They Went Where?
Tracking where people are going on your network, and ensuring they are going only to the places they should be going, is an integral part of properly securing a network. According to The Economist (The Cost of Immaturity, 2015) it takes a company on average 205 days to detect that its network has been compromised. That is more than six months from when an attacker first accesses information on your network to when you first notice the attack, and that figure says nothing about the time it then takes to recover from the incident.

As The Economist discusses in its article, there is no fool-proof way of entirely securing a modern network. Short of running a closed network with no external access (eliminating USB ports, CD drives, wireless and other access technologies, as some military networks do), there is always the chance that someone will be able to access and expropriate information. The best you can hope for is to make it as hard as is practical to access information on your network, and to be able to identify what happened once a compromise does occur. Everyone has heard of the compromise that resulted in a major US retailer losing more than 40 million customers' information, cost its CEO his job, and hit the company's stock price. But how many people know that the compromise started with its HVAC system? A third party that provided HVAC work for a number of stores had its credentials to the retailer's network stolen (how many CIOs know their HVAC systems are Internet connected?). The original purpose of those credentials may have been to let the HVAC company monitor the stores' various HVAC systems for performance and reliability; what resulted was the loss of tens of millions of pieces of information, jobs, market share, and more.

So what do you do? If you cannot secure your network perfectly, what is the best way to achieve a reasonable level of security and still be able to identify what happened after it happens? Beyond its broad range of network and application monitoring solutions, Riverbed SteelCentral also provides technology that can monitor your network for suspicious connections, alert you when they happen, and let you find out what was compromised after the fact.

SteelCentral NetProfiler provides several technologies that allow you to monitor for intrusions as well as identify what has happened after the fact.

  • Suspicious Connections provides continuous monitoring of traffic on your network, leveraging both packet and flow data to identify connections between hosts that are out of the ordinary. With a NetProfiler installed, a host that normally only accesses the HVAC systems but suddenly starts accessing the financial servers would be flagged.
  • New Server Port watches selected portions of the network to identify when systems start either consuming or providing a new service. Whether the service is new for the individual system, for a group of systems, or for the entire network, NetProfiler can alert you when this occurs.
  • User Defined Policies (UDPs, not to be confused with the datagram protocol) allow NetProfiler to look for specific types of traffic at specific rates and alert when those rates are exceeded. CIFS traffic may traverse the network 24 hours a day in large quantities, but how much CIFS traffic should be destined for the Internet? Using UDPs you can have NetProfiler monitor CIFS traffic and alert as soon as more of it heads to the Internet than is expected.

  • Advanced reporting allows NetProfiler to show who accessed what resources at what time. Whether it happened today, yesterday, last week, or last month, NetProfiler stores the conversation records, making it straightforward to extract which systems were accessed by whom and when (including the Windows Active Directory logins used to access the system at that time, how much data was transmitted, and where it went).

  • If a SteelCentral NetShark is included in the mix, then you can not only identify when problems occurred and who the likely culprits are, but also use NetShark's packet capture and storage capabilities to retrieve the actual packets of the sessions in question, provided they crossed a capture point and are still within the retention window. These can be used to replay the transactions to identify exactly what data was taken, or as evidence if it comes to that.
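To make the first three checks above concrete (a host talking to a peer it has never talked to, a watched server suddenly serving a new port, and a rate policy on CIFS leaving the network), here is a small Python sketch of that detection logic run over flow records. This is an added example, not NetProfiler or any other Riverbed code; the host addresses, baselines, ports and flow records are constructed for illustration, and "internal" is simply defined as the RFC 1918 ranges.

```python
"""Toy flow analyzer: a sketch of the three kinds of check described above
(suspicious new host-to-host connections, new server ports, and a rate policy
for CIFS leaving the network). Added example, not NetProfiler code; the
baselines and flow records below are constructed for illustration."""

import ipaddress
from collections import defaultdict

# RFC 1918 ranges; anything outside them counts as "the Internet" for the policy.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: which destinations each monitored host normally talks to.
BASELINE_PEERS = {
    "10.10.5.20": {"10.10.8.1", "10.10.8.2"},  # HVAC vendor jump host -> HVAC controllers
    "10.10.5.21": {"10.10.8.1"},
}
# Constructed baseline: which ports each watched server normally listens on.
BASELINE_SERVER_PORTS = {
    "10.10.8.1": {502},    # Modbus/TCP on an HVAC controller
    "10.10.9.50": {1433},  # finance database server
}
# Policy threshold: CIFS (TCP/445) bytes one host may send to external addresses per window.
CIFS_TO_INTERNET_LIMIT = 1_000_000

# Constructed flow records for one reporting window: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.10.5.20", "10.10.8.1", 502, 1200),       # normal HVAC polling
    ("10.10.5.20", "10.10.9.50", 1433, 240000),   # HVAC host reaching the finance DB
    ("10.10.7.3", "10.10.8.1", 22, 900),          # SSH appearing on an HVAC controller
    ("10.10.9.50", "203.0.113.7", 445, 700000),   # CIFS leaving the network
    ("10.10.9.50", "203.0.113.8", 445, 600000),
    ("10.10.9.50", "10.10.9.51", 445, 5000000),   # internal CIFS, unremarkable
]


def is_internal(ip):
    """True if ip falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_connections(flows, baseline_peers):
    """Flows whose source has a learned peer set and whose destination is not in it."""
    return [(src, dst) for src, dst, _, _ in flows
            if src in baseline_peers and dst not in baseline_peers[src]]


def new_server_ports(flows, baseline_ports):
    """(server, port) pairs where a watched server is seen on a port it never served before."""
    return sorted({(dst, port) for _, dst, port, _ in flows
                   if dst in baseline_ports and port not in baseline_ports[dst]})


def cifs_policy_violations(flows, limit):
    """Hosts whose CIFS bytes to non-RFC1918 destinations exceed the policy limit."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port == 445 and not is_internal(dst):
            totals[src] += nbytes
    return {src: total for src, total in totals.items() if total > limit}


if __name__ == "__main__":
    for src, dst in suspicious_connections(FLOWS, BASELINE_PEERS):
        print(f"suspicious connection: {src} -> {dst}")
    for server, port in new_server_ports(FLOWS, BASELINE_SERVER_PORTS):
        print(f"new server port: {server}:{port}")
    for src, total in cifs_policy_violations(FLOWS, CIFS_TO_INTERNET_LIMIT).items():
        print(f"policy violation: {src} sent {total} CIFS bytes to the Internet")
```

Note that hosts without a learned baseline are ignored by the first two checks; in practice the baseline is built from a learning period and the interesting alerts come from hosts whose behaviour drifts away from it, which is exactly the HVAC-to-finance pattern the text describes. The rate check deliberately leaves internal CIFS alone, however large, and counts only bytes to addresses outside the RFC 1918 ranges.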

While there is no way to secure your network 100%, there are lots of things you can do to make it hard to compromise. From sensible password and two-factor authentication policies to advanced traffic monitoring and alerting, you don't have to make your network impregnable. You just have to make it harder to get into than the next network, and to notice quickly when someone does.
