Editor's note: This is part of a series on achieving cybersecurity readiness. Part one of this series looks at the concept of cybersecurity readiness and proposes seven elements or objectives as fundamentals for achieving that state. Part two examines the first element on that list: building a cybersecurity plan. Part three focuses on the technology aspects of an information security architecture. Part four covers information security risk management. Part five explores identity management systems, and part six examines authorization and accountability.
In part one of this series on cybersecurity readiness, network monitoring was described as enabling administrators and security managers to see and understand the context of every packet that enters and leaves the corporate network so they can quickly recognize changes to expected network operations and identify potentially unwanted network activity.
In addition to overall cybersecurity readiness, continuous network monitoring is also a key element in cybersecurity incident detection. All too often, a network intrusion begins with a user clicking on something in an email, which leads to a user account compromise. Then, over several days or weeks, tens of millions of employee or customer records are sent out of the network to an IP address thousands of miles away. Months later, the network operator finally realizes that an intrusion has occurred.
Continuous network monitoring could have broken that attack chain in several places. It could have provided early detection by identifying malicious links in an email through monitoring Simple Mail Transfer Protocol (SMTP) traffic, and then preventing the links from appearing in a user's email. When a malicious link is clicked, HTTP monitoring could block the outbound connection to the malicious web server. When 25 million records are exported from a database and leave the network, layer 3 monitoring could raise an alert and block the data export, or database security controls could block the transaction.
The term network monitoring has a broad range of interpretations, including vulnerability scanning, packet capture and analysis, network debugging, network management systems that automate the discovery of network devices, Simple Network Management Protocol tools, network performance, and more.
For this article, network monitoring means those elements that network owners and administrators can observe to improve their degree of situational awareness with respect to network operations. In other words, continuous network monitoring is about knowing what is happening on the network, where and when it's happening, why it's happening, and whether what is being observed is a cause for concern or not.
Information security architecture
An information security architecture is a necessary enabler to perform effective network monitoring.
The details of a strong architecture were described in part 3 of this series and included a secure gateway where all external network connections were consolidated to provide visibility to all network traffic. This secure gateway included common security products and services, such as firewalls; intrusion detection and prevention systems; application proxies for SMTP, HTTP/S and FTP; antivirus and antimalware software; and spam filtering.
Normal network operations
By consolidating all external connections through a secure gateway, it is possible to start monitoring this traffic for threats. Once network monitoring begins, a new question emerges -- how to tell normal network traffic from unwanted and malicious traffic.
Many, and perhaps most, organizational networks in operation today are not the product of a well-developed master plan. Rather, the networks in use today are the product of decades of responding to demands to provide access to whatever the latest technology was at the time: email in the 1970s and '80s, World Wide Web access beginning in the 1990s, and connecting to all the latest user devices beginning in the 2000s.
As a result, many organizational network operators and administrators have an imperfect understanding of how their networks are configured, which protocols should be in use, what kinds of traffic are expected on the network, between which endpoints that traffic should be flowing, and in what quantity.
Baseline network operations
To deal with this lack of understanding of what constitutes normal network traffic, a baseline of current network traffic needs to be created. A measure of bandwidth utilization or network load is a minimal baseline. An open source tool, like Multi Router Traffic Grapher, can monitor bandwidth utilization and provide a baseline of network load.
A baseline that goes beyond network load using NetFlow could break down network traffic by ports and protocols, source and destination IP addresses, and other traffic identifiers.
There also still exists a division between the technology divisions that supply networking and the business divisions that use the technology.
Once a baseline is established, continuous network monitoring can then look for changes or deviations from the baseline that may denote suspicious activity.
Intrusion detection and prevention systems
Intrusion detection and intrusion prevention systems are frequently used as the focus of a network monitoring program.
An intrusion detection system (IDS) is a security appliance or a software application that monitors a network segment or a host system for security policy violations or evidence of malicious or unwanted activity or traffic. Once an IDS has determined that a possible intrusion has taken place, it logs information about the intrusion and can send an alert or alarm.
An intrusion prevention system is like an IDS, except that it operates inline with the network and can block suspected malicious activity by dropping malicious packets, resetting connections or blocking an offending IP address. Today, intrusion prevention is viewed as an extension of intrusion detection, and it is performed by combined intrusion detection and prevention systems (IDPS).
IDPS systems are considered a mandatory type of network monitoring, but they have some serious shortcomings. Most intrusion systems rely upon pattern or signature matching to detect an intrusion. Without the correct signatures installed in an IDPS database, an intrusion doesn't result in an alert. New or unknown attacks for which IDPS signatures do not exist also don't raise alerts.
IDPS systems that attempt to identify anomalies or deviations from a network traffic baseline may be used with signature-based IDPS to improve detection. IDPS systems that employ anomaly detection often result in many false positives, making them difficult to manage.
Network traffic analysis
It is possible to go beyond signature-based network monitoring and add network traffic analysis. Network traffic analysis is based upon the concept of an internet protocol (IP) flow.
An IP flow is a set of internet protocol packet attributes. These attributes are the IP packet identity or fingerprint of the packet, and they determine if the packet is unique or similar to other packets. A key element of IP flow is that the content of a communication does not need to be observed, making it possible to analyze encrypted traffic.
Typically, an IP flow is based on a set of IP packet attributes: the IP source address, the IP destination address, the source port, the destination port, the layer 3 protocol type, the Class of Service, and the router or switch interface.
All packets with the same source and destination IP address, source and destination port, protocol, interface, and Class of Service are grouped into a flow, and the packets and bytes are tallied. Using this information, it is possible to establish a baseline for normal network behavior, and then to identify unexpected or unwanted behavior, including malicious behavior.
For instance, if a user begins to transfer large amounts of data via email, it would be possible to detect that behavior with network traffic analysis. Cisco's NetFlow or the Internet Engineering Task Force protocol IPFIX can provide this type of data summarization for traffic analysis.
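The following Python script is an added illustration, not code from the article or from any NetFlow/IPFIX product, of the two ideas above: grouping packets into flows on the seven attributes listed, and comparing the tallied bytes against a baseline to surface a deviation such as one workstation suddenly pushing far more data over SMTP than usual. The packet records, the baseline figures and the mean-plus-three-sigma threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def aggregate_flows(packets):
    """Group packet records into flows keyed on the seven NetFlow attributes and
    tally packets and bytes. Only header fields are used, never payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"],
               p["proto"], p["tos"], p["ifindex"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p["bytes"]
    return dict(flows)

def bytes_per_dport(flows):
    """Roll flows up by destination port so they can be compared to a baseline."""
    totals = defaultdict(int)
    for key, stats in flows.items():
        totals[key[3]] += stats["bytes"]
    return dict(totals)

def find_deviations(baseline, observed, z=3.0):
    """baseline maps a destination port to historical per-interval byte totals.
    Flag ports above mean + z*stddev (an assumed threshold) or never baselined."""
    alerts = []
    for dport, total in observed.items():
        history = baseline.get(dport)
        if not history:
            alerts.append((dport, total, "port not in baseline"))
            continue
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + z * max(sigma, 1.0)  # floor: a flat history must not alert on noise
        if total > threshold:
            alerts.append((dport, total, f"exceeds baseline mean {mu:.0f} by more than {z:g} sigma"))
    return alerts

# Constructed baseline: bytes per interval historically seen toward each port.
BASELINE = {443: [200_000, 210_000, 190_000, 205_000, 195_000],
            25: [40_000, 45_000, 42_000, 38_000, 44_000],
            53: [300, 250, 280, 310, 260]}

# Constructed records for one interval: 20 HTTPS packets, 60 large SMTP packets from one host, 3 DNS packets.
SAMPLE_PACKETS = (
    [dict(src="10.0.0.7", dst="198.51.100.20", sport=51000, dport=443, proto=6, tos=0, ifindex=1, bytes=1400)] * 20
    + [dict(src="10.0.0.5", dst="203.0.113.10", sport=40000, dport=25, proto=6, tos=0, ifindex=1, bytes=1500)] * 60
    + [dict(src="10.0.0.5", dst="10.0.0.2", sport=53001, dport=53, proto=17, tos=0, ifindex=2, bytes=80)] * 3
)

def check_interval(packets=SAMPLE_PACKETS, baseline=BASELINE):
    # End to end: aggregate flows, roll up by port, compare against the baseline.
    return find_deviations(baseline, bytes_per_dport(aggregate_flows(packets)))
```

On the constructed data, port 443 and port 53 stay within their baselines while the 90,000 SMTP bytes from 10.0.0.5 exceed the port 25 threshold and produce the single alert.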
Continuous network monitoring and traffic analysis are examples of where many network operators may be able to improve their situational awareness and overall cybersecurity readiness. Even though the time taken to detect cybersecurity intrusions continues to improve, law enforcement and other third parties still detect more intrusions than network operators, according to Verizon's "2016 Data Breach Investigations Report."
Understanding how corporate networks really operate, consolidating traffic through known secure gateways and watching traffic closely with a variety of monitoring tools are areas where much improvement can still be made in cybersecurity.
Stay tuned for the final article in this series on cybersecurity readiness, which will focus on cybersecurity incident response and management.