Quick question for IT leaders – can the switches on your network report 100% unsampled netflow?  If they can’t, there may be elusive cybersecurity threats hiding within your network. Yes, inside your network.

Every week, I hear stories of intellectual property (IP) loss and personal identifying information (PII) being compromised. This is due in part to many agencies still approaching cybersecurity the way they always have – guarding the edges to keep threats out. But that’s not enough anymore. With malware now custom-written to bypass the perimeter, external drives being plugged in behind it, and the ever-present possibility of tricked or malicious insiders, monitoring the traffic inside the network is now one of the most effective ways to find and eliminate threats.

Netflow has become an industry standard and is used by most networking vendors to monitor network performance. It summarizes every conversation that crosses the device as a flow record (source and destination addresses, ports, protocol, packet and byte counts, start and end times), much like a cell phone bill lists calls with their origin, destination, length, etc. Most switches and routers and many security devices are able to report netflow, so it is already available throughout most networks – from the edges of the network to the heart of the data center.

Many devices, however, report netflow in sampled mode, meaning they inspect only 1 out of every 20 packets (5%) or fewer when building flow records, because looking at every packet takes cycles from the device and can kill performance. This is called sampled netflow. It is acceptable for monitoring network performance, because the large flows that drive utilization still show up, but it is not acceptable for finding cybersecurity threats that may be hiding: a flow of only a few packets, such as a malware check-in, usually has none of its packets sampled and never appears at the collector at all. This is where I have found the newer switches from Cisco have an advantage. Because of our market presence and large scale, we have been able to invest in a custom chip on the switch’s circuit board. The chip allows those switches to export 100% unsampled netflow records without impacting forwarding performance. This means every flow in the network can be analyzed to find the cyber threat – essentially that “needle in a stack of needles”.

To analyze this unsampled netflow, Cisco partners with Lancope. Their product, Stealthwatch, stitches together netflow records from exporters all over the network into a single view of each conversation, then raises alarms on anomalies in traffic and on patterns of known bad behavior. It works as a stand-alone security tool with its own security dashboard, and it is also part of the Cisco Cyber Threat Defense Solution.
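The two points above, that sampling drops short flows and that a collector needs every flow to spot a pattern, can be shown on a handful of records. The following is an added example, not code from the original post and not Cisco or Lancope code. The flow records are constructed (RFC 5737 documentation addresses, a made-up two-hour window), the 1-in-N sampler is a simulation of what a packet-sampling exporter does, and the beacon check is a deliberately simple stand-in for the kind of "regular small check-in" pattern a flow collector looks for; the thresholds in it are assumptions chosen for the demo.

```python
# Added example, not code from the original post or from Cisco/Lancope:
# constructed NetFlow-style records (no real traffic) used to show why
# 1-in-N sampled NetFlow hides short flows, plus a simple beacon check of
# the kind a flow collector runs, which only works when every flow is present.
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record: the 'phone bill line' for a conversation."""
    start: int      # seconds since the start of the (constructed) capture
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


def build_sample_flows():
    """Constructed two-hour window: one bulk backup, ordinary browsing,
    and a malware-style check-in of 3 packets every 300 s (24 flows)."""
    rng = random.Random(7)
    flows = [Flow(0, "10.0.0.5", "10.0.0.20", 445, 200_000, 290_000_000)]
    for _ in range(40):   # browsing: irregular timing, medium size
        flows.append(Flow(rng.randrange(0, 7200), "10.0.1.7",
                          "203.0.113.10", 443, rng.randrange(20, 80), 60_000))
    for i in range(24):   # beacon: tiny, regular, easy to miss
        flows.append(Flow(i * 300, "10.0.1.7", "198.51.100.77", 443, 3, 400))
    return flows


def export_probability(packets, n):
    """Chance a flow is exported at all under random 1-in-n packet sampling:
    it appears only if at least one of its packets is picked."""
    return 1.0 - (1.0 - 1.0 / n) ** packets


def sample_flows(flows, n, seed=1):
    """Simulate a 1-in-n packet sampler. A flow is exported only when at
    least one packet is sampled; counts are scaled up by n, as exporters do."""
    rng = random.Random(seed)
    exported = []
    for f in flows:
        seen = sum(1 for _ in range(f.packets) if rng.random() < 1.0 / n)
        if seen:
            per_pkt = f.octets // f.packets
            exported.append(Flow(f.start, f.src, f.dst, f.dport,
                                 seen * n, per_pkt * seen * n))
    return exported


def beacon_candidates(flows, min_flows=12, max_jitter=0.2):
    """Flag (src, dst, dport) tuples with many flows at a regular interval,
    the shape of a malware check-in. Thresholds are demo assumptions."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for key, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return hits


def total_packets(flows, src, dst):
    """Traffic volume between two hosts as the collector would report it."""
    return sum(f.packets for f in flows if f.src == src and f.dst == dst)


if __name__ == "__main__":
    full = build_sample_flows()
    sampled = sample_flows(full, 20)
    beacons_left = sum(1 for f in sampled if f.dst == "198.51.100.77")
    print("beacon flows still exported at 1-in-20:", beacons_left, "of 24")
    print("beacons found, unsampled:", beacon_candidates(full))
    print("beacons found, 1-in-20:  ", beacon_candidates(sampled))
    print("backup packets, unsampled vs 1-in-20:",
          total_packets(full, "10.0.0.5", "10.0.0.20"),
          total_packets(sampled, "10.0.0.5", "10.0.0.20"))
```

Running it shows the asymmetry the post is about: the 200,000-packet backup is reported within a couple of percent of its true size from sampled data, so capacity planning is unaffected, while each 3-packet check-in has only about a 14% chance of being exported at all, so most of the 24 beacon flows vanish and the regular-interval pattern can no longer be seen. The same check over the unsampled records finds the beacon immediately.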

Since October is National Cybersecurity Awareness Month, I couldn’t think of a better time to start planning to monitor unsampled netflow as a major part of your cybersecurity and network management strategy.  Even if there is not enough budget to implement it completely right now, you can start making small steps with the end in mind.  Of course our experts are here to help along the way, too.

For a great read, check out Government Technology’s recent special report on Cybersecurity.


Peter Romness

Cybersecurity Principal, US Public Sector CTO Office