Network Security Monitoring Tools Need Traffic For Context
What are network security monitoring tools?
Network Security Monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions on computer networks. Network security monitoring tools typically have features such as:
- Network-based threat detection
- Proactive network queries for security data and/or “hunting” for suspicious behavior
- Integration with one or more threat feeds
- Creation and automation of security alerts
A lot of the development focus in recent years has been in the areas of better threat feeds and web front-ends. We now have network security monitoring tools which can pull threat intelligence from multiple sources and display alerts in fancy dark-themed web interfaces. The image below shows a typical output of a modern network security monitoring application.
Recently, I heard about an interesting LANGuardian use case where a customer used their system to carry out forensics on an event triggered by their network security monitoring tool. While LANGuardian can be used as a network security monitoring tool, this customer had a secondary system to make use of other threat feeds.
Why traffic capture is very important when it comes to network security monitoring.
One of the issues with many network security monitoring tools is that they only generate alerts, often good alerts (or “actionable alerts”, as some of our customers call them). A typical event will display the source IP address (the system that caused the event), the destination IP address (the system that was targeted), an event description, and a priority rating.
However, sometimes you need more than just an alert in order to fix problems on a network. Other pieces of metadata can be just as important as the alert itself. Examples include:
1. What inbound and outbound network connections were active to the destination IP address at the time the event was triggered?
2. Are there any other events associated with the destination IP address?
3. What DNS queries were associated with the destination IP address?
4. If the source IP address is on the LAN, is there any unusual activity associated with it (items 1 to 3 above, applied to the source)?
Network traffic metadata is an ideal data source to complement your network security monitoring tool because it provides extra context, so you can gain a better understanding of why security events are triggering on your network. It delivers detail without the complexity and costs associated with full packet capture.
Network metadata is typically captured via a SPAN, mirror port or TAP. A common setup is to monitor network traffic at your network's core, where the most interesting traffic converges. Network packets are sent to a deep-packet inspection application which can extract readable information such as filenames, web sites, applications, protocol versions, etc. This information is then stored in a database which can be used for real-time or historical analysis.
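As an added illustration (not LANGuardian code, and not from the original post), the Python routine below answers the four context questions listed above for a single alert, using constructed metadata tables of the kind a deep-packet inspection sensor would store from a SPAN or TAP. The table layouts, the `LAN` range, the time window and the sample alert are all assumptions made for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample metadata of the kind a DPI sensor on a SPAN/TAP stores (documentation IPs).
LAN = ip_network("10.0.0.0/8")
CONNECTIONS = [  # (timestamp, src, dst, dst_port, protocol, bytes)
    ("2024-03-01T10:00:05", "10.0.1.25", "203.0.113.9", 443, "tls", 18200),
    ("2024-03-01T10:01:10", "10.0.1.25", "203.0.113.9", 443, "tls", 5100),
    ("2024-03-01T09:15:00", "10.0.1.7", "203.0.113.9", 80, "http", 900),
    ("2024-03-01T10:02:00", "10.0.1.25", "198.51.100.4", 22, "ssh", 3300),
]
DNS_QUERIES = [  # (timestamp, client, queried name, answer)
    ("2024-03-01T10:00:01", "10.0.1.25", "update.example-cdn.test", "203.0.113.9"),
    ("2024-03-01T09:14:58", "10.0.1.7", "files.example.test", "203.0.113.9"),
]
EVENTS = [  # (timestamp, src, dst, description, priority)
    ("2024-03-01T10:00:06", "10.0.1.25", "203.0.113.9", "ET MALWARE beacon", 1),
    ("2024-03-01T10:01:12", "10.0.1.25", "203.0.113.9", "ET POLICY TLS on odd port", 3),
    ("2024-03-01T08:00:00", "10.0.1.30", "198.51.100.4", "ET SCAN SSH brute force", 2),
]
# The alert under investigation (constructed), in the source/destination/description/priority shape.
SAMPLE_ALERT = {"ts": "2024-03-01T10:00:06", "src": "10.0.1.25", "dst": "203.0.113.9",
                "description": "ET MALWARE beacon", "priority": 1}

def enrich_alert(alert, window_minutes=5):
    """Answer the four context questions above for one alert from the metadata tables."""
    t0 = datetime.fromisoformat(alert["ts"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    def in_window(ts):
        return lo <= datetime.fromisoformat(ts) <= hi
    dst = alert["dst"]
    ctx = {
        # 1. connections to the destination that were active around the alert time
        "connections": [c for c in CONNECTIONS if c[2] == dst and in_window(c[0])],
        # 2. any other events involving the destination (the alert itself excluded)
        "other_events": [e for e in EVENTS if dst in (e[1], e[2])
                         and (e[0], e[3]) != (alert["ts"], alert["description"])],
        # 3. DNS names that resolved to the destination; these often identify the service
        "dns_names": sorted({q[2] for q in DNS_QUERIES if q[3] == dst}),
    }
    # 4. if the source is a LAN host, repeat the same look-ups pivoted on that host
    if ip_address(alert["src"]) in LAN:
        src = alert["src"]
        ctx["source_activity"] = {
            "connections": [c for c in CONNECTIONS if src in (c[1], c[2]) and in_window(c[0])],
            "events": [e for e in EVENTS if src in (e[1], e[2])],
            "dns_queries": [q for q in DNS_QUERIES if q[1] == src],
        }
    return ctx
```

In a real deployment the three tables would be queries against the sensor's database rather than in-memory lists, but the pivots (destination, time window, DNS answer, then source host) are the same.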
Using LANGuardian to combine network security monitoring and traffic analysis.
Our LANGuardian product includes both network security monitoring and traffic analysis modules. The image below shows a sample output where we are looking at activity associated with a single IP address. On the left we have traffic and application information, and on the right we have the output of its intrusion detection system. Click on the image to access this dashboard on our online demo.
If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how it can be used with other network security monitoring tools, do not hesitate to contact us and speak with a member of our technical support team.