Network Monitoring Can Provide Key Clues To Security Problems, Study Says

Published: 22/11/2024   Category: security




Done properly, traffic analysis and log review can help administrators identify threats they might not recognize otherwise



[Excerpted from "What's Going On? Monitor Networks to Thwart Intrusions," a new report posted this week on Dark Reading's Security Monitoring Tech Center.]
In today's complex IT environments, it is not uncommon to find network monitoring devices and logging mechanisms set up, only to be abandoned and forgotten. When problems arise, someone has to dust off the log documentation, if it exists, and start digging in to figure out what's going on. By then, it is often too late; sensitive data is already in the hands of the attacker.
Many IT shops complain that there are simply too many logs, so monitoring suffers. To make matters worse, in many cases no one knows what they should be looking for -- or how their data could be useful to various groups, such as security, applications, and network operations.
Solving these problems often requires cooperation, since each group holds a piece of the puzzle; without collection, management, and correlation, effective network monitoring is nearly impossible.
Network logs are a good place to start. The recent Verizon Business 2010 Data Breach Investigations Report (PDF) reminds us that there's a wealth of information contained in the logs, but it is rarely used properly. Verizon reports that it consistently finds that nearly 90 percent of the time, logs are available -- but discovery via log analysis remains under 5 percent.
Logs are not going completely unnoticed. Network operations staff monitor router performance and SNMP traps to ensure the network is running smoothly. The question is, why aren't other groups doing the same so a security incident doesn't get missed? Simple: Too many logs and not enough time.
One way to help reduce the impact of having so many logs is to centralize them to one or two indexed, searchable locations. This gives analysts a fighting chance to spot patterns, compared with attempting to pore through dozens to hundreds of systems with their own logs.
Another way to identify potential threats is to monitor network data flow more closely. The same tools used to diagnose network problems and poor application performance can also be used to supplement the security team's efforts.
Network flow data can be used to detect network scanning and potentially infected hosts. Network scanning is easy to spot because no traffic content is needed for detection. If a host attempts a certain number of connections to another host or series of hosts within a certain time frame, then it is likely to be scanning.
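The connection-count rule described above can be sketched as follows. This is an added example, not code from the report; the record layout, the 60-second window, the threshold of 20 targets, and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed time frame; tune per network
TARGET_THRESHOLD = 20   # assumed number of distinct (host, port) targets


def detect_scanners(flows, window=WINDOW_SECONDS, threshold=TARGET_THRESHOLD):
    """Return {src: time threshold was first crossed} for each source that
    contacts at least `threshold` distinct (dst, dport) targets inside a
    sliding `window`. `flows` holds (epoch_seconds, src, dst, dport) records,
    fields a flow export already carries; no packet content is inspected.
    """
    recent = defaultdict(deque)                     # src -> (ts, target) in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> target -> hits in window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        target = (dst, dport)
        queue, seen = recent[src], counts[src]
        queue.append((ts, target))
        seen[target] += 1
        # Expire records that have fallen out of the sliding window.
        while queue[0][0] <= ts - window:
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_flows():
    """Constructed sample records using documentation address ranges."""
    flows = []
    # Many ports on one host: 25 ports in 25 seconds.
    flows += [(1000 + i, "192.0.2.10", "198.51.100.5", 1 + i) for i in range(25)]
    # One port across a series of hosts: 30 hosts in 30 seconds.
    flows += [(2000 + i, "192.0.2.20", f"198.51.100.{i + 1}", 445) for i in range(30)]
    # Busy but ordinary client: 200 connections to the same three services.
    flows += [(1000 + i, "192.0.2.30", f"203.0.113.{i % 3 + 1}", 443) for i in range(200)]
    # 25 distinct hosts, but only one new host every five minutes.
    flows += [(1000 + 300 * i, "192.0.2.40", f"198.51.100.{i + 1}", 22) for i in range(25)]
    return flows


if __name__ == "__main__":
    for src, ts in detect_scanners(sample_flows()).items():
        print(f"possible scan from {src}: threshold crossed at t={ts}")
```

Counting distinct targets rather than raw connections keeps the busy client from alerting. The source that touches one new host every five minutes never crosses the 60-second threshold, which is why the window and threshold have to be tuned to the network being monitored.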
SNMP traps can provide informational alerts to show when media access control (MAC) addresses have changed on a network port, or when more than one MAC address is on a port. MAC change messages could indicate a rogue device has been placed on the network in place of the original device, or that a network hub or switch has been plugged in and a rogue device is now connected alongside the original device.
To read about other network monitoring tools and practices that can be used to detect security threats and intrusions, download the full report.