Identifying the warning signs of network intrusions

Detecting network intrusions requires a plethora of information. Expert Kevin Beaver explains why security teams need to take a big picture view of the network.

"Have you been hacked?"

It's the big question to which no one seems to have a good answer. Many people I've spoken with, especially nontechnical business leaders, assume a security incident is going to be one of those highly visible events everyone knows about. It certainly can be, especially when attackers take systems offline, expose data or hold it for ransom. But many others -- arguably the majority of network intrusions -- are harder to detect. As a result, cybercriminals and hackers can remain on the network for months or years before they're noticed. That's why these events are so difficult to deal with.

Why network intrusions are tough to spot

In a world where attackers have nothing but time and many breaches are discovered by third parties, enterprises are certainly behind the eight ball. One of the most important elements in determining whether or not a network intrusion has occurred is knowing what's "normal." Oddly enough, this is often overlooked or not considered until after a breach. The average network has so much traffic and noise on it that it can be difficult to understand the differences between network events such as legitimate DNS lookups versus advanced malware infections, large volumes of streaming media versus denial-of-service attacks, penetration testing versus a misuse of privileges and the like. Given this, it's not easy to figure out what's normal for an enterprise network.

Furthermore, people get caught up not only in their day-to-day work, but also in their specific job functions, and everyone has a different sense of what normal is for those positions. Not only does everything change quickly, but perception also plays a part. I've had new clients who have never performed security assessments or actively monitored their networks and have assumed that since nothing is "seen," nothing bad is happening. They have no idea what to expect because that's all they know. Their perception of reality is different from actual reality. They don't know what they don't know, as the saying goes.

Read the warning signs

Unfortunately, there is no one specific warning sign of network intrusions. Detecting a network intrusion requires a lot of little things put together; that's the problem enterprises and security professionals face. There's no good sense of what's right and wrong given all of the moving parts in an enterprise network.

Unless network administrators and security managers are intimately familiar with how things are supposed to look, there isn't a good way to get the visibility and baseline information necessary to keep things in check. This is where the proper security technologies come into play. Traditional firewall logging and alerting and, to a certain extent, intrusion detection and intrusion prevention systems can create more problems than they solve. I'm not saying these technologies aren't necessary to secure the network environment. However, based on all of the factors -- such as network complexity, minimal time available to collect and analyze data, and lack of expertise on what to look for -- traditional technologies are creating a false sense of security for enterprises and they often end up hurting more than helping.

Instead, newer technologies such as mobile device management, data loss prevention, security information and event management systems, cloud-access security brokers -- for better cloud visibility -- or related security analytics technology can be leveraged to paint the entire picture of what's taking place and what might be abnormal for an environment. Even traditional network analyzers such as OmniPeek and Wireshark are being positioned as tools that can help sift through the network security maze and give enterprises a proper baseline for normal activity. It's this level of insight that's necessary for not only picking up the smallest of anomalies, but also for being able to see the bigger picture of what's really taking place on the network.
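One way to turn the "know what's normal" advice into something concrete, as an added example that is not from the article or any product mentioned in it: build a per-client baseline of DNS query volume from a known-good window, then compare later windows against each client's own baseline rather than a global threshold. The log format, addresses and names are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Hypothetical resolver log format (constructed): "<minute> <client-ip> <queried-name>"
def parse(lines):
    """Group constructed log lines into {client: {minute: [names]}}."""
    per_client = defaultdict(lambda: defaultdict(list))
    for line in lines:
        minute, client, name = line.split()
        per_client[client][int(minute)].append(name)
    return per_client

def profile(per_minute):
    """(mean, pstdev) of queries per minute and of distinct names per minute."""
    counts = [len(v) for v in per_minute.values()]
    distinct = [len(set(v)) for v in per_minute.values()]
    return ((statistics.mean(counts), statistics.pstdev(counts)),
            (statistics.mean(distinct), statistics.pstdev(distinct)))

def find_anomalies(baseline_lines, observed_lines, k=3.0, floor=5):
    """Flag clients whose observed minute exceeds their own baseline by more
    than k standard deviations; 'floor' is a minimum absolute gap so a quiet
    host with zero variance is not flagged for one extra query. Clients that
    never appeared in the baseline window are reported separately."""
    base, obs, findings = parse(baseline_lines), parse(observed_lines), {}
    for client, minutes in obs.items():
        if client not in base:
            findings[client] = "no baseline"
            continue
        (c_mean, c_sd), (d_mean, d_sd) = profile(base[client])
        for minute, names in sorted(minutes.items()):
            n, d = len(names), len(set(names))
            if n > max(c_mean + k * c_sd, c_mean + floor):
                findings[client] = f"minute {minute}: {n} queries vs baseline {c_mean:.1f}"
                break
            if d > max(d_mean + k * d_sd, d_mean + floor):
                findings[client] = f"minute {minute}: {d} distinct names vs baseline {d_mean:.1f}"
                break
    return findings

# Constructed sample data: a known-good baseline window, then an observed window.
NORMAL = ["www.example.com", "mail.example.com", "cdn.example.net"]
BASELINE = [f"{m} 10.0.0.5 {n}" for m in range(10) for n in NORMAL]
BASELINE += [f"{m} 10.0.0.9 {n}" for m in range(10) for n in NORMAL[:2]]
OBSERVED = [f"{m} 10.0.0.5 {n}" for m in range(20, 23) for n in NORMAL]  # unchanged
OBSERVED += [f"20 10.0.0.9 {n}" for n in NORMAL[:2]]
OBSERVED += [f"21 10.0.0.9 host{i}.example.org" for i in range(40)]      # burst of lookups
OBSERVED += ["20 10.0.0.77 www.example.com"]                             # never seen before
```

Calling find_anomalies(BASELINE, OBSERVED) flags only 10.0.0.9 (40 queries in one minute against a baseline of 2) and 10.0.0.77 (no baseline), while 10.0.0.5, whose behaviour matches its own history, is left alone.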

We all know what happens once a breach occurs; the information is out there forever and it doesn't come back. Enterprises may not know exactly what to look for in network intrusions, but one thing is certain: If they don't have a good baseline of their environment and reasonable technologies for detection and response, they won't have a chance against the threats. Enterprises have to know their systems, networks and risks -- not perfectly, but to the greatest extent possible -- before they can be prepared to respond effectively, and eventually, prevent network intrusions.

This was last published in February 2016