This security agency not only protects itself, but oversees more than one hundred separate governmental agencies, each of which holds critical data hackers would just love to penetrate. The agency helps these agencies and governmental offices prevent, detect, respond, and recover from cyber threats. It protects this infrastructure and critical systems (and its own environment) from malicious attacks by applying the latest technologies, as well as through training and security exercises.
This agency’s internal security, network performance and of course availability are vital. How can you trust an agency to keep you safe if that agency itself is not safe? The agency needed a solution with detailed insights into the performance of their physical and virtual network environments, the ability to forensically troubleshoot network issues leveraging enriched flow data, and the power to identify anomalous activity quickly and efficiently within their network. This agency’s network is of massive scale, and includes physical networks and vast virtual and cloud environments. That is where Flowmon from Progress/Kemp comes in.
Flowmon’s flow-based network performance monitoring tracks bandwidth usage, understands traffic structure, and pinpoints the root cause of network problems in on-premises, edge, and cloud environments alike. At the same time, its networkcentric Anomaly Detection System (ADS) focuses on detecting anomalous behaviors in network traffic and thus alerts IT to threat activity in your network, such as ransomware or insider threats.
For this agency, Flowmon probes ingests raw network traffic from various points of the network such as physical monitoring ports and virtual hosts and then provides deep packet inspection. Flowmon probes then offload that traffic in the form of enriched flow metadata to the Flowmon Collector. These Collectors are deployed in a distributed architecture to support redundancy & scalability. The Flowmon environment is out of band, so its operation and availability does not impact the production environment.
Kemp Flowmon met all the customers’ requests with a total of 12 Kemp Flowmon Probes and 10 Kemp Flowmon Collectors of various sizes and roles within a Distributed Architecture spanning the agency’s physical and virtual environments. The collectors, including two master collector units (for redundancy), ingest and store all flow data from the probes within the deployment. To make the data more usable, Flowmon probes take flows, convert them into syslog messages, then send those log messages to a centralized syslog server that then feeds Google Pub/Sub. The Sub/ Pub reliably provides many-to-many asynchronous messaging between the agency’s applications.
The agency requested active/active redundancy of their Flowmon deployment architecture and the ability to offload flow data in syslog format to syslogng. Kemp Flowmon worked to design a distributed architecture that not only met scaling needs but ensured redundancy in the event of failure. Flowmon development teams worked to enable the ability for Flowmon Probes to offload flow protocol traffic in syslog format.
In addition to network performance monitoring and diagnostics, Flowmon provides network detection and response capabilities via its Flowmon ADS module. Powered by an intelligent detection engine, Flowmon ADS (for Anomaly Detection System) leverages behavior analysis algorithms to detect anomalies concealed within network traffic to expose malicious behaviors, attacks against mission critical applications, data breaches and indicators of compromise. In short, this Anomaly Detection System offers real-time identification of attacks and network-based anomalies. Flowmon ADS adds the network-centric layer of defense to the agency’s security matrix to detect the slightest network anomalies that indicate the activity of unknown and insider threats undetectable by perimeter and endpoint security. The agency now leverages Flowmon anomaly detection and response capabilities for their scoped physical and virtual network resources.
All of the customers’ requirements with Flowmon Probes and Collectors of various sizes and roles within a Distributed Architecture spanning the agency’s physical and virtual environments. Visibility and forensic troubleshooting of network issues both leverage enriched flow data. Flow is network metadata representative of the packets that are traversing your network. The Flowmon solution is high performance in part due to the lightweight nature of flow as opposed to packets. They have a very large network with a ton of traffic that needed to be stored in order to provide the ability to analyze communications historically. Now they have the ability to not just scale, but have historic network metadata reaching back 30 or more days on their Flowmon Collectors The lightweight nature of flow data means terabytes of difference in 30 days of flow data as opposed to packets. Meanwhile, the agency can forensically troubleshoot because Flowmon is configured to keep each flow, and with this set up does not sample or aggregate packets. Flowmon also adds enrichment to flow by conducting deep packet inspection for protocols such as HTTP, TLS, SIP, DNS, DHCP, & SQL.
The agency now has deep visibility into the actual performance of their physical and virtual network infrastructure. Metrics include: