Providing More Visibility of Threats in Your Network
Visibility of threats: a must-have for all Network Managers
One of the most common requirements Network Managers have at the moment is for tools which can provide more visibility of threats on their networks. For many Managers, the majority of the devices on their networks are not theirs, so endpoint security can only go so far. Network users can also use the network to access blocked or copyrighted material through small media devices running Kodi and a number of plugins.
With the rise in mobile devices, IoT devices, smart TVs, etc., they need something with a little more intelligence than firewall logs alone. Firewall logs are also problematic when a network is under attack: you may find they are inaccessible due to resource load on the firewall, or they are overwritten very quickly and you lose vital forensic information.
Diagnostic tools such as Wireshark can provide excellent low-level information, but they have issues with scale. If you try to look at traffic from a SPAN, mirror port or TAP, Wireshark can quickly get overloaded. Commercial packet recorders are very expensive, and many of them need dedicated security personnel to maintain them. Many Network Managers do not have the luxury of separate network operations and security specialists.
Network Security Analytics
The website NetworkWorld recently published an interesting article to coincide with RSA Conference 2017. In it, they look at how DDoS protection, network security analytics and cloud solutions will take center stage at this year's conference. Network security analytics is moving from just capturing flow data to capturing metadata from layer 3 through layer 7, using the network packets themselves as the data source.
Actionable events can be generated by aligning external threat intelligence with network traffic telemetry. External threat intelligence sources include things like:
- GeoIP information
- IDS rules from sources such as Emerging Threats
- Compromised IP lists from sources such as Spamhaus.
An example of GeoIP integration is shown below. Simply associating IP addresses with the countries where they are registered makes it much easier to spot suspicious activity.
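To make the "align threat intelligence with traffic telemetry" idea concrete, here is an added example (not code from the original article or from any vendor mentioned on this page). It takes a handful of constructed flow records of the kind a probe on a SPAN, mirror port or TAP would export, enriches each one with a GeoIP lookup and a compromised-IP list, and emits an event when the flow touches a listed address or an unexpected country. The GeoIP prefix table, the compromised-IP set, the expected-country allow-list and the flow lines are all constructed stand-ins for a real GeoIP database, a feed such as Spamhaus DROP, and your own traffic; the record format `<timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes>` is an assumption for illustration.

```python
import ipaddress
from typing import Dict, List

# --- Constructed threat-intelligence inputs (illustration only, not real feed data) ---

# Stand-in for a GeoIP database: prefix -> country code. The RFC 5737 documentation
# ranges are mapped to arbitrary codes here; a real deployment would query a GeoIP
# database such as MaxMind GeoLite2 instead of this dictionary.
GEOIP_PREFIXES: Dict[str, str] = {
    "10.0.0.0/8": "LAN",        # our own address space
    "192.0.2.0/24": "IE",
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "RU",
}

# Stand-in for a compromised / known-bad IP list (the role a Spamhaus list would play).
COMPROMISED_IPS = {"203.0.113.66", "198.51.100.9"}

# Countries the organisation expects to exchange traffic with (assumed policy).
EXPECTED_COUNTRIES = {"LAN", "IE", "US"}

# Pre-parse the prefix table once, longest prefix first, so a lookup is a single scan
# and the most specific matching prefix wins.
_GEOIP_NETS = sorted(
    ((ipaddress.ip_network(p), c) for p, c in GEOIP_PREFIXES.items()),
    key=lambda nc: nc[0].prefixlen, reverse=True,
)


def geoip_lookup(ip: str) -> str:
    """Return the country code for ip, or '??' when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, country in _GEOIP_NETS:
        if addr in net:
            return country
    return "??"


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record:
    '<timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes>'"""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def enrich_and_classify(flow: Dict[str, object]) -> List[str]:
    """Attach GeoIP data to a flow and return the reasons (if any) it is suspicious."""
    flow["src_country"] = geoip_lookup(flow["src"])
    flow["dst_country"] = geoip_lookup(flow["dst"])
    reasons: List[str] = []
    if flow["src"] in COMPROMISED_IPS or flow["dst"] in COMPROMISED_IPS:
        reasons.append("compromised-ip")
    # Unknown ('??') is deliberately treated as unexpected: a gap in the GeoIP table
    # should surface for review rather than silently pass.
    if flow["dst_country"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected-country:" + flow["dst_country"])
    return reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every flow line through enrichment and return the actionable events."""
    events: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reasons = enrich_and_classify(flow)
        if reasons:
            flow["reasons"] = reasons
            events.append(flow)
    return events


# Constructed flow records, as a probe on a SPAN/mirror/TAP port might export them.
SAMPLE_FLOWS = [
    "2017-02-14T10:01:02Z 10.0.0.15 192.0.2.40 443 tcp 5120",
    "2017-02-14T10:01:05Z 10.0.0.22 203.0.113.66 6667 tcp 980",
    "2017-02-14T10:01:09Z 10.0.0.15 198.51.100.9 443 tcp 2048",
    "2017-02-14T10:01:14Z 10.0.0.30 203.0.113.7 8080 tcp 73000",
    "2017-02-14T10:01:20Z 10.0.0.40 10.0.0.5 445 tcp 12000",
    "2017-02-14T10:01:25Z 10.0.0.50 172.16.5.5 53 udp 120",
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_FLOWS):
        print(f'{ev["ts"]} {ev["src"]} -> {ev["dst"]}:{ev["dport"]} '
              f'[{ev["dst_country"]}] {", ".join(ev["reasons"])}')
```

Of the six constructed flows, four produce events: the IRC-port connection to a listed address in an unexpected country, the HTTPS session to a listed address in an otherwise expected country (which GeoIP alone would have passed), the large transfer to an unexpected country, and the DNS query to an address the GeoIP table does not cover. That last case is the one to think about in production: treating an unknown country as "expected" hides exactly the addresses your enrichment data knows least about.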
Visibility of Threats: Next Steps
Capturing logs from firewalls is still recommended. However, you should also include network traffic analysis in your operational and security tool set. This allows you to detect threats that have been carried into your network, such as malware-laden user devices, and gives you a secondary source of data when your firewall logs are not available. Applications which use a SPAN, mirror port or TAP to monitor network traffic are vendor agnostic, so you can use them to monitor IoT-type devices as well.