Internal IP Reputation for Combating Advanced Threats

Today’s network perimeter is well protected by numerous technologies. From firewalls to IDS/IPS, the perimeter enjoys a level of security that has never been seen in the past. However, evolving challenges such as BYOD, APTs and others have introduced new avenues through which all manner of nastiness can reach the internal network. It is therefore imperative that a security and monitoring solution be deployed on the internal network to combat new threats that cannot be easily catalogued, categorized or referenced. 

Such a solution should ideally incorporate information from all areas that have a bearing on the security of the internal network. Examples would be routers, switches, firewalls and the virtual environment. Fortunately, most of these devices produce information in the form of NetFlow / IPFIX that can be consumed and processed to provide performance and security telemetry.

Because of the rich data produced by NetFlow / IPFIX, information such as network performance, bandwidth utilization, anomalous traffic volumes and other metrics can be captured and utilized in determining when things are going awry on the network. But this relatively common capability among flow-based monitoring providers is still not enough to combat APTs, address BYOD and provide actionable information for security teams. Something more is required.

From a network security perspective, knowing who is talking to your network is also important. This is known as IP reputation, and there are many vendors with the capability to provide this information. What is less common, and critical to knowing what is going on inside your network, is internal reputation. I cannot put too fine a point on this. Only you and your network visibility solution can profile your internal network to determine who is a bad actor and who is not.

Lancope’s StealthWatch System, unlike other solutions such as Riverbed Cascade, provides the missing security piece of network visibility. Leveraging NetFlow / IPFIX, StealthWatch assigns Concern Index (CI) points to hosts on the network that are behaving in abnormal ways, providing an internal reputation profile. Further, StealthWatch can also tie the internal reputation of hosts to user and device information. This nexus of network visibility and security is critical to tackling the threats facing networks today.

For more information on StealthWatch for security monitoring, go to: http://www.lancope.com/solutions/security-operations/.