Nomic Insight: What Are “Flows” And Why Are They Important?
Earlier this year, we launched a beta release of our new Insight product, and the key feature is what we call Insight Flows.
Nomic Networks’ mission is focused on supporting teams that need to do more with less, and sometimes you have to iterate on existing technology to do unexpected things to reach that goal. We’ve been working in this space a long time, and we understand that simplicity and transparency can go a long way. Our latest product does just that: With Insight Flows, we leverage traffic metadata to keep visibility simple and protect our customer organizations at scale.
What are Insight Flows?
Short answer: “Flows” enable you to gain a full overview of network traffic with better efficiency and higher visibility than more complicated analysis tools.
As a whole, they create an independent history of the who, what, when, and where of your network. Insight Flows help you to keep this history organized, accessible, and actionable, with enhanced data that provides the increased visibility that other solutions can’t.
Flows are traffic metadata. Network metadata is information about the information rather than the information itself. So, flows are like the envelope of a letter, containing address information, as opposed to the letter itself (the raw packet). It’s surprising how much you can learn about the security and health of your network just from these basics, especially when you enrich the ‘envelope’ with other critical contextual information.
Similar to (and sometimes derived from) NetFlow or sFlow, Insight Flows start with the basics, sometimes called the ‘5-tuple’, plus a few other simple metrics:
- Source and Destination IP
- Source and Destination Port
- Protocol
- Timestamps
- Flow Size
Insight’s Enriched Flows
Nomic Insight goes a step further to enrich that data with other critical factors that serve as a foundation for security analysis and cyber hygiene. Here are a few examples:
- Country Geolocation. Country of Origin for external traffic. Not always perfect, but still an essential building block for enhanced analysis.
- Autonomous System Number (ASN). The organization that owns the IP block. ASN works in concert with Geolocation to provide a deeper, more nuanced understanding of the “Who”.
- Threat Intelligence. A combination of our proprietary CINS Feeds and other public sources of threat intel allows us to identify (and block) bad actors without waiting for them to do something malicious.
- Enhanced IP and App Protocols. Additional protocol information that can be app- or vendor-specific.
This enrichment not only provides insight (pun intended) into security issues and network troubleshooting; it is also the foundation on which we continue to build machine learning (ML/AI) automations. (More on that below.)
What Makes Insight Flows Effective?
Our customers have spoken: They require visibility of their East/West traffic, but the tools they have are either incomplete or way too cumbersome to be effective. Here’s where Insight Flows really shine.
- Simplicity. Sometimes you need to get in, get the answer you’re looking for, and get out. Is that internal web server communicating outbound on SSH? Why are those laptops talking to China at 2am? Insight Flows are presented in an intuitive, friendly interface that is easy to search and lightning fast. It’s a simpler, lightweight alternative to clunky solutions like SIEMs, PCAPs, or network monitoring tools that may hold the information you’re looking for, but often incomplete or buried 3 or 4 clicks deep in the application.
- In between EDR. Endpoint Detection and Response (EDR) solutions are also complemented by Flows. EDR platforms cover what is at the endpoint, but miss the spaces in between. These include any unmanaged devices, such as IoT, BYOD, printers, and smart devices. Attackers look for the weakest link, and the blind spots left behind by EDR can be covered by the network-wide metadata provided by Flows.
- Visibility beyond the firewall. Flows provide complete access into what is coming in, what is going out, and what is moving around internally. If you’ve always relied on firewall logs for network visibility, this kind of metadata offers you a completely new view of the traffic on your network.
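To make the ideas above concrete (the 5-tuple flow record, the enrichment fields, and the kind of flow filter behind questions such as “is that internal web server talking outbound on SSH?”), here is an added example that is not Nomic’s code and does not reflect how Insight is implemented. It models a flow record, enriches it from constructed country/ASN/threat tables (hypothetical stand-ins for GeoIP, ASN and threat-intel feeds such as CINS), and runs three filters over constructed sample flows; the `WEB_SERVERS` asset tag, the RFC 5737 documentation addresses, and the off-hours window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed enrichment tables standing in for GeoIP, ASN and threat-intel
# feeds (hypothetical data; not Nomic's CINS feeds). Addresses are RFC 5737
# documentation ranges.
GEO_DB = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US"}
ASN_DB = {"203.0.113.0/24": (64496, "EXAMPLE-NET-A"),
          "198.51.100.0/24": (64497, "EXAMPLE-NET-B")}
THREAT_DB = {"203.0.113.77": "scanner"}           # hypothetical indicator
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_SERVERS = {"10.0.1.5"}                         # hypothetical asset tag


@dataclass
class Flow:
    """One flow record: the 5-tuple plus timestamps and size, then enrichment."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # "tcp" / "udp"
    start: datetime
    end: datetime
    size_bytes: int
    dst_country: Optional[str] = None
    dst_asn: Optional[int] = None
    dst_as_name: Optional[str] = None
    threat_tag: Optional[str] = None


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def _cidr_lookup(db: dict, ip: str):
    addr = ip_address(ip)
    for cidr, value in db.items():
        if addr in ip_network(cidr):
            return value
    return None


def enrich(flow: Flow) -> Flow:
    """Attach country, ASN and threat-intel context to the bare flow record."""
    if not is_internal(flow.dst_ip):
        flow.dst_country = _cidr_lookup(GEO_DB, flow.dst_ip)
        asn = _cidr_lookup(ASN_DB, flow.dst_ip)
        if asn:
            flow.dst_asn, flow.dst_as_name = asn
    flow.threat_tag = THREAT_DB.get(flow.dst_ip) or THREAT_DB.get(flow.src_ip)
    return flow


# Flow filters for the two questions in the text, plus a threat-intel hit.
def outbound_ssh_from_web_server(f: Flow) -> bool:
    return (f.src_ip in WEB_SERVERS and not is_internal(f.dst_ip)
            and f.protocol == "tcp" and f.dst_port == 22)


def off_hours_to_country(f: Flow, country: str = "CN",
                         start_h: int = 0, end_h: int = 5) -> bool:
    # Hours are read in the timestamp's own timezone (UTC in the sample data).
    return f.dst_country == country and start_h <= f.start.hour < end_h


def threat_intel_match(f: Flow) -> bool:
    return f.threat_tag is not None


FILTERS: dict[str, Callable[[Flow], bool]] = {
    "outbound_ssh_from_web_server": outbound_ssh_from_web_server,
    "off_hours_to_country": off_hours_to_country,
    "threat_intel_match": threat_intel_match,
}


def run_filters(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """Enrich every flow and return (filter_name, src_ip, dst_ip) for each hit."""
    alerts = []
    for f in flows:
        enrich(f)
        for name, pred in FILTERS.items():
            if pred(f):
                alerts.append((name, f.src_ip, f.dst_ip))
    return alerts


def _t(h: int, m: int) -> datetime:
    return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "198.51.100.10", 51000, 22, "tcp", _t(14, 0), _t(14, 1), 4096),
    Flow("192.168.5.20", "203.0.113.40", 52000, 443, "tcp", _t(2, 15), _t(2, 16), 120000),
    Flow("192.168.5.21", "203.0.113.77", 53000, 8080, "tcp", _t(10, 0), _t(10, 0), 800),
    Flow("10.0.1.5", "10.0.2.9", 54000, 22, "tcp", _t(9, 0), _t(9, 5), 30000),
    Flow("192.168.5.22", "198.51.100.53", 55000, 53, "udp", _t(2, 30), _t(2, 30), 150),
]

if __name__ == "__main__":
    for alert in run_filters(SAMPLE_FLOWS):
        print(alert)
```

Running it yields three hits: the web server’s outbound SSH session, the 2:15am laptop session to a CN address, and the flow to the address carried in the constructed threat table; the internal SSH flow and the off-hours DNS lookup to a US resolver pass silently. The point of the structure is that every filter operates only on metadata and enrichment, never on payload, which is what keeps this class of check cheap enough to run over every flow.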
But Wait, There’s More!
Flows are just the tip of the iceberg. We launched our customer beta program earlier this year because we think Insight Flows offer tremendous value, but we’re not stopping there. We’re already creating automated alerts based on flow filters. Our support team monitors and triages these alerts, communicating important information to our customers and working with them to resolve any issues.
In addition, leaning on machine learning and our own security expertise, we’re building toward the ultimate goal: A comprehensive library of automations and signals to detect anomalous traffic and aid in network troubleshooting.
… Stay tuned for another blog coming soon on that!
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.