Flow, sometimes referred to as NetFlow, but can be other formats as well, is a small summary for network traffic. While there are tons of articles around using Flow for security detection, I want to really highlight some of the key aspects I’ve seen while working with Flow. Since it has been around for some time, originally developed around 1990 by Cisco, it is a tried and true method. Flow predates Snort and other packet inspection type programs, making it one of the older security detection technologies. It is, however, still a very valid method for security detection.

Flow is often over looked in favor of newer technologies for security detection, or even used for other purposes. While several vendors and technology platforms perform Flow collection, most are focused on link utilization, usage and for discovering what data is moving around where. There are only a handful of vendors who use Flow for security detection. These vendors focus on statistical outliers and protocol misuse and variations. They establish a baseline of normal activity based upon the information available in a Flow record, trend this over time and against like peers and highlight differences outside a threshold.

While network operations information from Flow is beneficial, Flow’s best use is for security detection. Flow can spot anomalies by watching who is talking to whom, and it has a very low evasion rate, since you cannot delete traces that packets transited the network.

Four Reasons to Use Flow for Security Detection

Why is Flow-based security detection something to consider? Here are four reasons why you should be using Flow for security detection:

  1. Storage space – A Flow record contains a very small amount of information and does not require much storage. Even with millions of Flow records generated a day, many modern hardware platforms have the capability to store months of Flow records.
  2. Low processing power – To perform the statistical analysis of millions of Flow records over time does not require a large amount of computing. While organizations are moving to Hadoop and Big Data platforms, those are not required for Flow analysis. A mid-grade 2U server is generally all that is required to perform the analysis and help detect anomalous activity.
  3. Built into platforms – Many routing platforms, firewalls and IPS natively have the capability to generate and export a Flow record. While each platform may utilize a slightly different Flow standard (Netflow v5, Netflow v9, sflow, jflow, IPFIX) most Flow collection platforms are able to process and store these different formats. As many organization may already have platforms that can generate a Flow record, all that is required is a collection and analysis capability to get the full security alerting. This helps to drive down the cost of bringing in a new detection capability.
  4. Confirm traffic – Flow gives you the ability to know what actually made it into or out of your network, what connection was successful, how long it was, whom it was with and how much data was transferred. Similar to using firewall accept logs for intrusion analysis, Flow records help you quickly and easily determine if communication occurred and what other machines may be involved.


While Flow detection is an old method, it is still very valid and should be considered by advanced organizations as their next capability purchase. It is also useful to help tie this alerting device into your SIEM or MSSP to get a holistic picture of everything that is occurring in your environment.

When used properly, Flow can really enhance a security program within an organization. I highly suggest that more and more companies look to implementing Flow into your security programs for security detection monitoring.

Reference Links:

https://en.wikipedia.org/wiki/NetFlow#History

https://en.wikipedia.org/wiki/SFlow

https://en.wikipedia.org/wiki/IP_Flow_Information_Export

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16677