create the content, there has been no influence or editorial control by Progress.