What We Learned from Monitoring 1 Billion Network Flows
At Redborder, we’ve crossed a major milestone: monitoring over 1 billion network flows. These flows come from a wide range of industries, including finance, healthcare, manufacturing, and government. By analyzing this data, we’ve gained invaluable insights into the nature of network traffic and the threats hiding within it.
Here’s what we discovered and why it’s crucial for your network’s security.
- The Biggest Threats Are Already Inside
The most eye-opening takeaway? 68% of suspicious activity came from within the network, not from the external sources that many security tools focus on. This internal traffic, also called East-West traffic, is where attackers often operate undetected. Whether it’s lateral movement between departments or internal reconnaissance, the danger is already inside your perimeter.
If your security stack doesn’t provide visibility into internal traffic, you’re essentially leaving the back door wide open.
- A Small Percentage of Devices Are Responsible for the Majority of Alerts
We found that just 4.7% of monitored hosts were responsible for 80% of the alert-worthy behavior. These outlier devices, often compromised IoT devices, outdated servers, or rogue endpoints, were the ones setting off the alarms. Attackers don’t always need to break into your network; they just need one weak link.
It’s not about securing everything. It’s about securing the small percentage of assets that matter most.
- DNS Is a Gateway for Attackers
One of the most overlooked vectors for cybercriminals is DNS. We observed numerous attempts to exfiltrate data using DNS tunneling, along with suspicious lookups for typosquatted domains and communication with command-and-control servers. This silent traffic can slip under the radar of traditional security solutions that don’t give DNS the attention it deserves.
If DNS isn’t a focus of your monitoring, you’re leaving a critical piece of the puzzle unsolved.
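DNS tunneling leaves a recognisable shape in query logs: one client sending many distinct, long, high-entropy subdomain labels under a single domain. The following triage script is an added example, not Redborder’s code; the query log, the domain names and the thresholds are all constructed for illustration, and it treats the last two labels as the registrable domain, a simplification that a production check would replace with a public-suffix list.

```python
"""Heuristic DNS-tunneling triage over a DNS query log (constructed sample data)."""
import math
from collections import defaultdict

# Constructed sample: (client_ip, queried_name). Ordinary browsing from 10.0.0.5,
# hex-chunk-in-label traffic from 10.0.0.7. Domains are placeholders, not real indicators.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.static.example.net"),
    ("10.0.0.7", "3f9a1c7e2b8d4a6f0e1c9b7a5d3f2e1c.x.tunnel-example.test"),
    ("10.0.0.7", "a81f2c4e9b7d6a5f3e2c1d0b9a8f7e6d.x.tunnel-example.test"),
    ("10.0.0.7", "c07b3e9d1f5a2c8e4b6d0a9f7e1c3b5d.x.tunnel-example.test"),
    ("10.0.0.7", "www.example.com"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted payload data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Return (payload_prefix, base_domain); base = last two labels (simplifying assumption)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_suspects(queries, min_unique=3, min_avg_len=30, min_entropy=3.0):
    """Group queries by (client, base domain) and flag groups whose prefixes look like
    many distinct, long, high-entropy chunks: data carried in labels rather than hostnames."""
    groups = defaultdict(set)
    for client, name in queries:
        prefix, base = split_name(name)
        if prefix:
            groups[(client, base)].add(prefix)
    suspects = []
    for (client, base), prefixes in groups.items():
        if len(prefixes) < min_unique:
            continue  # too few distinct labels to look like a data channel
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "domain": base, "unique_prefixes": len(prefixes),
                             "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return suspects

if __name__ == "__main__":
    for s in find_tunneling_suspects(SAMPLE_QUERIES):
        print(s)
```

Thresholds need tuning per network, since CDNs and some security products also legitimately emit long, random-looking labels; the client-plus-domain grouping is what keeps those from drowning out a single host talking to one unusual domain.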
- Cyber Threats Follow the Clock
Another striking pattern we observed was that suspicious activity spiked between 1:00 AM and 4:00 AM, the hours when few people are actively monitoring the network. This window is prime time for automated attacks and bots to carry out their work without attracting attention.
If your monitoring isn’t running 24/7, you’re leaving your network vulnerable to attacks during off-hours.
- Machine Learning Is More Than a Buzzword
Our machine learning-powered system flagged numerous threats that traditional security tools missed. By understanding what’s “normal” in the network over time, the system was able to identify anomalous behavior with precision. The key is training the algorithms on specific network patterns and behavior.
Machine learning isn’t just hype. When implemented correctly, it’s a game-changer that dramatically reduces false positives and uncovers threats in real time.
The Bottom Line
At the end of the day, the data doesn’t lie. The threats are inside your network, often hiding in plain sight. Our NDR solution is designed to reveal the hidden risks, stop threats before they escalate, and provide true network visibility. It’s time to stop reacting to threats and start preventing them.
Want to learn what your network is saying? Contact us today for a demo, and see how Redborder can transform your security posture.