We can't talk about network operations in the day to day without talking about the importance of scanning and monitoring your network, as well as patching.
We'll talk a bit about log reviews, scanning reports and other ways of finding vulnerabilities. We'll talk about managing patches: distributing them, and being able to roll a patch back when that's necessary.
We'll look at the significance of baselines, then talk about packet and traffic analysis.
One of the things we're always considering is the possibility of events and incidents materializing on the network.
When we talk about an event, it's really just a measurable change in state: DNS service started, DNS service stopped. On its own, it's neither here nor there.
When we have events that are negative, or that have a negative effect on our network, we consider that to be an incident.
A lot of times we can associate that with a threat and say that the threat has materialized.
We want to make sure that we use due diligence and stay knowledgeable on the various types of attacks that are current and on the horizon.
We also want to make sure that we have the tools in place so that we can detect those events.
When we talk about being knowledgeable and doing our research, we usually consider that to be threat intelligence. Making sure we have the tools and the expertise in place, so that we can make good decisions based on the threats we face, is important.
There are obviously going to be other sources of information, like the public databases that catalog common threats and vulnerabilities.
We can sign up for notifications from these third-party resources, and we can also configure notifications and alerts on our own network to indicate that something has happened, like the percentage of network utilization increasing or certain types of traffic being detected on the network.
It's all about detecting any sort of event that might have a negative impact. We often think of SIEM systems in this case: security information and event management.
These are the systems that put it all together.
We have agents running on various firewalls, routers, honeypots, all these different systems.
Ultimately, those agents report to a central management console where we can look at the big picture of what's happening on the network and try to correlate the details.
Activity on one server may seem very benign, but when you see that same activity on multiple servers, that might be an indication that there is a greater threat.
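To make that correlation point concrete, here is an added example (not code from the course or from any SIEM product) of the kind of rule a SIEM evaluates: a handful of failed SSH logins on one host is noise, but the same source failing against several different hosts is worth an alert. The log lines and their `host=… src=… event=…` format are constructed for the example; a real SIEM would normalize vendor logs into fields like these first.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data), already normalized into fields.
SAMPLE_LOGS = """\
host=web01 src=203.0.113.7 event=ssh_login_failed
host=web01 src=198.51.100.4 event=ssh_login_failed
host=db01 src=203.0.113.7 event=ssh_login_failed
host=app02 src=203.0.113.7 event=ssh_login_failed
host=app02 src=198.51.100.4 event=ssh_login_ok
host=web01 src=203.0.113.7 event=ssh_login_failed
""".splitlines()

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+src=(?P<src>\S+)\s+event=(?P<event>\S+)")


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def per_host_counts(lines, event="ssh_login_failed"):
    """What a single server sees on its own: {host: {src: count}} for `event`."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in parse(lines):
        if rec["event"] == event:
            counts[rec["host"]][rec["src"]] += 1
    return {h: dict(c) for h, c in counts.items()}


def correlate(lines, event="ssh_login_failed", min_hosts=3):
    """What the central console sees: sources producing `event` on at least
    `min_hosts` distinct hosts, returned as {src: sorted list of hosts}."""
    hosts_by_src = defaultdict(set)
    for rec in parse(lines):
        if rec["event"] == event:
            hosts_by_src[rec["src"]].add(rec["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    # web01 alone saw only two failures from 203.0.113.7: benign on its own.
    print(per_host_counts(SAMPLE_LOGS))
    # Across the estate the same source hit three hosts: that is the alert.
    for src, hosts in correlate(SAMPLE_LOGS).items():
        print(f"ALERT: {src} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold of three hosts is an assumption for the example; the point is that the decision needs data from more than one agent, which is exactly what the central console provides.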
Simple Network Management Protocol, SNMP, is a protocol and a service through which device information is tracked within our organization, including configuration and security-related issues.
Now, the SNMP manager works from something called a MIB, a management information base. That's just a formatted text file that defines the objects a device exposes, things like interface counters and configuration values, arranged in a tree of object identifiers (OIDs) that the manager can poll the device's agent for.
The SNMP manager takes the raw values it collects and translates them into more helpful information that will be useful to a network manager.
You can see the raw output over on the right. That might not be particularly meaningful on its own, but ultimately, with good reporting software, I can pull out issues: dropped packets, different types of traffic on the network and the different devices on the network.
SNMP provides a lot of information for managing the network.
SNMP version 3 is the latest and is the only version that can transmit this information across the network in an encrypted fashion, and it only does so when it's configured with both authentication and privacy (the authPriv security level); v3 can also be run with neither.
Everything else, versions 1 and 2c, sends the information that's been captured across the network unencrypted, with the community string that acts as the password in the clear.
So SNMP could be compromised, whether by sniffing that traffic or by guessing a default community string like "public", and help an attacker figure out what's on your network and what vulnerabilities exist.
In addition to monitoring, we have to know what we're looking for. You can't just look; you have to look with a purpose.
What we've got to do is look at the various controls and systems that we have in place and determine what our expectations are.
What error rate is acceptable? How much utilization is too much? What about packets being dropped: at what point does that become an issue?
None of those questions are ones that I can answer for you. It really varies with your network and the type of traffic that you transmit.
The bottom line is that these are some things we need to consider, and these metrics are frequently things that we monitor, along with a slew of other metrics.
The purpose here is knowing what we're looking for and what our network performance expectations are; that is what a baseline gives you.
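One way to turn "it depends on your network" into a number is to derive the threshold from your own baseline instead of picking one by hand. The following is an added example (not from the course or any monitoring product) that summarizes a metric's normal range as mean and standard deviation from baseline samples, then flags a new reading as anomalous when it sits more than k standard deviations above that mean. The sample readings, the metric names and the choice of k = 3 are all constructed assumptions for the example.

```python
import statistics

# Constructed baseline samples (not real measurements): 5-minute readings over a
# quiet business day for two of the metrics mentioned above.
BASELINES = {
    "link_utilization_pct": [22, 25, 24, 27, 30, 28, 26, 29, 31, 27, 25, 23],
    "dropped_packets_per_min": [0, 1, 0, 2, 1, 0, 0, 1, 3, 1, 0, 2],
}


def build_baseline(samples):
    """Summarize a metric's normal behaviour as (mean, sample standard deviation)."""
    return statistics.fmean(samples), statistics.stdev(samples)


def upper_threshold(baseline, k=3.0):
    """The value above which a reading is 'too much' for this network: mean + k*stdev.
    Utilization and drops only matter on the high side, so this is one-sided."""
    mean, stdev = baseline
    return mean + k * stdev


def is_anomalous(value, baseline, k=3.0):
    return value > upper_threshold(baseline, k)


def check_readings(readings, baselines=BASELINES, k=3.0):
    """Compare one set of current readings {metric: value} against the baselines.
    Returns a list of (metric, value, threshold) for every metric that breached."""
    breaches = []
    for metric, value in readings.items():
        base = build_baseline(baselines[metric])
        if is_anomalous(value, base, k):
            breaches.append((metric, value, round(upper_threshold(base, k), 2)))
    return breaches


if __name__ == "__main__":
    for metric, samples in BASELINES.items():
        mean, stdev = build_baseline(samples)
        print(f"{metric}: mean={mean:.2f} stdev={stdev:.2f} "
              f"alert above {upper_threshold((mean, stdev)):.2f}")
    print(check_readings({"link_utilization_pct": 60, "dropped_packets_per_min": 2}))
```

The baseline has to be captured from a period you trust to be normal; if it is collected while an attack or a misconfiguration is already under way, the bad behaviour becomes the expectation, and the detector will stay quiet.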
Log review. Many times we think we only go to our logs after the fact: we've had some sort of negative event, so let's go check the logs.
If we're proactive and monitor our logs, many times we can see an event as it begins to materialize, and we don't have to wait until after the fact.
Most devices have some sort of logging feature.
Again, these help us look at the big picture and spot any anomaly, or anything that indicates something out of the normal is happening.
We want to make sure that our logs are stored in such a way that they can't be tampered with or modified.
That would involve using hashes to make sure there's been no modification, and keeping those hashes, or the logs themselves, somewhere the attacker can't also rewrite, like a separate collector the hosts can only append to; a plain hash sitting next to the log on a compromised box can simply be recomputed along with the edit.
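As an added example of how hashing actually buys tamper evidence (this is not code from the course; it's a minimal version of the hash-chaining approach), each record's tag is an HMAC over the previous tag plus the record, so editing or deleting any record breaks every tag after it. The key is assumed to live on the log collector rather than on the host producing the logs; the sample records are constructed, not real.

```python
import hashlib
import hmac

# Constructed sample log records (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 sshd[812]: Accepted publickey for admin from 192.0.2.10",
    "2024-05-01T10:02:13 sshd[815]: Failed password for root from 203.0.113.7",
    "2024-05-01T10:02:15 sshd[815]: Failed password for root from 203.0.113.7",
    "2024-05-01T10:05:44 sudo: admin : COMMAND=/usr/bin/systemctl restart named",
]

GENESIS = b"\x00" * 32  # the "previous tag" before the first record


def tag_record(key, prev_tag, record):
    """HMAC over the previous tag and this record: each tag commits to all history."""
    return hmac.new(key, prev_tag + record.encode("utf-8"), hashlib.sha256).digest()


def chain_logs(records, key):
    """Return [(record, tag_hex)] with each tag chained to the one before it."""
    prev, out = GENESIS, []
    for rec in records:
        tag = tag_record(key, prev, rec)
        out.append((rec, tag.hex()))
        prev = tag
    return out


def verify_chain(chained, key, expected_last=None):
    """Return -1 if the chain is intact, otherwise the index of the first record
    whose tag does not verify. A return value of len(chained) means records were
    cut off the end, which is only detectable if the final tag was stored
    separately (expected_last) when the log was collected."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(chained):
        expected = tag_record(key, prev, rec)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
        return len(chained)
    return -1


if __name__ == "__main__":
    key = b"collector-only-secret"  # assumed to be held by the collector, not the host
    chained = chain_logs(SAMPLE_LOGS, key)
    print("intact:", verify_chain(chained, key))                 # -1
    edited = list(chained)
    edited[1] = (edited[1][0].replace("203.0.113.7", "10.0.0.5"), edited[1][1])
    print("edited record 1 detected at:", verify_chain(edited, key))  # 1
```

An HMAC rather than a bare SHA-256 is what stops the attacker from rewriting a record and regenerating the chain: without the key they cannot produce valid tags. Shipping each record to the collector as it is written, and letting the collector keep the key and the latest tag, covers the remaining gap of truncation from the tail.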
We really want to be able to review those logs and see if we can preemptively determine that an attack is happening, or at least identify some sort of suspicious activity.
We want to be able to correlate those facts across multiple systems, and we do that with SIEMs.
All right. Port scanning goes hand in hand with vulnerability scanning.
What we're looking for is known weaknesses. When we're scanning for open ports, we're finding the ports that have services listening on them.
We have to remember that a port is really just an access point into our system.
If my system is listening on port 80, it's allowing web traffic to come in.
If we have too many ports or unexpected ports, then we have unexpected pathways into our system.
The way you close a port is to remove or disable the software that opened it; a firewall rule can block access in the meantime, but the service is still there underneath.
Port scans are usually the first step in an attempted compromise.
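To show both halves of that, here is an added example (not from the course, and not a replacement for a real scanner) of a TCP connect scan against the local machine: it starts a throwaway listener standing in for an unexpected service, scans a range of ports, compares what it finds against the ports we expect to expose, then stops the listener to show that removing the software is what closes the port. The listener, the scanned range and the allowlist of expected ports are constructed for the example.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Stand-in for an unexpected service: a TCP listener on an ephemeral port.
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down: the "software" was removed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    """Remove the service: shut the listening socket down so it stops accepting."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def scan(host, ports, timeout=0.25):
    """TCP connect scan: a completed three-way handshake means something is listening."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def unexpected_ports(open_ports, allowed):
    """Open ports that are not on the list of services we intend to expose."""
    return sorted(set(open_ports) - set(allowed))


if __name__ == "__main__":
    srv, port = start_listener()
    found = scan("127.0.0.1", range(port - 3, port + 4))
    print("open:", found)
    print("unexpected:", unexpected_ports(found, allowed={80, 443}))
    stop_listener(srv)
    print("after removing the service:", scan("127.0.0.1", [port]))
```

A connect scan is the noisiest kind, since every probe completes a handshake the target can log; that is also why it is the easiest to detect from the server side, which is the defender's view of the "first step" mentioned above.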