New Analytics Tool Puts NetFlow Data Under the Microscope

In January, network security tools startup Packet Analytics launched Net/FSE, or Network Forensic Search Engine. Net/FSE is the first commercial search engine for enterprise network data to focus on security incident response by harnessing the analysis of NetFlow data. It is designed to exploit the forensic potential of NetFlow data to dig deep into network alerts.

This startup, based in Santa Fe, N.M., built a browser-based workflow tool for security analysts. The company uses proprietary search technology licensed exclusively from Los Alamos National Laboratory, where it was developed and battle-tested for five years. Net/FSE allows network security analysts to respond to network alerts and anomalies by analyzing terabytes of NetFlow router data in real time through a scalable search engine.

“This is a very high-volume product with a unique model of delivery to security analysts,” Andy Alsup, president and CEO of Packet Analytics, told the E-Commerce Times.

The Product

Net/FSE is designed to reduce exposure to significant business risk by enabling security specialists to quickly identify the extent of a security breach. It is a browser-based data collector that is deployed as software on servers inside the firewall of an enterprise network.

The Net/FSE software uses proprietary indexing and search algorithms in use for over five years at Los Alamos National Laboratory. It allows security analysts to perform searches in minutes, rather than days or weeks, over terabytes of NetFlow and network data representing years of critical forensic information, Packet Analytics said.

This ability lets network managers analyze NetFlow data for real-time situational awareness and dig deep into network alerts. The software product also allows retrospective data analysis so network analysts can rapidly determine the scope of an alert. Net/FSE’s search engine uses a two-phase search technology that the company said revolutionizes how multi-terabyte NetFlow datasets are analyzed in computer security operations.

The Need

Packet Analytics developed Net/FSE to fill a gap in tooling that Alsup and his partner discovered while working at Los Alamos National Laboratory. They used several existing IP search tools but found them lacking in advanced features.

“When something happened in the network, we couldn’t pursue any analysis of the data we got,” Ben Uphoff, vice president of research for Packet Analytics, told the E-Commerce Times. “There were issues with scalability of the existing tools. Even those that could scale lacked analytic security capabilities.”

That gap in security features still exists today, he said, and only Net/FSE solves that problem. All the existing NetFlow search tools target the IT industry, not security analysts. Net/FSE is designed to fill the niche market that exists around security analysts.

The Challenge

Developing Net/FSE to do exactly what they wanted took several years. The challenge was to identify specific algorithms. That took time, Uphoff explained.

The major challenge was developing proprietary algorithms to analyze IP (Internet protocol) data. He had to use trial-and-error methods to get everything working. Then he had to design the software so that it added only a 20 percent overhead to the rest of the running process.

“Then there was the challenge of the user interface making the search technique a true workflow tool,” said Uphoff.

Necessary Solution

In a typical enterprise IT situation, a network security alert is generated by an enterprise firewall, intrusion detection system or security information management system. But security analysts often do not have access to the necessary context that allows them to definitively and effectively respond to the event.

That’s the problem Net/FSE is intended to address. It allows analysts to collect and quickly search all of their NetFlow and other network data to determine the impact of the alert and effectively respond.
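The workflow just described, as an added illustration that is not Packet Analytics code: given NetFlow-style records and the IP named in an alert, pivot through an inverted index to find every host that exchanged traffic with it in a time window, then expand one hop to see where those hosts went next. The flow records, addresses and timestamps are constructed sample data.

```python
"""Scope a security alert by pivoting through NetFlow-style records.

Added example, not the product's code. Record layout is a simplified
(start_time, src_ip, dst_ip, dst_port, bytes) tuple; real NetFlow carries
more fields, but the pivoting logic is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (UTC). The last one falls outside the search window.
T = datetime(2008, 1, 15, 10, 0)
FLOWS = [
    (T,                        "10.0.0.5",  "203.0.113.9", 443, 1200),
    (T + timedelta(minutes=2), "10.0.0.5",  "10.0.0.21",   445, 90000),
    (T + timedelta(minutes=3), "10.0.0.21", "203.0.113.9", 443, 3400),
    (T + timedelta(minutes=4), "10.0.0.8",  "10.0.0.5",    22,  800),
    (T + timedelta(hours=2),   "10.0.0.7",  "203.0.113.9", 80,  500),
]

def build_index(flows):
    """Inverted index: IP -> positions of flows it appears in, for fast pivoting."""
    idx = defaultdict(list)
    for i, (_, src, dst, _, _) in enumerate(flows):
        idx[src].append(i)
        idx[dst].append(i)
    return idx

def peers(ip, flows, idx, start, end):
    """Hosts that talked with `ip` between start and end, with total bytes each."""
    totals = defaultdict(int)
    for i in idx.get(ip, []):
        ts, src, dst, _, nbytes = flows[i]
        if start <= ts <= end:
            totals[dst if src == ip else src] += nbytes
    return dict(totals)

def scope_alert(alert_ip, flows, start, end):
    """Direct peers of the alerted host, then their peers (second hop)."""
    idx = build_index(flows)
    first = peers(alert_ip, flows, idx, start, end)
    second = {}
    for host in first:
        for p, b in peers(host, flows, idx, start, end).items():
            if p != alert_ip and p not in first:
                second[p] = second.get(p, 0) + b
    return first, second

if __name__ == "__main__":
    direct, hop2 = scope_alert("203.0.113.9", FLOWS, T, T + timedelta(hours=1))
    print("direct peers:", direct)      # {'10.0.0.5': 1200, '10.0.0.21': 3400}
    print("second hop:", hop2)          # {'10.0.0.8': 800}
```

The second-hop set is what turns a single alert into a scope: here the host that reached the alerted address also pushed 90 KB to an internal peer, which then contacted the same address.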

“Security breaches can happen to any company. It’s not a matter of if, but when they will occur,” said Alsup. “Net/FSE was built by security analysts for security analysts so that enterprises have access to advanced search capabilities over terabytes of NetFlow router data.”

The product, he said, will save analysts a significant amount of time in their routine alert investigations, making them more efficient and dramatically decreasing their response time.

Industry Research

“Our research consistently indicates that flow data, including NetFlow, will be increasingly leveraged to improve network security and operations,” said Derek E. Brink, vice president and research director for IT security at research firm Aberdeen Group. “Overall, organizations surveyed indicate about 90 percent year-over-year growth in deployment of solutions that leverage network flow data, based on planned use in the next 12 months versus current use.”

The focus of Aberdeen’s research is on the actual end-user organizations, not so much on the vendors. The firm looks at what end-user organizations are doing, why they’re doing it, and most importantly what results they’re getting, rather than at the company specifically, he said.

“In recent studies we’ve asked questions about current use versus planned use of solutions that leverage network flow data. One study in particular showed that 31 percent of all respondents currently use such solutions, with an additional 36 percent indicating plans to use it within the next two years. Companies are definitely looking to improve their network security, and also the efficiency of their operations,” Brink told the E-Commerce Times.

This last point is important, as IT budgets are already stretched by spending on security and compliance, and the best-in-class companies are starting to be proactive about allocating their security resources more efficiently, he explained.

“All of this speaks positively about the market opportunity for companies like Packet Analytics,” Brink concluded.

Product Availability

Net/FSE requires little or no administration and can be quickly installed by the customer on commodity servers running a Linux operating system.

Net/FSE is available as a free download with full functionality.

More by Jack M. Germain