How often you need to know who is sitting behind that IP address right now or who was logged there one month ago? Flow monitoring will give you information about IP, MAC address or DNS name but getting the user identity is usually time consuming task of analyzing the auditing logs of Active Directory or network access control system.
However, having the user identity directly in flow monitoring system is not that difficult. All you need is a reliable source of user identities providing IP address, user identity and time stamp. This general concept enables to integrate information about users in flow data from various sources like Active Directory, Cisco Identity Services Engine, Checkpoint firewall, VPN or using simple DHCP server (having as user identity name of PC). All you have to do is send these logs to Flowmon Collector using syslog protocol and adjust the parsing rule to understand the log and retrieve information about IP, user identity and time. And you have to do it online so Flowmon can create a map of user identities related to active IPs and store this information as part of flow data as they reach to Collector. Adding user identities retrospectively in GUI when needed is not an approach that can work.
Each flow record than contains items “source IP user ID” and “destination IP user ID” which enables you to look for particular traffic related to concrete user. When investigating security incident that happened one week ago you still have accurate information about users hidden behind involved hosts. New top N statistics based on user identities are available which means that you can use this attribute in online analysis as well as long term reporting.
Moreover, this attribute can be used for filtering using keyword “uid” or “src uid” or “dst uid” to show only traffic related to particular users. Information about user identity is part of each flow record.
This feature is available since Flowmon 7.02.00 as part of Flowmon Collector without the need of any additional licenses. Using Flowmon Configuration Center you can configure external syslog sources as well as parsing rules for individual log formats. Looking into third party systems for user identities while analyzing flow data is no longer needed therefore troubleshooting and investigation of security incidents is more efficient and less time consuming.
Pavel Minarik
As Acting CISO at Progress, Pavel Minarik is responsible for overseeing enterprise-wide information security strategy, risk management and regulatory compliance. His role is focused on aligning security initiatives with business objectives, strengthening security posture, building resilient security programs and leading cross-functional teams in complex, fast-paced environments.
As Vice President of Product Security at Progress, he is responsible for the secure software development life cycle across all Progress products, defining and implementing product security standards and ensuring that security is inherent to the product development practice. As part of M&A initiatives, Pavel leads the product security reviews and assessments during technical due diligence.
In his previous role as Vice President of Technology, he was responsible for overarching technology strategy of Progress’ Infrastructure Management products such as Flowmon, Loadmaster and WhatsUp Gold as well as experimental development in this area. With his experience as the former CTO of Flowmon Networks (acquired by Progress) Pavel led the product management for the flagship NPMD & NDR product Flowmon. Flowmon is a solution for IT professionals that enable businesses to ensure their services are running well and securely, and their workforce is productive.
As a former senior researcher at the Institute of Computer Science of Masaryk University, Pavel has participated in several research and development projects in the domain of network traffic monitoring, analysis and cybersecurity. He is also the author of more than ten publications on behavior analysis and algorithms for traffic processing and anomaly detection summarized in his PhD thesis “Building a System for Network Security Monitoring.”