After working the past two-and-a-half decades in IT, I have learned the hard way, and watched many others struggle with the fact, that if you don't have the right tools for the job, you're not going to be able to work effectively. There's hardly anywhere this is more impactful than in network security.
Today's networks have evolved from computers with a single login prompt to complex systems that have numerous touch points accessible both inside and outside the network. This expanded attack surface requires a smarter approach to security testing -- including using better tools -- compared to where we started with simple scanning.
To adapt to changing network security needs, there's been a major evolution of the traditional network analyzer. From the DOS-based interface of the original Sniffer product 20+ years ago to the graphical user interfaces of today's next-generation network security tools such as the OmniPeek Network Analyzer or TamoSoft's CommView, security administrators have had some amazing tools at their disposal for uncovering network-based security problems such as:
- Systems that are transmitting or receiving more traffic than the average network host
- Odd or disallowed hosts, protocols and traffic
- Network reconnaissance
- Malicious computer usage
- High bandwidth consumption that might point to a Web or FTP server that doesn't belong
When network traffic doesn't look right with a network analyzer, there's usually something wrong. Fortunately, some traditional network analyzer vendors are building security intelligence into their products that go beyond basic network baselining and traffic capturing. These innovative tools now allow security teams to perform more granular analysis of the data and system behavior, endpoint and application identification, and long-term trending.
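The anomaly categories listed above (unusually heavy hosts, disallowed protocols and ports, reconnaissance, and a server that doesn't belong) are what a security team would script against an analyzer's flow export. The following is an added example written for this page, not code from the article or from any of the products it names. It works on constructed flow summaries of the form (source, destination, destination port, protocol, bytes), and the policy sets (allowed protocols, forbidden ports, server inventory) are assumptions chosen for the example.

```python
"""Flag the traffic anomalies listed above from summarized flow records.

Added example (not from the article). The flows below are constructed
and stand in for what a span port capture or NetFlow export would
summarize: (source, destination, destination port, protocol, bytes).
"""
from collections import defaultdict
from statistics import median

# Constructed sample flows, not real traffic.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, "tcp", 50_000),
    ("10.0.0.6", "10.0.0.20", 443, "tcp", 60_000),
    ("10.0.0.7", "10.0.0.20", 53, "udp", 40_000),
    ("10.0.0.8", "10.0.0.20", 443, "tcp", 50_000),
    ("10.0.0.6", "10.0.0.21", 23, "tcp", 2_000),     # telnet, not allowed here
    ("10.0.0.8", "10.0.0.30", 0, "gre", 5_000),      # tunnel protocol, not allowed here
    ("10.0.0.99", "10.0.0.77", 80, "tcp", 900_000),  # large transfers to an unknown web host
    ("10.0.0.99", "10.0.0.77", 80, "tcp", 900_000),
]
# One host touching a dozen low ports on a single target: sweep-like behaviour.
FLOWS += [("10.0.0.50", "10.0.0.20", port, "tcp", 60) for port in range(1, 13)]

# Policy assumptions for this example.
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}
DISALLOWED_PORTS = {21, 23}          # clear-text FTP and telnet
SERVER_PORTS = {21, 80, 443}         # ports on which a server would be listening
KNOWN_SERVERS = {"10.0.0.20"}        # the inventory of sanctioned servers


def bytes_per_source(flows):
    """Total bytes sent by each source address."""
    totals = defaultdict(int)
    for src, _dst, _port, _proto, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def top_talkers(flows, factor=10):
    """Sources sending more than `factor` times the median host's volume.

    The median is used rather than the mean so that one heavy host cannot
    drag the baseline up and hide itself.
    """
    totals = bytes_per_source(flows)
    baseline = median(totals.values())
    return {src: b for src, b in totals.items() if b > factor * baseline}


def disallowed_traffic(flows):
    """Flows using a protocol or destination port the policy forbids."""
    return [f for f in flows
            if f[3] not in ALLOWED_PROTOCOLS or f[2] in DISALLOWED_PORTS]


def reconnaissance(flows, threshold=10):
    """Sources that contact at least `threshold` distinct (host, port) pairs."""
    targets = defaultdict(set)
    for src, dst, port, _proto, _nbytes in flows:
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def unexpected_servers(flows):
    """Hosts receiving server-port traffic that are not in the server inventory,
    with the bytes delivered to them (a web or FTP server that doesn't belong)."""
    received = defaultdict(int)
    for _src, dst, port, _proto, nbytes in flows:
        if port in SERVER_PORTS and dst not in KNOWN_SERVERS:
            received[dst] += nbytes
    return dict(received)


def report(flows):
    """Run every check and return the findings as one dictionary."""
    return {
        "top_talkers": top_talkers(flows),
        "disallowed": disallowed_traffic(flows),
        "reconnaissance": reconnaissance(flows),
        "unexpected_servers": unexpected_servers(flows),
    }


if __name__ == "__main__":
    for name, finding in report(FLOWS).items():
        print(f"{name}: {finding}")
```

On the constructed data the report singles out 10.0.0.99 as the heavy sender, 10.0.0.50 as the host sweeping ports, the telnet and GRE flows as policy violations, and 10.0.0.77 as an unsanctioned host serving on port 80. The thresholds (ten times the median, ten distinct targets) are starting points to be tuned against a real baseline of the network in question.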
Nowadays, more specific tools help conquer many of the challenges that come along with today's evolving enterprise environment. These include:
- Fluke Networks Visual TruView for application metrics and event correlation
- Fluke Networks AirMagnet Enterprise for wireless networks
- Skyhigh Networks for cloud application usage that has gone unnoticed to this point
- SolarWinds NetFlow Traffic Analyzer for traffic pattern analysis
- TamoSoft NetResident for network content monitoring, storing and reconstruction
- Wildpackets WatchPoint Network Monitor for distributed network monitoring and analytics
Of course, these other more traditional security technologies can also help in these areas:
- Data loss prevention
- Forensics replay tools
- Next-generation firewalls and intrusion prevention systems
- Security information and event management
Every professional relies on good tools to complete their jobs successfully. Given what's at stake in an enterprise, the quality of tools given to its network security professionals should be no different. I perform analysis of network anomalies as part of my internal security assessments, and every time I find something questionable or problematic. It's not necessarily because I'm that good at it. Rather, it's because these network security problems are so numerous and I rely on good tools to uncover them. My work is just a snapshot over a day or two; imagine how much more an enterprise and its security professionals could accomplish over time with the proper enterprise-ready network analysis and management tools. Security teams would be able to truly see what's going on, analyze trends and see the action (and incidents) in real time. Team members will likely learn much more about their network than they'd ever imagined -- but that's a good thing.
Network security visibility and control is not as simple as we often hope for. That said, enterprises don't necessarily have to have the latest and greatest tools from the Gartner Magic Quadrant. It's really about using what's available in the most efficient ways. While good tools won't solve every security problem, bad tools -- or no tools at all -- will most certainly be detrimental in the long run.
If an enterprise doesn't have the resources to invest in new and improved security tools at the moment, it should at least start with Wireshark connected to a span port on one of its core switches, ideally the one that supports Internet traffic ingress and egress. Networking knowledge -- specifically the OSI Model and TCP/IP -- has a great impact on an enterprise's security skill set and long-term ability to fight the threats that matter.
The most important thing to ensure next-generation network security is to know what's taking place on an enterprise network, and only by using the proper tools in the correct manner will security administrators and teams be able to achieve this.
About the author:
Kevin Beaver is an information security consultant, writer, professional, speaker and expert witness with Atlanta-based Principle Logic LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies, The Practical Guide to HIPAA Privacy and Security Compliance and Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.