In most IT organizations, network monitoring is an essential piece of the IT toolkit. Network monitoring tools play an important role in giving IT pros complete visibility into the status of network devices, systems and applications. This makes it possible to identify where issues exist before help desk tickets start coming in, keeping the IT team aware of problems with services, networks, application performance and more.
Having said that, network monitoring tools are rarely used to their full potential. And that’s too bad, because the data and insights generated by network monitoring can easily be put to good use for security purposes.
With a little tweaking and creative thinking, all of the information, alerts, and reports that network monitoring tools generate can be used to strengthen an organization’s security posture.
Think of it this way: if your network monitoring tools watch the health of your network, and security events such as attacks or malware adversely affect the health of your network, then network monitoring tools can, in a sense, monitor for security events.
Discover Breaches Faster by Knowing Your Network
It doesn’t take long for hackers to break into networks. Often it can be a matter of minutes or even mere seconds, but what matters most is what happens after they break in and the amount of time they’re afforded to move about in your network or systems.
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), 68% of data breaches take months or longer to discover, giving hackers plenty of time to escalate their privileges, observe your network and look around for further vulnerabilities and valuable information.
A properly configured network monitoring solution can cut this discovery period drastically by giving you an understanding of how your network works and where key metrics typically stand.
When things go awry and your metrics start drifting from their usual values, your network monitoring system can alert you that something is up. This capability makes network monitoring tools useful for security forensics because, in the process of gaining access to networks, attackers often employ techniques that reconfigure services or hosts, or even make them temporarily unavailable, which are precisely the kinds of conditions that network monitoring tools are designed to look for and alert on.
Even something as simple as a machine going down, or a port opening that is not supposed to be open, can tip you off. With a modern network monitoring tool, you can set up email notifications and alerts for changes to the configuration of network devices and audit configuration against defined policies.
Detect Cryptominers Using Your Resources
Cryptojacking, or hijacking other people’s processing power and using it to mine cryptocurrencies, is a growing trend amongst cybercriminals. This is typically achieved with scripts that run behind the scenes on websites, though it’s also possible to hijack machines and servers to run full-blown cryptocurrency mining software, installed either by malware or by rogue employees.
For the perpetrators, the benefit is obvious: they can mine cryptocurrencies without worrying about the taxing resource usage that comes with such activity, and if their victims are unprepared, it’s easy to get away undetected.
Regardless of the method used, mining cryptocurrency is going to be a major resource hog, which will make the machines being used stand out. This is especially true in off-business hours when most machines will be less active.
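One way to turn the resource-hog observation into a check, as an added example that is not part of the original article: each host's off-hours CPU samples are compared against that host's own off-hours median, and a host is flagged only when it stays far above it for several consecutive samples. The host names, timestamps and CPU values are constructed, and the 08:00 to 18:00 weekday business window and the thresholds are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed hourly CPU samples (hypothetical data), one list per host,
# as (ISO timestamp, cpu_percent); a monitoring tool would export these.
SAMPLES = {
    "ws-fin-07": [
        ("2024-03-04T10:00", 35), ("2024-03-04T22:00", 4), ("2024-03-05T02:00", 3),
        ("2024-03-05T14:00", 41), ("2024-03-05T23:00", 2), ("2024-03-06T01:00", 5),
        ("2024-03-06T03:00", 3), ("2024-03-09T03:00", 97), ("2024-03-09T04:00", 98),
        ("2024-03-09T05:00", 96),
    ],
    "ws-mkt-12": [
        ("2024-03-04T10:00", 22), ("2024-03-04T22:00", 3), ("2024-03-05T02:00", 2),
        ("2024-03-05T23:00", 4), ("2024-03-06T01:00", 3), ("2024-03-09T03:00", 15),
    ],
}

def is_off_hours(ts: str) -> bool:
    """Assumed business window: 08:00-18:00 on weekdays; anything else is off-hours."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() >= 5 or dt.hour < 8 or dt.hour >= 18

def find_cryptominer_suspects(samples, sustained=3, min_cpu=80.0, margin=30.0):
    """Return {host: [timestamps]} for hosts whose off-hours CPU stays at or above
    max(min_cpu, own off-hours median + margin) for `sustained` samples in a row."""
    suspects = {}
    for host, rows in samples.items():
        off = [(ts, cpu) for ts, cpu in rows if is_off_hours(ts)]
        if len(off) < sustained:
            continue  # not enough off-hours history to judge this host
        baseline = median(cpu for _, cpu in off)  # median tolerates a few spikes
        threshold = max(min_cpu, baseline + margin)
        run = []  # consecutive off-hours samples above threshold
        for ts, cpu in off:
            run = run + [ts] if cpu >= threshold else []
            if len(run) >= sustained:
                suspects[host] = run
                break
    return suspects

if __name__ == "__main__":
    for host, when in find_cryptominer_suspects(SAMPLES).items():
        print(f"{host}: sustained off-hours CPU at {', '.join(when)}")
```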
Detect DDoS Attacks and Anomalous Network Behavior with Network Traffic Analysis
The most apparent crossover security capability of any network monitoring tool is Network Traffic Analysis, which analyzes NetFlow, NSEL, sFlow, J-Flow and IPFIX records to give you granular details about who or what is consuming your bandwidth. This can alert you to a lot of unusual behavior, from on-the-clock Netflix binges, to machines compromised by botnets, to hackers exfiltrating data.
By monitoring real-time bandwidth usage and historical bandwidth trends, network flow monitoring can proactively identify security issues like DDoS attacks, unauthorized downloading and other suspicious and potentially malicious network behavior. Network flow monitoring can be your best ally for performing security forensics and analysis by automatically identifying high traffic flows to unmonitored ports, exposing unauthorized applications like file sharing and video streaming, monitoring traffic volumes between pairs of sources and destinations, and detecting failed connections.
Unusual patterns in ingress or egress traffic (such as when a machine pings an unknown or suspicious IP address) are good indicators of the presence of bad actors. We find that the majority of the traffic on a given network is fast, with relatively few packets of decent size. If a server begins to send small volumes of bytes via a large number of packets over a long time period, it is likely to be suspicious traffic. Unusual traffic should be treated with great caution during off-business hours such as nights or weekends.
Stop Rogue Users from Exfiltrating Data and Selling your Secrets
While outsiders account for the majority of cyber-attacks, that doesn’t mean they’re the only threat. Insider attacks also account for a large proportion of attacks and data thefts. In fact, according to Verizon’s 2018 DBIR, 28% of all attacks involved insiders.
But managing insider threats can be one of the most difficult areas of cybersecurity. Identity and Access Management controls are a good start, but it’s also important to utilize the tools you already have, such as activity and NetFlow monitoring, to search for suspicious behavior. Sometimes an increase in user activity is completely explainable, but it can also indicate something more concerning. Some users may work from home to complete projects, which shouldn’t immediately be seen as suspicious behavior, while others may have work that calls for intensive GPU or CPU usage. That said, if an employee shows sudden and dramatic increases in activity and resource usage combined with suspicious activity, that should be cause for concern.
For example, if a member of your marketing team whose job usually involves handling social media and scheduling events is suddenly using 10 percent of the company’s GPU 24 hours a day, seven days a week, that’s a good indicator that either there’s inefficiency at work or the machine in use has been compromised. If an employee is communicating with suspicious IP addresses, that can be another cause for concern. And traffic from Tor clients would be a major cause for investigation.
For the situations above, what you need is a solution that alerts administrators when users access the dark web (Tor): one that monitors all Network Traffic Analyzer sources and raises an alert when a host exceeds a configurable number of connections to known Tor ports during a set period. This lets administrators control their users’ access to the dark web.
Solutions that provide complete visibility into the status of network devices, systems, and applications, and that show network devices, servers, virtual machines, cloud and wireless environments in context, are the need of the hour.
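The two flow-based checks described above, as an added example that is not part of the original article: the "small volumes of bytes via a large number of packets over a long period" pattern, tagged when it happens off-hours, and the count of a host's connections to known Tor ports against a configurable limit, evaluated over the batch of records passed in (the "set period"). The flow records and addresses are constructed, the business window is assumed, and the Tor port set is assumed to be Tor's default ORPort and DirPort.

```python
from collections import Counter
from datetime import datetime
from typing import NamedTuple

class Flow(NamedTuple):
    ts: str         # flow start, ISO 8601
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int
    duration_s: int

# Constructed flow records (hypothetical hosts and documentation-range addresses),
# shaped like what a NetFlow/IPFIX collector would export.
FLOWS = [
    Flow("2024-03-05T09:12", "10.0.1.20", "10.0.5.5", 445, 1200, 1_500_000, 40),
    Flow("2024-03-05T09:30", "10.0.1.21", "203.0.113.9", 443, 80, 90_000, 12),
    Flow("2024-03-06T02:05", "10.0.1.33", "198.51.100.7", 443, 9000, 540_000, 3600),
    Flow("2024-03-05T11:00", "10.0.1.40", "192.0.2.10", 9001, 30, 12_000, 5),
    Flow("2024-03-05T11:02", "10.0.1.40", "192.0.2.11", 9030, 20, 8_000, 3),
    Flow("2024-03-05T11:05", "10.0.1.40", "192.0.2.12", 9001, 25, 9_000, 4),
]

TOR_PORTS = {9001, 9030}  # assumed: Tor's default ORPort and DirPort

def is_off_hours(ts: str) -> bool:
    """Assumed business window: 08:00-18:00 on weekdays."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() >= 5 or dt.hour < 8 or dt.hour >= 18

def slow_drip_flows(flows, max_avg_bytes=100, min_packets=1000, min_duration=600):
    """Long-lived flows made of many small packets (assumed thresholds)."""
    return [f for f in flows
            if f.packets >= min_packets and f.duration_s >= min_duration
            and f.bytes / f.packets <= max_avg_bytes]

def tor_port_offenders(flows, max_conns=2, tor_ports=TOR_PORTS):
    """Source hosts with more than max_conns connections to known Tor ports."""
    counts = Counter(f.src for f in flows if f.dport in tor_ports)
    return {host: n for host, n in counts.items() if n > max_conns}

def review(flows):
    """Return (host, reason) alerts for both checks."""
    alerts = []
    for f in slow_drip_flows(flows):
        alerts.append((f.src, "slow-drip" + (" off-hours" if is_off_hours(f.ts) else "")))
    for host, n in tor_port_offenders(flows).items():
        alerts.append((host, f"tor-ports:{n}"))
    return alerts
```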