The old line ‘What you don't know can't hurt you’ is dead wrong when it comes to network security. What you don't know is exactly what will hurt you. That is why full network visibility is so critical to protecting your business’ assets and avoiding compliance fines and investigations.
Did you know that since the COVID-19 pandemic began last year, there has been a 300% increase in cybercrimes reported to the FBI? Many of these attacks are aimed directly at the network, and Cisco predicts that by 2023, there will be 15.4 million DDoS attacks. In fact, even non-network specific attacks must traverse your network.
Compliance fines may be the least of your financial worries, as Verizon calculates that last year data breaches cost $3.86 million on average. Business leaders understand these issues, and 68% of them believe cybersecurity risks are indeed increasing, Accenture found.
That’s why you simply must know what your network consists of – including connections, segments, devices, and even applications and virtual machines. These elements are all at risk to the growing hordes of increasingly sophisticated cybercriminals. You can learn all you need to know at the Progress webinar – You Can't Protect What You Can't See.
“The challenge of visibility comes back to this; you cannot protect what you cannot see. Having comprehensive visibility across your network environments, whether this is on-premises or in the cloud, is fundamental to establishing and maintaining a robust security and compliance posture. In-depth visibility shows which business applications and underlying connectivity flows will be impacted by security rule changes, or planned server and device downtime. This is critical to understanding the impact on key applications when migrating or decommissioning servers or troubleshooting problems, and to avoiding costly outages,” argued Security Boulevard.
Of course network monitoring is part of an expert approach to IT security, one element in what should be a defense in-depth strategy – one absolutely essential element, however. Just as anti-malware and firewalls should cover all your assets, network monitoring should understand and track every network resource, and be aware when new ones come on line.
Shining the Light with Network Monitoring
Let’s talk about how network monitoring adds a critical layer of protection to your IT infrastructure. A good network monitoring solution spots changes in configuration that could indicate a breach, while network logs show exactly what happened, and what needs to be fixed. Breaches are spotted faster, or blocked, compliance exposure is reduced, and economic losses lessened or eliminated.
These breaches are more than a nuisance. 36 billion, yes billion, records were exposed by breaches in the first half of last year. And those that care about compliance should know that 58% of those breaches involved personal data, Verizon found.
Network Security Starts With Discovery
As our blog title indicates, you can’t protect a network you can’t see – or understand. That’s why the first thing a good network monitoring solutions does is network discovery. This finds all the bits and pieces, defines a profile, and creates an inventory. Even better, you can automate discovery so at a preselected time, the solution will find new network elements and devices on your network, then add them to the inventory. This way new devices, connections and network segments won’t be a new vulnerability for your environment.
Baseline Your Network To Know When Things Go Wrong
Your network visibility includes understanding how the network is set up when operating properly. This is your network baseline.
Your baseline should be comprehensive and encompass key performance and security benchmarks, such as utilization statistics for memory, CPU, interfaces and disk. Once these are established, you can set thresholds such as when a disk is near capacity and have alerts drawing attention problems which could indicate a security issue. For instance, overloaded devices could indicate a dangerous DDoS attack which requires immediate attention.
Another example is mining cryptocurrency, which while not necessarily a security event, can clog your network so much that it is unavailable. This mining often occurs during off hours when employees load up your network with bitcoin or other crypto processing tasks. CPU and memory monitoring can spot these activities, even when your shop is otherwise closed, and help you put an end to it.
In this case, first find your CPU baseline. Some servers run at 90% because they are used efficiently, so in these cases set the threshold higher. If your normal CPU load is around 50-60%, go ahead and set your threshold for an alert at 90%. You can monitor all your servers this way to spot suspicious behavior and get a sense of whether the devices are up to their current tasks.
All the discovery and baselining in the world won’t matter a lick if you aren’t alerted to problems. We just talked about alerts when CPUs or other network elements exceed thresholds. Alerts can be set for all manner of other things, such as performance issues, overloaded bandwidth, unusual behavior and myriad other items.
Alerts, however, need to be set up properly. First, you don’t want alerts for every single thing that seems the least bit out of the ordinary. Reports can track those, and when they rise to a critical level can turn into an alert. With alert overload, IT is distracted by trivial events, and can’t always pay attention to event that really matter.
Alerts shouldn’t be sent en masse to everyone that uses your network monitoring solution, but instead targeted based on responsibility, with server alerts going to the server team, application alerts going to that group, and bandwidth items going to those that manage your connections. Alerts can also have different levels of severity. Most alerts that you want to see, but aren’t emergencies, can go to email or collaboration solutions such as Slack, while critical items can be sent as a text for immediate attention.
Discover and Control Configuration
Did you know that Gartner says 80% of breaches are due to misconfiguration or other kind of admin mistake?
To gain access to networks, attackers often reconfigure services or hosts, and in the reconfiguration process make them temporarily unavailable. Network monitoring can spot the loss of service, and find the malicious reconfiguration – saving the day.
Fortunately, a good monitoring solution discovers and documents your configurations, and can even send alerts, email or texts depending on the severity of the configuration change. Even better, you can set up auto configurations that are based upon defined and proven policies – so you’ll know the configuration is done right. If you lose a configuration, or there are problems with it, automated backups ensure they are never truly lost, and can easily be restored to the proper settings.
Often configuration errors come from new set ups that stray from established proven norms. Your configuration inventory and automatic configurations takes care of these issues.
You can also set security policies such as enabling password encryption and ensuring policy compliance.
Network Traffic Analysis Finds DDOS, Data Exfiltration And Dark Web Use
Many security (and performance) problems relate to bandwidth, which is why Network Traffic Analysis is so important. With this, you can analyze NetFlow, NSEL, S-Flow, J-Flow, and IPFIX and gain comprehensive and granular details on what resources, departments, groups or even individuals are using the bandwidth. This analysis can spot unusual behavior, such as botnet attacks and network takeovers, exfiltration of data by cybercriminals, DDoS attacks, data mining which we discussed earlier, and even employees binge watching Netflix or Amazon Prime.
If you have a good baseline, monitoring real-time bandwidth usage shows when something is out of whack. And this function reports on historical bandwidth trends, so you’ll have a sense of when you need to upgrade the network.
Network Traffic Analysis is also key to security forensics, discovering unauthorized applications, tracking traffic volumes between specific pairs of source and destinations, and finding high traffic flows to unmonitored ports.
With WhatsUp Gold, you can alert administrators when users access the Dark Web, which folks of get to using Tor, the volunteer network of relays the Dark Web visitor can be routed through to remain anonymous. IT can monitor all network sources for known Tor ports, and spot or block access to the Dark Web.
Other Key WhatsUp Gold Network Monitoring Features
As you may have guessed, all the network monitoring features discussed in this blog are available in WhatsUp Gold from Progress Software. Here are three more you might be interested in.
NetFlow – With NetFlow capability, IT can easily and automatically analyze data from Cisco devices to analyze network behavior, spot security issues, and set up real-time alerts for network and security issues.
Log Management – Managing logs is critical to security, vital to adhering to compliance regulations, and essential to showing exactly what happened and what steps were taken when a security event occurred.
Scheduled Compliance Audits – What if your network monitoring solution also came with the ability to regularly run audits the way SOX, HIPAA, PCI and FISMA need them run? WhatsUp Gold does!
Learn All About Network Visibility
Sit back and let Progress experts teach you all you need to know about network visibility at our webinar – You Can't Protect What You Can't See.
There’s a lot more in WhatsUp Gold 2021, but only so much space here. You can find all the details in the WhatsUp Gold 2021 Release Notes. You can learn more about what’s new in WhatsUp Gold at our What's new page or try it yourself for free. Check out our What's New with WhatsUp Gold 2021 Webinar.