Comparing Network Analysis and Visibility (NAV) Tools to SIEM Systems
What is a Network Analysis and Visibility Tool?
A Network Analysis and Visibility (NAV) tool is an application or appliance that captures user and application data by analyzing network traffic as it flows across a network. This information, sometimes referred to as metadata, is then stored in a database so that it can be used for real-time or historical analysis of security or operational problems. Our own LANGuardian is a typical example of a NAV tool. Customers use it for many use cases, such as network operations monitoring, security, governance and user monitoring.
It is designed to be deployed quickly and to provide information immediately. The generation and presentation of NetFort metadata is designed to give high-level overviews with drill-down to detail, for users of varying levels of expertise (you don’t have to be a network or packet analysis expert to use LANGuardian). It is very easy to see what is on the network and what is happening on it. Some of the use cases LANGuardian is used for include:
- Detecting ransomware activity
- Monitoring data exfiltration and internet activity
- Monitoring access to files on file servers or to MSSQL databases
- Tracking a user’s activity on the network through User Forensics reporting
- Providing an inventory of the devices, servers and services running on the network
- Highlighting and identifying the root cause of bandwidth peaks on the network
LANGuardian can be installed on a physical or virtual server in approximately 20 minutes. Once it is connected to a SPAN port it starts collecting information. It does not require agents, reconfiguration of audit logs or any additional software. LANGuardian can monitor any device that generates network traffic; it needs no prior information about the device, so BYOD devices, for example, are monitored automatically. The one caveat is coverage: the tool only sees traffic that actually crosses the mirrored port(s), so where you place the SPAN or TAP determines which devices and conversations show up.
In summary, a network analysis and visibility tool like LANGuardian offers simple deployment and easy access to both overview and drill-down detail for operations, security, governance and user monitoring.
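To make the idea of "metadata from traffic, no agents, no prior knowledge of the hosts" concrete, here is an added example (written for this page, not LANGuardian code) that parses raw Ethernet/IPv4/TCP frames, extracts the per-flow fields a NAV tool would store, and builds a device and service inventory from nothing but what crossed the wire. The frames, MAC addresses and IP addresses are constructed inline so the script runs offline; checksums are left at zero because the parser does not validate them.

```python
"""Build a device/service inventory from raw Ethernet/IPv4/TCP frames.

Added example, not NetFort code. Everything below is derived from packet
headers alone, the way a NAV tool works off a SPAN port: no agents and no
host configuration. Sample frames are constructed in this file.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
IPV4_MIN = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header, no options
TCP_MIN = struct.Struct("!HHIIBBHHH")        # 20-byte TCP header, no options
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a minimal frame for the sample data (checksums left as zero)."""
    tcp = TCP_MIN.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = IPV4_MIN.pack(0x45, 0, IPV4_MIN.size + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                       bytes(map(int, src_ip.split("."))),
                       bytes(map(int, dst_ip.split("."))))
    eth = ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")),
                       bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Return flow metadata for one IPv4/TCP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size:
        return None
    _dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ETH_HDR.size + IPV4_MIN.size:
        return None
    ver_ihl, _, total_len, _, _, _ttl, proto, _, src, dst = IPV4_MIN.unpack_from(frame, ETH_HDR.size)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != PROTO_TCP or ihl < 20:
        return None
    tcp_off = ETH_HDR.size + ihl
    if len(frame) < tcp_off + TCP_MIN.size:
        return None
    sport, dport, _, _, doff, flags, *_ = TCP_MIN.unpack_from(frame, tcp_off)
    data_off = (doff >> 4) * 4
    return {
        "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
        "sport": sport,
        "dport": dport,
        # SYN without ACK marks a new connection attempt, which tells us who
        # is the client and which port on the server is being offered.
        "syn": bool(flags & 0x02) and not flags & 0x10,
        "bytes": max(0, total_len - ihl - data_off),
    }


def build_inventory(frames):
    """Aggregate per-frame metadata into the inventory a NAV tool would show."""
    servers = defaultdict(set)      # server IP -> ports clients connected to
    clients = defaultdict(set)      # client IP -> {(server IP, port)}
    macs = {}                       # IP -> MAC address first seen sending
    bytes_by_host = defaultdict(int)
    for frame in frames:
        meta = parse_frame(frame)
        if meta is None:
            continue                # non-IPv4/TCP traffic is simply skipped here
        macs.setdefault(meta["src_ip"], meta["src_mac"])
        if meta["syn"]:
            servers[meta["dst_ip"]].add(meta["dport"])
            clients[meta["src_ip"]].add((meta["dst_ip"], meta["dport"]))
        bytes_by_host[meta["src_ip"]] += meta["bytes"]
    return {"servers": dict(servers), "clients": dict(clients),
            "macs": macs, "bytes_by_host": dict(bytes_by_host)}


# Constructed sample traffic: a workstation opens SMB to a file server and HTTPS
# to an external host (TEST-NET-3 address); a previously unseen BYOD device also
# talks SMB to the file server; one frame is not IPv4 and is ignored.
SAMPLE_FRAMES = [
    build_tcp_frame("00:11:22:33:44:01", "00:11:22:33:44:fe", "10.0.0.5", "10.0.0.10", 50000, 445, 0x02),
    build_tcp_frame("00:11:22:33:44:fe", "00:11:22:33:44:01", "10.0.0.10", "10.0.0.5", 445, 50000, 0x12),
    build_tcp_frame("00:11:22:33:44:01", "00:11:22:33:44:fe", "10.0.0.5", "10.0.0.10", 50000, 445, 0x18, b"x" * 300),
    build_tcp_frame("00:11:22:33:44:01", "00:11:22:33:44:fe", "10.0.0.5", "203.0.113.10", 50001, 443, 0x02),
    build_tcp_frame("de:ad:be:ef:00:01", "00:11:22:33:44:fe", "10.0.0.77", "10.0.0.10", 40000, 445, 0x02),
    b"\x00" * 14 + b"junk",
]

if __name__ == "__main__":
    for key, value in build_inventory(SAMPLE_FRAMES).items():
        print(key, value)
```

The BYOD device 10.0.0.77 appears in the inventory purely because it sent a SYN; nobody registered it anywhere. The same logic is what lets a NAV tool answer "which hosts are talking to the file server on 445" for a ransomware investigation without touching the endpoints.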
What are SIEM systems?
The term SIEM is used to describe two different types of system:
(1) Basic log managers
(2) Log managers with built-in rules and a correlation engine
Basic Log Manager: The first and most basic is a log manager, often referred to as a log collector. It collects and stores, in one central location, the event logs generated by various systems on the network (firewalls, proxies, file servers, database servers).
Log managers simply collect logs and save them in a single, central location. They generally do not analyse the logs and provide little in the way of reporting. They are mostly used to comply with data retention policies. Every device whose logs must be kept has to be configured to send them to the log manager, and the log manager will not automatically detect new servers as they are added to the network. Hence, log files are not always the answer when it comes to finding out what is happening on your network.
A log manager with built-in rules and a correlation engine is better known as a true SIEM. A SIEM is designed to analyse logs from different sources and generate an alert if certain conditions are met. The image below shows a typical example of what firewall log files look like.
The rule and correlation engine allows the administrator to create (or import) simple or complex rules that look for patterns in log entries, match entries from different systems and determine whether an alert should be raised. Some SIEMs (Splunk, LogRhythm) also have traffic-analysis add-ons that generate log entries from network traffic. Most SIEMs come with some pre-packaged rules. A SIEM does not typically provide an overall view of the network, only an “event list” type of output. The focus is primarily on security events.
SIEM deployment and management is typically a significant project, often requiring external consultants to configure the SIEM and every server that needs to send logs, and to write the correlation rules. As new servers and services are added to the network, the SIEM configuration has to be updated to include them. The cost of SIEM deployment and maintenance can be significant, and without the right expertise SIEM projects frequently return little value (and become little more than expensive log managers).
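The correlation step is easier to judge with a concrete rule in front of you. The following added example (written for this page, not taken from any SIEM product) parses entries from two different systems, a perimeter firewall and a Linux sshd auth log, normalises them onto a common field (the client IP) and raises an alert only when a pattern spans both sources: the firewall admitted the client to SSH, then the server recorded three or more failed logins from it within 60 seconds followed by an accepted one. Log lines, hostnames and addresses are constructed; the rule itself is illustrative, not a recommendation to ignore internal brute force.

```python
"""Toy SIEM correlation rule over constructed firewall and sshd log lines.

Added example, not from any SIEM product. It shows the mechanics the text
describes: normalise two log formats, join them on the client IP, and alert
on a pattern that needs evidence from both systems. All data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2024-03-01T09:00:01Z fw01 action=allow src=203.0.113.10 dst=10.0.0.20 dport=22 proto=tcp
2024-03-01T09:00:05Z fw01 action=deny src=203.0.113.99 dst=10.0.0.20 dport=22 proto=tcp
2024-03-01T09:10:00Z fw01 action=allow src=10.0.0.5 dst=10.0.0.20 dport=22 proto=tcp
"""

AUTH_LOG = """\
2024-03-01T09:00:02Z srv20 sshd[311]: Failed password for root from 203.0.113.10 port 51000 ssh2
2024-03-01T09:00:07Z srv20 sshd[311]: Failed password for root from 203.0.113.10 port 51001 ssh2
2024-03-01T09:00:12Z srv20 sshd[311]: Failed password for admin from 203.0.113.10 port 51002 ssh2
2024-03-01T09:00:30Z srv20 sshd[311]: Accepted password for admin from 203.0.113.10 port 51003 ssh2
2024-03-01T09:10:03Z srv20 sshd[402]: Failed password for alice from 10.0.0.5 port 60000 ssh2
2024-03-01T09:10:09Z srv20 sshd[402]: Accepted password for alice from 10.0.0.5 port 60001 ssh2
2024-03-01T09:20:00Z srv21 sshd[77]: Failed password for root from 192.168.50.9 port 4000 ssh2
2024-03-01T09:20:05Z srv21 sshd[77]: Failed password for root from 192.168.50.9 port 4001 ssh2
2024-03-01T09:20:10Z srv21 sshd[77]: Failed password for root from 192.168.50.9 port 4002 ssh2
2024-03-01T09:20:20Z srv21 sshd[77]: Accepted password for root from 192.168.50.9 port 4003 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text):
    """Firewall key=value syslog -> normalised events (kind = allow/deny)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        events.append({"ts": parse_ts(m["ts"]), "source": "firewall", "kind": kv.get("action"),
                       "src": kv.get("src"), "dst": kv.get("dst"), "dport": int(kv.get("dport", 0))})
    return events


def parse_auth(text):
    """sshd auth.log lines -> normalised events (kind = failed/accepted)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        events.append({"ts": parse_ts(m["ts"]), "source": "auth", "host": m["host"],
                       "kind": m["result"].lower(), "src": m["src"], "user": m["user"]})
    return events


def correlate(events, fail_threshold=3, window=timedelta(seconds=60)):
    """Alert when a client the firewall admitted to port 22 fails >= threshold
    logins within `window` and then succeeds. Clients with no firewall allow
    entry (192.168.50.9 below) never match, which is the cross-source join."""
    allowed_ssh = set()                 # client IPs seen passing the perimeter to 22/tcp
    failures = defaultdict(list)        # client IP -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "firewall" and ev["kind"] == "allow" and ev["dport"] == 22:
            allowed_ssh.add(ev["src"])
        elif ev["source"] == "auth" and ev["kind"] == "failed":
            failures[ev["src"]].append(ev["ts"])
        elif ev["source"] == "auth" and ev["kind"] == "accepted":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if ev["src"] in allowed_ssh and len(recent) >= fail_threshold:
                alerts.append({"rule": "ssh_bruteforce_success", "src": ev["src"], "host": ev["host"],
                               "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
            failures[ev["src"]].clear()  # a success closes the window for that client
    return alerts


def run():
    return correlate(parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only 203.0.113.10 triggers: alice's single mistyped password stays under the threshold, and the 192.168.50.9 brute force never crossed the firewall so the rule has no second source to join on. Every threshold, window and field name here is a choice the administrator has to make and maintain, which is exactly the work the paragraph above refers to.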
If you are in the market for a log manager/collector or a SIEM system, watch out for these pitfalls:
- Log files can easily be removed or overwritten, whether by log rotation or deliberately by an attacker who has compromised the host
- Enabling logging on some servers/devices can impact system performance
- Log files are not always available; some systems, such as NetApp servers, do not come with native logging
- If a system is under load or attack, its log files may not be accessible, so you will struggle to troubleshoot at exactly the moments that matter
- Cost: some SIEMs charge by the volume of data ingested and can end up being very expensive
What should you choose?
If you just want to collect some very specific log files for compliance or other reasons, a log manager may be your best option. If you need a real-time and historical view of what is happening on your network, then you should look towards a SIEM or a Network Analysis and Visibility tool.
Remember, installing a SIEM is only a small part of the solution; the difficult part is getting actionable alerts out of the mountain of data it collects. A network analysis and visibility tool can collect user and application information directly from network traffic. However, make sure you are familiar with SPAN ports, mirror ports and TAPs before you make that purchase decision!