Many of you know that I have always loved a good security product, and quite recently I was made aware of Kemp Flowmon. Usually, with most review blog posts, you read through the docs sent over and out goes a post, but this time I decided I wanted to dig a little deeper so that I can arrange a hands-on go with the product via a video soon.
I would not normally quote word for word from the material that is sent out about a product, but there was a particular line that really stuck with me, and that was:
"Taking vitamins cannot guarantee you never get sick" (Artur Kane)
This is so true, and we should apply the same thinking to security practices: we can have the best firewalls and antivirus, but humans will be humans, and this is why social engineering can make all that hard work fall over, especially if the attack has a signature nobody has seen yet.
One of the customers in the case study points out that they located the ransomware within the network because the power of an anomaly detection system lies in the fact that it does not rely on signatures. This is the best case: we have monitored something for a while, learned what known-good looks like, and when something stops acting the way it usually does we can easily alert on it. For example, a host that has never accessed FTP in the past and suddenly does, or one connecting externally when it never has before.
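To make that baseline idea concrete, here is a small added illustration (my own toy code, not Flowmon's) that learns per-host known-good behaviour from a set of constructed flow records and then flags a host using a never-seen service port or making its first external connection. The internal address ranges and the sample flows are assumptions for the example.

```python
"""Toy flow-baseline anomaly detector: learn known-good per source host,
then alert on deviations. Flow records are constructed (src, dst, dport)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges for the example; a real deployment would use its own.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def build_baseline(flows):
    """Per source host: which destination ports were used during the learning
    period and whether the host was ever seen talking to an external address."""
    baseline = defaultdict(lambda: {"ports": set(), "external": False})
    for src, dst, dport in flows:
        baseline[src]["ports"].add(dport)
        if not is_internal(dst):
            baseline[src]["external"] = True
    return baseline


def detect_anomalies(baseline, flows):
    """Return (host, reason, destination) tuples for flows that break the baseline."""
    alerts = []
    for src, dst, dport in flows:
        known = baseline.get(src)
        if known is None:
            alerts.append((src, "host not seen during baseline", f"{dst}:{dport}"))
            continue
        if dport not in known["ports"]:
            alerts.append((src, f"new service port {dport}", f"{dst}:{dport}"))
        if not is_internal(dst) and not known["external"]:
            alerts.append((src, "first external connection", f"{dst}:{dport}"))
    return alerts


# Constructed sample data: a quiet learning period, then new activity.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 443),
    ("10.0.1.20", "10.0.0.9", 445),
    ("10.0.1.21", "10.0.0.5", 443),
    ("10.0.1.21", "203.0.113.7", 443),
]
NEW_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 443),       # normal
    ("10.0.1.20", "10.0.0.30", 21),       # FTP, never used by this host before
    ("10.0.1.20", "198.51.100.4", 443),   # this host never went external before
    ("10.0.1.21", "203.0.113.7", 443),    # normal, external seen in baseline
]

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

Running it yields two alerts for 10.0.1.20 (the new FTP port and the first external connection) and nothing for 10.0.1.21, which is the signature-free "why is it doing that now" signal the case study describes.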
Depending on your architecture, once I looked into it, Flowmon can easily be deployed and work with all your existing infrastructure, provided it can export or mirror flow. A basic diagram is below.
This is where the old-school version of me would come in: they do an appliance, and if you can afford it this could save you some headaches, because what happens if your servers' datastores get encrypted? How can you access them to get a root cause? Again it's just about being clever about how you deploy this: is it on a set of disks or a SAN isolated away from everything else?
Again this goes back to prevention, but when I was in this area more day to day I saw some very sophisticated attacks, and having tools like this that can help you trace back what is happening can really aid in educating people, so that we all learn and hopefully stop it next time.
For Flowmon to be able to do all this it of course needs the data, and the above shows a more in-depth diagram of how you can connect this all up even if you are consuming public clouds. Of course, once all that data is there the algorithms can get to work, which I would love to see. I know there has been a massive move recently in this industry to even provide data flow maps showing devices and even geographic locations. Seeing one, I kind of felt like I was in a well-known spy movie watching the data bounce around.
The biggest thing, apart from the virtual meeting fatigue most of us have now, is of course alert fatigue. This is by far where I have seen the most amazing platforms fall on their face: by week two your inbox or SMS has not stopped and you do not know what to look for. What I liked from what I saw was a nice clear event log that got straight to the point and showed what had happened.
One thing I was informed about, which I do want to try in the lab somehow, is that this can then kick off orchestrations such as Network Access Control (NAC). From there you could lock down actions on the firewall, or maybe block switch ports or wireless access, so that the malicious stations are prevented from accessing the network and causing further damage.
I feel this is a product and topic set I need to dive into more, as once again I have heard friends within the industry struggling to get their infrastructure back after an attack. We also need to remember that sometimes the compromise can happen months before the main event kicks off, which makes it even harder to get back any lost data, and even during the restore you may well recover the way the attackers got in in the first place. The best thing about these products is that they seem to see the anomalies: the little things happening, and hosts talking back to bad endpoints prior to a major issue. As major attacks happen to others, these IPs can be highlighted to these products and hopefully feed back early warning of an event that may occur.
Please do comment if you think I should follow up with some demos! If you want to keep an eye on what is happening on your networks, go get a 30-day trial here.
Note: I have been compensated for this post and commentary. All the thoughts and opinions in the post are mine and not linked to the company or the company I currently work for.