Does your network monitoring solution give you complete visibility of asset availability, performance and cyber security?
When NetOps and SecOps teams work together, it’s possible to leverage the greatest visibility out of your network data.
Network monitoring analytics and reporting is a critical source of intelligence to reduce the dwell time of any bad actors – insiders or outsiders.
If your network monitoring solution has the analytics and predictive capability to provide trend lines and forecasting (which it should), it follows that you will be able to identify and expose any potential future outages from faulty critical assets. Yet while we spend a lot of time talking about network uptime, performance and capacity planning, it’s important to remember that being able to quickly identify network anomalies is also an advantage for security monitoring, exposing all kinds of damaging activities, from malware and ransomware attacks to Bitcoin mining.
Meeting the needs of both NetOps and SecOps.
It’s no surprise, then, that we’re seeing closer collaboration than ever between network operations teams, security operations teams, Chief Information Security Officers (CISOs) and CIOs. Both teams need high-speed polling, end-to-end visibility and decision-ready data: NetOps needs to manage and maintain large-scale network performance, while SecOps needs to support essential network surveillance and detect the presence of malware such as EternalBlue and the Mirai botnet. Think of your network monitoring solution as collecting network management data from known devices on the network for NetOps, while identifying unknown devices and anomalous behaviors for SecOps.
Threats to cyber security are usually biggest at the front line, where your business interacts with external entities: customers, partners, or potential threat actors – human or machine. Some areas of the threat landscape are particularly porous: for example, supply chain management involves all kinds of interactions with external entities while performing business operations over a network, so your KPIs are likely to cover not just operational issues such as availability and performance, but also security.
Security teams have traditionally used NetFlow as a single source for security network data, which is a time-consuming business. This is where SecOps needs automated actionable insight and surveillance capability – spending hours on manual configurations for a network management tool simply isn’t realistic. We’d be remiss not to point out that setting up a single Statseeker server for extra surveillance visibility at scale would save you time, money and trouble. Using an open source security toolset (such as Security Onion), SNMP polling and ping can be easily configured to generate alerts and syslog that reveal important indicators of compromise (IoCs).
Detecting network threats.
Let’s consider a Mirai botnet as an example of how your network monitoring solution could make a significant difference to your ability to detect and identify a significant network threat.
Mirai has over 300 variants that are finely tuned for Linux, Windows and other operating systems and vendor devices. You might think that detection would rely on identifying:
- Rogue or new devices on your network
- Devices that are easy targets for the Mirai botnet
- Which variant of the 300+ versions of Mirai you may have on your network
Yet even to the trained eye, any one of these individual steps would not reveal a Mirai botnet on your network. It’s only by combining the results of the right investigations that you can identify IoCs. In addition, when Mirai begins setting up a ‘command and control’ channel with infected devices, it tests its ability to command and assemble them into a DDoS attack force. This testing and command/control communication will cause spikes in your network that would look like typical congestion to your NetOps team.
Using the right solution, your SecOps team could have already configured your network monitor to look for spikes and anomalies that can reveal botnet behaviors. You could then detect Mirai behaviors in four steps, comparing the results to reveal valuable insights:
- Run discovery on the target CIDR (supernetting) ranges with both public and private SNMP community strings.
- Perform SNMP walks on the devices discovered above with OIDs that will identify open TCP and UDP ports 80, 23 and 21 (Mirai looks for devices that have web, telnet and FTP ports open).
- Using an SNMP walk, identify the 32- and 64-bit counters from the discovery to infer 10/100 vs. 10/100/1000 interfaces. These counters will be used to identify spikes in traffic that may be caused by Mirai exercising an infected set of slave devices with command and control.
- You would then cross-reference the results from the SNMP discovery (step one) with the open port results (from step two) to obtain a list of devices that are either already infected or are prime targets for the Mirai botnet.
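As an added illustration (not Statseeker’s code, nor part of the original post), the Python below carries the four steps through on constructed sample data: the discovery results, the per-device listening ports and the interface octet counters are stand-ins for what an SNMP walk would return, and the spike rule (an interval more than five times the median of the earlier ones) is an assumed threshold you would tune for your own network.

```python
# Added example: cross-referencing SNMP discovery, open-port and counter data.
# All inputs are constructed sample data, not real polls; the 5x-median spike
# threshold is an assumption to be tuned per network.
from statistics import median

MIRAI_PORTS = {21, 23, 80}            # FTP, telnet and web: the ports Mirai probes for
COUNTER_WRAP = {32: 2**32, 64: 2**64}  # wrap-around points for ifInOctets / ifHCInOctets

# Step 1 (constructed): devices that answered discovery, with the community that replied
discovery = {
    "10.0.1.10": {"sysName": "cam-lobby", "community": "public"},
    "10.0.1.11": {"sysName": "dvr-1", "community": "public"},
    "10.0.1.20": {"sysName": "core-sw1", "community": "private-ro"},
}
# Step 2 (constructed): listening TCP ports per device, as read from a TCP listener walk
listeners = {"10.0.1.10": {23, 80}, "10.0.1.11": {21, 23, 80}, "10.0.1.20": {22, 161}}
# Step 3 (constructed): inbound octet counters sampled every 60 s, with counter width.
# The 32-bit series wraps once (a normal event) and then jumps (a real spike).
samples = {
    "10.0.1.10": {"width": 32, "octets": [4_293_000_000, 4_293_600_000, 4_294_200_000,
                                          500_000, 1_100_000, 31_100_000]},
    "10.0.1.11": {"width": 64, "octets": [0, 600_000, 1_200_000, 1_800_000, 2_400_000]},
}

def counter_rates(values, width, interval=60):
    """Bytes/s between consecutive samples, correcting for counter wrap-around."""
    wrap = COUNTER_WRAP[width]
    rates = []
    for prev, cur in zip(values, values[1:]):
        delta = cur - prev if cur >= prev else cur + wrap - prev
        rates.append(delta / interval)
    return rates

def has_spike(rates, factor=5.0):
    """True if any interval exceeds `factor` times the median of the intervals before it."""
    for i in range(2, len(rates)):
        baseline = median(rates[:i])
        if baseline > 0 and rates[i] > factor * baseline:
            return True
    return False

def exposed_devices(discovery, listeners):
    """Devices that answered SNMP discovery and also expose an FTP, telnet or web port."""
    return sorted(ip for ip in discovery if listeners.get(ip, set()) & MIRAI_PORTS)

def classify(discovery, listeners, samples):
    """Step 4: exposed and spiking -> 'likely infected'; exposed only -> 'prime target'."""
    result = {}
    for ip in exposed_devices(discovery, listeners):
        s = samples.get(ip)
        spiking = bool(s) and has_spike(counter_rates(s["octets"], s["width"]))
        result[ip] = "likely infected" if spiking else "prime target"
    return result
```

The wrap correction matters: without it, the 32-bit rollover on the first device would register as a huge negative delta and either mask the real spike or trigger a false one.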
Three critical network monitoring functions that benefit your security surveillance.
Running and re-running network discovery.
Make sure that you can run high-speed discovery scans across your entire network to discover rogue devices or equipment that has SNMP public strings exposed. Even better, set up re-discovery functionality to compare results with earlier scans and detect new rogue devices.
Obtaining and saving full performance history.
Make sure that your performance data for routers, switches, and interfaces is visible in real time and available as history in its full granularity (no averaging or rolling up). You should have all the information and analytics you need to perform cognitive security surveillance and visibility using historical, current and forecast network data. A fine level of granularity (such as 60-second intervals) is especially important if you are going to be applying AI and machine learning solutions to this data.
Turning data into decision-ready information.
Viewing anomalies and understanding areas of risky communication behaviors in your network is another way to stay ahead of the game with cyber security. Syslog and customized alerts are essential sources of intelligence that can be correlated with other data sources to keep you and your security team fully informed. Every network is different, and you’ll want to be able to easily customize and automate report generation for your specific security needs, preferably available as a single pane of glass view.
Optimising visibility through convergence.
Using the right network management solution, both legacy networks and newer software-defined networks (SDNs) can be monitored and analyzed for anomalies and known faulty conditions. When NetOps and SecOps teams work together, it’s possible to leverage the greatest visibility out of your network data.
As the applications of artificial intelligence (AI) and machine learning (ML) increase, the development and availability of cognitive AI tools will only increase: enhancing network resiliency; lowering costs and IT system cycle times; and increasing the convergence that enables NetOps and SecOps teams to use the same resources to inform critical business decisions.