Have you ever gone bowling? Most people have played the game at one time in their lives. It’s relatively simple: just roll a heavy ball down a lane to knock over pins. Easy, right? Well, it is until you start looking at the scoring. If you only knock down a few of the pins it’s not difficult to figure out the scoring system. But if you knock down all the pins you have to do different things with your existing score. You may have to add numbers together for scores from rounds before or you may have to wait to find out what your score is for another round or two.
Security is a lot like bowling in this regard. Sometimes we see things happening that we can’t reconcile until we have more information about things from the past or from the future. And we need a way to get a picture of that information before we can make our decisions. Which means we need a tool capable of getting us the data that we need.
Frame By Frame
I had a chance to sit down and talk to Plixer during the 2019 RSA Conference. Thomas Pore, VP of Technical Services, gave me a great overview of what they can do for network and security visibility. Plixer uses information gathered from NetFlow and IPFIX to build a picture of the traffic behavior in the network and give information about what’s going on. He showed me some of the ways that Plixer is leveraging the network to give the information that security professionals need to find things like lateral movement and for post-event forensics.
To go back to the bowling analogy, Thomas told me that NetFlow and IPFIX data is very much like frame-by-frame scoring in bowling. The captures that you get present you with data and no context whatsoever. Like in bowling, your score isn’t dependent on any one particular frame. Except when it is. In bowling, you know when that happens because of a strike or a spare. Plixer can create the context around a specific set of data to help you understand when something is amiss.
Plixer can help you see patterns like showing internal hosts sending more data than they are consuming from the Internet, which is an atypical pattern for devices that are not servers. Plixer can show you when traffic becomes encrypted, like in the case of using a VPN tunnel to evade data loss prevention (DLP) software. Plixer can also integrate with things like IP Address Management (IPAM) servers to show cases where hosts are constantly changing addresses to test things like server subnets or do reconnaissance work on your internet IP structure.
The key is that Plixer builds a database to enrich the data being sent to SIEMs running in the network. The SIEM should be getting all the data that it can from every available source to find out how to fix these issues. Because Plixer can provide NetFlow and IPFIX data with context, the SIEM doesn’t have to work as hard to find suspicious activity. It doesn’t take a rocket scientist to figure out that massive traffic spikes at 3:30am are a bad thing. Plixer can alert you to these issues or tie into a bigger monitoring system to help get the right people involved when they need to be to get things fixed before you lose something important.
Thomas also told me that Plixer is looking to enhance their platform in the near future with more capabilities enhanced by artificial intelligence and machine learning. AI and ML will allow for better pattern recognition in the data and help find suspicious and malicious behavior more quickly. And when you deal with scenarios where attackers can exfiltrate a lot of data in a short amount of time, the faster you can detect them the less paperwork you’ll have to deal with.
Bringing It All Together
Plixer is a very important piece of the puzzle for security teams. The network is a wealth of data for operators. Networks are expensive and necessary to keep systems communicating with each other, but sadly they are rarely seen as a source for good data. Plixer does a great job of taking all that data and sending it to the right places to help make the critical decisions about how to keep your networks secure.
For more information about Plixer and their network security solutions, make sure you check out http://Plixer.com
