Someone in your organization is downloading high-bandwidth material. You are aware of unusual spikes in bandwidth consumption, and you have experience reading the traffic statistics provided by your flow collection and analysis system. So you will eventually become bothered enough to dig deeply and correlate data from various logs to determine whether there is a clear pattern and, if so, how to address it: essentially, either by managing bandwidth to accommodate legitimate consumption or by shutting down prohibited consumption.
In this case, though, you don't have the luxury of waiting until you are bothered enough. Instead you discover the problem through cease-and-desist warnings issued by copyright holders under the Digital Millennium Copyright Act (DMCA). In short, the internal downloader is pulling down copyrighted material through torrent sites.
Not only is the downloader flouting company policy, which explicitly disallows bandwidth-intensive downloads unrelated to business purposes, but he is also exposing your company to scrutiny from industry enforcement, which may require billable hours from the company's legal counsel to manage.
Our bandwidth pirate is smart enough to know a current blind spot in the IT team's monitoring: flow collection and analysis tools by themselves, even though they clearly identify the endpoints involved in bandwidth-intensive network conversations, cannot tell you unambiguously which user is behind those sessions.
Collecting and analyzing flow data remain necessary for monitoring any network with tight bandwidth constraints, despite the blind spot examined here. Keep in mind one important consideration when setting up flow monitoring: managing flow data well becomes increasingly important as traffic grows faster than network resources.
Matching Users, Connections, and Endpoint Traffic
Let's assume, as is often enough the case, that for business reasons you cannot simply use the firewall to block all torrent-related traffic on your network.
To actually find your pirate, you need to know which users are behind specific network activity. So you need a tool that correlates user login data and MAC/IP address bindings with traffic activity.
SolarWinds User Device Tracker (UDT) is a tool that offers exactly these correlations on a network that uses an Active Directory domain controller to manage user access. Explore UDT's resources in this live demo, and see the administrator's guide for detailed information on how to get things done with UDT.
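To make the correlation concrete, here is an added illustration (not code from the original post or from UDT) of joining three record types a network team already has: flow export (source IP and bytes), DHCP leases (IP to MAC binding over time), and domain logon events (account and the IP it logged on from). All sample records are constructed. The join is time-aware: a logon only counts if it falls inside the DHCP lease that covered the address when the traffic was seen, so a stale logon from the address's previous holder is not attributed to the wrong person.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records (not from any real network).
# Flow export: (time, source IP, destination port, bytes).
FLOWS = [
    ("2024-03-04 10:05:00", "10.0.1.23", 6881, 850_000_000),
    ("2024-03-04 10:07:00", "10.0.1.23", 6881, 920_000_000),
    ("2024-03-04 10:06:00", "10.0.1.40", 443, 12_000_000),
    ("2024-03-04 12:05:00", "10.0.1.23", 443, 5_000_000),
    ("2024-03-04 14:30:00", "10.0.1.23", 443, 3_000_000),
]
# DHCP leases: (start, end, IP, MAC). Note 10.0.1.23 changes hands at 12:00.
LEASES = [
    ("2024-03-04 08:00:00", "2024-03-04 12:00:00", "10.0.1.23", "aa:bb:cc:00:00:01"),
    ("2024-03-04 12:00:00", "2024-03-04 18:00:00", "10.0.1.23", "aa:bb:cc:00:00:02"),
    ("2024-03-04 08:00:00", "2024-03-04 18:00:00", "10.0.1.40", "aa:bb:cc:00:00:03"),
]
# Domain logon events: (time, account, source IP of the logon).
LOGONS = [
    ("2024-03-04 08:05:00", "CORP\\alice", "10.0.1.23"),
    ("2024-03-04 08:07:00", "CORP\\carol", "10.0.1.40"),
    ("2024-03-04 12:10:00", "CORP\\bob", "10.0.1.23"),
]

def user_for(ip, when, leases=LEASES, logons=LOGONS):
    """Attribute traffic from `ip` at `when` to (account, mac), or None."""
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and ts(start) <= when < ts(end):
            break
    else:
        return None                      # no IP/MAC binding on record
    # Only logons from this IP inside the current lease count: an older logon
    # belongs to whoever held the address before it was reassigned.
    hits = [(ts(t), acct) for t, acct, src in logons
            if src == ip and ts(start) <= ts(t) <= when]
    return (max(hits)[1], mac) if hits else None

def heavy_talkers(flows=FLOWS, threshold=100_000_000):
    """Total bytes per attributed user (or per unattributed IP) above threshold."""
    totals = {}
    for t, src, _dport, nbytes in flows:
        key = user_for(src, ts(t)) or ("<unattributed>", src)
        totals[key] = totals.get(key, 0) + nbytes
    return sorted(((k, v) for k, v in totals.items() if v >= threshold),
                  key=lambda kv: -kv[1])
```

The 12:05 flow is deliberately left unattributed: the lease has already moved to a new MAC but no one has logged on from it yet, which is exactly the gap a naive IP-to-last-logon lookup would fill with the wrong name.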