Ziften ZFlow™: Shining a Light on Security Blindspots

by Andy Wilson

October 16, 2015

access_time 6 min read

Ziften ZFlow™: Shining a Light on Security Blindspots

In the past several years, many IT organizations have adopted the use of NetFlow telemetry (network connection metadata) to improve their security posture. There are many reasons behind this: NetFlow is relatively inexpensive (vs. full packet capture); it’s relatively easy to collect as most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it’s easy to analyze using freeware or commercially available software. NetFlow can help overcome blind spots in the architecture and can provide much needed visibility into what is really going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can provide insight where little or no visibility exists. Most organizations are collecting flows at the core, WAN and Internet layers of their networks. Depending on routing schemas, localized traffic may not be accounted for—LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the datacenter. Most organizations are not routing all the way down to the access layer and are thus typically blind to some degree in this part of the network.


Performing full packet capture in this area is still not 100% feasible due to a number of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and provide very important additional context to the other flows being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it’s not reliant on the network infrastructure to generate. ZFlow provides traditional OSI layer 3/4 data such as source and destination IP addresses and ports, but also provides additional valuable Layer 4-7 information such as the executable responsible for the network socket, the MD5 Hash, PID and file path of the executable, the user responsible for launching the executable, and whether it was in the foreground or background. The latter are very important details that network-based flows simply cannot provide.


This important additional contextual data can help drastically reduce incidents of false positives and provide rich data to analysts, SOC personnel and incident handlers to allow them to quickly investigate the nature of the network traffic and determine if it’s malicious or benign. Used in conjunction with network-based alerts (firewall, IDS/IPS, web proxies and gateways), ZFlow can dramatically decrease the amount of time it takes to work through a security incident. And we know that time to detect malicious behavior is a key determinant to how successful an attack becomes. Dwell times have lowered in recent history but are still at unacceptable levels—currently over 230 days that an attacker can roam undetected through your network harvesting your most important data.

Below is a screenshot that shows a port 80 connection to an Internet destination of Interesting facts about this connection that network-based tools may miss is that this connection was not initiated by a web browser, but rather by Windows Powershell. Another interesting data point is that this connection was initiated by the ‘System’ account and not the logged-in user. These are both very attention-grabbing to a security analyst as it’s not a false positive and likely would require deeper investigation (at which point, the analyst could pivot into the Ziften console and see deeper into that system’s behavior—what actions or binaries were executed before and after the connection, process history, network activity and more).


Ziften’s ZFlow shines a light on security blindspots and can provide the additional endpoint context of processes, application and user attribution to help security personnel better understand what is really happening in their environment. Combined with network-based events, ZFlow can help drastically reduce the time it takes to investigate and respond to security alerts and dramatically improve an organization’s security posture.