Flowmon CTO Interviewed: 10 years of network monitoring and analysis

It is ten years since Flowmon developed an advanced network monitoring solution and began its journey toward becoming a key industry player. Flowmon pioneered the market in the Czech Republic and soon expanded to the world. In those ten years what changes has the area of monitoring and security of data networks seen? Pavel Minarik, Chief Technology Officer at Flowmon, answered the questions for the IT Systems magazine.

March 31, 2017

You were introduced to the issues of network monitoring during your studies at the Institute of Computer Science of Masaryk University (MU). What was it like then?

I have been involved in the field of monitoring and analysing the operation of data networks since 2006. NetFlow technology already had existed at that time, but was not nearly as popular as today. The Flowmon probe had already existed, developed at the CESNET group led by Jiří Novotný. Monitoring was conducted solely on the L3/L4 layers. The analysis of the application layer was the music of the future. The outputs of the monitoring probes and NetFlow technology in general was used especially in backbone networks for operational purposes, capacity planning or billing services. Applications in the field of security were at the start.

The idea of applying NetFlow technology for security also appeared at MU in 2006. This was given specific shape in the CAMPNEP project for the U.S. Army, on which you collaborated. How important were the results for the development regarding the problem back home?

I would say that the idea, in particular the project in 2006, grew when the proposed CAMNEP project was put forward to the U.S. Army by ČVUT (Czech Technical University in Prague) and ÚVT MU (Institute of Computer Science of Masaryk University in Brno). In 2007 the project started. Its aim was to use NetFlow in the field of security and propose algorithms that could detect anomalies and attacks using just the analysis of the third and fourth layers. By then, the known methods had relied on signatures, thus it was not possible to detect new and as yet undescribed threats. The CAMNEP project was for behaviour analysis consequently a game changer. On its basis and on the experience gained in this project we later developed our Anomaly Detection System and significantly moved Flowmon solution to the area of security. The CAMNEP project was significant also for ČVUT. On its basis the company Cognitive Security was established, later bought by Cisco and today part of the portfolio of this global player.

You stood at the inception of the above-mentioned Flowmon ADS. It uses the principles of machine learning and artificial intelligence techniques for the advanced detection of anomalies, unwanted behaviour and threats in networks – the technology of network behaviour analysis (NBA and also NBAD). What were the first reactions of customers to this new technology?

Our ADS was something completely new. In fact, probes and collectors were a new technology in the Czech Republic, and as a result it took quite a long time to build up the solution on the market. We had to deal with the positioning of ADS against existing technologies and show that our system outputs were both relevant and useful. The key factor of success were pilot projects, which opened the eyes of our customers. After all, to see your own network site infected by malware is an intense experience.

Flowmon ADS responded to the fact that protecting the perimeter itself, which organisations had relied on to protect their networks from cyber-attacks, has now become insufficient. With the rise of trends such as BYOD, cloud, IoT, access to the network can be achieved not only through a precisely defined perimeter …

BYOD and IoT are unequivocally shaking the foundations of the whole business environment. The need for monitoring and security is clearly increasing. If you allow employees to use their own devices, you lose a certain control over them. You need to replace this with very good monitoring. IOT, in turn, connects the virtual world with the real world. Cyber threats are actually becoming visible, have a real impact. I see cloud, in my opinion, as a way of providing IT solutions. Customers today have several options and they can decide how they want to use their services and applications. Flowmon will work in both cases for them, and if they wish, they can use the collector in cloud. Many of our customers at the end of the day do, and the trend is clear. The number of sold virtual solutions is growing from year to year.

Integrated security solution

Flowmon ADS improves the detection capabilities of an organisation. Your solution does not just use a single module. How does it all go together?

NBA is really particularly about early detection. Flowmon nonetheless offers the customer a comprehensive and integrated solution. It is used not only for detection but also for the analysis of the impact of threats or attacks, or recovery after an incident, and where applicable for the forensic analysis of the tracks of an attacker in the network traffic. These comprehensive solutions are not commonly found on the market, and if so, they are intended for the biggest companies, and for others they are practically unreachable. So, if I had to sum everything up, the main advantage I see is in integrating NPMD, NBA and APM technologies into one solution. They complement each other very well.

In addition to security you also offer solutions for operational troubleshooting, monitoring the performance of applications, and the fight against DDoS attacks. This is all related in some way to the visibility into what is happening in a company’s IT. In your position you are responsible for the design and development of products. What else can we expect from Flowmon?

We now have very advanced solutions in the field of Network Performance Monitoring and Diagnostics and Network Behaviour Analysis. Our network probes are the most powerful in the world. After ten years of development, the collector offers unprecedented power and flexibility. Behaviour analysis is used by hundreds of customers. Our development is now heading into the areas of APM and DDoS, which are relatively new for us. After two years of development, our DDoS Defender is able to compete with the established players on the market and the number of users is growing. The big news is coming for Flowmon APM this year. Every user can look forward to the active monitoring of the availability and responsiveness of applications, including of course SLA reporting and the comprehensive administration of test scenarios. This year is a turning point for us also in one more thing. We are launching a total of five new projects, which define our road map for 3 to 4 years ahead. I consider the main long-term goal to be the development of Flowmon properties in the area of IT Operations Analytics, which concerns in particular the simplification of devices and the enhancement of their own intelligence. For example, the system itself will say where the problem is, what its scope and impact is, and what the likely cause is. We have also started the project of the new user interface. But do not just expect a facelift, we’ll leave no stone unturned.

You are also working on expanding the ecosystem of your technology partners. How do you select them?

They are distinctively technologically compatible and support our business. Last year we added among technological partners, for example, the company Gigamon and IXIA. These are global players in the field of TAPs and packet brokers, solutions we are compatible with. It is important to show customers and business partners how to build a whole solution for the customer, what components to build it with and how these components link with each other. In the area of DDoS, our products are compatible and cooperate with all the major players, e.g. Radware, F5, A10. Thanks to this, the customer has a choice of their preferred solution for mitigating attacks, whose activities we can follow through the appropriate API.

This year, Flowmon celebrates ten years on the market. If you take a look into the future, in your opinion what will monitoring and management of networks look like? Will the visions of Cisco about networks capable of defending themselves come true?

Absolutely, yes. We see the endeavour about consolidating and integrating the product portfolio. Cisco has done a great job in the last couple of years. The ability of infrastructure to defend itself is not the music of the distant future. Ultimately, with Flowmon we are an active part of this change. In Japan last year we were in cooperation with Cisco to show how it is possible with Flowmon ADS to detect attacks and thanks to the integration with Cisco APIC controller, to respond immediately by disconnecting the device from the network. I believe that in the future it will be possible to have more functions of the network controlled through standardised APIs. As a result, the process of network administration and deployment of new devices or services will be possible to automate significantly. For us it is important to continue along the chosen way to monitor networks with visibility into the application layer and be an indispensable tool of the modern network administrator, security specialist, and the manager of applications.

*** Infobox ***

RNDr. Pavel Minařík, Ph.D. is the Chief Technology Officer at Flowmon Networks. In his position he is responsible for the design and development of the company products, technical support and the implementation of Flowmon technology for customers worldwide.

Minařík is a graduate of Masaryk University in Brno. As a researcher, he took part in a series of R&D projects in the field of analysing the traffic of data networks and the detection of advanced threats. He is the author of many of the algorithms in this area and has more than a dozen publications.

***