
Network monitoring – enjoy a useful cyber-sentinel

May 18, 2016


In-depth cyber defense sees the process of stopping attacks as only half of the protection activity. Going to the root of the incident or event, and thus preparing the system to fend off similar situations in the future, is the complementary defensive move that completes any cyber-shield. Since an ongoing event can only be analyzed from the moment of its detection onward, a complete security intelligence analysis is possible only if the system has benefited from some form of continuous network monitoring whose logs have been saved and filed.

In network security, monitoring of network status and events has precisely this role: future threats become avoidable once they have been characterized against the normal state of the network and correlated with similar events recorded earlier.

Network monitoring – determining the steady network state

Determining what defines normality for each particular network is not possible in a short time span. Networks support various operations, and depending on the organization these may follow daily, weekly, monthly or multi-month repetitive cycles.

As we mentioned in our material on user behavior analytics, when setting up a monitoring activity the professionals must first establish a reference state, against which abnormalities or unusual behaviors will then be detected. The same applies to tracking activities, whose aim is to link specific behaviors to their authors.

Tracking and monitoring network activities pertains to network surveillance, and companies perform these activities to detect insider threats and/or other types of potential threats.

Network monitoring as a passive/active security solution

Whenever the tools employed in monitoring warn the system managers of potential security events but do not protect the network by default, the monitoring system is considered passive. It can only write an event log entry, display an alert or even page a system administrator, depending on its preset configuration.

When, upon detecting abnormal activity, the security tool takes action and contains the suspicious activity area, or takes another action to protect the network or respond to the potential threat, the monitoring system is active.

This dual typology is clearly explained here, as well as exemplified with an intrusion detection system (IDS) versus an intrusion prevention system (IPS). These kinds of tools can be either network-based or host-based, but the examples nevertheless serve to underline the passive/active nuance that comes from the tool's structure, its configuration settings and ultimately the purpose intended by the system administrator.

When the network monitoring activity is meant to be discreet, it will most likely be passive, or at most trigger silent responses, while an active monitoring activity is set to react to the activities or events that qualify as potential threats.
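The following is an added example, not code from the original article or from any of the products it mentions. It illustrates the two ideas from the sections above in one place: a reference state is first built from a training window (here a constructed week of per-host daily connection counts, with hypothetical host names), today's counts are then compared against that baseline, and the same detector runs either passively (it only returns findings) or actively (it also hands each finding to a caller-supplied response callback). The thresholds `k` and `min_delta` are assumptions chosen for the example; the `min_delta` guard exists so that a host whose baseline is almost constant is not flagged for a trivial absolute change.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional, Tuple

# Constructed training data (hypothetical hosts and counts): daily outbound
# connection counts per host over one week, standing in for the "reference
# state" the article says must be established before monitoring begins.
TRAINING: List[Tuple[str, str, int]] = [
    ("2016-05-09", "ws-01", 120), ("2016-05-09", "ws-02", 80), ("2016-05-09", "srv-db", 15),
    ("2016-05-10", "ws-01", 118), ("2016-05-10", "ws-02", 85), ("2016-05-10", "srv-db", 16),
    ("2016-05-11", "ws-01", 125), ("2016-05-11", "ws-02", 78), ("2016-05-11", "srv-db", 15),
    ("2016-05-12", "ws-01", 122), ("2016-05-12", "ws-02", 82), ("2016-05-12", "srv-db", 14),
    ("2016-05-13", "ws-01", 119), ("2016-05-13", "ws-02", 79), ("2016-05-13", "srv-db", 15),
    ("2016-05-14", "ws-01", 121), ("2016-05-14", "ws-02", 84), ("2016-05-14", "srv-db", 16),
    ("2016-05-15", "ws-01", 123), ("2016-05-15", "ws-02", 81), ("2016-05-15", "srv-db", 15),
]

# Constructed observations for the day being monitored. ws-99 has never been
# seen before, which is itself a deviation from the reference state.
TODAY: Dict[str, int] = {"ws-01": 124, "ws-02": 410, "srv-db": 22, "ws-99": 50}

Baseline = Dict[str, Tuple[float, float]]  # host -> (mean, population std dev)
Finding = Dict[str, object]


def build_baseline(records: List[Tuple[str, str, int]]) -> Baseline:
    """Summarise each host's daily counts as mean and standard deviation."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for _day, host, count in records:
        per_host[host].append(count)
    return {host: (mean(c), pstdev(c)) for host, c in per_host.items()}


def deviation(baseline: Baseline, host: str, observed: int) -> Optional[float]:
    """Distance from the host's reference state in standard deviations.
    None means the host has no baseline at all (new or previously unseen)."""
    if host not in baseline:
        return None
    avg, sd = baseline[host]
    delta = observed - avg
    if sd == 0:  # constant history: any increase is infinitely unusual
        return float("inf") if delta > 0 else 0.0
    return delta / sd


def monitor(baseline: Baseline, observed: Dict[str, int],
            respond: Optional[Callable[[Finding], None]] = None,
            k: float = 3.0, min_delta: int = 10) -> List[Finding]:
    """Compare today's counts with the baseline and return the findings.

    Without `respond` this is a passive monitor: it only reports. With a
    `respond` callback it becomes active: every finding also triggers the
    callback (a quarantine or rate-limit action supplied by the caller).
    """
    findings: List[Finding] = []
    for host, count in sorted(observed.items()):
        z = deviation(baseline, host, count)
        if z is None:
            reason = "no baseline for host"
        elif z >= k and count - baseline[host][0] >= min_delta:
            reason = f"{z:.1f} sd above baseline mean {baseline[host][0]:.1f}"
        else:
            continue  # within the reference state
        finding: Finding = {"host": host, "observed": count, "reason": reason}
        findings.append(finding)
        if respond is not None:
            respond(finding)
    return findings


def run_passive() -> List[Finding]:
    """Passive mode: alerts are produced, nothing is done to the network."""
    return monitor(build_baseline(TRAINING), TODAY)


def run_active() -> List[Tuple[str, str]]:
    """Active mode: the same detector drives a hypothetical response action.
    A real deployment would call a firewall or NAC API here."""
    actions: List[Tuple[str, str]] = []
    monitor(build_baseline(TRAINING), TODAY,
            respond=lambda f: actions.append(("quarantine", str(f["host"]))))
    return actions


if __name__ == "__main__":
    for f in run_passive():
        print("ALERT", f)
    print("actions taken:", run_active())
```

With the constructed data, `ws-02` is flagged (about 139 standard deviations above its mean) and `ws-99` is flagged for having no baseline; `srv-db` moved from roughly 15 to 22 connections, which is many standard deviations for such a flat history but below the absolute `min_delta`, so it is left alone. Which of the two modes is appropriate depends on how confident the operator is in the baseline: with a reference state built from too short a window, the active mode will quarantine hosts for ordinary cyclical variation.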

Product examples

As we mentioned above, the network monitoring activity can focus on potential insider threats, on outside threats, or even strive to integrate the monitoring of all possible intrusion channels. A few examples of dedicated monitoring and defense products will illustrate this, as well as some of the purposes for which companies employ this type of monitoring (meeting PCI compliance conditions, for example).

  • ObserveIT‘s insider threat management software makes it clear that the focus of their product consists of potentially dangerous insider activities; monitoring, detection, prevention and investigation are included, which would make this system an active one;
  • Check Point Integrated Threat Management pulls data from security devices, servers, network activity, configurations and user activities; its purpose is ensuring clients’ security compliance, and therefore it is set to cover all network activities, monitoring and reporting all details or just the most relevant data, depending on how it is configured;
  • AlienVault Unified Security Management is another example of a specially tailored security tool; as they specify on their product page, this automated network traffic monitoring tool is meant to ensure organizations comply with PCI DSS Requirement 10: Track and Monitor All Access to Network Resources & Cardholder Data;
  • Vectra Networks automated threat management software works in combination with the Ixia Network Visibility Architecture; the focus is on detecting ongoing events (in-progress cyber-attacks) via network-based threat detection;
  • The Threat Detection feature of the Cisco Adaptive Security Appliance (ASA) branches out into three detection features: basic, advanced and scanning; to form a general idea, basic ASA threat detection monitors dropped packets for: ACL drop (acl-drop), bad packets (bad-packet-drop), connection limit (conn-limit-drop), DoS attack (dos-drop), firewall (fw-drop), ICMP attack (icmp-drop), inspection (inspect-drop), interface (interface-drop), scanning (scanning-threat) and SYN attack (syn-attack); each event has its own preloaded trigger set that qualifies as a threat identification parameter.
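To make the last item concrete, here is an added example (not Cisco's code, and not a reproduction of the ASA's actual logic or defaults) of what a per-category trigger set over dropped packets looks like in practice: every drop reason from the list above gets its own sliding window and event limit, and an alert is raised once when a category first exceeds its limit within the window, then re-armed only after the count falls back under it. The threshold values and the event stream are constructed for this example; the event stream mixes steady background ACL drops, a short SYN burst and a slow scan to show that only the latter two trip their categories.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Drop categories named in the article's ASA list, each with a hypothetical
# trigger set: (window_seconds, max_events_allowed_in_window). These numbers
# are placeholders for this example, not the appliance's defaults.
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "acl-drop": (60, 50),
    "bad-packet-drop": (60, 20),
    "conn-limit-drop": (60, 30),
    "dos-drop": (60, 20),
    "fw-drop": (60, 30),
    "icmp-drop": (60, 25),
    "inspect-drop": (60, 20),
    "interface-drop": (60, 40),
    "scanning-threat": (60, 10),
    "syn-attack": (10, 10),
}


def make_events() -> List[Tuple[int, str]]:
    """Constructed drop events as (seconds_since_start, drop_reason)."""
    events: List[Tuple[int, str]] = []
    # Background noise: one ACL drop every 5 s for two minutes (never >12/min).
    events += [(t, "acl-drop") for t in range(0, 120, 5)]
    # A burst: 15 SYN-related drops within 5 s starting at t=60.
    events += [(60 + i // 3, "syn-attack") for i in range(15)]
    # A slow scan: 12 scanning drops, one every 5 s from t=30 to t=85.
    events += [(t, "scanning-threat") for t in range(30, 90, 5)]
    # A handful of ICMP drops, well under their limit.
    events += [(t, "icmp-drop") for t in (10, 40, 70, 100, 110)]
    return sorted(events)


def rate_alerts(events: List[Tuple[int, str]],
                thresholds: Dict[str, Tuple[int, int]]) -> List[Tuple[int, str, int]]:
    """Return (time, reason, count_in_window) for each new threshold breach.

    One alert is emitted per breach episode: once a category is over its
    limit it stays 'active' until old events slide out of the window and the
    count drops back to the limit, after which it can alert again.
    """
    windows: Dict[str, Deque[int]] = defaultdict(deque)
    active: Dict[str, bool] = defaultdict(bool)
    alerts: List[Tuple[int, str, int]] = []
    for t, reason in events:
        if reason not in thresholds:
            continue  # not a monitored drop category
        window, limit = thresholds[reason]
        q = windows[reason]
        q.append(t)
        while q and q[0] <= t - window:  # expire events older than the window
            q.popleft()
        over = len(q) > limit
        if over and not active[reason]:
            alerts.append((t, reason, len(q)))
        active[reason] = over
    return alerts


if __name__ == "__main__":
    for when, reason, count in rate_alerts(make_events(), THRESHOLDS):
        print(f"t={when:>3}s  {reason:<16} {count} drops in window -> threat trigger")
```

Run on the constructed stream, the SYN burst triggers at t=63 (11 drops inside its 10 s window) and the scan triggers at t=80 (11 drops inside 60 s), while the ACL and ICMP noise never does. The per-category window sizes are the part worth tuning: a SYN flood is a matter of seconds, a scan of minutes, so one global interval would either miss the burst or drown in ACL noise.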

The providers of network monitoring systems are many, and the examples above are only meant to illustrate a few of the specific offers on the market.

Depending on the specific needs of a certain organization some tools are more suited than others. Customizing the software settings may also generate the best configuration for your network enterprise and its monitoring.

Generally, the benefits of having an event-monitoring tool consist of:

  • Time-saving (as opposed to performing similar operations by hand);
  • Network performance improvement (via continuous monitoring and event prevention);
  • Centralization (better organization with a main operational nucleus);
  • Creating a database with all network logs that serves in network diagnosis and improvement.