NetFort Advertising

Network Traffic Metadata – Four Recent Customer Use Cases

SIEM Tools

Network Traffic Metadata – Four recent customer use cases

The rising popularity of network traffic metadata is because it’s in the sweet spot between full packet capture like Wireshark and PCAPs on one hand and NetFlow on the other, which lacks detail and drill down. Drill down, granularity, context, and continuous internal visibility are now absolutely critical for organizations of all sizes including SMEs.

Historically, network traffic analysis based technologies (mostly full packet capture) were seen as too complex and expensive for SMEs and only ever seen on Enterprise networks. Application centric metadata has now made internal visibility a reality for all organizations.

Use Case 1: Monitoring Web Activity Over HTTPS

The opening packets of a TLS/HTTPS session are not encrypted and are sent in clear text. However, the NetFort DPI (Deep Packet Inspection) engine has the ability to conduct an IDP (Initial Data Packet) analysis on these clear text packets, extract the SNI (Server Name Indication) field sent by the client, and the certificate that the server presents.

This allows LANGuardian to report on the domain being accessed, the client and server IPs, port numbers, as well at other attributes of the connection such as the protocol used (SSL 1.0, 2.0 or TLS 1.0 1.2 etc), ciphers used or attributes of the server certificate (SHA1 or SHA256 etc). A similar technique works with Google QUIC encrypted UDP protocol.

Click on the image below to see how this report works on our online demo

Traffic Metadata with encryption protocols and cipher sessions

Use Case 2: Alert on Rogue DNS Servers

LANGuardian includes a DNS metadata decoder which monitors DNS traffic, decodes and logs all DNS replies, and enables the ability to go back and review all resolutions clients are receiving. As a result, it generates an inventory of DNS servers by Geo IP location.

DNS Lookups as network events

Use Case 3: Contractors’ iPhone Copying Data

The LANGuardian’s web client, user agent module generates every web client packet payload and records useful metadata such as source IP address, device and operating system information.

iPhone copying data

Metadata also results in a 400:1 data reduction over full packet capture in a granular but cost-effective data retention, ideal for forensics and investigations. LANGuardian includes a Google like search utility for all user activity retained in the built in database. This information was recently used to investigate the activity of a contractor on an medium enterprise network who had used an iPhone to access and copy internal data.

Use Case 4: Monitor File and Internet Access For a Single User.

LANGuardian’ s network traffic analysis engine also includes decoders for all ‘unstructured data’ activity, including Windows (SMB), UNIX and (NFS) file shares and even MS SQL databases. This results in an inventory of such systems on the internal network and an audit trail of all activity by IP, MAC address and user name.

Using our search facility, it is possible to achieve a consolidated view of all internal and Internet network activity by user name for any time period. It is also possible to configure alerts for certain file activity, including file or folder deletes. No agents or clients required, therefore network metadata is an excellent non-intrusive option for monitoring network user activity.

User traffic metadata dashboard

Visit our live system HERE to see more examples of the unparalleled levels of visibility you can easily achieve on your network by using traffic metadata.