How to Monitor What Matters


Yesterday we were invited to the NetEye Users Group Meeting to give a speech about monitoring and cybersecurity.

During the talk we covered our 25-year journey in this industry and the decisions we have made during that time:

  • Network vendors still provide poor monitoring data after 25 years: flaws, proprietary formats, sampling, and device limitations. The landscape has not changed even though NetFlow (RFC 3954) is 20 years old, and IPFIX is basically just a cosmetic change.
  • nDPI is 10 years old and it allowed us to provide contextual information even in encrypted communications.
  • The challenge today is to anticipate, no longer to monitor. In order to do that we need to capitalize on pre-labelled data such as blacklists, as well as monitor signals that are as detailed as possible, in order to detect even tiny changes in our network traffic and actors.
  • We use both threshold-based checks (for spotting too much/little) and behaviour-based checks (for detecting changes in behaviour) for triggering alerts.
  • Drill-down is mandatory: we need evidence of problems, not just problems, as they need to be fixed (the magic word is ‘remediation’). For this reason we have implemented the complete alerts-to-flows-to-packets path in the ntop pipeline.
  • Monitoring metrics must be HD (High Definition): packets/bytes were enough 20 years ago; today we need more detailed metrics that range from traffic quality to cybersecurity.
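
To make the threshold versus behaviour distinction and the alert-to-flow drill-down concrete, here is an added example (not code from the talk or from ntop's products) that runs both kinds of check over one host's per-minute traffic and attaches the top-contributing flow to each alert. The EWMA baseline, all parameter values, the flow keys and the traffic volumes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class BehaviourCheck:
    """EWMA baseline of mean/variance; flags a sample far from what was learned."""
    alpha: float = 0.2   # smoothing factor (assumed value)
    k: float = 4.0       # allowed deviation, in standard deviations (assumed)
    warmup: int = 5      # samples to learn before alerting (assumed)
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def update(self, x: float) -> bool:
        if self.seen == 0:
            self.mean = x
        dev = x - self.mean
        # Floor the band at 5% of the mean so a very flat baseline is not hypersensitive.
        band = self.k * max(self.var ** 0.5, 0.05 * abs(self.mean))
        anomalous = self.seen >= self.warmup and abs(dev) > band
        if not anomalous:  # outliers must not poison the baseline
            self.mean += self.alpha * dev
            self.var = (1 - self.alpha) * (self.var + self.alpha * dev * dev)
        self.seen += 1
        return anomalous

def evaluate(intervals, low, high):
    """intervals: per-minute {flow: KB} maps for one host. Returns alerts with evidence."""
    behaviour, alerts = BehaviourCheck(), []
    for minute, flows in enumerate(intervals):
        total = sum(flows.values())
        reasons = []
        if total < low or total > high:      # too little / too much
            reasons.append("threshold")
        if behaviour.update(total):          # differs from the learned baseline
            reasons.append("behaviour")
        if reasons:
            top = max(flows, key=flows.get)  # drill-down: the flow behind the alert
            alerts.append({"minute": minute, "kb": total, "reasons": reasons, "top_flow": top})
    return alerts

# Constructed sample data: documentation addresses, made-up volumes.
WEB, DNS, ODD = "192.0.2.10->198.51.100.5:443", "192.0.2.10->192.0.2.53:53", "192.0.2.10->203.0.113.9:8443"
INTERVALS = [{WEB: w, DNS: 2} for w in (98, 102, 96, 99, 97, 100, 98)]
INTERVALS += [{WEB: 99, DNS: 2, ODD: 210}, {WEB: 98, DNS: 2}, {WEB: 940, DNS: 2}, {DNS: 2}]
LOW, HIGH = 5, 800  # static thresholds in KB/minute (assumed)

if __name__ == "__main__":
    for alert in evaluate(INTERVALS, LOW, HIGH):
        print(alert)
```

Minute 7 stays inside the static thresholds and is caught only by the behaviour check, with the unusual flow attached as evidence; minutes 9 and 10 trip both checks.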

It took us 25 years to implement all this, rooted in open source software we developed. Here you can find the presentation slides.


Enjoy!