Ziften ZFlow Will Shine A Light On Your Security Blind Spots – Charles Leaver

Written By Andy Wilson And Presented By Charles Leaver CEO Ziften


Over the past few years, many IT organizations have embraced making use of NetFlow telemetry (network connection metadata) to enhance their security posture. There are many factors behind this: NetFlow is fairly affordable (vs. complete packet capture); it’s fairly simple to collect as the majority of Layer 3 network devices support NetFlow or the IANA requirement called IPFIX; and it’s simple to analyze using freeware or commercially supplied software. NetFlow can help get rid of blind spots in the architecture and can offer much required visibility into exactly what is really going on in the network (both internal and external). Flow data can likewise help in early detection of attacks (DoS and APT/malware) and can be utilized in baselining and anomaly detection techniques.

NetFlow can offer insight where little or no visibility exists. The majority of companies are collecting flows at the core, WAN and Internet layers of their networks. Depending upon routing schemas, localized traffic might not be accounted for – LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the datacenter. The majority of companies are not routing all the way down to the access layer and are thus generally blind to some degree in this part of the network.


Carrying out full packet capturing in this area is still not 100% practical due to a variety of factors. The solution is to execute endpoint-based NetFlow to restore visibility and offer extremely important additional context to the other flows being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop computer, or server), so it’s not dependent on the network infrastructure to create. ZFlow provides traditional ISO layer 3/4 data such as source and destination IP addresses and ports, however likewise supplies extra valuable Layer 4-7 info such as the executable responsible for the network socket, the MD5 Hash, PID and filepath of the executable, the user responsible for launching the executable, and whether it remained in the foreground or background. The latter are crucial details that network-based flows merely can not offer.



This crucial extra contextual data can help considerably decrease occurrences of false positives and supply abundant data to analysts, SOC personnel and incident handlers to enable them to quickly examine the nature of the network traffic and determine if it’s malicious or benign. Used in conjunction with network-based notifications (firewall software, IDS/IPS, web proxies and gateways), ZFlow can dramatically reduce the amount of time it requires to resolve a security event. And we know that time to identify harmful behavior is an essential determinant to how effective an attack becomes. Dwell times have lowered in current history however are still at undesirable levels – presently over 230 days that an enemy can roam undetected through your network collecting your most important data.

Below is a screenshot that reveals a port 80 connection to an Internet destination of Interesting realities about this connection that network-based tools might miss is that this connection was not initiated by a web browser, but rather by Windows Powershell. Another intriguing data point is that this connection was started by the ‘System’ account and not the logged-in user. These are both very eye-catching to a security analyst as it’s not a false positive and likely would require deeper investigation (at which point, the analyst might pivot into the Ziften console and see deeper into that system’s behavior – what actions or binaries were initiated before and after the connection, procedure history, network activity and more).


Ziften’s ZFlow shines a light on security blindspots and can supply the additional endpoint context of procedures, application and user attribution to help security workers much better comprehend exactly what is truly occurring in their environment. Integrated with network-based occasions, ZFlow can assist dramatically lower the time it takes to investigate and react to security alerts and drastically improve a company’s security posture.