April 20, 2018
Security: Utilizing the Right Tools for Proper Network Monitoring
“Everybody’s talking to computers
They’re all dancing to a drum machine
I know I’m living on the outside
Scared of getting caught between”
– Rick Springfield
So far we have discussed the history of the analyst’s craft. It’s time to start cracking open the playbooks and to talk about actual nuts and
bolts of a well-rounded security plan. While there are limitless ways, and no one-size-fits-all solutions, we can take the time to use highly customizable tools and methods to make the best for our needs. The goal has been and always will be fast and effective network monitoring & response to alerts.
The first step in any plan is to assess the network that you will be monitoring and protecting. Through this process we will isolate and identify each part of the network and create a ‘just right’ fit within the security plan for each and every device. Remember that all parts of a network contribute to and reflect the validity of the security posture of the network.
The major parts of a network can be broken down into three categories:
- Network Devices
The devices that make up the network upon which all data flows. These are mostly appliances that run their own firmware and have logging options that are configurable by the device administrator. Examples of these devices are routers, switches, and load balancers.
- Service Provision Devices
These devices are either appliances or servers running specific software that provide services to the local network, the internet itself, or both. Examples of these devices are web (HTTP) servers, Mail (SMTP) servers, and file servers ( FTP … I’m not going to say FTP, and neither should you).
- Security Devices
These devices are either appliances or servers running specific software that provide security services to the network. Examples of these devices are intrusion detection / prevention systems ( IDS/IPS), firewalls, and antivirus systems.
By breaking the network devices up into these three categories, we provide an analysis space for each to weigh in uniquely in the security plan. For network monitoring, comprehensive analysis and correlation between these three groups many attacks can be detected, followed, and, using the information gathered, proactive measures can be developed on the fly. This also allows the division of responsibilities between multiple analysts so that while on duty they can focus on a single discipline, and by rotation they can be exposed to all three disciplines over time to keep their skills sharp and to distribute knowledge and experience across the team.
One question that gets asked is why we separate the devices between appliances and servers providing services. This is an important distinction because of the way they are designed and implemented on the network.
An appliance is most often a small self contained system that runs on a custom operating system selected by the appliance manufacturer, and is capable of being configured and operated by way of a user interface that is designed by the manufacturer. An administrator will, on a regular basis, review the appliance and keep in communication with the manufacturer to ensure that the firmware and software on the appliance are up-to-date and that any required patches are applied in the proper manner. Logging is accomplished inside of the appliance, with various output methods to central collection points or servers. Because of their closed nature it is very common for the majority of the logs generated by an appliance to be held externally due to the fixed amount of storage space available internally. For the most part appliances need only the configuration for the task they are designed to perform and then to be attached to the network to begin working.
A server running a service is most often a computer, running a selected operating system that runs service providing software. In many cases the selection of operating system and service providing software is done by the company by way of it’s system administrators and other selection committees to best serve the needs of the company. These systems require more administration and closer monitoring than appliances as the responsibility of the care and feeding of the underlying operating system is a designated local responsibility and not left to the manufacturer. An extended version of this is the ever popular virtual server, which consists of one large scale physical computer sectioned off logically into a number of smaller virtual computers, each with its own assigned task. These systems present a unique logging challenge because of the number and depth of the logs generated. The physical server, or host, has the logs generated by its underlying operating system, its virtualization software, and the logs generated by each virtual computer, or guest, that runs within the virtual environment.
That’s a lot of logging to address. Luckily we have time to cover all of this and more. The future is streaming technology, and to be part of that, the craft of the analyst needs to evolve to meet the challenges of big data, cloud processing, and more. Network monitoring will continue be crucial to address these emerging technologies.
In our next blog we will start to drill down into the details of each of the three groups, starting with the network devices, and show how they can at first be overwhelming but can be tamed to provide valuable data.