Welcome to our next mini course. This time we will talk about our new service -
Here, let's make a small digression. I'm sure the thought has already flashed through many readers' minds: "How is this different from
What a network administrator can check with this audit:
- Network traffic analytics - what channels are loaded with, what protocols are used, which servers or users consume the largest amount of traffic.
- Network delays and losses - the average response time of your services, the presence of losses on all your channels (the ability to find a bottleneck).
- User traffic analytics - comprehensive analysis of user traffic: traffic volumes, applications used, problems in working with corporate services.
- Application evaluation - identifying the cause of problems in the operation of corporate applications (network delays, response time of services, databases, applications).
- SLA monitoring - automatically detects and reports critical delays and losses when using your public web applications based on real traffic.
- Search for network anomalies - DNS/DHCP spoofing, loops, fake DHCP servers, anomalous DNS/SMTP traffic and more.
- Configuration issues - detection of illegitimate traffic of users or servers, which may indicate incorrect settings of switches or firewalls.
- Comprehensive report - a detailed report on the state of your IT infrastructure that allows you to plan work or purchase additional equipment.
What can an information security specialist check:
- Malware activity - detects malicious traffic within the network, including unknown (0-day) malware, based on behavioral analysis.
- Ransomware spread - detection of ransomware even when it spreads between neighboring computers without leaving its network segment.
- Anomalous activity - abnormal traffic of users, servers and applications, ICMP/DNS tunneling; identification of real or potential threats.
- Network attacks - port scanning, brute-force attacks, DoS, DDoS, traffic interception (MITM).
- Leakage of corporate data - detection of anomalous downloads (or uploads) of corporate data from the company's file servers.
- Rogue Devices - detection of illegitimate devices connected to the corporate network (identification of the manufacturer and operating system).
- Unwanted applications - use of prohibited applications within the network (BitTorrent, TeamViewer, VPN, anonymizers, etc.).
- Cryptominers and Botnets - checking the network for infected devices connecting to known C&C servers.
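As an added illustration (not code from the original article or from Flowmon), here is a small Python sketch of the kind of flow-based heuristics behind two of the items above, port-scan detection and DNS tunneling detection, run over a handful of constructed NetFlow-style records; the record layout and the thresholds are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample flow records in a NetFlow/IPFIX-like shape (assumed layout).
# Fields: (src, dst, proto, dst_port, bytes, packets)
FLOWS = [
    # one host touching 40 distinct TCP ports on a single peer: scan-like behaviour
    ("10.0.0.5", "10.0.0.20", "tcp", port, 60, 1) for port in range(1, 41)
] + [
    ("10.0.0.7", "8.8.8.8", "udp", 53, 4000, 30),   # oversized DNS flows (tunnel-like)
    ("10.0.0.7", "8.8.8.8", "udp", 53, 4200, 32),
    ("10.0.0.9", "8.8.8.8", "udp", 53, 120, 2),     # ordinary lookup
    ("10.0.0.9", "10.0.0.30", "tcp", 443, 50000, 80),  # ordinary HTTPS session
]

PORT_SCAN_THRESHOLD = 20       # distinct dst ports from one src to one dst (assumed)
DNS_BYTES_PER_PACKET = 100     # mean DNS packet size above this is suspicious (assumed)


def detect_port_scans(flows, threshold=PORT_SCAN_THRESHOLD):
    """Return {(src, dst): distinct_tcp_ports} for pairs at or above the threshold."""
    ports = defaultdict(set)
    for src, dst, proto, dport, _nbytes, _pkts in flows:
        if proto == "tcp":
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def detect_dns_tunneling(flows, max_bytes_per_packet=DNS_BYTES_PER_PACKET):
    """Return {src: mean_bytes_per_dns_packet} for sources with oversized DNS traffic."""
    total_bytes, total_pkts = defaultdict(int), defaultdict(int)
    for src, _dst, proto, dport, nbytes, pkts in flows:
        if proto == "udp" and dport == 53:
            total_bytes[src] += nbytes
            total_pkts[src] += pkts
    return {src: total_bytes[src] / total_pkts[src]
            for src in total_bytes
            if total_bytes[src] / total_pkts[src] > max_bytes_per_packet}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("dns tunneling:", detect_dns_tunneling(FLOWS))
```

Real deployments tune these thresholds per network and add time windows; the point here is only that both findings come from flow metadata, without inspecting payloads.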
Reporting
Based on the results of the audit, you can see all the analytics on Flowmon dashboards or in PDF reports. Below are some examples.
General traffic analytics
Custom dashboard
Anomalous activity
Discovered Devices
Typical testing scheme
Scenario #1 - one office
The key feature is that you can analyze both external and internal traffic that does not fall under the analysis of network perimeter protection devices (NGFW, IPS, DPI, etc.).
Scenario #2 - several offices
Video tutorial
Summary
A CheckFlow audit is a great opportunity for IT/IS managers to:
- Identify current and potential problems in your IT infrastructure;
- Detect problems with information security and the effectiveness of existing protection tools;
- Determine the key problem in the operation of business applications (network part, server, software) and those responsible for its solution;
- Significantly reduce the troubleshooting time in the IT infrastructure;
- Justify the need to expand channels, server capacity or additional purchase of security equipment.
I also recommend reading our previous article -
If you are interested in this topic, then stay tuned (
Poll: Do you use NetFlow/sFlow/jFlow/IPFIX analyzers?
- Yes - 55.6% (5 votes)
- No, but I plan to - 11.1% (1 vote)
- No - 33.3% (3 votes)
9 users voted. 1 user abstained.
Source: habr.com