In today's complex IT environments, it is not uncommon to find network monitoring devices and logging mechanisms set up, only to be abandoned and forgotten. When problems arise, someone has to dust off the log documentation, if it exists, and start digging in to figure out what's going on. By then, it is often too late; sensitive data is already in the hands of the attacker.
Many IT shops complain that there are simply too many logs, so monitoring suffers. To make matters worse, in many cases no one knows what they should be looking for -- or how their data could be useful to other groups, such as security, applications, and network operations.
Solving these problems often requires cooperation, since each group holds a piece of the puzzle; without collection, management, and correlation, effective network monitoring is nearly impossible.
Network logs are a good place to start. The recent Verizon Business 2010 Data Breach Investigations Report (PDF) reminds us that there's a wealth of information contained in the logs, but it is rarely used properly. Verizon reports that it "consistently finds that nearly 90 percent of the time, logs are available -- but discovery via log analysis remains under 5 percent."
Logs are not going completely unnoticed. Network operations staff monitor router performance and SNMP traps to ensure the network is running smoothly. The question is, why aren't the security and application groups watching their logs the same way, so that a security incident doesn't get missed? Simple: too many logs and not enough time.
One way to help reduce the impact of having so many logs is to centralize them to one or two indexed, searchable locations. This gives analysts a fighting chance to spot patterns, compared with attempting to pore through dozens to hundreds of systems with their own logs.
Another way to identify potential threats is to monitor network data flow more closely. The same tools used to diagnose network problems and poor application performance can also be used to supplement the security team's efforts.
Network flow data can be used to detect network scanning and potentially infected hosts. Network scanning is easy to spot because no traffic content is needed for detection: the source, destination, port, and timestamp fields in a flow record are enough, so encrypted payloads do not hide it. If a single source attempts connections to an unusual number of distinct hosts, or of distinct ports on one host, within a short time window, it is likely to be scanning. The window and threshold need tuning, since a patient attacker who probes one host every few minutes stays under a short window, and legitimate chatty systems such as vulnerability scanners and monitoring servers will trip it unless they are whitelisted.
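The threshold test described above, as an added example that is not part of the original article: a sliding-window count of distinct (destination, port) targets per source, run over constructed flow records. The record layout, addresses, window, and threshold are assumptions chosen for illustration, not any flow collector's native format. Counting distinct targets rather than raw connections keeps a workstation that reconnects to the same mail server every few seconds from looking like a scanner, and running the same logic twice, with a short and a long window, shows why a slow scan needs a longer window to surface.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """One flow record, reduced to the fields scan detection needs (no payload)."""
    ts: datetime
    src: str
    dst: str
    dport: int


T0 = datetime(2010, 8, 1, 9, 0, 0)


def constructed_flows():
    """Constructed sample flows (not captured data): one normal host, one fast scanner, one slow scanner."""
    flows = []
    # Normal workstation: 40 connections over 10 minutes, all to the same mail/proxy server.
    for i in range(40):
        flows.append(Flow(T0 + timedelta(seconds=15 * i), "10.0.1.20", "10.0.0.10", 25 if i % 2 else 8080))
    # Fast horizontal scan: SMB probe of 30 different hosts within 30 seconds.
    for i in range(30):
        flows.append(Flow(T0 + timedelta(seconds=i), "10.0.1.99", f"10.0.2.{i + 1}", 445))
    # Slow horizontal scan: 30 hosts on SSH, one every 4 minutes, spread over two hours.
    for i in range(30):
        flows.append(Flow(T0 + timedelta(minutes=4 * i), "10.0.1.77", f"10.0.3.{i + 1}", 22))
    return flows


def detect_scanners(flows, window=timedelta(seconds=60), threshold=20):
    """Return {source: peak distinct targets} for sources that reached `threshold`
    distinct (dst, dport) targets inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        recent = deque()  # flows from this source that fall inside the current window
        for r in recs:
            recent.append(r)
            # Drop flows that are now older than the window relative to this record.
            while r.ts - recent[0].ts > window:
                recent.popleft()
            targets = {(w.dst, w.dport) for w in recent}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    flows = constructed_flows()
    print("60s window :", detect_scanners(flows))
    print("3h window  :", detect_scanners(flows, window=timedelta(hours=3)))
```

With the 60-second window only 10.0.1.99 is reported; widening the window to three hours also surfaces the slow scanner 10.0.1.77, while the workstation never exceeds two distinct targets at either setting. In practice the per-source baseline, not a single global threshold, is what keeps the false-positive rate tolerable.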
SNMP traps can provide informational alerts when the media access control (MAC) address seen on a network port changes, or when more than one MAC address appears on a port. A MAC change on a port where the original MAC has disappeared could indicate that a rogue device has been placed on the network in place of the original device; a second MAC appearing while the original is still present suggests that a hub or small switch has been plugged in and a rogue device is now connected alongside the original device. Either check needs a baseline of which MAC belongs on which port, and exclusions for trunk and uplink ports where many MACs are expected.
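The two conditions described above, as an added example that is not part of the original article: a replay of MAC learned/removed events against a per-port baseline, distinguishing a replaced device (the expected MAC left, a different one arrived) from an added device (a second MAC arrived while the expected one is still there). The event tuples, switch and port names, MACs, and baseline are constructed for illustration; the code assumes an upstream trap receiver has already decoded the switch's MAC notification traps into these tuples, and does not implement any vendor's trap format.

```python
from collections import defaultdict

# Constructed MAC notification events (not from a real switch), in the order received:
# (switch, port, mac, action) where action is "learned" or "removed".
EVENTS = [
    ("sw1", "Gi1/0/5", "00:11:22:33:44:55", "learned"),
    ("sw1", "Gi1/0/6", "00:11:22:33:44:66", "learned"),
    # Port 5: the expected device leaves and a different MAC appears -> replacement.
    ("sw1", "Gi1/0/5", "00:11:22:33:44:55", "removed"),
    ("sw1", "Gi1/0/5", "DE:AD:BE:EF:00:01", "learned"),
    # Port 6: a second MAC appears while the expected one is still present -> hub or rogue alongside.
    ("sw1", "Gi1/0/6", "de:ad:be:ef:00:02", "learned"),
    # Port 7 has no baseline entry; a new MAC there is recorded but not alerted on.
    ("sw1", "Gi1/0/7", "00:11:22:33:44:77", "learned"),
]

# Constructed baseline: the one MAC expected on each access port (assumption for the example).
BASELINE = {
    ("sw1", "Gi1/0/5"): "00:11:22:33:44:55",
    ("sw1", "Gi1/0/6"): "00:11:22:33:44:66",
}


def norm_mac(mac):
    """Normalise MAC text so that case and separator differences do not defeat comparison."""
    return mac.lower().replace("-", ":")


def analyse_mac_events(events, baseline):
    """Replay learned/removed events and return a list of
    (kind, switch, port, detail) alerts, where kind is 'mac_changed' or 'multiple_macs'."""
    present = defaultdict(set)  # (switch, port) -> MACs currently learned on the port
    alerts = []
    for switch, port, mac, action in events:
        key = (switch, port)
        mac = norm_mac(mac)
        if action == "removed":
            present[key].discard(mac)
            continue
        if action != "learned":
            continue  # ignore event types this example does not model
        present[key].add(mac)
        expected = baseline.get(key)
        if len(present[key]) > 1:
            # The original MAC is still there and another has joined it.
            alerts.append(("multiple_macs", switch, port, tuple(sorted(present[key]))))
        elif expected is not None and mac != norm_mac(expected):
            # Only one MAC on the port, and it is not the one the baseline expects.
            alerts.append(("mac_changed", switch, port, f"{norm_mac(expected)} -> {mac}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse_mac_events(EVENTS, BASELINE):
        print(*alert)
```

Ports absent from the baseline produce no alert here; in a real deployment those are exactly the ports an inventory audit should fill in, and trunk or uplink ports need to be excluded from the multiple-MAC check before it is useful.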
To read about other network monitoring tools and practices that can be used to detect security threats and intrusions, download the full report.