By: Shimon Brathwaite
December 6, 2021
Tools For Network Monitoring
Network monitoring is an important aspect of securing a computer network. After you've set up all of your company's security controls, you still need to watch your network for signs of intrusion or suspicious activity. You can't expect your controls to stop everyone from getting through, so your next line of defense is finding those who do get through and getting them off the company network. You also need to monitor your employees for actions that may be harmful to the company; a common example in big companies is employees downloading applications they shouldn't. You will never know about either unless you have tools that monitor your network and flag certain activities. If a hack does happen, attackers can sit on your network for months or years at a time without you ever noticing. An IBM study found that it takes companies an average of 228 days to discover a data breach. Some attackers are much more careful to hide their activities. These groups are called advanced persistent threats (APTs): they are usually state-sponsored and take care to remain undetected on a network for as long as possible, with the goal of stealing company information for as long as possible. The only effective way to discover such intrusions sooner is effective monitoring of your network. This article highlights some of the best tools for network monitoring. Provided your employees have the proper training to use each of these tools effectively, together they give you a lot of coverage and information about your computer network.
Intrusion Detection & Prevention Systems (IDS/IPS): The first thing you should invest in for network monitoring is an intrusion detection and prevention system. An IDS sits off a network tap or mirror port and watches traffic for signs of intrusion; an IPS sits inline and can also drop that traffic, so it can stop an attacker from getting access rather than only reporting it. This is a good way to get automated network monitoring, and the day-to-day overhead is low, although signatures must be kept current and noisy rules tuned, or the alerts will end up ignored. It's also good to understand the difference between signature-based and anomaly-based detection. Signature-based software matches traffic against known patterns of malicious activity, so it is precise but blind to anything it has no signature for; anomaly-based software learns a baseline of normal traffic and flags deviations from it, so it can catch previously unknown activity, at the cost of more false positives. Ideally, you want a solution that combines both. The downside of these tools is that they only see the network: they cannot inspect the individual files and processes running on your machines, and they see little of what travels inside encrypted connections.
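To make the signature-versus-anomaly distinction concrete, here is a toy detector that runs both approaches over the same traffic. It is an added example, not code from the article or from any IDS product: the signature table, the hosts and the flow records are all constructed for it, and a real IDS would match far richer rules against reassembled streams. The point it shows is that the two approaches catch different things: an SQL injection probe is one ordinary-looking web request to the anomaly detector but trips a signature, while a port scan matches no signature but is far outside the learned baseline.

```python
"""Toy IDS: signature-based and anomaly-based detection side by side on constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str              # source IP
    dst: str              # destination IP
    dport: int            # destination port
    payload: bytes = b""  # first bytes of the application payload, if any


# Signature rules, constructed for this example (not a real Snort/Suricata rule set):
# rule name -> (destination port, byte pattern that must appear in the payload)
SIGNATURES = {
    "web-directory-traversal": (80, b"../../../etc/passwd"),
    "web-sqli-probe": (80, b"' OR 1=1"),
    "telnet-default-credentials": (23, b"admin\r\nadmin\r\n"),
}


def signature_alerts(flows):
    """Signature-based detection: fires only when a known pattern is seen."""
    alerts = []
    for f in flows:
        for name, (port, pattern) in SIGNATURES.items():
            if f.dport == port and pattern in f.payload:
                alerts.append((f.src, name))
    return alerts


def fan_out(flows):
    """Number of distinct (destination, port) pairs each source host talks to."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dport))
    return {src: len(pairs) for src, pairs in seen.items()}


def build_baseline(training_flows):
    """Learn what 'normal' fan-out looks like from traffic believed to be clean."""
    values = list(fan_out(training_flows).values())
    return mean(values), pstdev(values)


def anomaly_alerts(flows, baseline, k=3.0):
    """Anomaly-based detection: fires when a host's fan-out exceeds mean + k * stdev of the baseline."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return [(src, n) for src, n in fan_out(flows).items() if n > threshold]


def training_flows():
    """Constructed 'clean' traffic: ten workstations each talking to 2-4 internal services."""
    flows = []
    for i, n_services in enumerate([2, 3, 2, 4, 3, 2, 3, 2, 3, 2], start=1):
        for port in [443, 80, 53, 25][:n_services]:
            flows.append(Flow(f"10.0.0.{i}", "10.0.0.100", port))
    return flows


def observed_flows():
    """Constructed traffic to inspect: one normal host, one SQLi probe, one port scan."""
    flows = [
        Flow("10.0.0.5", "10.0.0.100", 443),
        Flow("10.0.0.5", "10.0.0.100", 80, b"GET /index.html HTTP/1.1\r\n"),
        # One ordinary-looking web request to the anomaly detector; only a signature catches it.
        Flow("10.0.0.7", "10.0.0.100", 80, b"GET /item?id=1' OR 1=1-- HTTP/1.1\r\n"),
    ]
    # A scan of 50 ports: no signature matches, but the fan-out is far outside the baseline.
    flows += [Flow("203.0.113.9", "10.0.0.100", port) for port in range(1, 51)]
    return flows


def run():
    """Run both detectors over the observed traffic and return their alerts."""
    baseline = build_baseline(training_flows())
    flows = observed_flows()
    return {"signature": signature_alerts(flows), "anomaly": anomaly_alerts(flows, baseline)}


if __name__ == "__main__":
    print(run())
```

Neither detector alone reports both incidents, which is why the paragraph above recommends a product that combines them. Note also that the baseline only works if the training traffic really was clean; an attacker already present when the baseline is learned becomes part of "normal".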
Endpoint security software: This is a good complement to IDS/IPS. Rather than watching the entire network from one point, endpoint security software is installed on the machines themselves and monitors each one closely. It has to be installed on every machine to give network-wide coverage, which makes deployment more work, but in return it can inspect and block activity at the file and process level: it sees exactly which files are downloaded and which processes run on each machine. It therefore provides much more detailed information and a layer of protection that IDS/IPS can't, because they operate at the network level.
SIEM: SIEM stands for security information and event management. A SIEM collects logs from all of your devices and security technology across the company and performs correlation and analytics on them. Correlation is what lets you connect events that are individually harmless, such as a burst of failed logins in one host's log and a successful login in another's, into a pattern that suggests malicious activity, and it lets you be alerted when defined conditions occur. When dealing with hundreds or thousands of devices, a SIEM is very useful for organizing that information into an easily digestible format. A popular example is Splunk.
Threat Hunting: Another great way to see what's happening on your network is routine threat hunting. Threat hunting is when you have a professional examine your environment for signs of a threat actor: they start from a hypothesis about how an attacker would behave and actively look (hunt) for evidence that someone is sitting on your network undetected. This can surface threats that automated tools miss; sophisticated adversaries can evade tools, so it's good to have a professional audit your network from time to time. Good threat hunters base their hunts on the latest threat intelligence reports for your industry, so they know exactly what to look for.
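The SIEM correlation described above and the hypothesis-driven hunt described here can both be shown on the same logs. The script below is an added example, not code from the article, a SIEM vendor or any hunting tool: the log formats, hosts and addresses are invented for it. The first detection is what a SIEM correlation rule does (failed logons followed by a success from the same source, seen across the authentication logs of several hosts); the second is a hunt for command-and-control beaconing, the hypothesis being that malware checks in with its server at near-constant intervals while human browsing does not.

```python
"""SIEM-style correlation of auth and proxy logs, plus a beaconing hunt, over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log formats for this example; real sshd and proxy lines differ per product.
AUTH_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proxy: src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse(lines):
    """Normalise two log sources into dicts with a shared timestamp field, as a SIEM ingest step would."""
    auth, proxy = [], []
    for line in lines:
        if m := AUTH_RE.match(line):
            auth.append({**m.groupdict(), "ts": parse_ts(m["ts"])})
        elif m := PROXY_RE.match(line):
            proxy.append({**m.groupdict(), "ts": parse_ts(m["ts"])})
        # anything else (cron, kernel, ...) is simply not part of these two rules
    return auth, proxy


def brute_force_success(auth, min_failures=5, window_s=120):
    """Correlation rule: N failed logons from one source followed by a success within the window."""
    by_src = defaultdict(list)
    for e in sorted(auth, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, events in by_src.items():
        for i, e in enumerate(events):
            if e["result"] != "Accepted":
                continue
            recent_failures = [f for f in events[:i]
                               if f["result"] == "Failed" and (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(recent_failures) >= min_failures:
                hits.append((src, e["user"], e["host"], len(recent_failures)))
    return hits


def beacon_candidates(proxy, min_conns=5, max_cv=0.1):
    """Hunt: a near-constant gap between connections from one src to one dst suggests C2 beaconing.
    Returns (src, dst, mean gap in seconds, coefficient of variation) for each candidate."""
    times = defaultdict(list)
    for e in proxy:
        times[(e["src"], e["dst"])].append(e["ts"])
    out = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        if cv <= max_cv:
            out.append((src, dst, round(mu), round(cv, 3)))
    return out


# Constructed sample logs: a password-spray that succeeds, a spray that doesn't, a normal logon,
# an unrelated line, a host beaconing every ~5 minutes, and a host browsing at random intervals.
BEACON_TIMES = ["10:05:00", "10:10:00", "10:14:58", "10:20:01", "10:25:02", "10:30:01"]
BROWSE_TIMES = ["10:05:10", "10:05:20", "10:07:00", "10:12:30", "10:30:00", "10:31:00"]
LOG_LINES = (
    [f"2021-12-06T10:00:0{s}Z host=web01 sshd: Failed password for admin from 198.51.100.7" for s in (1, 3, 5, 7, 9)]
    + ["2021-12-06T10:00:40Z host=web01 sshd: Accepted password for admin from 198.51.100.7",
       "2021-12-06T10:01:00Z host=web02 sshd: Failed password for root from 192.0.2.4",
       "2021-12-06T10:01:02Z host=web02 sshd: Failed password for root from 192.0.2.4",
       "2021-12-06T10:02:00Z host=web02 sshd: Accepted password for alice from 10.0.0.5",
       "2021-12-06T10:03:00Z host=web01 cron: session opened for user backup"]
    + [f"2021-12-06T{t}Z host=proxy01 proxy: src=10.0.0.23 dst=203.0.113.50 bytes=212" for t in BEACON_TIMES]
    + [f"2021-12-06T{t}Z host=proxy01 proxy: src=10.0.0.40 dst=198.51.100.20 bytes=1482" for t in BROWSE_TIMES]
)


def run(lines=LOG_LINES):
    """Ingest the lines, then run the correlation rule and the hunt."""
    auth, proxy = parse(lines)
    return {"brute_force": brute_force_success(auth), "beacons": beacon_candidates(proxy)}


if __name__ == "__main__":
    print(run())
```

The beacon check is deliberately loose (it ignores jitter that real implants add and the byte counts, which are usually just as regular); a hunter would treat its output as leads to investigate, not alerts, which is the difference between hunting and the automated rules a SIEM runs.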
Wireshark: One aspect of network monitoring is examining the individual data packets exchanged by machines on the network. It's not something you do routinely, but it is necessary for troubleshooting and whenever you need to look closely at the contents of a conversation between two hosts. If you ever need to examine packets by hand to see exactly what is being communicated, Wireshark is one of the best tools for the job. It's a completely open-source packet analyzer that has been around for years, and it ships with a command-line counterpart, tshark, for working on captures in scripts. Keep in mind that for encrypted traffic you will only see the connection metadata unless you have the keys.
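To show what a packet analyzer is doing underneath, here is an added example (not from the article or the Wireshark project) of a minimal reader for the classic pcap format: it decodes the Ethernet, IPv4 and TCP headers, prints a Wireshark-style packet list, and reassembles one connection the way Follow TCP Stream does. The capture it reads is constructed inside the script; checksums are left at zero and the newer pcapng format is not handled.

```python
"""Minimal pcap reader: decodes Ethernet/IPv4/TCP and reassembles one stream, like Wireshark's Follow TCP Stream."""
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap; pcapng (magic 0x0A0D0D0A) is not handled here
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the sample capture. Checksums stay 0: constructed data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip


def build_pcap(frames, endian="<"):
    """Wrap frames in a classic pcap file. endian='>' writes a big-endian file, which readers must also accept."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack(endian + "IIII", 1638784800 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per TCP-over-IPv4 packet; everything else is skipped (a display filter of 'tcp')."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic seen through the other byte order
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType is not IPv4
            continue
        ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        if proto != 6:                                          # not TCP
            continue
        ihl = (ver_ihl & 0x0F) * 4
        segment = frame[14 + ihl:14 + total_len]
        sport, dport, seq, ack, data_off, flags = struct.unpack("!HHIIBB", segment[:14])
        packets.append({
            "ts": ts_sec + ts_usec / 1e6, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "seq": seq, "ttl": ttl,
            "flags": [name for bit, name in TCP_FLAG_NAMES.items() if flags & bit],
            "payload": segment[(data_off >> 4) * 4:],           # skip the TCP header and any options
        })
    return packets


def summarize(packets):
    """One line per packet, in the style of Wireshark's packet list."""
    return [f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} [{", ".join(p["flags"])}] Len={len(p["payload"])}'
            for p in packets]


def follow_stream(packets, client, cport, server, sport):
    """Concatenate the payload of both directions of one connection (Follow TCP Stream)."""
    conn = {(client, cport, server, sport), (server, sport, client, cport)}
    return b"".join(p["payload"] for p in sorted(packets, key=lambda p: p["ts"])
                    if (p["src"], p["sport"], p["dst"], p["dport"]) in conn)


# Constructed sample: a three-way handshake, an HTTP request to an internal admin page, and the reply.
REQUEST = b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n"
RESPONSE = b"HTTP/1.1 401 Unauthorized\r\n\r\n"
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.100", 51000, 80, 0x02),            # SYN
    build_frame("10.0.0.100", "10.0.0.5", 80, 51000, 0x12),            # SYN, ACK
    build_frame("10.0.0.5", "10.0.0.100", 51000, 80, 0x10),            # ACK
    build_frame("10.0.0.5", "10.0.0.100", 51000, 80, 0x18, REQUEST),   # PSH, ACK
    build_frame("10.0.0.100", "10.0.0.5", 80, 51000, 0x18, RESPONSE),  # PSH, ACK
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("\n".join(summarize(pkts)))
    print(follow_stream(pkts, "10.0.0.5", 51000, "10.0.0.100", 80).decode())
```

Wireshark does all of this (and thousands of protocol dissectors more) for you; the reason to know the layout is that it tells you what is and isn't in a capture: the stream above is readable only because the request is plain HTTP, and the same exchange over TLS would show the handshake and the byte counts but not the URL.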
Native Cloud Security Products: Depending on the cloud platform you use, there are native tools you can use to monitor your cloud network. For example, if your infrastructure is on AWS, you have built-in monitoring tools. CloudWatch and CloudTrail together give you metrics for your AWS resources and a record of every API call, so you know exactly what is happening in your AWS environment, and you can configure them to notify you when particular activities occur or thresholds are reached. AWS Config records the configuration of the resources in your account, so you can check that your instances and other resources are properly configured and in compliance with your company's standards. Microsoft Azure (Azure Monitor and the Activity Log) and Google Cloud (Cloud Monitoring and Cloud Audit Logs) have their own versions of these services for monitoring those environments. The point is to leverage the native cloud security tools to monitor your network.
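Because CloudTrail delivers its records as JSON, you can run your own checks over them alongside the CloudWatch notifications mentioned above. The script below is an added example, not AWS code or the article's: it uses CloudTrail's real field names (eventName, eventSource, userIdentity, responseElements, additionalEventData.MFAUsed) but the records, user names, group ID and event IDs are constructed. It flags console sign-in without MFA, use of the root account, CloudTrail logging being switched off or altered, and a security group rule opened to the whole internet.

```python
"""Offline detection over CloudTrail records. Field names are CloudTrail's; the records are constructed."""
import json

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect(record):
    """Return the names of the rules one CloudTrail record trips (empty list if none)."""
    hits = []
    name = record.get("eventName")
    ident = record.get("userIdentity", {})
    # Same condition as the CIS AWS Foundations CloudWatch metric filter for sign-in without MFA:
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        hits.append("console-login-without-mfa")
    # Root should not be used day to day; calls made on root's behalf by a service are excluded.
    if ident.get("type") == "Root" and "invokedBy" not in ident and record.get("eventType") != "AwsServiceEvent":
        hits.append("root-account-activity")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        hits.append("cloudtrail-logging-tampered")
    if name == "AuthorizeSecurityGroupIngress":
        perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
        for perm in perms:
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    hits.append(f"security-group-open-to-internet:{perm.get('fromPort')}")
    return hits


def scan(log_text):
    """Run every rule over one CloudTrail log file body ({"Records": [...]}) and key the hits by eventID."""
    return {r["eventID"]: detect(r) for r in json.loads(log_text)["Records"]}


# Constructed records (real eventIDs are UUIDs; the shapes follow CloudTrail's documented format).
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "10.0.0.5",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "evt-3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "management-events"}},
    {"eventID": "evt-4", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "evt-5", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}},
    {"eventID": "evt-6", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG).items():
        print(event_id, hits or "-")
```

In production the same conditions would be expressed as CloudWatch Logs metric filters with alarms on them, or as EventBridge rules, so that they fire as the events arrive rather than when someone reads the log; the script form is useful for checking a backlog of CloudTrail files in S3 and for testing the logic before wiring up the alarms.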
Network monitoring is all about examining your network for any signs of a data breach or a threat actor sitting on your network. This is a big problem because someone can sit on your network without you knowing; they can exfiltrate data, spread malware, sabotage the company, and steal intellectual property, and without monitoring it will go on indefinitely. The tools discussed in this article are meant to give you a well-rounded, multi-layered defense against threat actors who want to exploit your network. You need a good balance of automated security tools and manual threat hunting to make sure you find them. You also need to invest in security training: even if you buy the software, if your employees aren't competent in using it, it won't be nearly as effective as it could be, and you will miss clues you would have found had you properly invested in your people.