As technologies advance and enterprise networks expand, administrators accountable for the overall health and performance of infrastructure accumulate more and more responsibility. CIOs are continually analyzing the problem of how to better monitor and secure the activity within their organization’s network.
While the differences between network operations and security operations may seem to blur, the two functions have specific, critical purposes within an organization. Although their tools may overlap, each focuses on particular and distinct aspects of the infrastructure and the traffic that flows over the network.
Network Monitoring – A High-Level Look at Infrastructure
A network monitoring system monitors and tracks network activity for issues or problems caused by malfunctioning devices or overloaded resources (servers, network connections or other devices). Standard network monitoring is often performed using diagnostic tools, dedicated applications or appliances attached to the network, and/or from a command line interface that accesses the available diagnostics or any number of other tools. It uses measurements and algorithms that set a baseline on data-at-rest and measures three primary metrics:
- Availability (uptime)
- Performance (data transfer speeds)
- Configuration (system inventory, application and hardware settings)
Differing aspects of all three metrics require a network administrator who understands topology, configurations, performance, and security to manage and oversee the system. When a problem is detected, an alert is sent to the administrator by email, SMS, etc., so that the issue at hand can be addressed.
At times, small businesses can get away with simpler infrastructure designs where many components are hosted in the cloud. The administrator would only need to manage and monitor those services hosted in data centers without fully having to understand the core technologies behind them. However, an enterprise has many complex parts (including cloud infrastructure) which often span several geographic locations running on a wide variety of infrastructure.
Therefore, network monitoring within an enterprise requires additional support for managing advanced subnetting and configurations spread across multiple switches, routers, servers and load balancers that support thousands of users.
Although basic network monitoring is critical, an arguably more important component of your infrastructure is the procurement of monitoring tools that provide administrators with real-time statistics and visibility into the underlying network. Hardware fails, and the more systems, appliances and components installed on your network, the greater the chance of a disruptive critical failure. Most monitoring systems inform you after a failure or a problem occurs within the network; an even more sophisticated, continuous real-time monitoring system, however, notifies you before it happens, giving administrators the opportunity to remedy the issue before it affects your bottom line.
Network Security Monitoring – Detection and Response to Intrusions
While network monitoring collects data for analysis of basic traffic flows and of the overall structure and integrity of your systems, network security monitoring protects you from the numerous potential vulnerabilities and exploits in the wild.
Even more important than general monitoring, security monitoring analyzes a myriad of complex factors (network payload, client-server communications, traffic patterns, and traffic flow) in order to alert administrators to known malicious activities in an attempt to contain a threat. The right monitoring tool gives you around-the-clock service that watches over a business environment for threats and suspicious behavior. Administrators and analysts can then investigate and gauge abnormal user patterns and take appropriate actions.
Unlike network operational monitoring, network security monitoring and the analysts leveraging it must also be able to detect intrusions and all forms of attacks, including new, zero-day, and cutting-edge threats, to enable evidence-based decision-making. No security expert can guarantee 100% protection from attacks, but new continuous network monitoring and analysis technologies provide levels of detection and mitigation support that can severely decrease the possibility of an attack or breach. Those that can leverage continuous real-time network security monitoring, analysis and remediation will also benefit from a reduction in time to detect and the ability to dramatically reduce or avoid the resulting damage.
It’s important to point out that it takes only minutes for an attacker to compromise and exfiltrate data. So, the quality of a network security monitoring system equates to the speed with which suspicious traffic is reported to administrators and whether the system continuously analyzes data-in-motion or only data-at-rest.
Although Distinct, Both Tools Overlap
Network monitoring tools typically provide a set of configurable dashboards or controls for orchestrating specific tests across the infrastructure under management. Administrators can initiate various tests or analytics as well as set indicators and create whitelists and blacklists while automating the network analysis process. Although automated solutions help alleviate responsibility for redundant tasks performed by administrators or network teams, human judgment is still very much a part of a fully functional solution. Additionally, all aspects of network monitoring and network security monitoring (which do overlap) must work together to provide comprehensive analytics.
For example, network monitoring focuses on understanding the composition, availability, status, behavior, performance, and configuration of all the components within the compute infrastructure; yet security is inextricably woven into each of these responsibilities. You can’t have availability if an attacker is able to launch a DDoS attack against servers and appliances. You can’t have performance if an attacker can flood the network with malware, taking advantage of network configurations that leave your systems vulnerable to exploits.
For these reasons, it’s not uncommon for network administrators to work directly with the security team and combine tools to perform several functions and to correlate results. The dilemma which often arises is that in using the same tools for both network monitoring and security monitoring, you can reduce the effectiveness of security itself. Monitoring tools that claim to be a ‘jack of all trades’ are typically mediocre in security monitoring and, as a result, leave the environment vulnerable to advanced attacks, including zero-day exploits.
Years ago, both network and security monitoring were only concerned with internal infrastructure. Now, even SMB networks can span WAN connections, branch offices, data centers, and cloud hosts. This expanded business infrastructure creates a challenge with the massive amount of data to be collected. Data collection immediately puts a strain on network performance, and the volume of packets being analyzed can build up quickly. Packet captures for only a few minutes can build up to a few megabytes, so just imagine how much storage and performance requirements are needed for a full day’s worth of packet captures.
Administrators need network traffic analysis for all forms of network monitoring, but the wrong solution can affect availability, integrity and performance. The only way for monitoring tools to be effective is if they provide continuous, ubiquitous analysis in real time. As mentioned above, since data exfiltration takes only a few minutes, having monitoring tools that give you hours-old data is no longer practical.
We must adjust and update our approach and tools.
Best Practices to Integrate Real-Time Solutions
Organizations need best practices when it comes to incorporating monitoring tools to minimize negative impact on performance and adequately monitor and secure their networks.
- Take a baseline inventory of your network and characterize network performance. This provides you with a snapshot that can be used for comparison later should problems occur.
- Keep monitoring data stored in a safe location. Network administrators will often provide an easily accessible storage area for security data collection, which leaves the organization open to a breach.
- Create an escalation ladder. During a critical event, network administrators and security teams must both be involved; containing it takes collaboration between network and security administrators, and an escalation ladder should be part of an incident response and disaster recovery plan.
- Collect data on every OSI layer. It’s not uncommon to skip the data link layer, but attacks on Ethernet frames would be missed. Network administrators should monitor every layer since failures can happen at several nodes and transport protocols.
- Monitor configuration changes. For both network and security monitoring, administrators need to know when configurations are changed. This could indicate an attack, but it could also indicate a change that could have a domino effect on network availability and downtime.
- Continue relying on your data-at-rest sources for historical context of what has occurred within your network. Data-at-rest sources include forensic packet captures, log data, tapes, archives, data warehouses, etc. Maintaining an active view into historical data alongside real-time data constitutes a more complete and powerful form of situational awareness, enabling total visibility and supporting a broader range of more effective cyber security, fraud detection and infrastructure management solutions.
- Utilize real-time analytic tools to focus on the analysis of data-in-motion. The Programmable Packet Engine (PPE) is a better form of network traffic monitoring than traditional analytics tools that rely on data-at-rest and therefore monitor based on stale information instead of current, real-time data-in-motion. The PPE supports physical, cloud and virtualized environments, giving hybrid IT organizations the flexibility to deploy network sensors wherever they are needed.
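The baseline inventory, configuration-change monitoring and escalation-ladder practices above can be tied together in one small drift check. The following is an added illustration, not MantisNet code or part of the original post; the device names, settings and the SECURITY_KEYS routing rule are constructed assumptions. It fingerprints each device's configuration at baseline time, reports devices that appear, disappear or change, and routes each finding to the security team or network operations depending on which settings moved.

```python
import hashlib
import json

# Constructed sample baseline inventory (hypothetical device names and settings).
BASELINE_INVENTORY = {
    "core-sw-01": {"vlans": [10, 20, 30], "stp": "rstp", "ntp": "10.0.0.5"},
    "edge-fw-01": {"policy": ["allow tcp/443 out", "deny any in"], "logging": "syslog:10.0.0.9"},
    "lb-01": {"vip": "10.0.1.10", "members": ["10.0.2.11", "10.0.2.12"]},
}
# Constructed "later" inventory: firewall policy loosened, a pool member gone, an unknown device added.
CURRENT_INVENTORY = {
    "core-sw-01": {"vlans": [10, 20, 30], "stp": "rstp", "ntp": "10.0.0.5"},
    "edge-fw-01": {"policy": ["allow tcp/443 out", "allow any in"], "logging": "syslog:10.0.0.9"},
    "lb-01": {"vip": "10.0.1.10", "members": ["10.0.2.11"]},
    "ap-07": {"ssid": "guest", "auth": "open"},
}
# Assumed routing rule: changes to these keys go to the security team rather than network operations.
SECURITY_KEYS = {"policy", "logging", "snmp_community", "acl", "auth"}

def fingerprint(config):
    """Stable SHA-256 of one device config (canonical JSON, sorted keys)."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def snapshot(inventory):
    """Baseline snapshot: device -> fingerprint plus the config it was taken from."""
    return {dev: {"hash": fingerprint(cfg), "config": cfg} for dev, cfg in inventory.items()}

def drift(baseline, current):
    """Compare a later inventory against a snapshot; report new/removed devices and changed keys."""
    report = {}
    for dev in sorted(set(baseline) | set(current)):
        if dev not in current:
            report[dev] = {"status": "removed", "keys": {}}
        elif dev not in baseline:
            report[dev] = {"status": "new", "keys": {k: (None, v) for k, v in current[dev].items()}}
        elif baseline[dev]["hash"] != fingerprint(current[dev]):
            old, new = baseline[dev]["config"], current[dev]
            changed = {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
                       if old.get(k) != new.get(k)}
            report[dev] = {"status": "changed", "keys": changed}
    return report

def triage(report):
    """Route each finding: security-relevant keys or an unknown device -> security; otherwise netops."""
    return {dev: "security" if f["status"] == "new" or set(f["keys"]) & SECURITY_KEYS else "netops"
            for dev, f in report.items()}
```

Running `triage(drift(snapshot(BASELINE_INVENTORY), CURRENT_INVENTORY))` sends the firewall policy change and the unknown access point to the security team and the load-balancer pool change to network operations; the unchanged core switch produces no finding.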
MantisNet offers the most advanced traffic processing, network programming and network visibility to harness data-in-motion and enable your network and security teams to identify and engineer (e.g. remediate) malicious network traffic or under-performing infrastructure assets continuously and in real-time.
The Ultimate Network Monitoring Solutions
Even administrators with distinct job descriptions have to understand the goal, objectives and differences between network security monitoring and standard network monitoring. It’s easy to blindly collect data and event information until it becomes challenging to separate what could be a security event from a network operations issue. For this reason, your monitoring solutions must give both network operations and network security staff the ability to collect, filter, and refine their investigations, to determine if and when there is a problem (or potential problem), and to decide whether the event is (1) normal network activity or (2) malicious or disruptive activity. Not only do you need continuous, fast, and reliable data collection, but you also need real-time metrics and the appropriate use of analytic tools to empower administrators to make quick, accurate decisions.