July 27, 2022

NetFlow as a valuable data source for SecOps, part 1/2

How to use inter-system correlations, optimize the work of SIEM systems and process billions of flows in a dedicated system.

Jacek Grymuza

Senior Security Architect

SIEM is the main security system for every SOC


Accelerated digital transformation, driven in part by COVID-19, has made it possible to do more and more business online. At the same time, new technologies and services increase the potential areas of attack for cybercriminals. For this reason, Security Operations teams (SecOps) try to detect as many red flags as possible that indicate potential threats or security abuse. SecOps has many security monitoring systems in its arsenal, as shown in Figure 1. The main system used by a Security Operations Center (SOC) is a SIEM system, which correlates logs from multiple data sources, such as operating systems, databases, network devices, applications or security systems, in order to detect potential threats and security policy violations.

Because the collected data are located in one place, they can be correlated by characteristic attributes in various contexts, which allows for effective detection of anomalies or security threats. For many organizations, however, collecting all information from "everything" is almost impossible due to the retention policy and limited disk space for data. In such cases, it is worth considering whether, instead of sending billions of network flows directly to the SIEM, it is better to process them in a dedicated NSM system, e.g. Sycope, and then send only information about detected anomalies and abuses to the SIEM system for use in inter-system correlations.

Figure 1. Common data sources for SIEM

Monitoring Network Traffic

When talking about network traffic monitoring, we often mean traffic from network devices in the form of logs from firewalls and routers, packets or flows. Each of them has a different level of detail. Table 1 shows a comparison of Packet Capture (pcap) and NetFlow collection. NetFlow is a kind of network metadata aggregated by 5-tuple: IP addresses (source and destination), ports (source and destination) and protocol.

Table 1. Pcap vs Netflow
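
The two ideas above, aggregating traffic by 5-tuple and forwarding only detections to the SIEM, are shown in the following added example; it is not code from Sycope or from the author. The packet records are constructed, and the port-scan heuristic with its threshold of 10 distinct ports is an assumption chosen for illustration.

```python
import json
from collections import defaultdict

# Constructed sample packets (documentation address ranges, not real traffic):
# (src_ip, dst_ip, src_port, dst_port, protocol, size_in_bytes)
PACKETS = (
    [("192.0.2.10", "198.51.100.20", 50123, 443, "TCP", 1400)] * 40  # one web session
    + [("192.0.2.11", "198.51.100.53", 53001, 53, "UDP", 80)] * 3    # one DNS client
    + [("192.0.2.99", "198.51.100.20", 40000 + port, port, "TCP", 60)
       for port in range(1, 26)]                                     # 25 one-packet probes
)

def aggregate_flows(packets):
    """Collapse packets into flow records keyed by the 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, proto, size in packets:
        record = flows[(src, dst, sport, dport, proto)]
        record["packets"] += 1
        record["bytes"] += size
    return dict(flows)

def detect_port_scans(flows, min_ports=10):
    """Flag a source that reaches many distinct ports on one destination.

    min_ports is an assumed threshold for this example; tune it per network.
    """
    ports_seen = defaultdict(set)
    for src, dst, _sport, dport, proto in flows:
        ports_seen[(src, dst, proto)].add(dport)
    return [
        {"event": "possible_port_scan", "src_ip": src, "dst_ip": dst,
         "protocol": proto, "distinct_dst_ports": len(ports)}
        for (src, dst, proto), ports in sorted(ports_seen.items())
        if len(ports) >= min_ports
    ]

def siem_events(packets):
    """Return the JSON lines an NSM would forward to the SIEM: alerts only."""
    return [json.dumps(alert, sort_keys=True)
            for alert in detect_port_scans(aggregate_flows(packets))]

if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    print(f"{len(PACKETS)} packets -> {len(flows)} flows -> "
          f"{len(siem_events(PACKETS))} SIEM event(s)")
    for line in siem_events(PACKETS):
        print(line)
```

On the constructed input, 68 packets collapse into 27 flow records and a single event reaches the SIEM, which is the volume reduction the dedicated-system approach is after.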

Flow Monitoring is a very important part of designing defensive capabilities

Network Security Monitoring (NSM) systems increase visibility into suspicious activity in the context of the entire organization. Monitoring network flows alone offers a chance to detect many of the red flags that attackers generate, even during advanced targeted attacks. A list of examples of MITRE ATT&CK tactics and techniques that can be detected based on network flows is shown in Figure 2.

Figure 2. NetFlow Security Monitoring in the context of MITRE ATT&CK tactics and techniques

To be continued in "Part 2" of this article.
