You know by now that hackers never sleep. Chances are your network has been hit before and will be hit again. Hackers invent new techniques every day and tweak existing ones, and much of that activity is automated, which is why it is fair to say they never sleep.
Hackers either attack your network directly or attack your infrastructure through your network. Either way, the network itself is your first line of defense.
Antivirus/anti-malware tools protect individual devices but do nothing to protect the network itself. There are scads of intrusion detection and intrusion prevention devices which are terrific and should be part of a layered defense, or defense in depth. But none of this is the starting point. The starting point is strengthening the network itself.
The saying goes, "you can't protect what you can't see," and that is doubly true for the network. Let's face it. Networks never get simpler. Instead, they grow more complex as more devices, connections and applications are added.
That’s where network monitoring comes in. “Network monitoring tools are software applications designed to monitor and protect networks from intrusions and malicious traffic as well as monitor overall network health and performance. Law enforcement agencies use these tools to protect systems and databases, which contain information that must be kept secure and confidential,” explains the US Department of Homeland Security.
To protect the network, you must see all of it. You do this through network discovery, which not only creates an inventory of every network element but also a topology map. Network discovery is the starting point for network monitoring: once you know where everything is, you can begin watching it.
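What discovery gives you, in code: the following is an added example, not code from the original post or from any particular product. It builds an inventory and a topology map from constructed LLDP-neighbor and MAC/ARP-table records, diffs the hosts it finds against an asset register, and walks the topology to show which uplinks an unregistered host sits behind. Every switch name, port, MAC and IP address in it is made up.

```python
"""Added example, not code from the original post: build an inventory and a
topology map from constructed LLDP-neighbor and MAC/ARP-table records, then
diff the hosts found against a known-asset list. Every device name, port, MAC
and IP address here is made up."""
from collections import defaultdict, deque

# Constructed LLDP neighbor entries as a switch would report them:
# (local switch, local port, neighbor switch, neighbor port)
LLDP_NEIGHBORS = [
    ("core-sw1", "Gi1/0/1", "dist-sw1", "Gi1/0/48"),
    ("core-sw1", "Gi1/0/2", "dist-sw2", "Gi1/0/48"),
    ("dist-sw1", "Gi1/0/1", "access-sw1", "Gi1/0/24"),
    ("dist-sw2", "Gi1/0/1", "access-sw2", "Gi1/0/24"),
]

# Constructed MAC/ARP table entries: (switch, port, MAC, IP)
ARP_ENTRIES = [
    ("access-sw1", "Gi1/0/3", "00:11:22:33:44:01", "10.0.1.10"),
    ("access-sw1", "Gi1/0/4", "00:11:22:33:44:02", "10.0.1.11"),
    ("access-sw2", "Gi1/0/5", "00:11:22:33:44:03", "10.0.2.10"),
    ("access-sw2", "Gi1/0/7", "de:ad:be:ef:00:01", "10.0.2.250"),  # nobody registered this one
]

# Constructed asset register (what IT believes is on the network), keyed by MAC.
KNOWN_ASSETS = {
    "00:11:22:33:44:01": "hr-pc-01",
    "00:11:22:33:44:02": "hr-pc-02",
    "00:11:22:33:44:03": "fin-pc-01",
}


def build_topology(lldp):
    """Undirected adjacency: switch -> {neighbor switch, ...}."""
    topo = defaultdict(set)
    for local, _lport, remote, _rport in lldp:
        topo[local].add(remote)
        topo[remote].add(local)
    return dict(topo)


def build_inventory(lldp, arp):
    """One record per discovered element. Switches come from LLDP, hosts from
    the MAC/ARP tables; each host records the switch port it hangs off."""
    inventory = {}
    for local, _lp, remote, _rp in lldp:
        for switch in (local, remote):
            inventory.setdefault(switch, {"kind": "switch", "name": switch})
    for switch, port, mac, ip in arp:
        inventory[mac] = {"kind": "host", "mac": mac, "ip": ip, "switch": switch, "port": port}
    return inventory


def unknown_hosts(inventory, known):
    """Hosts seen on the wire that the asset register does not know about."""
    return [r for r in inventory.values() if r["kind"] == "host" and r["mac"] not in known]


def path_to(topo, src, dst):
    """Shortest switch-to-switch path (BFS): which uplinks a suspect host's
    traffic crosses on its way to the core."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(topo.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    topo = build_topology(LLDP_NEIGHBORS)
    inv = build_inventory(LLDP_NEIGHBORS, ARP_ENTRIES)
    for host in unknown_hosts(inv, KNOWN_ASSETS):
        print(f"unregistered host {host['mac']} ({host['ip']}) on "
              f"{host['switch']} {host['port']}, uplink path: "
              f"{' -> '.join(path_to(topo, host['switch'], 'core-sw1'))}")
```

The diff against the asset register is the security payoff of discovery: an inventory you only read tells you what is there, while an inventory you compare against what should be there tells you what has appeared without anyone's knowledge, and the topology map tells you exactly which port to look at.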
Once your network is fully discovered and its critical aspects monitored, IT knows when bad things start to happen. In this respect, network monitoring is security monitoring. “If your business isn’t able to monitor every aspect of its network — including every device and major metric — it can’t ensure the security of its business network. Network monitoring tools must provide end-to-end network visibility to safeguard against security threats,” Solutions Review argued in a piece on network monitoring.
When network monitoring spots anomalies, it springs into action via alerts. “Security monitoring doesn’t work well if your company isn’t alerted to issues as soon as possible after they’re discovered. The more time between your monitoring tool finding a problem and the tool informing your enterprise of the problem, the more time you give that security threat to damage your network,” Solutions Review explained.
Not all network issues should be treated equally. Instead, alerts should be tailored to the situation, level of threat, and assigned respondents. “Intelligent alerting capabilities include tiering alerts to prioritize major security events and delaying alerts that occur during off-hours to prevent them from getting lost,” Solutions Review argued.
Network traffic has its usual ups and downs: peak hours during the workday, far less once most people have left for dinner or gone to sleep. But some anomalies and spikes can't be explained by the normal pattern, and those can indicate a cyber-attack. Distributed denial of service (DDoS), of course, is the ultimate example. Other attacks cause subtler traffic variations that are only spotted through traffic monitoring.
Your network monitoring solution can track traffic between network elements such as nodes and applications. When a measurement moves outside its threshold, whether that threshold was set by hand or learned by the tool as a baseline of what is normal for that link at that time of day, an alert goes out pinpointing where the anomaly lies. IT can then leap into action, identify the root cause, and fix the problem before it gets out of hand.
On a broader level there is bandwidth monitoring, which examines how much of each pipe is in use. Abnormal bandwidth usage is a telltale sign of attacks such as distributed denial of service. Traffic monitoring can be narrowed to a specific pair of devices or applications; bandwidth monitoring looks at the link as a whole, and both are key elements to track.
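The baseline, the threshold and the tiered alerting from the last few paragraphs, worked through as an added example that is not code from the original post or from any vendor's product: it learns an hour-of-day bandwidth baseline for one interface from constructed history, scores new samples against it, tiers the resulting alerts, and defers low-tier alerts raised off-hours to the next business morning while P1s page immediately. The traffic figures are synthetic, and the business hours, z-score cut-offs and 15% noise floor are assumptions to be tuned per network.

```python
"""Added example, not code from the original post: learn an hour-of-day
bandwidth baseline for one interface from constructed history, flag new
samples that fall outside it, and tier the alerts, deferring low-priority
ones raised off-hours to the next business morning. Traffic figures,
thresholds and business hours are all assumptions."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUSINESS_HOURS = range(9, 18)     # assumption: 09:00-17:59, Monday to Friday
MIN_NOISE_FRACTION = 0.15         # assumption: never trust a stddev below 15% of the mean


def synthetic_history(days=14):
    """Constructed 'normal' traffic: one Mbps reading per hour, busy during
    business hours, quiet at night, with a small deterministic wobble so the
    stddev is not zero. Starts Monday 2024-03-04."""
    start = datetime(2024, 3, 4)
    samples = []
    for d in range(days):
        for h in range(24):
            base = 400.0 if h in BUSINESS_HOURS else 60.0
            wobble = 10.0 * ((d + h) % 5 - 2)      # -20..+20, repeats every five hours
            samples.append((start + timedelta(days=d, hours=h), base + wobble))
    return samples


def baseline_by_hour(samples):
    """hour of day -> (mean Mbps, stddev Mbps). Keying on hour alone is the
    minimum; production baselines usually key on (weekday, hour) as well."""
    buckets = {}
    for ts, mbps in samples:
        buckets.setdefault(ts.hour, []).append(mbps)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}


def zscore(baseline, ts, mbps):
    mu, sigma = baseline[ts.hour]
    # A flat history gives sigma ~ 0, which would turn every blip into a huge
    # z-score; clamp the noise estimate to a fraction of the mean instead.
    noise = max(sigma, MIN_NOISE_FRACTION * mu)
    return (mbps - mu) / noise


def classify(baseline, ts, mbps):
    """Return an alert dict, or None if the sample is within normal bounds."""
    z = zscore(baseline, ts, mbps)
    if z >= 8:
        tier, why = "P1", "spike far above baseline (flood / DDoS / bulk exfil?)"
    elif z >= 4:
        tier, why = "P2", "traffic above baseline"
    elif z <= -4:
        tier, why = "P2", "traffic collapsed below baseline (link down / blackhole?)"
    else:
        return None
    return {"ts": ts, "mbps": mbps, "z": round(z, 2), "tier": tier, "why": why}


def next_business_hour(ts):
    """09:00 on the next business day (assumed delivery slot for deferred alerts)."""
    slot = ts.replace(hour=9, minute=0, second=0, microsecond=0)
    if ts.hour >= 9:
        slot += timedelta(days=1)
    while slot.weekday() >= 5:                      # skip Saturday and Sunday
        slot += timedelta(days=1)
    return slot


def deliver_at(alert):
    """P1 pages immediately, always. Lower tiers raised off-hours wait for the
    morning so they are not lost at the bottom of an overnight queue."""
    ts = alert["ts"]
    in_hours = ts.weekday() < 5 and ts.hour in BUSINESS_HOURS
    if alert["tier"] == "P1" or in_hours:
        return ts
    return next_business_hour(ts)


if __name__ == "__main__":
    base = baseline_by_hour(synthetic_history())
    probes = [(datetime(2024, 3, 18, 3), 900.0), (datetime(2024, 3, 18, 14), 700.0),
              (datetime(2024, 3, 16, 22), 144.0), (datetime(2024, 3, 18, 14), 430.0)]
    for ts, mbps in probes:
        alert = classify(base, ts, mbps)
        print(ts, mbps, "ok" if alert is None else f"{alert['tier']} deliver {deliver_at(alert)}")
```

Two design points matter more than the numbers. First, the noise floor: a link with a very regular history has a tiny standard deviation, and without the floor a harmless 5% bump becomes a P1. Second, deferral applies only below P1; a 3 a.m. flood still pages, because that is precisely the alert an attacker hopes you will read in the morning.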
Fixing problems automatically means fixing them fast and fixing them right. Rather than waiting for IT to remediate an issue, which takes time and lets the problem fester, automation acts on it right away. And an automated response is one that has been thought through and exercised many times, so it is done not just quickly but correctly. The caveat is that automation is only as good as the playbook behind it: give it a narrow scope, a list of things it must never touch, a budget, and a way to undo what it did, or a bad alert turns into a fast and repeatable outage.
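What a "well thought out" remediation looks like in practice, as an added example that is not code from the original post or from any product: a playbook that responds to a flood-from-one-source alert by rendering a firewall block (and its undo) rather than executing it, and that refuses to act when a human should look first. The protected subnets, the tier names, the block budget and the alert fields are all assumptions.

```python
"""Added example, not code from the original post: a guarded auto-remediation
playbook for a 'flood from one source' alert. Instead of running firewall
commands it renders them (apply and undo) so they can be reviewed or handed
to a change system, and it refuses to act when a human should look first:
protected infrastructure, low-tier alerts, repeat alerts, or a remediation
budget already spent. Subnets, tiers and the alert shape are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: address space automation must never block (DNS, AD, monitoring,
# the on-call team's VPN pool). Blocking these quickly would be quick and wrong.
PROTECTED = [ipaddress.ip_network("10.0.0.0/24"),
             ipaddress.ip_network("192.0.2.0/24")]
AUTO_TIERS = {"P1", "P2"}       # assumption: only the top tiers may trigger automation
MAX_AUTO_BLOCKS = 5             # assumption: blocks per run before escalating to a person


@dataclass
class BlockPlaybook:
    applied: dict = field(default_factory=dict)   # src -> alert id: idempotence plus audit trail

    def run(self, alert):
        """Return (action, detail). action is 'apply', 'skip' or 'refuse'."""
        try:
            src = ipaddress.ip_address(alert["src"])
        except (KeyError, ValueError) as exc:
            return "refuse", f"malformed alert: {exc!r}"
        if alert.get("tier") not in AUTO_TIERS:
            return "refuse", f"tier {alert.get('tier')} is below the automation threshold"
        if any(src in net for net in PROTECTED):
            return "refuse", f"{src} is in a protected range; escalate to a human"
        if str(src) in self.applied:
            return "skip", f"{src} already blocked by alert {self.applied[str(src)]}"
        if len(self.applied) >= MAX_AUTO_BLOCKS:
            return "refuse", "automation budget exhausted; likely a wider incident, page on-call"
        tag = f"auto:{alert.get('id', 'unknown')}"
        apply_cmd = f"iptables -I INPUT -s {src} -m comment --comment {tag} -j DROP"
        undo_cmd = f"iptables -D INPUT -s {src} -m comment --comment {tag} -j DROP"
        self.applied[str(src)] = alert.get("id", "unknown")
        return "apply", {"apply": apply_cmd, "undo": undo_cmd}


if __name__ == "__main__":
    pb = BlockPlaybook()
    # Constructed alerts: a real flood source, a repeat, a protected host, a low tier.
    for alert in [{"id": "A1", "tier": "P1", "src": "203.0.113.7"},
                  {"id": "A1", "tier": "P1", "src": "203.0.113.7"},
                  {"id": "A2", "tier": "P1", "src": "10.0.0.53"},
                  {"id": "A3", "tier": "P3", "src": "198.51.100.9"}]:
        print(alert["id"], *pb.run(alert))
```

Every refusal here is a case where acting "fast" would have been acting wrong: blocking your own DNS server, acting on an alert too weak to justify it, or blindly blocking a sixth, seventh and hundredth address when the spread itself says the problem is bigger than one source. The undo command is rendered alongside the apply command because a remediation you cannot reverse is not one you should automate.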
Individual devices almost always have some monitoring, or at least basic log collection, built in. Monitoring the network that way means IT is not just looking at dozens of logs or consoles; to watch everything, it must eyeball hundreds of separate data sources. That is neither practical nor effective.
Network monitoring takes the opposite approach. A single console watches the entire network and its components, applications included, and alerts for all of those devices and applications flow through that one system.
All the ideas we have presented are not to say that network monitoring is a replacement for layered security or defense in depth. In fact, it is the opposite. Network monitoring fills in many of the gaps of existing security solutions. “For the most part, SIEMs and similar security tools report on anomalies detected by security hardware, such as firewalls and other security appliances. That can unintentionally create blind spots when monitoring networks for security events,” explained Security Boulevard in its Network Monitoring: the Forgotten Cybersecurity Tool blog. “What’s more, security tools typically report on discovered attacks and known vulnerabilities, relying on a particular pattern or known malicious code flagged by a security device to identify an attack. In other words, zero-day attacks and vulnerabilities may initially go undetected, leaving IT managers unaware of the dangers and/or unable to take action in time to prevent a major breach.”
Limitations such as these are why layered security is crucial. In this approach think of network monitoring as the big security overseer. “Active network monitoring tools look at the network differently than most security tools. Network monitoring is more attuned to a holistic view of the traffic and devices on the network, looking at the flow of traffic as well as the loads that may be put on pieces of the infrastructure,” Security Boulevard argued.