Your network is the most complex and vulnerable part of your entire IT universe, and the center of everything. Knowing its topology and elements and understanding what is happening on your data roadway is key to protecting this fundamental resource.
This involves Network Monitoring — and proper Network Monitoring arguably equals network security. Here are five ways Network Monitoring gets the network security job done.
Defusing Advanced Persistent Threats
There are few things a security executive hates more than a problem that is allowed to linger, and advanced persistent threats (APTs) are at the top of that CISO list. These are not brute force attacks, but carefully targeted exploits that tend to go after your organization’s most valuable targets, such as high-level executives.
The idea is to crack these individuals’ credentials to gain their admin privileges — without being noticed. Once in, the cybercriminal can do anything that a high-level employee can, such as wandering around your network until (or if) they are discovered.
So, what do these hackers do? Oh, just steal your most valuable data, or use their foothold in your organization as a base for attacking others, that’s all.
Defense in depth and security best practices help limit APT damage, but they can’t always stop the truly sophisticated hackers. Network Monitoring can identify APTs early by watching for several telltale attack indicators and attack types, including:
Backdoor Trojans: Hackers reckon their APT exploits will eventually be discovered, but rather than sacrifice their fought-for network access, they simply install backdoor Trojan horse malware on other endpoints giving them multiple routes of entry. One door opens when another door closes, so to speak. Constantly looking for these Trojans, often by spotting odd network behavioral changes, is critical.
Data Abnormalities: Excessive inbound data is one sign of an APT attack — but did you know abnormal outbound flows can indicate the same thing? IT should monitor for unusual outbound data movement. This could mean your data is leaving your network, and into the eager hands of criminals.
Off-Hours Login Attempts: A rash of login attempts when your shop is otherwise closed is a key APT indicator. While they seem to be from employees, they can be criminals posing as staffers trying to obtain that person’s privileges and access. Often these logins come from different parts of the world and different time zones, especially when it is organized hacker groups or state-sponsored actors trying to get in. Once that account is cracked, logins will continue from these remote geographies.
Shadow Bits of Infrastructure: End users aren’t the only ones that install Shadow IT. Hackers set up nefarious bits of Shadow IT inside the networks that connect with their external command-and-control servers.
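The off-hours login indicator above can be turned into a concrete check. The following is an added example, not code from the original post or from WhatsUp Gold: it groups constructed login events per account and flags accounts with a rash of off-hours attempts from more than one country, noting when a failed attempt is later followed by a success. Business hours (08:00 to 18:59 local time) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not from the original page): local-time
# timestamp, account, source country, and whether the login succeeded.
SAMPLE_LOGINS = [
    ("2024-03-04T09:12:00", "cfo", "GB", True),
    ("2024-03-04T17:40:00", "cfo", "GB", True),
    ("2024-03-05T02:03:00", "cfo", "RO", False),
    ("2024-03-05T02:04:00", "cfo", "RO", False),
    ("2024-03-05T02:06:00", "cfo", "RO", True),
    ("2024-03-05T03:15:00", "cfo", "BR", True),
    ("2024-03-04T10:00:00", "analyst", "GB", True),
    ("2024-03-04T23:30:00", "analyst", "GB", True),
]

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as on-hours (assumption)


def off_hours_login_report(logins, min_off_hours=3, min_countries=2):
    """Flag accounts showing the APT pattern: several off-hours login
    attempts coming from more than one country.

    Returns {account: {"off_hours": n, "countries": [...],
                        "failed_then_success": bool}} for flagged accounts.
    """
    per_user = defaultdict(list)
    for ts, user, country, ok in logins:
        hour = datetime.fromisoformat(ts).hour
        if hour not in BUSINESS_HOURS:
            per_user[user].append((ts, country, ok))

    report = {}
    for user, events in per_user.items():
        events.sort()  # chronological order
        countries = sorted({c for _, c, _ in events})
        # a failure followed later by a success is the "account cracked" moment
        failed_seen = cracked = False
        for _, _, ok in events:
            if not ok:
                failed_seen = True
            elif failed_seen:
                cracked = True
        if len(events) >= min_off_hours and len(countries) >= min_countries:
            report[user] = {"off_hours": len(events), "countries": countries,
                            "failed_then_success": cracked}
    return report
```

On the sample data only the "cfo" account is flagged: four night-time attempts from two countries, with the first success following two failures.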
Learn more about APT and other threats by reading 4 Ways to Strengthen Data Security with Network Monitoring.
Find Breaches Fast
It only takes a minute or two (sometimes a second or two) for a sophisticated hacker to breach a network. On the other hand, it takes on average 287 days to discover, identify, and contain a data breach. “Data breaches that took longer than 200 days to identify and contain cost on average $4.87 million, compared to $3.61 million for breaches that took less than 200 days. Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in the previous report,” according to the 2021 IBM Cost of a Data Breach Report.
Network Monitoring slashes this discovery period by helping IT understand how the network is structured and operates – showing this through an array of metrics. When things start to get squirrelly, a Network Monitoring system can alert IT right away. This is vital for quick mitigation but also critical for security forensics and the development of new defenses.
Much of this speaks to how networks are hacked in the first place, which often involves the reconfiguration of devices, hosts, and services — exactly what Network Monitoring tools are already looking for.
When something goes awry, Network Monitoring solutions send out email or text alerts about changes to the configuration of applications, services, and network devices.
Derailing DDoS and Other Network Swamping Attacks
A great way to discover — and indeed stop — Distributed Denial of Service (DDoS) and other attacks that overwhelm the network is Network Traffic Analysis, which analyzes items such as NetFlow, NSEL, sFlow, J-Flow, and IPFIX records and shows in granular detail who — or what — is using up all your bandwidth. This way, IT is alerted not just to relatively harmless unusual behavior (a Netflix marathon, say) but, more importantly, to the sinister world of machines compromised by botnets and cybercriminals exfiltrating your data.
Network flow monitoring tracks real-time bandwidth use and captures historical bandwidth trends. Through both, network flow monitoring proactively discovers problems such as DDoS attacks, unauthorized downloading, and malicious network behavior. Like Network Monitoring on a macro level, network flow monitoring is likewise invaluable to performing security forensics. For instance, it can automatically identify high traffic flows to unmonitored ports, monitor traffic volumes between pairs of source and destinations, and detect failed connections.
Network flow monitoring is adept at spotting unusual patterns in ingress or egress traffic (such as when a machine pings an unknown or suspicious IP address). These anomalies can indicate activity by bad actors, which can be further detailed by identifying the IP addresses involved, the number of packets sent, the bytes per packet, and just how long this activity has been going on.
Since most network traffic is short-lived, consisting of relatively few decently sized packets, traffic outside of these parameters is suspicious. So, if one of your servers is sending small volumes of bytes via a large number of packets over a long period of time, it should raise suspicions, especially if this traffic occurs during off-hours.
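The "low and slow" flow shape described above (many packets, few bytes per packet, sustained for hours, worse if off-hours) can be scored directly from flow records. This is an added example, not code from the original post or from any flow-analysis product: it works on constructed flow summaries with the fields a NetFlow or IPFIX record carries, derives a bytes-per-packet baseline from the flow set, and returns the flows that match, with reasons. Field names, thresholds, and the business-hours range are assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Flow:
    src: str
    dst: str
    start_hour: int   # local hour at which the flow started
    duration_s: int
    packets: int
    bytes: int

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


# Constructed sample flow records (not from the original page).
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 10, 4, 1_500, 1_800_000),          # file copy: fat packets, short
    Flow("10.0.1.21", "203.0.113.9", 14, 1800, 60_000, 90_000_000),  # streaming: long, but fat packets
    Flow("10.0.1.30", "198.51.100.77", 2, 7200, 40_000, 2_400_000),  # tiny packets, many, hours, 2 AM
    Flow("10.0.1.31", "10.0.2.5", 11, 3, 20, 12_000),                # ordinary short request
]


def baseline_bpp(flows):
    """Median bytes per packet across the observed flows: the 'normal' packet size."""
    return median(f.bytes_per_packet for f in flows)


def flag_low_and_slow(flows, min_duration_s=3600, min_packets=10_000,
                      max_bpp=None, business_hours=range(8, 19)):
    """Return [(flow, reasons)] for flows that are long-lived AND consist of many
    small packets; an off-hours start is recorded as an aggravating factor.
    max_bpp defaults to a quarter of the baseline packet size."""
    if max_bpp is None:
        max_bpp = 0.25 * baseline_bpp(flows)
    flagged = []
    for f in flows:
        reasons = []
        if f.duration_s >= min_duration_s:
            reasons.append("long-lived")
        if f.packets >= min_packets and f.bytes_per_packet <= max_bpp:
            reasons.append("many small packets")
        if len(reasons) == 2:  # both the duration and the packet shape are unusual
            if f.start_hour not in business_hours:
                reasons.append("off-hours")
            flagged.append((f, reasons))
    return flagged
```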
Stop Rogue Insiders
Many think of network threats as coming from the outside, but insider threats can be more insidious, damaging, and harder to spot. Fortunately, Network Monitoring, including tracking NetFlows, is very valuable in identifying suspicious behavior.
Not all spikes in user activity are signs of trouble. But if you spot sudden and dramatic increases in activity and resource usage such as CPU load, while at the same time being alerted to suspicious activity such as communicating with suspicious IP addresses, this is a clear cause for alarm.
Improving Network Security Posture
By tracking activity and defining topology, Network Monitoring generates deep insights which become actionable when turned into alerts and reports. This knowledge helps IT significantly boost and maintain their network’s security posture. It’s simple, really. Network Monitoring solutions track your network’s health. Attacks, malware, and other incursions harm your network’s health. That is how network monitoring watches for and identifies security events.
A good Network Monitoring solution provides deep visibility into network traffic, showing which applications, users, and protocols are consuming the most bandwidth. With a baseline set, IT can be alerted to spikes and unusual usage that are telltale signs of an attack.
Case Study: How Emovis UK Eliminates Cyber Blind Spots
Emovis UK is a highway infrastructure company that builds tolling systems that allow for free-flowing traffic. When Emovis looked for a Network Monitoring solution to address the cyber security blind spots it was experiencing with the 400 servers it managed, it turned to Progress WhatsUp Gold for full network visibility and a sophisticated alerting system that reports network issues and their rectification, eliminating cyber blind spots while also delivering significant cost savings.
WhatsUp Gold provided the team with a much more advanced alerting system. “Progress WhatsUp Gold gives us visibility into all of our infrastructures and has allowed us to start monitoring our applications, Web services, and switches. We support Infrastructure 24/7, and we have a lot of IIS boxes with web services running. We need to know if something goes down. With WhatsUp Gold we’ve started monitoring event logs, application pools, and WMI metrics,” said James Scott, Head of Infrastructure Team, Emovis UK.
With WhatsUp Gold, Emovis is able to respond more quickly to incidents when they arise, ensure that the same incidents don’t keep recurring, and have the peace of mind that when issues are rectified the team will be notified and their incident management platform will be automatically updated to reflect the current status.
Four Ways Network Monitoring Makes CISOs Happy
Here are four often overlooked ways WhatsUp Gold keeps networks safe:
Configuration Change Management (CCM) — Misconfiguration is the main source of data breaches. With CCM, you can go to a previously backed-up state in the event of a problem or security event, set security policies such as enabling password encryption and ensure compliance with these security policies.
NetFlow — With NetFlow capability, IT can easily and automatically analyze data from Cisco devices to analyze network behavior, spot security issues, and set up real-time alerts for network and security issues.
Log Management — Managing logs is critical to security, vital to adhere to compliance regulations, and essential to show exactly what happened and what steps were taken when a security event occurred.
Scheduled Compliance Audits — What if your network monitoring solution also came with the ability to regularly run audits the way SOX, HIPAA, PCI, and FISMA need them run?