A common misconception is that antivirus software catches most of the viruses out there. Some suggest that antivirus software only catches 60% of the current viruses, which leaves 40% of the brand-new viruses that the software isn't even looking for. So when you're monitoring the network, what should you look for that may be an indicator of a security issue impacting network performance?
The key to detecting security issues that may impact the network is monitoring essential analytics and auditing your systems. It’s also critical to establish a baseline of the performance of your network so you can determine what is normal and abnormal activity. After establishing a baseline, here are four network areas to monitor so you can work with your security team to reduce security issues impacting network operations. Look for:
1. Odd protocols on known network segments
Example: You detect inbound web traffic going towards the finance department, or another network that wouldn’t serve traffic.
Action: Set alerts on network segments that wouldn’t normally serve HTTP, SMTP or other protocols that are acceptable elsewhere but odd for that segment.
2. Inter-host communications that are larger than normal or between hosts that should not be communicating
Example: A person’s desktop in human resources is constantly communicating with the engineering file server. This is unusual and could be worth looking into further.
Action: Identify the “Top Talkers” on your network and sort those metrics by the biggest consumers of bandwidth. Look for communication between hosts that wouldn’t normally occur.
3. Spikes in utilization from devices that normally don’t serve traffic
Example: A development or test server that is constantly spiking utilization at 1am EST (which is about 4pm in China) may be a sign of compromise and data exfiltration.
Action: Create alerts when bandwidth or resource utilization reaches defined thresholds on specific devices so you can perform additional analysis.
4. Crawling of traffic on your systems
Example: A person’s desktop in the marketing department shows thousands of HTTP GETs per hour on the network.
Action: Deploy a honeypot server, or create a hidden page within your web directory structure and monitor your logs for any GETs to that page. If the hidden page shows up in the logs, alert the security team that there may be a malicious web crawler on the network.
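As an added example (not from the original post and not part of the NeuralStar product), the following Python pass applies all four checks above to constructed flow records and web-log entries against a constructed baseline; the subnets, hosts, thresholds and the hidden-page path are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dst_port, bytes, hour_of_day).
BASELINE = (  # normal week: HR desktop -> HR share, dev server -> its update mirror
    [("10.2.2.7", "10.2.0.5", 445, 5_000 + 50 * (h % 4), h) for h in range(9, 18)]
    + [("10.5.0.8", "198.51.100.7", 443, 3_000 + 100 * (h % 5), h) for h in range(24)]
)
WINDOW = [  # the hour being analysed
    ("10.1.1.5", "10.9.0.3", 80, 52_000, 13),          # HTTP into the finance segment
    ("10.2.2.7", "10.3.0.10", 445, 900_000, 14),       # HR desktop -> engineering file server
    ("10.5.0.8", "198.51.100.7", 443, 40_000_000, 1),  # dev server spike at 1am
    ("10.5.0.8", "198.51.100.7", 443, 3_100, 14),      # dev server at its normal volume
]
# Constructed web-log entries: (src, requested path).
WEBLOG = [("10.4.4.9", "/catalog")] * 1500 + [("10.4.4.2", "/.hidden-trap")]
# Assumed policy: the finance segment (10.9.0.0/24) serves no inbound protocol at all.
SEGMENT_PORTS = {ipaddress.ip_network("10.9.0.0/24"): set()}
HIDDEN_PAGE = "/.hidden-trap"  # assumed path of the unlinked trap page

def analyze(baseline, window, weblog, sigma=3.0, get_limit=1000, top_n=3):
    alerts = defaultdict(list)  # check name -> list of alert tuples
    known_pairs = {(s, d) for s, d, *_ in baseline}
    per_host = defaultdict(list)  # bytes sent per record, per source host
    for s, _, _, nbytes, _ in baseline:
        per_host[s].append(nbytes)
    pair_bytes = Counter()
    for s, d, port, nbytes, hour in window:
        pair_bytes[(s, d)] += nbytes
        # 1. a protocol the destination segment is not expected to serve
        for net, allowed in SEGMENT_PORTS.items():
            if ipaddress.ip_address(d) in net and port not in allowed:
                alerts["odd_protocol"].append((s, d, port))
        # 3. utilisation spike: beyond mean + sigma*stdev of the host's own baseline
        if s in per_host and nbytes > mean(per_host[s]) + sigma * pstdev(per_host[s]):
            alerts["spike"].append((s, hour, nbytes))
    # 2. top talkers whose host pairing never appeared in the baseline
    for pair, total in pair_bytes.most_common(top_n):
        if pair not in known_pairs:
            alerts["unexpected_pair"].append((*pair, total))
    # 4. crawling: GET volume per source, or any request for the hidden page
    gets = Counter(src for src, _ in weblog)
    hidden = {src for src, path in weblog if path == HIDDEN_PAGE}
    for src, n in gets.items():
        if n > get_limit or src in hidden:
            alerts["crawler"].append((src, n, src in hidden))
    return dict(alerts)
```

Calling analyze(BASELINE, WINDOW, WEBLOG) returns the alerts keyed by check name; note that the HR desktop's large transfer is raised both as an unexpected pair and as a spike against its own baseline.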
These four steps can help you identify potential security issues when you're monitoring the network and enable you to work collaboratively with your security team to avoid security breaches. Can your current tools help you monitor the network and security operations in a single view to better troubleshoot issues impacting performance? If not, consider our NeuralStar solution that aggregates all network event data – security, availability, performance and more from any network connected port, device, service or application – all on a single console.
Here is a screenshot of NeuralStar with integrated security metrics.