When thinking about network traffic and security, we usually end up considering NetFlow Analyzers for analytics and monitoring. They allow us to plan our network and detect security issues quickly and easily.
But a rising concern, and also a core need of ours, is End User traffic consumption monitoring, since it has been stated that a huge share of attacks originate from inside the company.
Being able to monitor end-user traffic consumption and be notified of any abuse of the network is an incredible gain.
Also, as per Juniper Research, 43% of cyber-attacks are aimed at small businesses, as they usually do not invest enough in security due to resource constraints. NetFlow Analyzer is a relatively affordable tool for this kind of analysis. Finally, around 60% of them go out of business within 6 months of an attack.
The fact is that the Internet has become a dangerous place, and has caused Network and System Administrators many sleepless nights. Luckily, not all is black, and we have written about that in our previous post:
5 ways to use NetFlow Analyzer for Network Security
https://www.netvizura.com/blog/5-ways-to-use-netflow-analyzer-for-network-security-1
There are some ways to monitor, mitigate and fix various problems on your end. Today we shall look at some of the newer techniques for monitoring enterprise workstations and users.
The two worlds...
On the network side of the company, we have network devices capable of exporting traffic records via the NetFlow protocol and forwarding them to a dedicated server. NetFlow was developed as a means of tracking traffic going to and from your network.
Each and every user in the company logs in with their unique username, and thus can be tracked throughout the company. This ensures that we have correct information about the resources used by a specific user at every moment. That information is stored on the AD server, usually called the Domain Controller.
Microsoft Active Directory is the most common directory service in the enterprise world. A directory service can be interpreted as a sophisticated AAA server (Authentication, Authorization and Accounting), whose main feature is ultimate control of the logon process on the enterprise workstation.
How do they work together?
So we are now able to combine the information from the network side and from the system side of our company. This is done by mapping logon events, sent as syslog messages from domain controllers or workstations, to the NFA server. Every logon to the AD DC can be followed through a simple message in its event log. From that message you get the user name, the IP address and the logon time on the AD DC. This is done automatically, so the Analyzer correlates the use of an IP address in a specific time interval with a specific user name. From that moment on, the user becomes an End User in your Analyzer.
What does this do for you?
This allows you to follow End User traffic and network behavior in your NetFlow Analyzer. You are able to set up alarming and get notified when suspicious End User behavior happens. That can be a huge upload/download that is not expected for that user, or the user reaching a specific traffic threshold. You would also be able to see if they are misusing the network, spending too much time on Social Media for example. Employees' visits to unwanted content indirectly expose the network to the risk of malware and device hijacking. This kind of monitoring within a NetFlow Analyzer gives you the opportunity to easily project QoS policies and optimize resources per user, as well as to be constantly informed of any security breaches and issues.
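The logon-to-IP mapping described under "How do they work together?" and the per-user traffic threshold alarm described above, as an added Python example that is not part of the original post or of the NetFlow Analyzer product. The syslog line layout, the flow records and the threshold are constructed assumptions; only the Windows event IDs 4624 (successful logon) and 4625 (failed logon) are real.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed syslog lines from a domain controller; 4624/4625 are the real Windows
# Security event IDs for a successful/failed logon. The key=value layout is an assumption.
SYSLOG = """\
2024-03-01T08:00:00 dc01 EventID=4624 Account=alice SourceIP=10.0.0.5
2024-03-01T08:07:00 dc01 EventID=4625 Account=mallory SourceIP=10.0.0.9
2024-03-01T12:00:00 dc01 EventID=4624 Account=carol SourceIP=10.0.0.5
"""

# Constructed flow records (timestamp, source IP, bytes) as stored on the NFA server.
FLOWS = [
    ("2024-03-01T09:00:00", "10.0.0.5", 400_000_000),
    ("2024-03-01T10:30:00", "10.0.0.5", 700_000_000),
    ("2024-03-01T13:00:00", "10.0.0.5", 100_000_000),
    ("2024-03-01T09:20:00", "10.0.0.7", 900_000_000),
]

LOGON = re.compile(r"^(\S+) \S+ EventID=4624 Account=(\S+) SourceIP=(\S+)")

def parse_logons(syslog):
    """(time, ip, user) for each successful logon, oldest first; 4625 is skipped."""
    events = []
    for line in syslog.splitlines():
        m = LOGON.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(2)))
    return sorted(events)

def user_for(ip, at, logons):
    """User of the latest logon on `ip` at or before `at`; None if nobody logged on yet."""
    user = None
    for t, lip, u in logons:
        if lip == ip and t <= at:
            user = u  # a later logon on the same IP supersedes the earlier one
    return user

def bytes_per_user(flows, logons):
    """Attribute each flow to a user and sum bytes; unmapped IPs stay visible."""
    totals = defaultdict(int)
    for ts, ip, nbytes in flows:
        user = user_for(ip, datetime.fromisoformat(ts), logons) or "unknown:" + ip
        totals[user] += nbytes
    return dict(totals)

def alarms(totals, threshold):
    """Users whose traffic in the interval crossed the per-user threshold."""
    return sorted(u for u, b in totals.items() if b > threshold)
```

Flows from an IP with no logon yet are kept under an `unknown:` key rather than dropped, so unattributed traffic still shows up in the per-user view.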