
9/27/2010
05:03 PM

Network Monitoring Can Provide Key Clues To Security Problems, Study Says

Done properly, traffic analysis and log review can help administrators identify threats they might not recognize otherwise

[Excerpted from "What's Going On? Monitor Networks to Thwart Intrusions," a new report posted this week on Dark Reading's Security Monitoring Tech Center.]

In today's complex IT environments, it is not uncommon to find network monitoring devices and logging mechanisms set up, only to be abandoned and forgotten. When problems arise, someone has to dust off the log documentation, if it exists, and start digging in to figure out what's going on. By then, it is often too late; sensitive data is already in the hands of the attacker.

Many IT shops complain that there are simply too many logs, so monitoring suffers. To make matters worse, in many cases no one knows what they should be looking for -- or how their data could be useful to various groups, such as security, applications, and network operations.

Solving these problems often requires cooperation, since each group holds a piece of the puzzle; without collection, management, and correlation, effective network monitoring is nearly impossible.

Network logs are a good place to start. The recent Verizon Business 2010 Data Breach Investigations Report (PDF) reminds us that there's a wealth of information contained in the logs, but it is rarely used properly. Verizon reports that it "consistently finds that nearly 90 percent of the time, logs are available -- but discovery via log analysis remains under 5 percent."

Logs are not going completely unnoticed. Network operations staff monitor router performance and SNMP traps to ensure the network is running smoothly. The question is, why aren't other groups doing the same so a security incident doesn't get missed? Simple: Too many logs and not enough time.

One way to help reduce the impact of having so many logs is to centralize them to one or two indexed, searchable locations. This gives analysts a fighting chance to spot patterns, compared with attempting to pore through dozens to hundreds of systems with their own logs.

Another way to identify potential threats is to monitor network data flow more closely. The same tools used to diagnose network problems and poor application performance can also be used to supplement the security team's efforts.

Network flow data can be used to detect network scanning and potentially infected hosts. Network scanning is comparatively easy to spot because detection needs only connection metadata (who talked to whom, on which port, and when), not packet content. If a host attempts a certain number of connections to another host or series of hosts within a certain time frame, then it is likely to be scanning.
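The threshold rule described above, worked through as an added example that is not part of the original report. It runs over constructed NetFlow-style records (timestamp, source, destination, destination port, protocol) and flags any source that contacts a configurable number of distinct destination/port targets within a sliding time window. It also labels the finding as a horizontal sweep (many hosts, few ports) or a vertical probe (one host, many ports), which is a generalization of the text's "another host or series of hosts" wording. The window and threshold values, the sample addresses and the record layout are all assumptions chosen for the illustration; in practice they would be tuned against a site's own baseline so that busy servers and monitoring systems do not trip the rule.

```python
"""Flow-based scan detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record; fields are an assumed subset of what NetFlow/IPFIX exports."""
    ts: float    # start time, seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample flows (not captured traffic):
#  - 10.0.0.5 touches port 445 on 40 hosts of 10.0.1.0/24 in a few seconds (horizontal sweep)
#  - 10.0.0.9 probes 30 ports on a single host (vertical probe)
#  - 10.0.0.20 is an ordinary client with a handful of connections
SAMPLE_FLOWS = (
    [Flow(1000.0 + i * 0.1, "10.0.0.5", f"10.0.1.{i}", 445, "tcp") for i in range(1, 41)]
    + [Flow(1100.0 + i * 0.05, "10.0.0.9", "10.0.2.10", p, "tcp")
       for i, p in enumerate(range(1, 31))]
    + [Flow(1000.0, "10.0.0.20", "10.0.3.3", 443, "tcp"),
       Flow(1005.0, "10.0.0.20", "10.0.3.4", 80, "tcp"),
       Flow(1010.0, "10.0.0.20", "10.0.3.3", 443, "tcp")]
)


def detect_scanners(flows, window=60.0, threshold=20):
    """Return {src: (kind, targets)} for every source that reaches at least
    `threshold` distinct (dst, dport) pairs inside any `window`-second span.

    kind is "horizontal" when distinct hosts dominate, "vertical" when distinct
    ports dominate. `targets` is the largest distinct-target count observed in
    any window, so the number reflects the full extent of the activity."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        in_window = {}  # (dst, dport) -> number of flows currently inside the window
        for f in fl:
            key = (f.dst, f.dport)
            in_window[key] = in_window.get(key, 0) + 1
            # Slide the left edge forward, dropping flows older than `window` seconds.
            while fl[start].ts < f.ts - window:
                old = (fl[start].dst, fl[start].dport)
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hosts = {d for d, _ in in_window}
                ports = {p for _, p in in_window}
                kind = "horizontal" if len(hosts) >= len(ports) else "vertical"
                prev = findings.get(src)
                if prev is None or len(in_window) > prev[1]:
                    findings[src] = (kind, len(in_window))
    return findings


if __name__ == "__main__":
    for src, (kind, n) in sorted(detect_scanners(SAMPLE_FLOWS).items()):
        print(f"{src}: {kind} scan, {n} distinct targets within the window")
```

The rule is deliberately content-blind, which is the point the text makes: it works on sampled flow exports from routers and switches where full packet capture is impractical. Its weakness is the same as any threshold: a source that spreads connections out more slowly than the window, or a legitimate management host that polls every device, needs either a longer window or an allow-list, so the output is a lead for an analyst rather than a verdict.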

SNMP traps can provide informational alerts to show when media access control (MAC) addresses have changed on a network port, or when more than one MAC address is on a port. MAC change messages could indicate a rogue device has been placed on the network in place of the original device, or that a network hub or switch has been plugged in and a rogue device is now connected alongside the original device.
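The two port-level conditions described above, as an added example (not from the original report). Rather than decoding real SNMP traps, it consumes a constructed stream of MAC learn/age events of the kind a switch's MAC-notification feature reports, keeps a per-port record of which addresses are currently active, and raises one of two alerts: "mac-changed" when a port's original address has aged out and a different one replaces it (the device-swap case), and "multiple-macs" when a second address is learned while the first is still active (the hub-or-rogue-alongside case). The event layout, switch and port names and MAC values are all constructed for the illustration.

```python
"""Detecting MAC replacement and multiple MACs per switch port (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MacEvent:
    """Constructed stand-in for a MAC-notification record from a switch."""
    ts: int
    switch: str
    port: str
    mac: str
    action: str  # "learn" when an address appears on the port, "age" when it is removed


@dataclass(frozen=True)
class Alert:
    ts: int
    switch: str
    port: str
    kind: str        # "mac-changed" or "multiple-macs"
    macs: List[str]  # addresses involved, sorted for stable output


# Constructed sample events covering the benign and the two suspicious cases.
SAMPLE_EVENTS = [
    MacEvent(0,   "sw1", "Gi1/0/1", "00:11:22:33:44:01", "learn"),
    MacEvent(0,   "sw1", "Gi1/0/2", "00:11:22:33:44:02", "learn"),
    MacEvent(0,   "sw1", "Gi1/0/3", "00:11:22:33:44:03", "learn"),
    # Port 2: original address ages out, then a different address is learned.
    MacEvent(300, "sw1", "Gi1/0/2", "00:11:22:33:44:02", "age"),
    MacEvent(305, "sw1", "Gi1/0/2", "aa:bb:cc:dd:ee:02", "learn"),
    # Port 3: a second address appears while the first is still active.
    MacEvent(400, "sw1", "Gi1/0/3", "aa:bb:cc:dd:ee:03", "learn"),
    # Port 1: the same address ages out and is re-learned (normal idle behaviour).
    MacEvent(500, "sw1", "Gi1/0/1", "00:11:22:33:44:01", "age"),
    MacEvent(510, "sw1", "Gi1/0/1", "00:11:22:33:44:01", "learn"),
]


def analyze_mac_events(events, baseline: Optional[dict] = None) -> List[Alert]:
    """Walk events in time order and return the alerts they produce.

    `baseline` maps (switch, port) -> expected MAC. If omitted, the first
    address learned on each port becomes its expected address. The baseline is
    not updated after an alert: whether the new device is authorized is a
    decision for the analyst, not for the detector."""
    expected = dict(baseline or {})
    active = defaultdict(set)   # (switch, port) -> MACs currently learned
    alerts: List[Alert] = []

    for e in sorted(events, key=lambda x: x.ts):
        key = (e.switch, e.port)
        if e.action == "age":
            active[key].discard(e.mac)
            continue
        active[key].add(e.mac)
        known = expected.setdefault(key, e.mac)
        if len(active[key]) > 1:
            alerts.append(Alert(e.ts, e.switch, e.port, "multiple-macs", sorted(active[key])))
        elif e.mac != known:
            alerts.append(Alert(e.ts, e.switch, e.port, "mac-changed", [known, e.mac]))
    return alerts


if __name__ == "__main__":
    for a in analyze_mac_events(SAMPLE_EVENTS):
        print(f"t={a.ts} {a.switch} {a.port}: {a.kind} {a.macs}")
```

Keeping the "currently active" set separate from the "expected" baseline is what lets the detector tell the two stories apart: an address that ages out and comes back unchanged is a quiet workstation, an address that ages out and is replaced is a swapped device, and two addresses active at once is something sharing the drop. Ports that legitimately carry many addresses (uplinks, virtualization hosts, IP phones with a PC behind them) would need to be excluded or given a higher limit before this runs in production.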

To read about other network monitoring tools and practices that can be used to detect security threats and intrusions, download the full report.
