Cyber-Security Operations Center (SOC) operators analyze aggregated syslog events, reports, and security incidents to detect vulnerabilities and threats in real-time. Network flow monitoring provides visibility into application and network usage for security analysis, performance monitoring, and capacity planning. The Internet Protocol Flow Information Export (IPFIX) standard defines how routers and firewalls export flow records to configured collector tools. These records contain details of network connections, such as source, destination, amount of data transferred, and duration, which SOC operators can use to detect unauthorized data transfers and identify anomalies. Open source flow monitoring tools like NFdump, Elasticsearch, Logstash, and Kibana provide log aggregation, search, and visualization capabilities for network flow analysis.

1. Cyber-Security Operations Center (SOC) Operators are often tasked to engage in Information Security
Management, Security Incident/ Event Management. They often delve in searching aggregated syslog
events, reporting, data mining, real time vulnerability analysis, correlation & visualization.
You can’t mitigate or protect what you can’t view or detect. Network operators want to understand in
real-time, how their network is being used and by which applications. Thus, such a monitoring gains in
providing metering services, security, performance analysis, to do capacity planning and application
visibility.
Internet protocol flow Information export (IPFIX) a network flow standard by IETF, is used to export flow
information from routers, switches, firewalls and other infrastructure devices. RFC 7011-7015 defines
IPFIX as a push protocol & sends messages to configured collectors (receivers). A flow between a client
and Server sharing the same 5-tuple, is received by the configured Collector tool.
Flow tools if used as Anomaly detection, is used to detect deviation of network from normal behavior.
IPFIX along with IAM (Identity Access Management) could be used for data leak detection and prevention.
Thus, SOC operators can detect who initiated the data transfer, the hosts involved, amount of data
transferred, and services used. Frequency of connections and duration.
Open Source Flow Monitoring and Analysis Packages
NFdump is BSD Licensed set of linux based tools that support Netflow versions 5, 7 and 9.
One could install in Ubuntu Linux distribution using sudo apt-get install nfdump.
ELK Stack is a powerful open source analytics platform.
Elasticsearch is a distributed search and analytics engine built on top of Apache Lucene.
Logstash offers centralized log aggregation of many types such as network infrastructure device logs,
server logs and netflow. Logstash is written in JRuby and runs in a java virtual machine (JVM).
Kibana is an analytics and visualization platform that provides real time summary, charting of streaming
data.