For most IT organizations, the network monitoring tool is an essential, even central part of the IT toolkit. Network monitoring tools play an important role in letting IT pros know where issues exist before helpdesk tickets start coming in, keeping the IT team aware of problems with service, networks, application performance, and more.

But despite its reputation as an IT Swiss-Army Knife, there is one area where Network Monitoring tools are rarely used to their full potential: Security.

And that’s a shame because, with a little tweaking and creative thinking, you can put the information, alerts, and reports that network monitoring tools are designed to give to work beefing up your security posture.

Think of it this way: if your network monitoring tools monitor the health of your network, and security events such as attacks or malware adversely affect the health of your network, then network monitoring tools can, in a sense, monitor for security events.

What’s more, because these tools are already in place, they can provide security value at a relatively low cost.

Now, I’m not here to tell you that network monitoring software can solve all of your security needs, wants, and issues. That’s not what it’s built for, and that that’s not what it does. What I can say, is that when properly configured, a good network monitoring solution can be a powerful assist to your regular security regiment. And, for organizations without the resources for a full-fledged SIEM and SOC, the tips below can be a good stop-gap solution for alerting on some critical issues.

Network Discovery and Inventory

Network discovery is the first step in setting up a network monitoring system, and it’s also an essential tool for getting security value out of your set up.

That’s because having an inventory of the devices on your network, and their typical profiles, is an integral part of any security program. Not only network discovery and inventory give you the ability to recover after a disaster, but it can also help you understand where data has been compromised and will provide you with a better understanding of sensitive areas, such as servers where regulated information is stored or transmitted.

A capable network monitoring tool will have the ability to set up scheduled SNMP-based or system-specific discoveries on a regular basis, which will help you stay on track of changes in your environment and find new devices on your network. You can also perform ad hoc discoveries when things don’t seem right. With WhatsUp Gold, you can even set up notifications and alerts via email or Slack when a discovery finds unexpected devices.

Setting Baselines for Security

As in dance music, a good baseline is essential. To tell when things are going wrong with your network, you must first know how things look when they’re going right.

The best practice is to establish baselines for as many metrics as possible. With performance monitors, you can track metrics like CPU, memory, disk or interface utilization, establish benchmarks, and set alerts for when those baseline thresholds are surpassed. This can tip you off to many security issues.

For example, mining cryptocurrency is a significant resource hog, which should make the machines doing it stand out. This is especially true in off-business hours, like evenings and weekends when most devices will be less active, but those with crypto miners installed will continue using resources at a higher rate. Likewise, if a machine in the marketing department that typically uses 30% of its CPU is suddenly using 100% all-day, you know you’ve got a problem

With a modern network monitoring tool, you can monitor for CPU spikes and set up alerts for when CPU usage exceeds 90 percent (or any other threshold you want). This is an easy way to keep track of your machines and find out if there’s anything strange going on.

In WhatsUp Gold, monitoring for CPU spikes is a preset configuration, and blackout policies can be used to limit monitoring to off-business hours if so desired.

Finding Data Exfiltration and DDoS Attacks, and Dark Web Use with Network Traffic Analysis

The most apparent crossover security capability of any network monitoring tool is Network Traffic Analysis, which analyzes NetFlow, NSEL, S-Flow, J-Flow, and IPFIX records to give you granular details about who—or what— is consuming your bandwidth. This can alert you to a lot of unusual behavior, from on-the-clock Netflix binges to machines compromised by botnets, to hackers exfiltrating data.

By monitoring real-time bandwidth usage in comparison to historical bandwidth trends, Network Traffic Analysis can even identify security issues like DDOS attacks. When it comes to security forensics, NTA can be your best friends by automatically identifying high traffic flows to unmonitored ports, exposing unauthorized applications, and monitoring traffic volumes between pairs of source and destinations.

WhatsUp Gold 2018 can even alert administrators when users access the Dark Web (Tor) with a feature that monitors all Network Traffic Analyzer Sources and can alert admins when any host exceeds a configurable number of connections to known Tor ports during a set period. This allows administrators to control access to the Dark Web by their users.

Discovering Configuration Changes

In the process of gaining access to networks, attackers often employ techniques that can reconfigure services or hosts, or even make them temporarily unavailable. Luckily, these are exactly the conditions that network monitoring tools are designed to look for and alert on.

With a modern network monitoring tool, you can set up email notifications and alerts for changes to the configuration of network devices, and audit configuration against defined policies. WhatsUp Gold also lets users view and compare device configurations in the device properties page, and if configurations are lost, you can automate network device configuration backups for any device that supports Telnet or SSH.

Alerting: The Crucial Last Step

Of course, none of this matters without a robust alerting system that can let you and your coworkers know as soon as things start to go awry. As discussed above, most network monitoring tools allow you to set threshold alerts for unusual behavior, resource usage, or bandwidth usage, but none of that is worth anything if those alerts don’t get to the person they’re intended for.

A thousand in app alerts won’t help anyone if the person who needs to see them is away from her desk. That’s why its essential to have multiple options for alerting, such as email or Slack messages, so that your alerts can work as intended, wherever your team is.

Jeff Edwards

About Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.


Leave a Comment