The Keys to Network Security and Monitoring
by Robert Bond
The Fundamentals of Network Security Analysis and Monitoring
In a Blog Post we wrote titled “Network Security Design is Critical to Eliminating Security Gaps and Reducing Costs” – “The 5 Pieces to the Cybersecurity Puzzle,” we discussed the five core elements of Secure Network Design. Because of all the questions and comments we received concerning Network Security in general, we wanted to take a step back and address just the IT Security aspect from a more fundamental perspective. That is, we wanted to take just a minute to explain how leading organizations deal with Network Security and some of the tools and technology that they employ and why.
According to a SANS survey of 222 IT leaders in companies of diverse size and industry, firewalls, malware detection, and host-based IDS/IPS account for security technology that is most deployed in both large and small organizations. Large-scale networks will have multiple “choke points” where these devices are needed to monitor and enforce the security policy. Meaning, many organizations will have dozens of firewalls, NGFW’s, and IDS/IPS technologies in a variety of areas on the network versus small organizations that will run traffic more centrally and use fewer devices.
Secure email gateways are used by almost all organizations but are used as centrally as possible. Most small and midsize organizations will only have one central e-mail gateway through which most of their mail flows.
Newer technologies, such as web application firewalls and cloud access security brokers (CASB), are deployed in 75% and 50% of organizations respectively, however, we are seeing their number employed increasing year over year due to migration to the cloud and increased application vulnerabilities.
IT Security Visibility with Packet Analysis and Flow Analysis
Together, network and security devices provide deep, robust information that can help create the visibility and management of traffic from multiple network links.
Two types of analysis are currently leveraged for analysis are:
- Packet Analysis – Packet analysis is the more traditional approach to security monitoring. It uses network packets as the data source and then extracts metadata from the payloads to analyze a complete conversation. It provides richer results than flow analysis including incoming and outgoing websites, users, applications, files, hosts, resources, and content of the exchange; but has higher demands on computational processing.
- Flow Analysis – Flow analysis provides summary data for network behavioral analysis. For example, flow analysis is used in forensic investigation to determine if data exfiltration from a host occurred and at what time. It is also used for site or traffic profiling including finding out what protocols are on the network. Further, flow analysis is used in network administration and the measurement of network performance.
Think of the difference this way – flow analysis is typically the 10,000-foot view while packet analysis is the deeper dive perspective into the data. Packet capture is expensive because of the amount of data that must be collected and stored and the number of devices that need to be deployed.
Active versus Passive Network Security Devices
- Active Security Devices – These can be firewalls, Intrusion Prevention Systems (IPS), web proxies, web application firewalls (WAF) and anti-malware as the devices are In-Line with the network. Meaning, they receive the data packets and forward them to the intended destination.
- Note – Active Security Devices are excellent at identifying and stopping threats in real-time because the traffic has to go through the device. The downside is that the devices often slow or stop traffic and thus degrade network performance.
- Passive Security Devices – These include Intrusion Detection Systems (IDS), User Behavior Analytics (UBA), most Endpoint Detection and Response (EDR) solutions and Security Information and Event Management (SIEM) systems. They operate outside the network by inspecting forensic artifacts such as copies of network traffic or log data generated by various IT tools to identify anomalous traffic or malicious behavior.
- Note – Passive Security Devices are designed to provide insight for security analysts to review after the traffic has passed through the network. Thus, passive devices do not typically degrade network performance, however, they are not able to “block” unwanted traffic as Active Devices can.
Therefore, in the SANS survey, many IT leaders have concerning over deploying active security devices suggesting that they are most concerned about the adverse impact active security devices can have on the network. The majority (77%) cite the possible performance impact such devices can have, followed by concern over potential network outage and the introduction of additional network latency, at 54% and 52%.
In addition, when the IT leaders in the survey were asked why they don’t deploy active security devices or why they typically do not turn on 100% of the features, respondents ranked the reasons as follows:
- Performance impact: 68%
- False positives: 59%
- Alert fatigue: 55%
- Network downtime: 26%
Security Monitoring and Prevention
In the blog post that we referenced at the beginning of this post “Network Security Design is Critical to Eliminating Security Gaps and Reducing Costs,” we provide some detail concerning security monitoring and prevention. Therefore, in this section lets just list the tools to identify, monitor and/or block malicious behavior. They are:
- IDS: passive monitoring tool strategically placed at the major intersections of your segmented network. Typically deployed with a network tap or a VLAN span port to listen to monitor traffic.
- IPS: similar to an IDS, but actively prevents malicious traffic. Deployed off a network tap to eliminate a point of failure or in-line within your network.
- DLP: monitors and controls endpoint activities to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Deployed on end-user systems such as desktops, laptops, mobile devices, etc.
- DAM: monitors all activity on a database and provides alerts and reports on that activity. Deployed on a database, but its output is stored outside the database it is monitoring to avoid evidence tampering.
Security Event Logging
Again, in the same blog post, we provided information into Security Event Logging and we suggested that analysts are typically looking for logs that provide information concerning authorization and authentication of systems, systems and data change, network activity, resource access, malware activity, and failure and critical error reports. The two types of security event logging are:
SIEM: aggregate and correlate logs from multiple sources, including threat intelligence data feeds, asset inventories and directory services; identify suspicious activities through correlation rules and trigger appropriate action by alerting SOC analysts. Typically, a single-pane-of-glass technology used by SOC analysts to monitor and investigate alerts from all security technologies on the network.
Security Analytics: a “newer” version of SIEM that incorporates more than just systems such as UBA/UEBA. Deployed on-premise or in the cloud to enable higher efficacy from collective good.
Questions to Ask About Security Monitoring
Prioritize your security monitoring to align with your network monitoring and consider these questions:
- Which are the most utilized applications, when and where?
- Is your bandwidth adequate at the times of highest demand?
- Do your security devices contribute to degrading network performance?
- What locations contribute to blind spots to your traffic analysis that increase your risk, decrease threat hunting ability or ability to detect malicious behavior?
- How can you leverage your current network operations team to advise your security team on those locations and multiple links?
In a perfect world, security technology would block all traffic that is malicious or geared to somehow deliver malware to an organization. However, the reality is that security technology degrades network performance (bandwidth), is inaccurate in terms of what it identifies as a threat (false positives) and are noisy by inaccurately, though constantly, alerting security staff that they may have a threat or breach (false alarms). Thus, IT and IT security must work together to find a balance between security and performance.
Log Monitoring and Management or Security Monitoring or Network Monitoring or Enterprise Security Monitoring should probably be our next step as we go through Network Security Analysis and Monitoring. Incidentally, all of those terms essentially mean the same thing in the IT Security world. MSSP’s like SecureOps do a great job of managing the time-consuming, arduous task of collecting, correlation, and analyzing the data to ultimately generate reports concerning what these logs mean from a security, regulatory, and compliance perspective. So next time let’s dig into what log monitoring and management are and why so many organizations struggle with logs.
You can always reach the good folks at SecureOps @ 1 (888) 982-0678 and we look forward to the next post on, let’s call it Security Log Monitoring and Management.
June 23, 2020
June 16, 2020