Network Monitoring: The Forgotten Cybersecurity Tool
In a cyber world filled with SIEMs, security appliances and anti-malware products, one would think that the specter of cybersecurity would be well under control. However, attacks are still on the rise, zero-day vulnerabilities are increasing and cybercriminals are always finding new ways to attack.
“When dealing with previously unseen attacks, it is important to gather as much intelligence as possible; that may mean going beyond your security tools,” said Stefano Gridelli, co-founder and CEO, NetBeez.net. “Network monitoring and reporting tools can provide additional insights, especially when it comes to lateral movement and attacks on infrastructure devices,” Gridelli said.
For the most part, SIEMs and similar security tools report on anomalies detected by security hardware, such as firewalls and other security appliances. That can unintentionally create blind spots when monitoring networks for security events.
What’s more, security tools typically report on discovered attacks and known vulnerabilities, relying on a particular pattern or known malicious code flagged by a security device to identify an attack. In other words, zero-day attacks and vulnerabilities may initially go undetected, leaving IT managers unaware of the dangers and/or unable to take action in time to prevent a major breach.
Active network monitoring tools look at the network differently than most security tools. Network monitoring is more attuned to a holistic view of the traffic and devices on the network, looking at the flow of traffic as well as the loads that may be put on pieces of the infrastructure.
Today’s active network monitoring products bring additional capabilities to cybersecurity teams that can keep them one step ahead of an attacker. Gridelli explained three particular use cases where active network monitoring proves very useful in the cybersecurity realm.
DDoS Proactive Alerting
Distributed denial-of-Service (DDoS) attacks are on the rise, and attackers are using DDoS attacks to flood networks with external traffic to grind them to a halt. “A DDoS attack uses multiple IP addresses or machines to flood the bandwidth or resources of a targeted system,” said Gridelli. “The attacks can originate from thousands of hosts infected with malware, and attack multiple systems, usually one or more web servers.”
Active network monitoring tools are able to proactively detect DDoS attacks by measuring end-to-end performance and establishing baselines. Active network monitoring tools build those baselines by running end-to-end network performance tests and measuring network metrics such as latency, packet loss and throughput.
In the early phases of a DDoS attack, generally, there’s an increase in packet loss, network latency and application response time before the full saturation of the network and application resources. Here, active network monitoring tools offer proactive detection of an incoming DDoS attack by alerting administrators of a sudden increase in latency and packet loss, when those metrics fall outside of the established norms.
WiFi Rogue Access Points
Active network monitoring tools can work with established WiFi networks to detect rogue access points or unexpected devices joining the network. “Deploying WiFi sensors at corporate offices and remote locations proves effective at detecting rogue access points, which are used to gather information or redirect WiFi traffic. Either way, a rogue access point can be a major cybersecurity problem,” said Gridelli. “In the past, finding rogue access points was often a time-consuming challenge, requiring active participation of a technician.”
With active network monitoring, discovering rogue access points has become a much simpler, automated process. Network monitoring tools are able to create inventories and use policies to determine if there has been a change in the wireless infrastructure. For example, if a new access point appears on the network and it uses a basic service set identifier (BSSID) not previously recognized, an active network monitoring tool can prevent connectivity to the device and alert the administrator of the presence of an access point that is not part of the managed access point list.
Verifying Network Security Policies
Networks can be very complex, and many are segmented into VLANs to segregate traffic. What’s more, there are many devices on the network that can shape or route traffic depending on how the network infrastructure has been configured.
“Today, networks are highly segmented, yet still interconnected; there are numerous devices, such as content filtering appliances, load balancers and so on, that all work together to shape and control network traffic,” Gridelli said. “Here, active network monitoring can verify whether or not security policies are properly in effect, and detect unauthorized changes to the network infrastructure.”
Active network monitoring tools often deploy sensors, which can look into a network and report on what is happening on that network. Administrators can define policies that verify network segmentation, segregation and even the functionality of content filtering devices. By running end-to-end active network monitoring tests, it’s possible to also verify whether certain security policies, such as compliance requirements, are working as intended. Sensors can be installed on protected networks, such as those used for compliance (PCI, HIPAA, etc.), and make sure that those networks can not interact with external networks. The same is true for content filtering; for example, by running constant checks against blocked websites, an active network monitoring tool can let the network administrator know when certain blocked websites are reachable, perhaps due to a configuration change, and proactively fix the problem.
Gridelli makes some great points about active network monitoring and how it complements cybersecurity tools. What’s more, active network monitoring could prove useful when auditing a network or performing forensic tasks. Today’s cybersecurity professionals should look into all of the tools available, and have a frank discussion with network engineers and administrators to find out what monitoring tools are in place, and how to use them to better secure enterprise networks.
